Over 80% of breaches involve weak or misused credentials, according to Verizon’s Data Breach Investigations Report. Credential misuse is a clear example of a single issue that is both a security risk and a compliance risk for organizations, since it affects everything from the efficacy of your cybersecurity program to compliance audits, contracts, and revenue.
For federal contractors handling Federal Contract Information (FCI), CMMC Level 1 directly addresses this risk and other pressing ones. Level 1 is designed to encourage basic cyber hygiene, and outlines 15 controls that help safeguard sensitive data and maintain eligibility for federal contracts.
In this blog post, we will go over a CMMC Level 1 checklist and requirements, starting with which types of organizations Level 1 applies to:
Government contractors, subcontractors, and suppliers in the federal supply chain that handle FCI (Federal Contract Information) likely fall into CMMC Level 1. This tier is designed for contractors and subcontractors working with the Department of Defense who don't store or process sensitive technical data but still have access to basic contract details.
CMMC Level 1 has 15 requirements. Your organization must meet these 15 requirements and self-attest against them each year. The requirements fall under basic safeguarding practices and are derived from the Federal Acquisition Regulation (FAR) 52.204-21.
Below is our CMMC Level 1 Checklist, starting with the gap assessment process and then walking you through the 15 requirements that need to be addressed:
Getting Started - CMMC Level 1 Checklist: Gap Assessment
"At Rhymetec, we always start with a gap assessment. A gap assessment against the NIST 800-171 controls is a must-have… It helps you determine if you have any missing controls or if you have any gaps in your compliance, so you can start putting together a roadmap for completing the remaining controls." - Metin Kortak, Rhymetec
The aim is to compare your current environment against the required controls. This process tells you what needs to be done before you’re ready to self-attest or move into the certification phase.
CMMC 2.0 also allows you to use a Plan of Action and Milestones (POA&M) to formally track missing controls and your plan for implementing them:
“In 2.0, CMMC came out with a final action and milestones plan. This document essentially allows you to create implementation plans for controls that are missing in your gap assessment, so that you can remediate these controls within a certain amount of time. This is also something you can work with third parties on or conduct your own self-assessment.” - Metin Kortak, Rhymetec
Next, we'll break down what you need to do to meet the requirements of CMMC Level 1.

CMMC Level 1 Checklist
If your organization handles only FCI and not CUI, then CMMC Level 1 likely applies to you.
"If you're only handling FCI and not CUI, you fall into Level 1. Level 1 is an order of magnitude less involved than Level 2. It actually only has 15 requirements that are heavily aligned with a subset of the NIST 800-171 framework. You must meet these 15 requirements, and then you just need to self-attest against them each year." - Matt Bruggeman, A-LIGN
The 15 requirements fall under basic safeguarding practices, are derived from Federal Acquisition Regulation (FAR) 52.204-21, and map to a subset of NIST 800-171, Rev. 2.
Below are the 15 action items you need to address for CMMC Level 1, divided into clear sections based on our expert advice.
*For a full list of these items with a greater level of technical detail, see the official FAR 52.204-21 documentation.
Access Control
1. Limit system access to authorized users.
To reduce the risk of unauthorized exposure of data, only users with a business need should be able to log in to systems that store or process FCI.
In practice, this means setting up role-based access controls, implementing identity and access management (IAM) tooling, and regularly auditing user access so that accounts that are no longer needed are removed.
These types of security measures entail broader business benefits, as they reduce the risk of insider threats and limit the extent of potential damage in case of compromised credentials.
2. Limit system access to authorized devices.
Even if a user is authorized, the device they connect from might not be, or might lack the proper controls.
All laptops and mobile devices that connect to your systems should be managed so that untrusted endpoints cannot introduce threats. Mobile Device Management (MDM) and endpoint detection and response (EDR) solutions are the industry-standard ways to accomplish this.
3. Control access to system functions (e.g., user roles).
Users should only be able to perform actions appropriate for their job (such as admin tasks being restricted to IT staff). It is critical to define roles and assign permissions accordingly, and restrict admin rights to select personnel.
These measures vastly minimize the risk of unauthorized changes or even accidental misconfigurations being made.
4. Verify and control connections to external systems.
Any systems that link with a third party (such as a cloud storage provider or file-sharing services) can become gateways for data leaks. As such, they must be reviewed and approved to prevent unauthorized data transfers.
Organizations can accomplish this by maintaining an inventory of all third-party connections, reviewing and approving integrations before use, and monitoring data flow between internal systems and external services. This serves to protect against data loss via insecure APIs or file-sharing platforms.
Identification and Authentication
5. Require user identification before granting system access.
Every action should be traceable to an individual.
Action items to accomplish this objective include assigning unique user IDs to all personnel, eliminating any shared accounts, and enabling logging to tie activity back to specific users.
The business value of this step is crucial, as it creates accountability and aids in forensic investigation in case of incidents.
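Items 1, 3, and 5 above all come down to the same periodic user access review: every account that can reach FCI belongs to an authorized role, admin rights stay with IT, every login maps to one accountable person, and dormant accounts get removed. The script below is an added example written for this post, not Rhymetec's or any IAM vendor's code; the account fields, the 90-day dormancy threshold, the "IT only" admin rule, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical account export from an IAM tool; the field names are assumptions.
@dataclass
class Account:
    username: str
    owner: str               # named person accountable for the account ("" if none)
    role: str                # business role used for role-based access control
    is_admin: bool
    last_login: date
    fci_systems: list = field(default_factory=list)   # FCI systems the account can reach

ADMIN_ROLES = {"it"}         # assumption: only IT staff may hold admin rights (item 3)
INACTIVE_DAYS = 90           # assumption: dormant-account review threshold (item 1)
SHARED_HINTS = ("shared", "generic", "team")   # naming patterns that suggest a shared login

def review_accounts(accounts, today, authorized_roles):
    """Return (username, finding) pairs for accounts that violate the access rules."""
    findings = []
    for a in accounts:
        has_fci = bool(a.fci_systems)
        # Item 1: only roles with a business need may reach FCI systems.
        if has_fci and a.role not in authorized_roles:
            findings.append((a.username, "unauthorized-role"))
        # Item 3: admin rights restricted to IT staff.
        if a.is_admin and a.role not in ADMIN_ROLES:
            findings.append((a.username, "admin-outside-it"))
        # Item 5: every account maps to one accountable person; no shared logins.
        if not a.owner or any(h in a.username.lower() for h in SHARED_HINTS):
            findings.append((a.username, "shared-or-unowned"))
        # Item 1: dormant accounts that still reach FCI should be removed.
        if has_fci and (today - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.username, "inactive"))
    return findings

# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "contracts", False, date(2025, 6, 28), ["contracts-share"]),
    Account("bob", "bob", "it", True, date(2025, 6, 29), ["contracts-share"]),
    Account("carol", "carol", "marketing", True, date(2025, 6, 25), ["contracts-share"]),
    Account("shared-scanner", "", "contracts", False, date(2025, 6, 20), ["contracts-share"]),
    Account("dave", "dave", "contracts", False, date(2025, 2, 1), ["contracts-share"]),
    Account("erin", "erin", "marketing", False, date(2025, 6, 29), []),
]

def sample_review():
    """Run the review against the constructed inventory as of a fixed date."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2025, 6, 30), {"contracts", "it"})

if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user}: {finding}")
```

Each finding is a record you can attach to the self-attestation evidence: the review date, the rule that fired, and the account it fired on. Running the same review on a schedule is what turns "regularly auditing user access" from a policy sentence into something an assessor can see.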
Media Protection
6. Sanitize or destroy media containing FCI before disposal.
Leaving data on discarded devices is a common but extremely preventable risk.
Simply establishing a process to wipe drives using certified tools, physically destroy storage devices when decommissioned, and document sanitization or destruction (for audit purposes) accomplishes this and prevents data leakage from improperly discarded hardware.
7. Protect FCI stored on removable media and external drives.
Portable storage can create unique risks when used off-site, and it’s critical to protect data in the event devices are lost or stolen.
Avoiding the use of removable media altogether is the best way to circumvent this risk entirely, but if your organization has to use removable media, you should be encrypting USB drives and external hard drives and locking physical storage devices when not in use.
Physical Protection
8. Limit physical access to systems storing or processing FCI.
Unauthorized individuals shouldn’t be able to walk up to a server or terminal.
Acceptable measures to fulfill this requirement under CMMC Level 1 include using keycards, biometric access, or badge systems, monitoring entry points with surveillance, and keeping visitor logs. All of these measures greatly reduce the risk of physical tampering and/or data theft.
System and Communications Protection
9. Monitor and control communications at system boundaries.
Network traffic needs to be inspected and controlled to catch threats early.
Firewalls and intrusion detection tools monitor traffic entering or leaving your network and block suspicious activity; logging and alerting on traffic anomalies clues you in to threats early on.
10. Implement boundary protections such as firewalls and filters.
Network segmentation can both contain threats and reduce their impact.
Actions such as applying email filters and web proxies, enforcing traffic rules between network zones, and creating VLANs to isolate sensitive systems will limit the blast radius of a breach and keep attackers from causing further harm.
11. Use cryptographic methods when transmitting FCI.
Sensitive data in transit needs to be protected from interception. The recommended controls are enforcing TLS for all network communications, using secure transfer protocols, and encrypting FCI in transit.

Systems and Information Integrity
12. Identify system flaws (e.g., patches) and manage them.
Outdated systems are prime targets for attackers. This is why it is crucially important to keep systems up to date by applying security patches regularly.
For CMMC Level 1, organizations accomplish this by prioritizing critical updates, applying patches on a schedule under a documented process, and regularly checking for software updates.
13. Take steps to protect against malicious code, such as antivirus.
Malware can compromise systems and exfiltrate data. Deploying anti-malware tools that block viruses and other threats capable of compromising FCI is the industry-standard step to combat this risk.
14. Monitor system activity for security events.
Without visibility, threats can go undetected for months. It’s crucial to set up a way to track system logs in order to detect unusual behavior that could indicate a breach or misuse. To accomplish this, organizations often implement a SIEM platform, or other tools to monitor for suspicious behavior.
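A SIEM rule for item 14 is, at its core, a parser plus a counter over a time window. The following is an added example written for this post, not code from Rhymetec or from any SIEM product: it parses constructed sshd-style log lines, raises an alert when one source produces five failed logins inside five minutes (both thresholds are assumptions), and raises a second, higher-priority alert when a login from that source succeeds while the burst is still inside the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-style syslog format (not real logs).
SAMPLE_LOG = """\
2025-06-30T09:00:01 srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 5001
2025-06-30T09:00:04 srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 5002
2025-06-30T09:00:09 srv1 sshd[101]: Failed password for admin from 203.0.113.7 port 5003
2025-06-30T09:00:12 srv1 sshd[101]: Failed password for root from 203.0.113.7 port 5004
2025-06-30T09:00:15 srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 5005
2025-06-30T09:00:20 srv1 sshd[101]: Accepted password for alice from 203.0.113.7 port 5006
2025-06-30T09:05:00 srv1 sshd[102]: Failed password for bob from 198.51.100.4 port 6001
2025-06-30T09:45:00 srv1 sshd[103]: Accepted publickey for bob from 198.51.100.4 port 6002
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(\S+) from (\S+)"
)

FAIL_THRESHOLD = 5               # assumption: failures per source before alerting
WINDOW = timedelta(minutes=5)    # assumption: sliding window for counting failures

def parse_log(text):
    """Turn raw lines into (timestamp, outcome, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, ip))
    return events

def detect(events):
    """Return alerts for failure bursts and for logins that succeed right after one."""
    alerts = []
    recent_fails = defaultdict(list)   # source_ip -> failure timestamps inside WINDOW
    flagged = set()                    # sources that already produced a burst alert
    for ts, outcome, user, ip in events:
        q = recent_fails[ip]
        while q and ts - q[0] > WINDOW:    # expire failures older than the window
            q.pop(0)
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, None))
        elif ip in flagged and q:
            # a success while the burst is still inside the window is the urgent case
            alerts.append(("success-after-burst", ip, user))
    return alerts

def sample_alerts():
    """Run the detection over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for kind, ip, user in sample_alerts():
        print(kind, ip, user or "")
```

The lone failure from the second source never alerts, and its later key-based success is forty minutes outside the window, so it stays quiet; that is the behaviour you want so that the alert queue is not flooded by ordinary typos. In a real deployment the same logic runs inside the SIEM's rule engine against its normalized event fields rather than a regex over raw text.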
15. Perform periodic system scans and take corrective action.
Running regular vulnerability scans to detect weaknesses and applying fixes or updates as needed to keep systems secure is something every organization should be doing. The business value of this last control is keeping your security posture strong and supporting audit readiness.
CMMC Level 1 Checklist: Self-Attestation For CMMC Level 1
Unlike Level 2 and Level 3, Level 1 does not require a third-party assessment.
Instead, your organization must self-attest annually to meeting all 15 practices. That attestation must come from a senior company official and be submitted through the Supplier Performance Risk System (SPRS).
Most organizations will need to document the following for Level 1:
- How each of the 15 controls above is implemented
- Which systems process or store FCI
- Who is responsible for each requirement
- Dates of the last review and updates
Although Level 1 is far less resource-intensive than Level 2 or 3, that doesn’t mean accountability is any less important! Contractors who don’t meet these requirements can face contract risks.
Here is how long you can anticipate CMMC Level 1 to take:

Partner For Success: Work With An Accredited C3PAO
Meeting CMMC requirements is a complex process, even for Level 1.
The good news is that you don’t have to do it alone. Our partnership with industry leader A-LIGN, an accredited C3PAO, gives you access to both the security legwork needed to meet requirements as well as certified assessment services. Working with trusted partners speeds up the timeline for CMMC.
Together, we help organizations prepare for CMMC with confidence. Whether you are just getting started or finalizing your readiness for an assessment, we’re here to support your compliance journey with security expertise and a trusted C3PAO partner.
If you need to go beyond self-assessment, C3PAOs are the only organizations authorized by the CyberAB to perform official CMMC assessments. Their involvement is essentially a must-have for any contractor aiming for certification. Meanwhile, as a Registered Provider Organization (RPO), Rhymetec works hand-in-hand with A-LIGN to help you prepare for that assessment.
RPOs are approved to offer consulting and readiness support, and help you implement required controls, remediate gaps, and make sure your security practices and documentation align with CMMC standards.
Together with A-LIGN, we are proud to offer this streamlined option for our clients. Contact us today to get started.
Meet Hunter!
Hi! My name is Hunter Moreno, and I'm a cybersecurity analyst at Rhymetec. My path to where I am today wasn't traditional. I wanted to delay taking out student loans until I reached university, so I worked in IT full-time while in community college, taking just a class or two each semester as I could afford them.
After receiving my associate's degree, I transferred to university for my bachelor's in cybersecurity. During this time, I got my first cybersecurity role with an oil and energy company where I handled security for their locations across the USA, Colombia, and Mexico. This experience gave me hands-on experience with endpoint security, threat intelligence, and cyberattack response. Most importantly, it taught me to adjust my communication to align with a non-technical audience, as many breaches result from human error, too many tools, or not enough tools.
I recently finished my master's degree in Information Technology with a focus in Information Security. However, my education journey is not over just yet! I plan to start studying pen testing and obtaining certifications.

Tell us a surprising fact about yourself…
I grew up on a ranch in a small town with just one stoplight! I even had a computer with dial-up internet in our barn!
If you could have any superpower, what would it be?
I'd love the power to instantly teach cybersecurity awareness to elderly people everywhere. Elderly people are often targeted by scammers and cybercriminals, and being able to help them recognize and avoid these threats would prevent tremendous financial and emotional damage.
What are some things you enjoy doing outside of work?
I love rock 'n' roll music and going to concerts! I actually got to combine this passion with my studies - my master's capstone project involved creating a database related to music.
Tell us about your role at Rhymetec…
I'm a cybersecurity analyst at Rhymetec, where I've been working since September 2024. I help our customers achieve compliance with standards like SOC 2, ISO 27001, and HIPAA. My daily responsibilities vary quite a bit, which keeps the work interesting, but typically include setting up monitoring alarms in AWS and Azure environments, creating security policies, and running compliance tests. I also conduct vendor reviews and risk assessments, manage device compliance configurations like encryption and MFA setup, oversee mobile device management security, and perform internal audits. A significant part of my work involves gathering evidence for compliance audits and conducting employee security reviews.
Why did you pursue a career in the cybersecurity industry?
My grandfather let me play games on a computer starting around age 5 because he knew computers were the future, and I've been hooked on technology ever since. Growing up, I had to run a 25-foot dial-up cord to the barn just to get more computer time!
As I got deeper into technology during my studies, I was trying to figure out which direction to take my career. I learned that cybersecurity was a rapidly growing field with great opportunities, and that practical aspect really appealed to me. Combined with my fascination with how technology works and the challenge of protecting digital systems, cybersecurity felt like the perfect fit.
What is your favorite part about working at Rhymetec, or in the cybersecurity industry?
I love that cybersecurity is like being a digital protector. Our job is to see threats you don't until it's too late. Every day brings different challenges and puzzles to solve, whether it's helping a client set up better security controls or investigating a potential threat. Plus, the field changes so quickly that I'm always learning something new, which keeps the work exciting.
What is your favorite quote or the best advice you have ever received?
The best advice I’ve ever received came from my mother and grandmother: “Education is the one thing no one can ever take from you.” That belief shaped my approach to life. It taught me that knowledge builds independence, creates opportunity, and empowers you to navigate challenges on your own terms. I carried that mindset through working my way through school and earning my master’s degree, and it continues to guide me today. Whether it’s formal education or self-taught skills, I believe continuous learning is one of the most powerful tools anyone can have.

From a security or compliance perspective, what advice would you give to a potential client or SaaS business?
My biggest piece of advice is to never assume your security controls are working just because someone says they are. I've seen too many cases in my career where servers and systems were thought to be secure, but when we actually verified the controls, we found significant gaps. Often this happens because security measures weren't properly documented or the implementation was never completed as planned.
Compliance frameworks like SOC 2 and ISO 27001 aren't just regulatory requirements - they provide crucial verification that your security controls are actually in place and functioning as intended. Beyond the technical benefits, achieving compliance also demonstrates to your customers and stakeholders that you take security seriously. In today's business environment, that visible commitment to protecting data can be a real competitive advantage.
Connect with Hunter Moreno
In 2025, more companies than ever before are budgeting for ISO 27001 certification costs. In a recent ISO survey, the global number of ISO 27001 certificates reached over 70,000, reported across 150 countries and a range of economic sectors.
Many of these certifications are driven by customer demand and procurement requirements, in particular in fields such as B2B SaaS.
Understandably, cost is often one of the most important questions companies exploring their compliance options have. ISO 27001 is a bit more involved than other frameworks in this space, such as SOC 2, as it requires a broader set of security controls and third-party requirements.
External audit costs, internal resource time, implementing technology changes at your organization, and ongoing maintenance all factor into ISO 27001 certification costs. Without a clear breakdown, it can be easy to underestimate both the initial investment and the ongoing effort.

This blog outlines what to expect for ISO 27001 certification costs, based on current market data, our team’s firsthand experience working with SaaS startups, and input from certified auditors we work closely with.
Preparation Costs
Preparation costs for ISO 27001 represent a substantial part of the overall investment. Before engaging a registrar (an accredited certification body), your organization must complete a range of activities that require time, resources, investment in new technologies, and, in many cases, external support.
Typically, the first step of an ISO 27001 engagement is a gap assessment. A gap assessment shows where you are versus where you need to be by identifying missing controls and policy gaps in comparison to the ISO 27001 standard. Companies may complete this assessment internally or work with a third-party consultant for greater objectivity and expertise (if you don’t have in-house personnel with compliance experience).
Following the gap assessment, staff training and security awareness are typically the next steps.
Every employee needs to understand their role in protecting both company and customer data. Your organization will likely need to develop new onboarding materials, invest in employee training sessions, and plan targeted training sessions for engineers and leadership.
The adoption of new compliance software is often part of the preparation phase. Startups in rapid growth phases typically choose tools like Drata or Vanta to automate the pieces of compliance that can be automated and to track their progress in one central place.
These tools support policy management, control tracking, evidence collection, audit preparation, and more. These platforms can vastly simplify the compliance process, but they do entail an investment. Check out our blog post on compliance automation platforms for more information on how these tools work and how they accelerate compliance.
Each one of these preparation activities helps to create a foundation for a successful certification process. Companies that invest early on in assessments, training, and new technologies tend to move through the audit with greater efficiency and fewer surprises. While the cost ranges vary, the effort spent up front directly impacts how much time and work will be needed later on.
Estimated Total Cost of Preparation: $2,000 - $10,000
ISO 27001 Certification Cost: Documentation and Policy Development
ISO 27001 requires formal documentation of the Information Security Management System (ISMS), including your policies and procedures. Documents are reviewed during the audit and must align with how your organization operates in practice.
For this step, most companies begin by building out a core set of policies around access control, vendor management, risk management, acceptable use policies, incident response policies, and asset management. Policies must reflect actual practices and responsibilities that are implemented.
While templates can be used to accelerate this step, customization specific to your organization is important. This is a good example of where using a compliance automation tool (such as Vanta or Drata) in combination with working with an expert security and compliance professional (such as our vCISOs at Rhymetec) can be extremely helpful:
The compliance automation tool provides an excellent baseline, while a dedicated team can customize documentation and policy development to your organization in a way that will pass scrutiny during your audit.
Some companies choose to adopt a full ISMS documentation toolkit or policy automation platform. Although optional, these tools simplify everything from version control to auditor access and stakeholder review, but they do come with additional software costs.
Your documentation will be one of the most scrutinized aspects of your ISO 27001 audit. It’s critical to adequately plan out enough time and resources to draft, review, and align policies with actual practices. Building out your policies with day-to-day operations in mind can help streamline the audit process while supporting long-term security and compliance.
Estimated Cost of Documentation and Policy Development: $1,000 - $8,000
Implementation Costs: Building The Framework
Once documentation is drafted, the next step is to begin actually implementing the controls required by ISO 27001.
The most critical piece of this phase is making sure your policies are aligned with real operational practices. Additionally, at this stage, you will assign responsibilities and validate that controls work as they are meant to. Costs can also add up during the implementation phase from technology upgrades you may need.
Conducting a risk assessment and documenting a plan to mitigate any identified risks is also a key part of this stage. Many companies choose to circumvent the need to acquire new technologies and dedicate internal resources by engaging a vCISO (Virtual CISO). At Rhymetec, our vCISOs take the implementation work off your plate and accomplish these items for you.
Estimated Implementation Costs: $1,000 - $10,000

Internal Audit and Pre-Audit Expenses
Before undergoing your certification audit, you’ll need to complete an internal audit.
In many cases, organizations will outsource this step to a firm specializing in pre-audit assessments (or, if you are already working with a vCISO, they will do this work for you!). Organizations with internal teams can manage this on their own, but many choose to work with outside consultants to speed things up and ensure objectivity. Note that using PECB-accredited internal auditors is encouraged.
The pre-audit, or readiness assessment, is a voluntary but highly recommended assessment typically carried out by a consultant (such as a vCISO) or the certification entity. This serves to mimic your official audit, identifying areas of weakness and reducing the risk of non-conformity during your real audit. Costs during this stage also reflect the need to revise any discovered gaps, finalize your evidence collection, and coordinate between teams.
Estimated Internal Audit & Pre-Audit Costs: $1,000 - $6,000
Certification Audit Costs
After you’ve completed your ISO 27001 readiness work, the ISO 27001 certification audit is conducted by an accredited, external entity. The process is divided into two phases:
Phase 1 - Verifies your documentation.
Phase 2 - Verifies that controls are working as intended.
Costs depend primarily on organizational size, which region you are in, how complex your infrastructure is, and the level of risk associated with your operations. The total cost of the audit covers both of these phases. For startups or SMBs with fewer than 100 employees, the audit typically takes anywhere from a few days to two weeks.
If areas of non-conformity are discovered during the audit, it may be necessary to undergo a follow-up audit after making changes. This can cost extra as well. Some auditing firms also tack on administrative costs, in addition to the baseline cost of the audit.
Estimated Cost For Accredited ISO 27001 Audit: $4,000 - $12,000
Ongoing Costs: Maintaining Your Certification
Once certification has been obtained, your organization must maintain the ISMS and undergo annual surveillance audits. This requirement generates a recurring set of compliance activities to be completed every year:
The annual surveillance audit is completed by an accredited firm. While less demanding compared to the original audit, it’s still an obligatory step. Your internal team or vCISO will manage updating documentation, risk remediation where needed, technical control updates, and more.
Additionally, every three years your organization will need to undergo a recertification audit, with costs similar to the initial audit. This is built into the overall ISO 27001 certification costs for ongoing maintenance.
Estimated Ongoing Costs (Annualized): $1,000 - $4,000
Additional Factors That May Influence Your ISO 27001 Certification Cost
While most organizations follow a similar certification process, a number of variables can influence total cost. The following factors will affect the duration of your audit, internal preparation effort, and the level of external support needed:
Company Size and Structure
Larger teams, companies with multiple office locations, or hybrid work environments tend to increase both the number of controls and the audit scope. Costs due to these factors add up in terms of time spent on audit activities, documentation, and coordinating with internal teams.
Level of Technical Complexity
Companies with custom infrastructure, multi-cloud environments, or proprietary platforms often require additional effort in terms of documentation and control verification. Auditors also need to spend more time reviewing technical evidence in these cases.
Systems and Vendors That Are In-Scope
The number of systems and third-party services included in the ISMS directly affects the depth and length of your audit. Most companies include at least a dozen vendors in their initial ISO 27001 scope.
Internal Experience Level
Companies without prior compliance experience will require a greater level of external guidance. Meanwhile, teams that are already familiar with SOC 2 or similar frameworks tend to move faster and are able to reduce external costs.
The controls required for ISO 27001 overlap with several other popular frameworks in this space. If you already have SOC 2, for example, your organization can leverage some of those requirements to meet some of the ISO 27001 requirements.
Auditing Body Selection
Certification bodies charge different rates and employ slightly different methodologies. Regional pricing differences, travel costs, and preferred audit partners can influence the final quote.
Total ISO 27001 Certification Cost
For most startups and SMBs, the full cost of ISO 27001 certification falls between $10,000 and $50,000. This covers everything from preparation, implementation, internal and external readiness assessments, and the official audit through the first year of ongoing expenses.
Companies building from scratch and managing the process on their own will fall toward the higher range, while companies that opt to engage external support (such as a vCISO) will see lower overall bundled costs, even if they are starting from scratch.
This cost is front-loaded in year one, with most of the budget being allocated before and during the initial audit. After certification, annual maintenance costs are typically much lower.
In Conclusion: Planning For ISO 27001 Certification Cost
ISO 27001 certification is a multi-phase effort that touches nearly every part of a company’s operations. The audit itself is just one part of the full cost. Preparation work, implementation of the ISMS, internal (and external) testing, and ongoing maintenance all contribute to the total budget.
Companies that plan early on and understand their internal capacity are better positioned to keep costs under control. For early-stage teams, the main drivers of cost are scope, control maturity, and whether you’re handling the work internally or bringing in outside help.
Most startups and small to mid-sized companies spend between $10,000 and $50,000, depending on how much needs to be built from scratch. Large corporations may spend over $100,000, depending on their industry and the complexity of their operations. At Rhymetec, our vCISO pricing depends on which tier of support you select:

Properly budgeting for ISO 27001 certification costs enables organizations to get certified while building sustainable security practices that scale as the business grows. Whether you are in the early stages of building your compliance program or if you have already started the work and feel stuck, our experts can assist. Contact us today to get started.
Meet Sam!
I grew up in Charlotte, North Carolina, and later moved to Charleston, South Carolina for college, where I earned my Master of Science in Information and Computer Sciences. My career began in IT support, where I worked in both the banking and healthcare industries.
Over time, I transitioned into cybersecurity, and for several years I’ve worked as an Information Security Analyst with a strong focus in the healthcare sector. About a year ago, I joined Rhymetec, where I continue to build on my cybersecurity expertise. Outside of work, I enjoy reading, gaming (both video and board games), working out, and relaxing at the beach.

Tell us a surprising fact about yourself…
Despite growing up biking, skateboarding, and playing sports like basketball and soccer, I’ve never broken a bone or been admitted to a hospital. Knock on wood.
If you could have any superpower, what would it be?
If I could have any superpower, it would be time travel. I’ve always had an interest in history, and the idea of being able to witness significant events or explore different eras firsthand really fascinates me.
What are some things you enjoy doing outside of work?
Spending time at the beach with my fiancé, traveling any chance I can, staying active, and enjoying get-togethers with my close friends and family.
Tell us about your role at Rhymetec…
I’ve been with Rhymetec for a year, working as a Cyber Security Analyst. In my role, I support our clients in achieving and maintaining compliance with various frameworks such as SOC 2, ISO 27001, HIPAA, GDPR, and others. My day-to-day responsibilities involve managing project tasks related to audit preparedness, conducting audits for both internal and external clients, and responding to a wide range of cybersecurity-related client needs.

Why did you pursue a career in the cybersecurity industry?
Ironically, my academic path began with a Bachelor’s in Psychology, but I’ve always had a strong interest in computers and technology. That interest led me to take computer science courses and eventually pursue a graduate degree in Information and Computer Sciences. I started my career in IT support, working in both the banking and healthcare sectors, where I gained hands-on technical experience and a solid foundation in the IT field.
From the beginning, my goal was to transition into cybersecurity. I saw it as a field that was rapidly evolving, full of complex challenges, and deeply connected to real-world outcomes. What fascinates me most about cybersecurity is the pace of change, the constant need to adapt and learn, and the critical role it plays in protecting people, organizations, and data. It’s a career that keeps me engaged, challenged, and continuously growing.
What is your favorite part about working at Rhymetec, or in the cybersecurity industry?
What I love most about working at Rhymetec is the culture and the team. I’m surrounded by dedicated and talented professionals who not only support one another and our clients but also create an environment where growth and development are encouraged. The company has given me the tools and opportunities to grow in this role and continue maturing as a cybersecurity analyst.

What is your favorite quote or the best advice you have ever received?
One of the best pieces of advice I’ve ever received was: “You don’t have to know everything, just be willing to learn.” It came from a mentor early in my career, and it resonates, especially in a field like cybersecurity, where things are constantly evolving. It’s easy to feel like you’re always trying to catch up, but curiosity, adaptability, and a willingness to grow are often more valuable than having all the answers upfront. It’s shaped how I approach challenges, new roles, and even how I support others on my team.
From a security or compliance perspective, what advice would you give to a potential client or SaaS business?
The best advice I would give to a potential client is to build security and compliance into your processes early, not as an afterthought. It’s far more efficient and cost-effective to design your systems, policies, and workflows with frameworks like SOC 2 or ISO 27001 in mind from the start, rather than retrofitting them later.
Also, don’t treat compliance as a checkbox exercise. The goal should be to create a security-first culture where protecting data and earning user trust are prioritized. This means investing in monitoring, documentation, employee training, and proactive risk management—not just preparing for the next audit.
Rhymetec can help clients achieve these goals by providing guidance tailored to your specific compliance needs, whether it's SOC 2, ISO 27001, HIPAA, or others. We work closely with clients to build sustainable security programs, prepare for audits, and implement best practices that align with both regulatory requirements and business objectives.
Connect with Sam Brokaw
The federal government spends more than $100 billion annually on IT services, much of it through contracts with private companies. That level of investment brings strict cybersecurity expectations, especially for contractors that handle government data.
Two frameworks frequently encountered in this space are the Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP). Both programs share the same goal of protecting sensitive information. However, they serve slightly different purposes and apply to different types of vendors.
CMMC is designed for companies working with the Department of Defense, in particular for those that handle Controlled Unclassified Information (CUI). Over 100,000 companies are part of the Defense Industrial Base. Any of them that handle CUI will eventually need to meet CMMC Level 2 or 3.
Meanwhile, FedRAMP is the government-wide authorization program for cloud services sold to federal agencies; in practice it is the route for civilian agencies, while the DoD layers its own Cloud Computing Security Requirements Guide on top of a FedRAMP baseline. If you are a defense contractor, a SaaS provider, or your organization supports both civilian and DoD programs, it's important to understand how CMMC and FedRAMP compare.
This article outlines the main differences between CMMC and FedRAMP, including which types of organizations they apply to, the requirements of each framework, and how to handle certification.

Who Needs CMMC and Who Needs FedRAMP?
CMMC and FedRAMP apply to different groups of contractors and vendors based on two factors:
- The agencies they serve, and
- The type of data they handle.
In short, if you're in the DoD supply chain, you may need to meet CMMC. If you're a cloud provider for civilian agencies, you may need FedRAMP authorization. Some organizations may need to pursue both if they serve both sides of the government in these capacities.
Below is a non-exhaustive list of a few common types of companies to which CMMC would apply. Remember that CMMC applies to companies that do business with the Department of Defense (DoD) and process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI):
- Defense manufacturers that produce components for aircraft, vehicles, or weapons systems.
- Managed IT providers that support DoD facilities or systems.
- Staffing firms placing personnel in DoD programs (that involve access to CUI).
- R&D firms involved in any military-related developments or prototypes under DoD contracts.
- SaaS companies providing support to DoD missions.
- …and more.
Basically, if a company touches DoD contract information in any way (and in particular if it involves CUI), it will most likely fall under CMMC.
FedRAMP, on the other hand, applies to cloud service providers that want to sell their platforms or applications to civilian federal agencies (non-DoD). The types of companies this would include are:
- SaaS, IaaS, and PaaS vendors offering cloud-based products to agencies like the Department of Energy, the Department of the Treasury, or the Environmental Protection Agency.
- Data analytics platforms with cloud infrastructure that hosts government data.
- Project management or HR platforms that are seeking to be used across multiple federal departments.
- File storage, communications, or productivity tools that may process or store government records.
- Software vendors listed on the FedRAMP Marketplace or selling through government channels like GSA Advantage.
For more information on what you will need to plan for to meet CMMC requirements specifically - and depending on which level of CMMC you need - check out our CMMC Level 1 Checklist and our CMMC Level 2 Checklist.
Security Requirements Compared
While CMMC and FedRAMP indeed share some overlap given their common goal to protect sensitive government data, they are built on different baseline requirements, and their approaches to security controls differ.
CMMC is based on the NIST SP 800-171 framework. It requires organizations to implement 110 security controls across 14 control families if they handle CUI and need to meet Level 2 certification. For organizations handling only FCI (Federal Contract Information), Level 1 requires 15 controls focused on basic security hygiene. CMMC's overall requirements are structured around the following security considerations:
- Access control
- Incident response
- Configuration management
- Personnel and physical security
- System and communications protection (measures such as encryption and traffic monitoring).
Additionally, organizations must produce documentation, including System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms), and be ready for assessment by a CMMC Third-Party Assessment Organization (C3PAO) at Level 2 and by the government's DIBCAC at Level 3. Lastly, it's important to note that CMMC 2.0 is not a point-in-time audit. Contractors are required to maintain compliance continuously: for Levels 2 and 3, a certification lapses if the required annual affirmation is not submitted, according to the DoD's CMMC guidance.

FedRAMP, by contrast, is based largely on NIST SP 800-53 controls, which are a bit more complex in scope. A Moderate FedRAMP authorization requires over 300 controls across a wide range of domains, including:
- Continuous monitoring of systems and data.
- Incident response procedures and breach notification timelines.
- Risk assessment processes and security authorization packages.
- Documentation of how systems are interconnected/dependent on each other.
- Penetration testing and vulnerability scanning.
- Independent third-party assessments.
FedRAMP places more emphasis on supply chain risk management, cloud architecture documentation, and the remediation of vulnerabilities. Cloud service providers must assemble a complete authorization package (the SSP, assessment results, and supporting plans) to pass the agency review.
Documentation and Assessment Differences To Be Aware Of: CMMC vs. FedRAMP
The goal of documentation for CMMC (at Level 2) is to show that your organization meets the 110 controls from NIST SP 800-171. This includes documentation of:
- How controls are being implemented, and the plan for how they will be maintained. This documentation is your System Security Plan (SSP).
- A Plan of Action and Milestones (POA&M) - A list of gaps and a plan for remediation, with specific steps.
- A list of policies and procedures, showing how your organization covers access control, incident response, configuration management, and other security controls.
- Evidence of implementation (such as user logs, training records, configuration screenshots, etc) also must be included in your documentation.
Finally, assessment is conducted by a C3PAO (CMMC Third-Party Assessment Organization) for Level 2. Self-assessment is allowed at Level 1 (and for a subset of Level 2 contracts), but the results must still be entered in SPRS (Supplier Performance Risk System) and affirmed by a senior official, with that affirmation renewed annually.
*It's important to note that if you need CMMC Level 3, a current Level 2 certification from a C3PAO is a prerequisite. The Level 3 assessment itself is performed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years, and a senior official must still affirm continued compliance annually in between, according to the DoD's CMMC program rule.
FedRAMP documentation, meanwhile, is part of a full authorization package submitted to either a sponsoring agency or the Joint Authorization Board. Required documents include:
- System Security Plan (SSP) - this can often reach over 600 pages for Moderate-level systems!
- A Privacy Impact Assessment that identifies how personal data is being collected, used, and protected.
- A Continuous Monitoring Plan detailing how your organization will monitor system changes, incidents, and vulnerabilities.
- An Incident Response Plan, showing how incidents will be reported and handled.
- Documentation showing how system changes are approved and tracked (also known as a Configuration Management Plan).
Assessment is carried out by a third-party assessment organization that has been recognized by the FedRAMP PMO (Program Management Office). FedRAMP requires ongoing authorization maintenance, which takes the form of monthly vulnerability scans, incident reporting, and annual reassessments.
How Certification Works: CMMC vs. FedRAMP
CMMC 2.0 certification is tied to a company's eligibility for Department of Defense contracts. Depending on the sensitivity of the data involved, contractors must meet the requirements of Level 1 (self-assessed), Level 2 (typically third-party assessed), or Level 3 (government assessed, with a Level 2 C3PAO certification as a prerequisite). As discussed in greater detail in the previous sections, the process entails the following steps:
The first step is to conduct an internal NIST 800-171 gap assessment to compare where you are versus where you need to be. The next step is to document your System Security Plan and Plan of Action and Milestones, followed by finally engaging a certified third-party assessment organization (for Level 2 and 3).

There is no single authorizing agency as there is in FedRAMP. Assessment results are recorded in the DoD's CMMC instance of eMASS and reflected in SPRS, and a certificate covers the assessed scope (the systems that process, store, or transmit CUI) rather than one contract; contracting officers then check that status against the level each solicitation requires.
FedRAMP follows a centralized authorization process managed by the FedRAMP Program Management Office. Historically there have been two paths:
- Agency Authorization. For this option, a single agency sponsors the cloud service provider and reviews the authorization package.
- Joint Authorization Board. Authorization via the Joint Authorization Board (which comprised the DHS, GSA, and the DoD) involved a higher bar of scrutiny.
Note that OMB memo M-24-15 (July 2024) replaced the JAB with a FedRAMP Board and new JAB authorizations are no longer being issued, so agency authorization is the path to plan for.
For the FedRAMP process, your organization will work with a Third-Party Assessment Organization to complete your Security Assessment Plan and Security Assessment Report. You'll then need to submit a full authorization package through FedRAMP's secure repository, and finally, undergo ongoing monitoring after approval.
Can You Be Compliant With Both?
The short answer is yes.
If your organization provides cloud-based services to civilian agencies and works with the Department of Defense, you likely need to comply with both FedRAMP and CMMC. For example, a SaaS company that supports DoD contracts involving CUI will need CMMC Level 2, and if the same product is then sold to a civilian agency (like the Department of Energy), they will also need FedRAMP authorization.
CMMC and FedRAMP share foundational requirements from NIST standards, but they do not map one-to-one: meeting FedRAMP Moderate, for instance, doesn't automatically mean you meet CMMC Level 2 (although the DoD does treat FedRAMP Moderate, or an equivalent, as the bar for external cloud services that store or process CUI on a contractor's behalf under DFARS 252.204-7012). The good news is that the overlap substantially reduces duplicated work in areas such as access control, system monitoring, and incident response.
If you do need both CMMC and FedRAMP, figuring out early on how to align both compliance efforts can reduce cost and headaches down the road. This is a common use case for working with a consultant to manage both tracks. A consultant has the experience implementing these requirements across a large spectrum of different types of organizations, and can help ensure efficient implementation.
When To Bring In A Consultant Or MSSP
A recent report by the U.S. Government Accountability Office shows that many small businesses in the defense industry lack the internal resources to implement NIST 800-171 without outside help. This illustrates a growing need for CMMC consultants and MSSPs.
In the report, many smaller businesses in particular expressed concerns about the costs and resources required for CMMC implementation. This is where outsourcing the process can be transformative. Outsourcing is a fraction of the investment that building out an in-house team to carry out the implementation process would be.
The fact is that organizations often wait too long to bring in help, and this can lead to missed deadlines and unnecessary rework. If you're pursuing CMMC, FedRAMP, or both, bringing in a consultant early can reduce risk and cost.
It can be a good idea to bring in a consultant or MSSP if you don't have internal staff with experience in NIST 800-171 or 800-53 implementation, if you're unsure how to scope your CUI, if you're being asked to respond to a security questionnaire and aren't confident in your answers, or if you need to align your environment for both frameworks.
A consultant will perform a gap analysis, build a compliance roadmap, draft documentation for you, implement technical controls, and fully prepare your team for assessment. For small and mid-sized organizations, especially those with aggressive go-to-market timelines, outsourcing to a qualified team helps avoid delays and prevents compliance from blocking growth.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We’ve worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
With a Registered Practitioner on Staff and a Proven Track Record, the Company Solidifies Its Role as a Leading Partner for Defense Contractors Navigating New CMMC Requirements.
NEW YORK, May 28, 2025 –
Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, and data privacy services to modern-day SaaS businesses, today announces it has achieved the status of Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) through CyberAB. Developed by the U.S. Department of Defense (DoD), the CMMC Program is a set of rules designed to strengthen cybersecurity and protect sensitive government information shared with defense contractors.
As a CMMC RPO, Rhymetec is equipped to provide expert advisory and compliance readiness and maintenance services to help organizations understand CMMC requirements, implement necessary controls, and prepare for audits and assessments. This milestone is especially timely, as the final CMMC requirements take effect this month, making compliance essential for contractors looking to win or retain DoD contracts. Rhymetec's commitment to advancing CMMC readiness is further demonstrated by its active participation in industry events such as CEIC West and recent collaborations with leading compliance partners like Vanta and A-LIGN.
"With the final CMMC requirements now in effect, defense contractors and subcontractors are under real pressure to get compliance right," said Justin Rende, founder and chief executive officer of Rhymetec. "Achieving RPO status reinforces our commitment to guiding clients through this critical process with clarity, confidence, and deep expertise."
In addition to being a designated CMMC Registered Provider Organization (RPO), Rhymetec's chief information security officer (CISO), Metin Kortak, has earned the credential of CMMC Registered Practitioner (RP). This distinction underscores the company's dedication to cybersecurity excellence and hands-on expertise. Having a certified RP on staff is not only a requirement for RPOs but also enhances the value of Rhymetec's advisory and managed services, enabling more strategic guidance and tailored preparation for organizations seeking certification under the latest CMMC standards.
"CMMC isn't just about checking boxes; it's about building a resilient security posture that can stand up to real-world threats," said Metin Kortak, CISO of Rhymetec. "As a Registered Practitioner, I'm proud to help organizations cut through the complexity and take actionable steps toward long-term compliance and protection."
If your organization needs guidance navigating the complexities of CMMC compliance, including conducting gap assessments or self-assessments, developing System Security Plans (SSPs), drafting a Plan of Action and Milestones (POA&M), implementing required security controls, and supporting remediation efforts, Rhymetec can help.
You can read the original press release on PR Newswire.
About Rhymetec
Rhymetec is an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business. The company builds, deploys and manages compliant information security and data privacy programs directly within their customers' unique environments, allowing them to focus on their core competencies within their business. Over the years, Rhymetec's services have grown to include a vCISO (Virtual CISO) program, ISO Internal Audits, and a variety of Penetration Testing services. For more information, please visit www.rhymetec.com and follow us on LinkedIn.

Meet Vic!
My name is Vic DeBenedetto, and I grew up in the Philly suburbs (Go Birds!).
Growing up for me consisted of lots of sports practices during the school year and spending summers down at Long Beach Island, NJ. Although, like most kids, I tried every sport there was, the two that stuck were football and lacrosse. In the summer, I hung up the cleats and was a stand up paddleboard instructor at my local marina.
After college at Penn State, I moved back to Philly. After a 4-year stint in the city, I recently settled in the suburbs.
Tell us a surprising fact about yourself…
When I was 18, I explored every career path that didn't involve going to college. My top two options that I can remember were enlisting in the military or becoming a barber. I'm not sure what drove that, but I'm glad I ended up where I am!
If you could have any superpower, what would it be?
If I could have any superpower, it would be the ability to completely block out distractions and focus at will. In a world that's constantly buzzing with notifications (Slack especially) and competing priorities, having consistent focus would be a game-changer - not just for productivity, but for being fully present in everything I do.
What are some things you enjoy doing outside of work?
My favorite thing to do outside of work is golf. While my handicap is still in the double-digits, I have the bug and try to get out as much as possible! In the winter, I'm an avid skier and try to book at least one trip a year. Outside of that, I do CrossFit every morning before work to start the day, which never fails to humble me. On the weekends, if I'm not on the golf course or in the gym, I'm usually either trying new restaurants out or hanging out with friends and family.

Tell us about your role at Rhymetec…
I have been working at Rhymetec for over a year—but it feels like so much longer (in the best way)! As an Account Executive, I'm responsible for bringing new business into Rhymetec and expanding our reach. I work closely with our incredible partners to identify prospects who are a strong fit for our services and guide them through their compliance and cybersecurity journeys, from initial discovery to onboarding. My role is a mix of consulting, partner relationship-building, and sales, which keeps every day interesting.
What I love most about working at Rhymetec is the combination of people and purpose. I truly believe we have the best team and culture; everyone is driven, supportive, and fun to work with. I feel inspired every time I open my laptop and genuinely look forward to the conversations and challenges each day brings. It's rewarding to know that the work we do makes a real difference for our clients, helping them feel confident and secure as they grow.
Why did you pursue a career in the cybersecurity industry?
I came from a marketing technology background, and while I enjoyed that space, I was looking for something that felt more like a need rather than a nice-to-have. That's what drew me to cybersecurity. It's an industry that's not just growing rapidly—it's essential. Every company, no matter the size or industry, needs to take security seriously, and I found that really compelling.
I didn't always plan on working in cybersecurity, but once I learned more about the space, I was completely bought in. The constant evolution of threats and the high stakes involved make it both fascinating and meaningful. I love that the work we do helps companies protect what matters most and gives them the confidence to keep moving forward.
What is your favorite part about working at Rhymetec, or in the cybersecurity industry?
One of my favorite parts is getting to collaborate with such great partners. We work with some of the best in the industry, and it's rewarding to be part of a network that's all working toward the same goal: helping companies strengthen their security and achieve compliance. The relationships we've built with our partners make the work not only effective but also enjoyable—I'm constantly learning and growing through them.

What is your favorite quote or the best advice you have ever received?
The best advice I've ever received came from my dad, who always reminded me: "God gave you two ears and one mouth, so listen twice as much as you speak." It's simple but powerful, and it's stuck with me throughout my personal and professional life. Whether I'm in a meeting, on a sales call, or just having a conversation, I've found that really listening—rather than thinking about what to say next—makes all the difference. It helps build trust, uncover real needs, and create stronger connections.
From a security or compliance perspective, what advice would you give to a potential client or SaaS business?
When advising a potential client or SaaS business from a security or compliance perspective, I would emphasize the importance of adopting both a proactive and holistic approach to data protection and regulatory adherence. A reactive and narrow approach will always lead to a large-scale data breach and loss of customer trust.
At Rhymetec, we understand that a proactive and holistic security program involves implementing various controls across multiple security domains including, but not limited to, risk management, incident management, cryptography and access management. Additionally, staying informed about relevant regulations—such as GDPR, HIPAA, or DORA—and regularly ensuring that your practices align with these standards is essential for maintaining compliance and building trust with your clients.
Connect with Vic DeBenedetto
Justifying the return on cybersecurity investments can be hard. Some things are relatively easy, especially with the help of tools like compliance automation platforms. You have to comply with legal requirements and customer demands to see your SOC 2 report, but what about security that goes beyond regulatory requirements?
In a business full of competing interests, managers asking for new hires, and the marketing team wanting to spend additional money, security often falls by the wayside - but it shouldn't.
That's one of the reasons at Rhymetec we love checking out Verizon's annual Data Breach Investigation Report (DBIR). Verizon's DBIR shows exactly why companies need to move beyond compliance and implement proactive controls.
Regulators are often years behind the latest trends in the industry - companies that just focus on compliance often fail to implement safeguards and controls that could save their business millions of dollars in lost business, fines, and legal fees.
So, what are the big takeaways from this year's DBIR? Well, there are quite a few:
Generative AI, Compliance, and Accidental Leaks
You almost certainly have employees at your company feeding data into AI models that you don't know about. One of the findings that should be the most alarming to information security leaders is that, according to the DBIR:
"15% of employees were routinely accessing GenAI systems on their corporate devices (at least once every 15 days). Even more concerning, a large number of those were either using non-corporate emails as the identifiers of their accounts (72%) or were using their corporate emails without integrated authentication systems in place (17%), most likely suggesting use outside of corporate policy."
Many organizations pick one or two AI vendors and work with those, and accept a certain degree of risk. However, employees signing up directly for generative AI applications can pose severe risks, particularly to organizations that deal with highly sensitive intellectual property, regulated data such as health records, or even national security and classified data.

For example, imagine an employee at a defense contractor decides to use DeepSeek to analyze CUI (controlled unclassified information) that a contractor sends them. DeepSeek's hosted service stores user data on servers in the People's Republic of China, so that CUI has just left the country, most likely without the employee realizing it.
Getting a handle on "shadow SaaS", and in particular on which AI applications employees may be sending sensitive data to, is likely to be one of the most important issues vexing information security teams in the next five years.
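The DBIR figures quoted above come from exactly this kind of analysis: which users reach GenAI services, how often, and with what identity. As an added example (not code from the Verizon report or from Rhymetec), the Python below runs that logic over a constructed proxy/CASB log. It assumes a hypothetical log layout (timestamp, device user, destination host, the login identifier the CASB observed at the destination, and whether that login went through the corporate IdP), an assumed list of GenAI hosts, and `example.com` as the corporate mail domain; "routine" use is taken directly from the report's definition of at least one visit every 15 days.

```python
"""Find shadow GenAI use in proxy/CASB logs (added example, not from the DBIR)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: which destinations count as GenAI SaaS, the
# corporate mail domain, and DBIR's "routine" threshold of one visit per 15 days.
GENAI_HOSTS = {"chatgpt.com", "chat.openai.com", "claude.ai",
               "gemini.google.com", "chat.deepseek.com"}
CORP_DOMAIN = "example.com"
ROUTINE_GAP = timedelta(days=15)

# Constructed log: time, device user, destination host, login identifier the
# CASB observed at the destination ("-" if none), and whether that login went
# through the corporate IdP ("sso") or the vendor's own password ("local").
SAMPLE_LOG = """\
2025-03-01T09:12:00Z alice chat.openai.com alice.personal@gmail.com local
2025-03-10T11:03:00Z alice chat.openai.com alice.personal@gmail.com local
2025-03-22T14:40:00Z alice chatgpt.com alice.personal@gmail.com local
2025-03-02T08:00:00Z bob claude.ai bob@example.com local
2025-04-05T08:00:00Z bob claude.ai bob@example.com local
2025-03-03T10:00:00Z carol gemini.google.com carol@example.com sso
2025-03-15T10:00:00Z carol gemini.google.com carol@example.com sso
2025-03-29T10:00:00Z carol gemini.google.com carol@example.com sso
2025-03-04T12:00:00Z dave www.example.org - -
"""


def parse_line(line):
    ts, user, host, login, auth = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host.lower(), login, auth


def classify_identity(login, auth, corp_domain=CORP_DOMAIN):
    """Map the observed login to the DBIR buckets: personal address, corporate
    address without integrated authentication, or corporate SSO."""
    if login == "-":
        return "unknown"
    if not login.lower().endswith("@" + corp_domain):
        return "personal"
    return "corporate-sso" if auth == "sso" else "corporate-unmanaged"


def is_routine(times, window_start, window_end, gap=ROUTINE_GAP):
    """True if no stretch of the observation window longer than `gap` lacks a visit."""
    points = [window_start] + sorted(times) + [window_end]
    return all(b - a <= gap for a, b in zip(points, points[1:]))


def summarize(log_text):
    """Per-user view of GenAI destinations, identity used, and whether use is routine."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    start = min(e[0] for e in events)
    end = max(e[0] for e in events)
    per_user = defaultdict(lambda: {"hosts": set(), "times": [], "identity": "unknown"})
    for ts, user, host, login, auth in events:
        if host not in GENAI_HOSTS:
            continue
        rec = per_user[user]
        rec["hosts"].add(host)
        rec["times"].append(ts)
        ident = classify_identity(login, auth)
        if ident != "unknown":
            rec["identity"] = ident  # last observed identity wins
    return {
        user: {
            "hosts": sorted(rec["hosts"]),
            "identity": rec["identity"],
            "routine": is_routine(rec["times"], start, end),
            "visits": len(rec["times"]),
        }
        for user, rec in per_user.items()
    }


def policy_violations(summary):
    """Users whose GenAI use bypasses the corporate IdP: the population to contact first."""
    return sorted(u for u, r in summary.items()
                  if r["identity"] in ("personal", "corporate-unmanaged"))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user, rec in sorted(report.items()):
        print(user, rec)
    print("outside policy:", policy_violations(report))
```

On the constructed log, alice (personal Gmail account) and bob (corporate address, no SSO) land in the "outside policy" list, while carol's SSO-backed use is routine but governed. The useful operational follow-up is the data-loss question the report raises: for the users outside policy, pull what was uploaded from DLP or CASB content logs rather than just blocking the domain.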
Third-Party Risk Remains Highly Relevant in The 2025 Verizon Data Breach Report
Another key finding in the 2025 DBIR that security professionals should be paying close attention to is the dramatic increase in third-party involvement in breaches. According to Verizon's analysis, third-party involvement in breaches doubled from 15% to 30% in just one year. This isn't merely a statistical blip - it represents a fundamental shift in how attackers are approaching your organization's security perimeter.
As in all things in life, there are tradeoffs. As organizations increasingly adopt convenient SaaS solutions to solve various business challenges, in many cases, they unwittingly dramatically expand their attack surface (sometimes even the business doesn't know what their attack surface is, such as with shadow generative AI use).
The report specifically highlights how several high-profile breaches in services like Change Healthcare, CDK Global, and Blue Yonder exposed sensitive data and created substantial business interruption events across entire industries:
Healthcare providers couldn't process claims, auto dealerships lost access to their systems, and retailers and food services companies found themselves unable to manage inventory. When your critical business functions rely on third-party SaaS providers, their security posture becomes your operational vulnerability.
While compliance frameworks like SOC 2 have recognized third-party risk for years, the real-world impact is growing faster than many organizations' vendor management programs can adapt.
This data should serve as a wake-up call: Today's interconnected business ecosystem requires a much more proactive approach to vendor security assessment, continuous monitoring, and contingency planning. Organizations that fail to evolve beyond "check the box" vendor management will increasingly find themselves dealing with the consequences of their partners' security failures.
Malware Is Fueling Identity-Based Attacks
On page 54 of the report is perhaps one of the most interesting insights of the 2025 DBIR. In a section titled "Infostealers Galore", Verizon discusses one of the most prominent threats to organizations today - infostealer malware.
Infostealers are a type of malware that infects a victim's computer and siphons off all of the passwords and session cookies the victim has saved in their browser, tokens for desktop applications such as Discord, crypto wallet keys, autofill data, and basically any other sensitive or valuable lightweight data on the device. This data is then sent back to the threat actor's infrastructure, where each victim's bundle is sold as an "infostealer log" containing that one victim's data.

As you can imagine, this is a trove of high-value information for threat actors: session cookies that can be replayed to hijack active sessions and take over accounts on major web applications and e-commerce sites (bypassing the password and, because the session is already authenticated, usually MFA as well), crypto wallet keys that let the actor drain funds, and even credit card data from autofill that enables fraud.
However, this malware can also grab corporate emails and passwords for SaaS applications, VPNs, corporate bank accounts, and other critical systems. Verizon estimates that 30% of the tens of millions of logs out there come from devices that are corporate-owned, an absolutely astounding figure.
A discerning observer might ask an obvious question: Does the prevalence of corporate credentials, session cookies, and information available in the stealer log ecosystem enable ransomware groups and other similar threat actors?
Well, Verizon has the answer there, too.
"By examining some of the victims posted to the ransomware extortion sites, we found that 54% of the victims had their domains show up in at least one infostealer log or in marketplace postings, and 40% of those logs contained corporate email addresses." - Verizon Data Breach Report 2025, page 57.
This type of analysis is critical, as threat actors are continuously evolving their tactics, techniques, and procedures in response to improvements in organizational cybersecurity. Oftentimes, threat actors will use whatever is easiest, and active sets of corporate credentials and session cookies floating around in the criminal ether is indeed a pretty easy way to get access to some high-value systems.
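The practical response to the report's 54% figure is to treat stealer logs that mention your domain as an incident and work through them quickly: reset the exposed credentials and, because a replayed cookie does not need the password, revoke the sessions behind any cookie that is still valid. As an added example (not the report's or Rhymetec's code), the Python below triages one constructed log. It assumes the common stealer dump layout of blank-line-separated `URL:/USER:/PASS:` blocks plus a Netscape-format `cookies.txt`, `example.com` as the corporate domain, `slack.com` as an assumed sanctioned SaaS app, and a fixed clock for expiry checks; the secrets in the sample are placeholders.

```python
"""Triage an infostealer log for corporate exposure (added example, not from the DBIR)."""
from urllib.parse import urlsplit

# Assumptions for the example: the corporate mail domain, the SaaS apps the
# company treats as corporate, and the clock used to test cookie expiry.
CORP_DOMAIN = "example.com"
CORP_APPS = {"slack.com"}
NOW_EPOCH = 1735689600  # 2025-01-01T00:00:00Z

# Constructed sample in the layout stealer families commonly dump credentials in
# (URL / USER / PASS blocks, blank-line separated). Secrets are placeholders.
PASSWORDS_TXT = """\
URL: https://accounts.google.com/
USER: alice.personal@gmail.com
PASS: <redacted>

URL: https://vpn.example.com/login
USER: bob@example.com
PASS: <redacted>

URL: https://app.okta-tenant.example/
USER: carol@example.com
PASS: <redacted>
"""

# Constructed cookie jar in Netscape cookies.txt format:
# domain, include-subdomains, path, secure, expiry (epoch, 0 = session), name, value
COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example.com\tTRUE\t/\tTRUE\t1800000000\tsession_id\tREDACTED1
#HttpOnly_.slack.com\tTRUE\t/\tTRUE\t1600000000\td\tREDACTED2
.gmail.com\tTRUE\t/\tTRUE\t1800000000\tSID\tREDACTED3
"""


def _host_is_corporate(host, corp_domain, corp_apps):
    host = host.lower().lstrip(".")
    if host == corp_domain or host.endswith("." + corp_domain):
        return True
    return any(host == app or host.endswith("." + app) for app in corp_apps)


def parse_passwords(text):
    """Return (url, user) pairs from URL/USER/PASS blocks; passwords are never kept."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().upper()] = value.strip()
    if current:
        records.append(current)
    return [(r.get("URL", ""), r.get("USER", "")) for r in records]


def parse_cookies(text):
    """Return (domain, expiry, name) from Netscape-format lines, tolerating the #HttpOnly_ prefix."""
    out = []
    for line in text.splitlines():
        if not line.strip() or (line.startswith("#") and not line.startswith("#HttpOnly_")):
            continue
        fields = line.removeprefix("#HttpOnly_").split("\t")
        if len(fields) != 7:
            continue
        domain, _, _, _, expiry, name, _ = fields
        out.append((domain.lstrip("."), int(expiry), name))
    return out


def triage_stealer_log(passwords_txt, cookies_txt, corp_domain=CORP_DOMAIN,
                       corp_apps=CORP_APPS, now=NOW_EPOCH):
    """Return the actions a SOC should take for the corporate-relevant entries of one log."""
    result = {"reset_password": [], "revoke_sessions": [], "expired_cookies": []}
    for url, user in parse_passwords(passwords_txt):
        host = urlsplit(url).hostname or ""
        corp_account = user.lower().endswith("@" + corp_domain)
        # A corporate e-mail on *any* site is a reset candidate (password reuse
        # risk), as is any account on a corporate host or sanctioned SaaS app.
        if corp_account or _host_is_corporate(host, corp_domain, corp_apps):
            result["reset_password"].append((user, host))
    for domain, expiry, name in parse_cookies(cookies_txt):
        if not _host_is_corporate(domain, corp_domain, corp_apps):
            continue
        # expiry 0 marks a browser-session cookie, which may still be alive server-side
        if expiry == 0 or expiry > now:
            result["revoke_sessions"].append((domain, name))
        else:
            result["expired_cookies"].append((domain, name))
    for key in result:
        result[key].sort()
    return result


if __name__ == "__main__":
    for action, items in triage_stealer_log(PASSWORDS_TXT, COOKIES_TXT).items():
        print(action, items)
```

On the sample, bob's VPN credential and carol's corporate address on a third-party site both get a reset, the unexpired `session_id` cookie for `example.com` gets its sessions revoked, and the expired Slack cookie is recorded but needs no action. Note that a cookie's expiry field only bounds the browser's view; the authoritative check is whether the server still honours the session, so revoke first and confirm in the IdP or application afterwards.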
Ransomware Is On the Rise, Sort Of
Speaking of ransomware, many organizations make the mistake of believing that they are too small for ransomware groups and threat actors to target.
However, this belief couldn't be further from the truth. One of the most interesting and relevant findings from the DBIR was the data around ransomware attacks in 2024. While attacks continue to rise, victim behavior and attacker strategies are evolving in notable ways.
Ransomware incidents jumped dramatically, showing a 37% increase from last year. These attacks now represent 44% of all data breaches analyzed - up from 32% in the previous report. Nobody expected ransomware to go away, but this data shows that even the notable law enforcement takedowns of Lockbit, Black Cat, and other high-profile ransomware groups have at best dented this highly lucrative criminal operation.
However, it's worth digging in a bit on the ransomware piece of the report, because the increase in ransomware as a proportion of all attacks doesn't tell the whole story. The report's section on ransom payments shows a potential silver lining:
Both the frequency and size of ransom payments are decreasing. The median ransom payment dropped to $115,000 in 2024, down from $150,000 in 2023. More significantly, 64% of victims now refuse to pay ransoms altogether - a substantial increase from 50% just two years ago.
While the report doesn't directly make the connection, organizations improving backup and recovery combined with defensive measures may be fueling another trend - the increased targeting of small and midsize businesses by ransomware operators.
Perhaps the most alarming finding is how severely ransomware affects smaller organizations. While ransomware appears in 39% of breaches at large enterprises, it's present at a staggering 88% of breaches at SMBs.

This disparity likely reflects the resource gap in cybersecurity preparedness. Smaller organizations typically have less robust backup solutions, fewer security controls, and limited incident response capabilities, making them both easier targets and more likely to suffer catastrophic impacts.
Concluding Thoughts: The Verizon Data Breach Report 2025
The 2025 Verizon Data Breach Report paints a clear picture of an evolving threat landscape that demands more than just a checkbox approach to security. Compliance frameworks like SOC 2 and ISO 27001 provide a valuable foundation, but going beyond them is essential for organizations to protect themselves from sophisticated ransomware groups and other threat actors.
The data tells a compelling story: Third-party risks have doubled, credential theft via infostealers is directly fueling ransomware attacks, and shadow AI usage presents entirely new vectors for data loss. These threats are often moving faster than regulatory and best practice frameworks can adapt.
At Rhymetec, we recommend that organizations build their compliance foundation with targeted security investments that address these emerging threats:
- Implement continuous monitoring for external threats.
- Develop comprehensive controls for third-party risk management that go beyond questionnaires.
- Establish clear policies and technical controls for AI platform usage.
- Prioritize edge device security given their increased targeting by threat actors.
- Develop security strategies that account for the human element, which remains involved in 60% of breaches.
The most successful organizations will be those that view compliance as the starting point, not the destination, of their security journey and, most importantly, those that stay educated on how the threat landscape is shifting over time.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business. Contact us today to get started.
So, you're considering SOC 2 or ISO 27001 for the first time - and realizing just how much time and expertise it takes to actually get there. That's where Vanta (and Rhymetec!) comes in:
Vanta automates 90% of compliance monitoring through integrations with 300+ systems, real-time control insights, and automated evidence collection—enhancing your visibility into your security posture. Rhymetec handles the hands-on readiness tasks for you. The combination of Vanta with our tailored services delivers a faster, more manageable path to audit success.
Our team of experts at Rhymetec, by leveraging Vanta for you, accelerates every step of your compliance journey from the initial scoping phase to auditor handoff. We've helped over 1,000 organizations efficiently meet their security and compliance goals with this method. Here's how Vanta works in conjunction with our services, and how the platform can benefit you immediately, especially if you are early on in the process of compliance:
Vanta Automates Compliance Workflows
Vanta automates the visibility into tasks required to build a compliance program. One of the main value adds of Vanta is that it will handle the repetitive work for you and give you back your time to focus on what really matters - growing your business. Here's how it works, particularly for organizations early in their compliance journey:
Using Vanta circumvents the need to even get started on tedious manual spreadsheets and checklists. Instead, Vanta enables organizations to jump right in and leverage its capabilities, including system integrations and automated collection of evidence.
For instance, a startup pursuing SOC 2 may need to prove that it restricts employee access to production systems, monitors for security incidents, and keeps its asset inventory up-to-date and in line with SOC 2 requirements. Vanta connects to systems including AWS, GitHub, Google Workspace, and Okta to automatically accomplish the following:
- Display passing controls.
- Simplify policy management.
- Collect the evidence needed for an audit.
It also includes pre-built policy templates for every framework, so teams can work from a baseline and avoid having to write everything from scratch. Leadership is able to track compliance status in real time and improve visibility tied to audit preparation for employees—resulting in efficiency and reduced time to compliance.

Who Uses Vanta And Why
Vanta is primarily used by fast-growing, cloud-native organizations that are seeking to meet relevant security and data privacy requirements in the most efficient way possible. Often, these organizations are trying to avoid dedicating excessive internal resources to manual compliance work. However, we’ve seen companies from all sizes—startup to enterprise—with varying environments—such as multi-cloud and hybrid—utilize Vanta to streamline their compliance efforts.
Some of the main reasons companies opt to use Vanta are to help them:
- Reduce their audit timelines.
- Improve visibility into their security posture.
- Lower the overall cost of compliance.
Vanta connects to the tools you use via API, the cloud infrastructure you're set up in, and your internal systems to give you a complete view of your security and compliance.
This eliminates the need for fragmented spreadsheets and manual checklists, providing leadership more control over compliance progress and unburdening technical teams that are already stretched thin.
Another core value add is that Vanta enables a single source of truth for audit readiness, helping leaders and your sales team demonstrate you're where you need to be in terms of security and compliance to auditors, customers, your partners, and other stakeholders.
What Does Vanta Do? Vanta Supports Continuous Compliance
It's important to know going into your compliance journey that compliance doesn’t stop after one audit.
Frameworks like SOC 2, ISO 27001, and HIPAA require ongoing evidence of control effectiveness, which means you need continuous monitoring rather than only point-in-time documentation.
Vanta is built precisely to support this model. It runs in the background, constantly monitoring your infrastructure and systems for changes that could impact compliance. It will flag any issues in real time, such as expired access, unapproved software, or missing security training. The platform centralizes the evidence you'll need to show controls are operating continuously.
This approach replaces manual check-ins and periodic reviews with continuous visibility. Combined with Rhymetec's guidance and remediation support, clients stay audit-ready year-round without having to rebuild compliance work from scratch each cycle.
Vanta Streamlines The Work of Cybersecurity & Compliance Experts
Vanta automates the visibility into the tasks (while Rhymetec can support the completion of them) that are most likely to slow down compliance teams, allowing the experts to focus on higher-impact and more specific work. Tasks like collecting screenshots, tracking evidence, and managing spreadsheets shift to automated processes within the platform.
For Rhymetec's team, the platform provides a centralized source of truth and allows us to spend more time analyzing results and guiding clients through control implementation. Our team uses Vanta in every step of the compliance automation process on your behalf. By handling repetitive tasks and bringing issues to our attention automatically, Vanta allows us to carry out a more efficient process to compliance readiness for your organization.
How Rhymetec Leverages Vanta To Deliver Compliance - Fast
Rhymetec leverages Vanta as a core part of our compliance delivery model.
Our approach combines all of the benefits of automation with hands-on cybersecurity expertise to shorten the path to audit readiness. Our team configures Vanta for your systems and selected framework. We work hard to eliminate common setup delays and create alignment between compliance goals and actual business operations.
Once deployed, Vanta automatically monitors your cloud infrastructure and systems for compliance-related activities. But automation alone doesn’t get you audit-ready. That’s where Rhymetec comes in. After the initial setup, our team steps in to:
- Interpret and prioritize Vanta’s findings based on your unique business needs
- Remediate flagged issues with hands-on support — not just advice
- Tackle all remaining manual components like policy creation, access reviews, evidence collection, and control implementation
The combination of automated and manual work keeps the momentum going and gets clients through readiness assessments and audits on a much faster timeframe. By managing both Vanta and the 'hands-on' components of compliance readiness work on your behalf, we’re able to accelerate every phase of the compliance process.

Why Pairing Vanta and Rhymetec Delivers Better Outcomes
Most frameworks require an array of expert judgment, manual implementation of certain controls, and a level of preparation that automation can't complete 100% of on its own.
Rhymetec fills that gap by managing the manual work and aligning Vanta specifically to your environment. We interpret control requirements, resolve flagged issues, write custom policies, manage communication with auditors on your behalf, and more.
By using Vanta for compliance automation - and Rhymetec filling in the gaps for you when needed - clients move faster and meet their compliance goals with less internal burden. Together, we consistently generate strong audit readiness and stronger security programs.
Accessing Vanta Through Rhymetec
Rhymetec is proud to offer Vanta (in conjunction with our Vanta compliance services) directly to clients who haven't yet selected a compliance automation platform.
Particularly in the case of clients early in their compliance journey, this vastly simplifies the buying process by providing both the technology and the services needed to meet requirements in one engagement. We give clients access to a world-class platform without requiring them to manage separate vendor relationships or navigate pricing and setup alone.
Our team at Rhymetec handles everything from the initial deployment and setup in Vanta to ongoing administration of the platform on your behalf. This allows you to adopt automation earlier, which will accelerate your compliance timelines and help you avoid missteps that a self-directed rollout could entail. Contact our team to learn more:
Deepak Chopra once said, "All great changes are preceded by chaos." This has never been more accurate than when it’s applied to the current AI and cybersecurity environments—and the regulations that govern them.
New frameworks like the Digital Operational Resilience Act (DORA), the EU AI Act, the Network and Information Systems Directive 2 (NIS2) and the Cybersecurity Maturity Model Certification (CMMC) are reshaping how businesses handle security, risk and compliance. These regulations aren't just about ticking boxes—they carry major financial penalties and demand real operational changes.
For companies in financial services, AI development, critical infrastructure or defense, staying ahead of the changes is vital to avoid penalties, protect data and maintain trust. Let's look at what each entails.
DORA: Protecting Financial Institutions From Cyber Disruptions
Financial institutions face constant cyber threats and operational risks. DORA aims to empower financial organizations to weather system disruptions and continue operating smoothly.
DORA requires penetration testing, vulnerability assessments and disaster recovery planning. It focuses on business continuity to ensure that if a system fails, a plan is in place to keep operations running. Banks, insurance companies and investment firms must validate security controls through rigorous testing.
This regulation is a wake-up call for financial institutions to take cybersecurity resilience seriously. The penalties for non-compliance are severe, making it crucial for businesses to invest in robust security testing and operational risk management.
The EU AI Act: Setting The Global Standard For AI Compliance
AI development currently operates in a regulatory gray area, but the EU AI Act is changing that. One of the first laws to set clear boundaries on AI usage, it focuses on ethical risks, security concerns and prohibited applications.
The most important takeaway is the significant financial penalties for non-compliance: These can be up to 7% of a company's global annual revenue or 35 million euros, whichever is higher. That's more than GDPR, which has already forced businesses worldwide to rethink their approach to data privacy.
This law explicitly bans certain AI applications, particularly those that exploit vulnerabilities. The ban includes AI-powered cyberattacks, social manipulation and unethical facial recognition practices. Article 5 of the act outlines prohibited AI uses, such as systems that exploit people's age, disabilities or socioeconomic circumstances.
This isn't simply a privacy factor; its purpose is to prevent AI from being weaponized.
A common misconception is that this law only affects European companies. That's not the case. Any company developing, deploying or processing AI systems in the EU—or serving EU customers—must comply. For example, if a U.S. company hosts its platform in an EU data center or processes European customer data, this regulation applies.
The EU AI Act is setting the stage for global AI governance. Similar regulations are expected to emerge worldwide, making it smart for businesses to adapt now rather than scrambling to comply later.
NIS2: Strengthening Cybersecurity For Critical Infrastructure
Also in the EU, the NIS2 Directive expands cybersecurity requirements for critical industries like energy, healthcare, transportation and digital services. It builds on the original NIS Directive but goes much further, applying to more organizations, increasing security expectations and enforcing stricter penalties.
The enhanced reporting requirements are one of the biggest challenges. Companies must notify regulators of cyber incidents within 24 hours, provide a complete assessment within 72 hours and demonstrate they are actively managing security risks.
The directive also emphasizes stronger supply chain security, holding companies responsible for ensuring their vendors meet cybersecurity standards. This means businesses can't just secure their own systems—they must also vet suppliers and partners to prevent weak links in the supply chain.
Beyond reporting and supply chain oversight, NIS2 enforces stricter governance requirements. Organizations must appoint security officers, conduct regular risk assessments and develop robust cybersecurity policies. Those that fail to comply face heavy financial penalties and increased regulatory scrutiny.
Compliance isn't optional for companies operating in or serving the EU market. NIS2 is setting a new cybersecurity standard, and businesses that don't act risk fines, operational disruptions and reputational damage.
CMMC: Raising the Bar For U.S. Defense Contractors
The CMMC is a requirement for companies working with the U.S. Department of Defense (DoD). It builds on cybersecurity frameworks like NIST 800-171, ensuring that defense contractors follow strict security protocols to protect sensitive government data.
Recent changes to CMMC include a new self-assessment option for Level 1 compliance, making it easier for smaller contractors to meet requirements without hiring third-party auditors. However, higher certification levels still require independent verification, adding layers of accountability.
With the new compliance requirements going into effect in mid-2025, businesses need to act now. The DoD has made it clear that CMMC certification will be mandatory for contracts, and companies that don't comply risk losing business.
Evolving Security Frameworks: A Smarter Approach To Compliance
For organizations handling sensitive data in healthcare, finance and other regulated industries, new security frameworks present a way to prove compliance with strict privacy and cybersecurity standards. In the past, certification required a lengthy, one-size-fits-all assessment, but newer models offer more flexible options with fewer controls, reducing complexity while maintaining security.
Many businesses don't realize that certification levels vary, and choosing a lower-tier option may not meet regulatory or customer expectations. This is especially important for HIPAA compliance, where recognized certifications can demonstrate that companies meet security standards. As cybersecurity laws evolve, understanding these frameworks ensures that businesses stay compliant, competitive and prepared for future regulations.
Laws like DORA, the EU AI Act and NIS2 are designed to keep technology from becoming a threat. AI development currently lacks clear rules—without oversight, it can be used in dangerous ways. These regulations force businesses to prioritize security and ethics upfront, preventing bigger problems down the road.
To stay ahead, organizations must:
- Identify relevant regulations and update security policies.
- Invest in risk assessments, penetration testing and employee training.
- Stay informed—more regulations are coming.
Compliance isn't just about avoiding penalties but about building a safer, more resilient digital future. Companies that act now will lead, while those that wait will fall behind.
You can read the original article posted in Forbes by Rhymetec CISO, Metin Kortak.