Compliance Hub

Your Security Rating Is Your Compliance Foundation

Modern compliance frameworks increasingly rely on objective, verifiable security data — and your A–F security rating is becoming the most credible proof point available. Here's how ratings align with the frameworks that matter most.

SOC 2 Type II

Security ratings directly support SOC 2 criteria related to security, availability, and confidentiality controls.

How Ratings Support SOC 2

Continuous evidence of external security controls — not just point-in-time assessments
Independent, third-party verification of your security posture (CC6, CC7 controls)
Supports vendor risk assessments for subservice organizations (Trust Services Criteria)
Provides the "readily available evidence" that auditors increasingly request

Recommended Grade: B or Better

Most SOC 2 auditors now expect B+ or above to consider external security controls mature. An F or D rating often triggers additional audit testing or a qualified opinion.


HIPAA Security Rule

A poor security rating can flag the same technical safeguard deficiencies that OCR auditors look for during investigations.

Security Rating Factors That Map to HIPAA

DMARC/SPF/DKIM: prevents ePHI breach via email spoofing (Addressable under §164.312(d))
SSL/TLS configuration: encrypts PHI in transit (Required under §164.312(a)(2)(ii))
Dark web monitoring: detects compromised credentials containing PHI before exploitation

OCR Is Watching Your Rating

OCR investigators have used security ratings as a risk-routing signal. A D or F rating flagged during a vendor assessment can trigger an OCR investigation even if no breach has occurred. Our healthcare-specific reports map findings to HIPAA technical safeguards.


PCI-DSS v4.0

External security ratings complement PCI-DSS QSA assessments by providing continuous visibility between formal audits.

How Ratings Support PCI-DSS

Addresses Requirement 12.10 (security incident response plan — demonstrates current posture)
Supports Requirement 6.3.3 (external vulnerability scanning — independent verification)
Evidence of TLS and certificate management for cardholder data environments (Requirement 4.2)

PCI + Cyber Insurance Discount

Many cyber insurers now require PCI-DSS compliance as a prerequisite. An improved security rating (B+) combined with PCI compliance can qualify you for a 15–25% cyber insurance premium discount.

NIST Cybersecurity Framework 2.0

Our scoring methodology maps directly to NIST CSF 2.0's six core functions: Govern, Identify, Protect, Detect, Respond, Recover.

How Our Rating Categories Map to NIST CSF 2.0 Functions

Email Security → Protect (PR.AA): identity management, access control
Vulnerability Mgmt → Detect (DE.CM): continuous monitoring, adversarial simulation
Dark Web → Identify (ID.AM): asset management, risk assessment
Network Security → Protect (PR.PS): platform technology, supply chain security
SSL/TLS Config → Protect (PR.DS): data-at-rest and in-transit protection
DNS Health → Govern (GV.OV): oversight, accountability, risk management

ISO 27001:2022

Security ratings provide objective evidence of control effectiveness for ISO 27001 certification and surveillance audits.

Rating Controls Mapped to ISO 27001:2022 Annex A

A.8.24 — Use of cryptography (TLS, certificate management)
A.8.5 — Secure authentication (MFA coverage from dark web data)
A.8.16 — Intrusion monitoring (external vulnerability visibility)
A.5.23 — Information security for cloud services

CMMC 2.0 (Level 2)

External ratings directly support NIST SP 800-171 controls required for DoD contractor CMMC Level 2 certification.

How Ratings Support CMMC Level 2

Supports AC.1.001, AC.1.002 (limiting information system access)
Addresses IA.1.076 (user identification and authentication)
Supports SC.3.189 (boundary protection, external web protection)
Maps to RA.2.137 (vulnerability scanning and remediation)

DoD Is Checking Your Rating

Starting January 2026, the DoD requires CMMC Level 2 for contracts above the micro-purchase threshold. DCSA uses external ratings to assess contractor compliance. A failing grade can block contract award.
