Validation Process Overview
For Validated assessments, third parties need to provide evidence to support their answers, and a CyberGRX analyst will need to evaluate and validate this evidence. Validation turnaround is dependent on how quickly the CyberGRX Analyst receives the evidence.
(If the third party is completing a standard Tier 2 assessment, evidence is not required and therefore there is no evidence validation.)
The validation process for Validated assessments involves the following steps:
- Evidence Request: The controls requiring evidence for validation are found in the Validation Tab of the CyberGRX Dashboard.
- Initial Evidence Collection: This vital part of the process is often the most time-consuming for third parties who will need to gather the necessary documentation internally (see policy below). In order to begin the validation process, the questionnaire must first be completed and submitted with evidence uploaded in the CyberGRX Exchange.
- Initial Evidence Evaluation: The documentation provided by the third party is reviewed by an analyst at CyberGRX.
- Follow-Up Evidence Collection: If the CyberGRX analyst was unable to validate specific controls, we offer the third party a secondary evidence review in which they can provide additional documentation (see policy below). This is optional but encouraged.
- Follow-Up Evidence Evaluation: The CyberGRX Analyst reviews the additional documentation provided by the third party.
- Report Release: Validation is concluded and the findings are generated into a report. The findings, coupled with the questionnaire responses, are what comprise the final report that is issued to the customer.
Maximum Validation Timeline Policy (12/01/2022)
BACKGROUND: When customers request assessments from their third parties, it’s important to deliver that data in a reasonable amount of time - even when the assessment requires the extra step of validation. However, even though third parties can collect/submit evidence as they move through the questionnaire itself, we still find that many assessments become stalled at this step. (To note, customers can still preview a third party’s attested data as soon as the third party submits their questionnaire - in other words, the evidence collection process does not block that data from being released.) Previously, we gave third parties 120 DAYS to complete this step.
POLICY CHANGE: Starting January 9, 2023, third parties will only have 60 days to collect and submit their initial round of evidence for any validated assessment. After 60 DAYS, CyberGRX will automatically downgrade the request to a non-validated assessment request and release the data to the customer in full, pending third party authorization.
For third parties that DO complete the first round of evidence collection and validation, we also offer a follow-up round where we allow third parties a second and final opportunity to provide evidence to validate the requested controls. Unfortunately, this is another area where validated assessments get stalled. Similarly here, assessments that have completed the initial round of evidence collection within 60 days but do not complete the follow-up evidence collection process within an additional 60 days will be automatically released to the customer with the controls we were able to validate in the initial round. Please note that assessments are only eligible for evidence review every 12 months.
Rationale for Policy Change: Mitigate delays during the evidence collection phase and expedite customer access to their third parties’ data.