With organizations always working to improve their enterprise's cybersecurity posture, the information captured in CyberGRX reports, regardless of tier, is at risk of falling behind in relevance over time. This introduces the potential for a Third Party's CyberGRX report to be outdated. To address this, CyberGRX initiates opportunities for Third Parties to refresh the data in their CyberGRX assessments. These updates are referred to as a "refresh".
On a regular cadence, CyberGRX reaches out to Third Parties asking them to refresh their data. For non-validated assessments, this cadence is 11 months after they attest their questionnaire. For validated assessments, the cadence is 11 months after they complete validation.
- Opening your assessment for updates before 11 months may affect the timing of the next refresh.
- Several factors come into play, such as the age of the validation, the questionnaire content version, and the time until the next scheduled refresh. Typically, the closer to the refresh date the questionnaire is opened, the more likely it is for the refresh date to be postponed or advanced.
- A CyberGRX customer may request to advance the refresh date from 11 months up to as soon as 9 months.
- Postponing your refresh is possible but not advised, and will involve notifying your authorized customers.
On the date the refresh is scheduled to begin, we will reach out to the Account Administrator for the Third Party who has logged in most recently with information about the process and refresh completion timeline.
The refresh questionnaire will be mostly pre-populated with the responses from the previous assessment. Review the previous responses, make updates where applicable, and complete any new content.
- New content can be located by following this guide: How to Locate New and Unanswered Questions
Once you have finished working on the questionnaire, please submit it via the Submit button in the "Review and Submit" section.
Validated assessments (Tier 1 and Tier 2 Validated) are fully re-validated during refresh. A maximum of 60 controls will be selected for validation, possibly including controls that CyberGRX validated previously.
- Full annual validations are the industry standard, which is why there may be overlap with controls being re-validated.
- Please note that past validation results will be unavailable while a CyberGRX Third Party is undergoing refresh validation.
For detailed information about the timeline, process, and recommended evidence for validation, please view our CyberGRX Evidence Validation Guide.
For non-validated assessments, once the Third Party submits their refresh questionnaire, the next refresh will be scheduled for 11 months after that date. For validated assessments, the Third Party must first complete validation, and once the assessor attests, the next refresh will be scheduled for 11 months after that date.
Due to confidentiality, Customers are not CC'd on core refresh communications between CyberGRX and the Third Party.
Often, one or more Customers will have requested that the Third Party complete the refresh. In our communications, CyberGRX will designate which Customers are specifically requesting that the refresh be completed, and which Customers will also receive the updated report but are not specifically requesting the refresh.
Customers may be contacted about refreshes in select situations. These communications are sent as private emails with the Customer to maintain confidentiality.
Customers may be contacted about refreshes if:
- The Third Party is unresponsive to CyberGRX's outreach regarding the refresh.
- The Third Party requests to postpone the scheduled refresh.
- The Third Party has declined to complete the refresh or is questioning why the refresh needs to be completed.
- The Third Party's progress on the refresh has stalled.