
SCF Third-Party Assessment Organizations (3PAOs)

Within the SCF Conformity Assessment Program (SCF CAP), the role of the Third-Party Assessment Organization (3PAO) is to:

  • Hire and train its personnel that are:
    • Technically competent; and
    • Capable of performing quality 3PAAC services;
  • Manage the assignment of SCF Assessor roles:
    • Formally documented roles & responsibilities; and
    • Designating assigned personnel as a SCF Assessor within the SCF Connect tool;
  • Operate an internal process management system to align with the following:
    • ISO 9001:2015 - Quality management systems — Requirements; and/or
    • ISO/IEC 17020:2012 - Conformity assessment — Requirements for the operation of various types of bodies performing inspection;
  • Market its 3PAO services to OSC; and
  • Develop and implement contract management practices for engaging in 3PAAC services with OSC.

SCF 3PAO Listings

The following organizations have asked to be listed as a SCF 3PAO. It is your organization's obligation to perform due diligence activities to ensure any organization you choose to work with has the appropriate competence to adequately support your specific needs:

SecurityWaypoint
Website: https://securitywaypoint.com
Email: support@securitywaypoint.com
Service Description: Extensive experience implementing and tailoring the Secure Controls Framework (SCF). We know what right looks like. SecurityWaypoint is honored to be the first SCF Third-Party Assessment Organization (3PAO) and has a long track record of successfully tailoring and operationalizing the SCF. We have a specialty within the healthcare and technology automation sectors, but we can work with any industry or size of organization.

We have extensive experience implementing and tailoring the SCF, including corresponding "premium content" with ComplianceForge's SCF-based Digital Security Program (DSP) and Cybersecurity Standardized Operating Procedures (CSOP) documentation that augments and operationalizes the SCF. SecurityWaypoint offers the following services:
  • SCF consulting.
  • SCF Assessment services (3PAO).
  • NIST 800-171 / CMMC Gap Assessments utilizing the SCF.
  • Cybersecurity business planning services (CISO-level business plan).
  • Risk assessments.
  • System Security Plan (SSP) & Plan of Action & Milestones (POA&M) development.

Cybersec Investments
Website: https://cybersecinvestments.com
Email: info@cybersecinvestments.com
Service Description: Cybersec Investments is the only organization that is both a SCF Third-Party Assessment Organization (3PAO) and an Authorized CMMC Third-Party Assessment Organization (C3PAO). Cybersec Investments is a Service-Disabled Veteran-Owned Small Business (SDVOSB) with over a decade of cybersecurity experience spanning private industry and the Department of Defense (DoD).

Cybersec Investments' specialties include:
  • Cybersecurity “best practices” consulting
  • Cybersecurity control gap assessments
  • Performing SCF 3PAO assessments
  • Professional services associated with helping organizations implement the SCF
  • Tailoring ComplianceForge’s SCF-based Digital Security Program (DSP) and Cybersecurity Standardized Operating Procedures (CSOP)

Vigilant Systems
Website: https://vigilant.us/scf-trusted
Email: contact@vigilant.us
Service Description: Vigilant is one of the first organizations to earn status as a SCF Third-Party Assessment Organization (3PAO). Vigilant can provide 3PAO services to Organizations Seeking Certification (OSC), regardless of the OSC’s size, industry, or geographic location(s). Vigilant has extensive experience leveraging the SCF as a risk & controls foundation.
At its core, Vigilant is a consulting firm that does the heavy lifting to implement and manage effective cybersecurity and privacy governance programs. Vigilant is a Veteran-owned business with over 15 years of international experience implementing and managing cybersecurity risk controls. Vigilant’s client base includes complex multi-national corporations to start-ups with basic, immature governance programs.

Vigilant's services include the following:
  • Business & Regulatory Compliance – we do the heavy lifting!
  • SCF 3PAO Assessments – risks & controls
  • Inside-out Cybersecurity (IoC) - SCF controls implementation
  • ISO 27001:2013/2022 ISMS Internal Audits
  • SOC 2 Type 1 Audits
  • Compliance as a Service – Virtual Compliance Officer
  • Merger & Acquisition Support