Regulations

Is Coro on the New York State Office of General Services (NYS OGS) approved list?

No, Coro is not on the New York State Office of General Services (NYS OGS) approved list.

Is Coro FERPA (Family Educational Rights and Privacy Act) compliant?

FERPA is a regulation that schools are required to comply with, not Coro. FERPA governs how schools handle personal information, including obtaining parental consent.

For more information, see FERPA.

Does the Coro platform meet Criminal Justice Information Services (CJIS) requirements?

The Coro platform supports the following technical safeguards required by CJIS:

  • Business email compromise (BEC).
  • Email account takeover.
  • Data governance monitoring and notifications on outgoing/incoming email.
  • Anti-virus (AV).
  • Advanced Threat Protection (ATP) (Next-Generation Antivirus (NGAV)).
  • Device security posture.
  • Data recovery.
  • Data Distribution Governance (DDM) and Role management.
  • Security and business-specific data monitoring.
  • Personally Identifiable Information (PII) monitoring.

For more information, see CJIS.

Is Coro CMMC compliant?

Unlike CMMC certification, CMMC compliance is not a well-defined concept. Companies that want to do business with the Department of Defense (DoD) must obtain CMMC certification from an accredited third-party organization, which verifies that the necessary security controls and practices are implemented. Coro Cybersecurity currently does not provide direct services to the DoD, and thus CMMC certification is not required. At the same time, as a company, Coro meets the requirements of the CMMC standard, specifically the NIST SP 800-171 framework. Furthermore, Coro's data security and privacy service, in conjunction with its Coro Privatise offering, meets the vast majority of relevant CMMC certification requirements.

For more information, see Regulations and compliance.

Is Coro NIST compliant?

NIST has numerous frameworks, including:

  • NIST Cybersecurity Framework (CSF).
  • NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.
  • NIST Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.
  • NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems.
  • NIST Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems.
  • NIST Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations.
  • NIST Special Publication 800-57: Recommendation for Key Management: Part 1 – General (Rev. 4).
  • NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • NIST Special Publication 800-171A: Assessing Security Requirements for Controlled Unclassified Information.

Coro assists its customers in complying fully with some of these frameworks and partially with others, while some NIST frameworks focus on aspects of organizational operations that Coro does not address.

For more information, see Regulations and compliance.

Does Coro form part of any GPO, specifically COSTARS, PEPPM, Sourcewell, or OMNIA Partners?

No, Coro does not form part of any GPO, but it can be distributed by any GPO of the customer's choice.

Is Coro SEC (Securities and Exchange Commission) compliant?

SEC follows the main framework for any government organization. In terms of data loss prevention, access rights, and controls, Coro covers the majority of their requirements.

In what countries/regions can my Coro data be stored?

Coro stores data in the US only. It is important to note that Coro does not store any customer organizational data other than basic identifiers for users and devices. Coro does not store any of the customers' files, emails, or other similar data. The only data stored in Coro as a result of monitoring customers' organizational activities is data on threats and suspicious patterns discovered during Coro protection monitoring.

How can I obtain an Authorization to Operate (ATO) if I want to use Coro on an inter-agency body's network, for example, the Department of Defense (DoD)?

An ATO is permission to operate on the DoD's network. To receive it, you must undergo a security assessment such as the DoD Information Assurance Certification and Accreditation Process (DIACAP) or the Risk Management Framework (RMF). The overall network security is assessed to ensure that the DoD's information systems are secure and can operate effectively in a secure environment.

If my organization has a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy in place, how do Coro's settings fit into this workflow?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication method that protects against fraudulent emails. Email servers (M365/GW/etc.) are responsible for examining incoming messages for DMARC. This process unfortunately produces a high number of false positives. Coro has introduced conservative DMARC and Sender Policy Framework (SPF) analysis to mitigate this.

Does Coro provide support for organizations that need to comply with the Children's Internet Protection Act (CIPA)?

Yes, organizations with the SASE suite enabled can effectively block and govern internet access, enabling them to meet CIPA requirements at a high level.