Addons Overview

In addition to standard customizations, Praxis has experienced staff to augment a GaaS engagement with governance compliance add-ons and industry specific activities. Ask us how we can expand our relationship to meet your needs.

Our add-ons include:


Federal Trade Commission (FTC) Safeguard Rule - GLBA

The Gramm-Leach-Bliley Act is a U.S. federal law mandating financial institutions to implement safeguards ensuring the privacy and security of consumer financial information. Applies to “financial institutions,” but what is considered a “financial institution” which includes businesses that are “significantly engaged” in providing financial products or services, including (no matter the size):

  • Check-cashing businesses
  • Payday lenders
  • Payday lenders
  • Non-bank lenders
  • Personal property or real estate appraisers
  • Professional tax preparers such as CPA firms
  • Courier services

CJIS Security Policy

Criminal Justice Information Services is a set of security standards ensuring the proper handling and protection of criminal justice information within the United States. The Security Policy applies to anyone interacting with biometric, identity history, biographic, property, and/or case/incident data, regardless of what system they use to do so or how they are associated with the agency that owns it. That means law enforcement representatives, lawyers, contractors, and private entities, for example, are all subject to the rules laid out in the CJIS Security Policy.



The New York Department of Financial Services regulations imposes cybersecurity requirements on New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York to assess their cybersecurity risk.

SEC Cybersecurity Rules apply to public companies.

  • Disclosure of material cybersecurity incidents
  • Annual disclosure of cybersecurity risk management, strategy, and governance.


PCI DSS Payment Card Industry Data Security Standard for safeguarding payment card data with 12 security standards. It applies to businesses that process credit card data and is enforced by the merchant or payment service provider. Businesses fall into 4 levels depending on transaction volume and are required to fill out Self assessments (SAQ) depending on their credit card intake process.


The Family Educational Rights and Privacy Act is a federal law that applies to any public or private elementary, secondary, or post-secondary school. It also applies to any state or local education agency that receives funds from the department of education. It is a s a federal law that allows parents of K–12 students the right to access their children’s education records, seek to have the records amended and have some control over the disclosure of personally identifiable information from education records.


SOC 1:

Service Organization Control 1 (SSAE 18) is an auditing standard that focuses on a service provider’s processes and controls that could impact their client’s internal control over their financial reporting (ICFR) and includes data security best practices for security and confidentiality.

SOC 2:

Service Organization Control 2 is a that focuses on controls at a service provider relevant to the security, availability, processing integrity, confidentiality, and privacy of a system. It ensures that data is kept private and secure while in storage and in transit and that it is available for you to access at any time.

Additional State Privacy Laws

For organizations with multiple locations or operating in multiple jurisdictions, add more state-specific privacy laws data protection and breach notification compliance.

  • CCPA - California
  • CPA - Colorado
  • CDPA - Connecticut
  • UCPA - Utah
  • VCPA -Virginia
Server rack cluster in a data center (shallow DOF; color toned i


The General Data Protection Regulation is a European Union regulation designed to protect the privacy and personal data of individuals, establishing guidelines for the lawful processing of such data by organizations.



NIST 800-53 Low-High

National Institute of Standards and Technology Special Publication 800-53, a framework providing security controls for federal information systems, categorized from low to high impact levels.


Federal Risk and Authorization Management Program, a U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services.


DFARS Interim Rule (DFARS Case 2019-D041)

National Institute of Standards and Technology Special Publication 800-53, a framework providing security controls for federal information systems, categorized from low to high impact levels.

  • NIST 800-171: National Institute of Standards and Technology Special Publication 800-171, a set of security requirements for protecting controlled unclassified information (CUI) in non-federal systems.
  • Calculating SPRS Score
  • Plan of action and Milestone
  • System Security Plan (SSP)


Cybersecurity Maturity Model Certification, a framework for assessing and enhancing the cybersecurity posture of contractors in the U.S. defense industrial base. Applies to the Department of Defense supply chain.