What is CARA?
KnowBe4's Compliance Audit Readiness Assessment (CARA) is a free self-assessment tool that can help you determine whether your organization is prepared to meet audit requirements. When you sign up for CARA, you can select the Cybersecurity Maturity Model Certification (CMMC) framework, the Statement on Standards for Attestation Engagements no. 18 Trust Services Criteria (SSAE 18 TSC) framework, or the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
CARA only takes about five minutes to complete. After you complete the assessment, KnowBe4 will send you an email that summarizes your results and contains a PDF report. The PDF report will include guidance that can help you define the controls that your organization will need to implement before an audit.
To get started with CARA, navigate to the CARA webpage. Then, click the Start Assessment button under the framework that you would like to use to assess your organization. To learn more about the frameworks you can select, see the Selecting a Framework section below. Then, in the page that opens, fill out the form to sign up for the assessment.
After you fill out the form, KnowBe4 will send you an email that contains a link to the assessment. We recommend that you save this email in case you would like to complete or retake the CARA assessment in the future.
Selecting a Framework
When you sign up for CARA, you can select a framework that your organization would like to assess the requirements for.
To learn about the frameworks that you can select, see the subsections below.
The Cybersecurity Maturity Model Certification (CMMC) framework is a standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 organizations that are in the Department of Defense (DoD) supply chain. If your organization is currently contracted or subcontracted with the DoD, you will be required to obtain at least one level of the CMMC. You can use the CMMC framework to verify that your federal contractors have implemented the correct cybersecurity practices and processes.
CMMC has five certification levels that assess your organization’s cybersecurity maturity and preparedness. Each level is built from the last, so your organization must be compliant with Level 1 before you can comply with Level 2. CARA includes requirements from CMMC Level 1 so you can work on establishing a foundation for the higher CMMC levels.
To learn more about the CMMC, see the U.S. Department of Defense's CMMC website.
SSAE 18 TSC Framework
The Statement on Standards for Attestation Engagements no. 18 Trust Services Criteria (SSAE 18 TSC) framework was created by the American Institute of Certified Public Accountants (AICPA) for service organizations. You can use this framework as a standard to assess the quality of financial reporting and system security that your organization provides, including the accuracy, completeness, and fairness of these processes.
Often, organizations use this framework to obtain a System and Organization Controls 2 (SOC 2) certification. The SOC 2 certification applies to most organizations that provide software as a service (SaaS) and all organizations that store customer data on the cloud. SOC 2 reports on your organization’s controls that involve the security, availability, processing integrity, confidentiality, and privacy of data storage.
To learn more about SSAE 18, see the SSAE website.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was created by the National Institute of Security and Technology. The NIST CSF integrates industry standards and best practices to help your organization build its cybersecurity plan. If your organization already has a cybersecurity plan, you can use the framework to assess and improve your cybersecurity plan.
The NST CSF framework can help your organization understand how to perform the actions listed below:
- Identify cybersecurity risks.
- Detect cybersecurity risks.
- Protect against cybersecurity risks.
- Respond to cybersecurity incidents.
- Recover from cybersecurity incidents.
For CARA, we have selected specific requirements from the NIST CSF to help you assess your organization’s current cybersecurity plan.
To learn more about NIST CSF, see the NIST website.
Completing the CARA Assessment
After you sign up for CARA on our website, you can begin your assessment.
To complete the CARA assessment, follow the steps below:
- Check your inbox for an email from KnowBe4. The email's subject line will be Your KnowBe4 Compliance Audit Readiness Assessment (CARA).
- In the email, click the assessment link. When you click this link, you'll be taken to the CARA welcome page.
- At the bottom of the page, click the Get Started button to start the assessment.
- For each requirement, read the requirement's Name and Description.
- In the Self-Assessment Response column, select the response that best represents your organization's current status for meeting the requirement. You can select Met, Partially Met, Not Met, or N/A.
Note: As you select a response for each requirement, the Requirements Breakdown progress bar will update to show your self-assessment response percentages.
- After you select a response for each requirement, click the Complete and Get Results button at the bottom of the page.
Note: Until you select a response for all requirements in the assessment, this button will not display. Instead, a Save for Later button will display. If you would like to gather additional information before you complete the assessment, you can click the Save for Later button. When you're ready to return to your assessment, you can click the link in the email that you received after you signed up for the assessment.
Analyzing Your Results
After you click the Complete and Get Results button, the webpage will display your customized report. KnowBe4 will also send you an email where you can view and download a PDF version of your customized report.
To learn about the pages of your report, see the list below:
- The first page of your report will display a summary of your responses. On this page, you can view the number of requirements you labeled as Met, Partially Met, and Not Met.
- The second page of your report will display the steps that we recommend you take next. On this page, you can also click the Request Your Demo Today to Learn More! link if you would like to see a demo of our KCM GRC platform.
- The remaining pages in your report will display additional information about any requirements that you selected Partially Met or Not Met for. Each of these requirements will have a page in the report. On these pages, you can view the requirement, a clarification from the framework, and additional self-assessment questions. For more information about these sections, see the list below:
- Requirement: This section contains the requirement that you responded to when you completed the assessment.
- Clarification: This section explains the requirement so that you can understand what is required of your organization.
- Additional Self-assessment Questions: These questions can help you define the controls that your organization will need to implement before an audit. To qualify for the CMMC or SOC 2, your organization should be able to say “Yes” to these questions.
KnowBe4's KCM GRC platform can help you manage the controls that your organization will need to implement to meet requirements. You can use KCM GRC to store your organization's requirements and controls, automate task reminders to satisfy your controls, and store necessary evidence for your auditors.
Frequently Asked Questions
Question: What happens to the responses that I enter into the assessment?
Answer: Your responses will be stored at the CARA link in the email that you received in your inbox. After you complete your assessment, you can delete your responses from the results page. To delete your responses, click the Delete My Information button in the top-right corner of the page. If you delete your responses, you can still download your PDF report from the email that you received after you completed your assessment.
Question: Can I retake the assessment?
Answer: Yes. In the email you received when you signed up for the assessment, click the CARA welcome page link. Then, click the Get Started button to retake your assessment (click to view).
If you did not delete your responses after you took the assessment, your previous self-assessment responses will be shown. You can update your responses. Then, when you click the Complete and Get Results button, you will receive a new customized report.
Question: I completed the assessment, but I didn't receive an email containing my PDF report. Where can I find this email?
Answer: Check your Spam and Junk folders. The email's subject line will be Compliance Audit Readiness Assessment Report.
If you can't find your email in either of these folders, contact our support team.