Your QSA may not be telling you the whole story.

No, I’m not talking about sloppy assessment work. What I’m referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors requires that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement!

In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their contracts! This means that the QSA has a choice: either breach the agreement they have with the Council, which would quickly get them delisted as a QSA, or breach YOUR contract and send the information along without your consent!

I am surprised that QSAs are doing this, and I wonder what their intentions are. If nothing else, if you get a contract without that clause in it, what does that say about the quality of the assessment you will receive?