All Articles

Roughly 60% of data breaches still trace back to a person rather than a system, according to Verizon’s 2025 Data Breach Investigations Report. Earlier editions of the same report put the figure as high as 74%. That single statistic is why every framework Drata supports — from SOC 2 to HIPAA — treats Drata security awareness training as a required control rather than a nice-to-have. Drata gives you three ways to run that training: automatic tracking across your personnel and recurring resets that keep evidence current for auditors. This guide covers how each piece works, how to configure it, and the quiet mistakes that break compliance. What Is Security Awareness Training in Drata? Security awareness training in Drata is the annual cybersecurity education your workforce completes to satisfy personnel-related controls across frameworks. The control language is consistent across audits: security awareness training is provided to all employees on an annual basis. Drata’s job is to deliver or track that training, then hold the completion evidence in one place so you can show an auditor that every current employee and contractor met the requirement for the current cycle. The discipline itself is well established. The broad concept of security awareness maps to the Protect function (PR.AT) of the NIST Cybersecurity Framework, which treats workforce education as a foundational layer of organizational defense. Inside Drata, training settings live on the Internal Security page, and completion surfaces on the Personnel page and in each person’s My Drata onboarding. Training Methods Available in Drata Drata supports three approaches, and you choose one on the Internal Security page. They differ mainly in who delivers the content and who supplies the completion evidence. Drata Embedded Security Awareness Training (Default) Drata built its own training course that personnel complete directly inside the platform. During onboarding, the employee opens the Complete Security Awareness Training task, clicks Begin Training, and works through the module. On completion, the task flips to completed automatically, and the Personnel page reflects it. No file uploads, no chasing screenshots. This is the simplest route to compliance and the default for most accounts. Connected Training Provider If you already run a training platform, you can connect it so completion data flows into Drata automatically. Drata integrates with providers including KnowBe4, Huntress, and Curricula. Once connected, Drata recognizes that provider as your default training source and pulls completion status for the campaigns you select. For each person, Drata combines campaign selection, enrollment, and completion status to decide whether they are compliant. Insider Note: Drata only syncs training for individuals who are not yet compliant. Once someone is marked compliant, Drata stops pulling their status from the connected provider, so a later change in that tool won’t accidentally overwrite a green check. The practical consequence: if you need to re-run someone, reset them in Drata first, then let the sync pick them back up. External Training (Evidence Upload) The third option covers training done entirely outside Drata. Here, evidence is uploaded manually — either by the employee through My Drata, or by an admin on their behalf, depending on configuration. Compliance is determined by the presence of valid evidence — a certificate, screenshot, or other file — for each current person. How to Configure Security Awareness Training in Drata Where to Find Security Awareness Training Settings All training configuration lives in one place. Select your account from the bottom-left navigation, open Settings, then Internal Security. Only account administrators can access this section. The Security Awareness Training section is where you choose your method. If HIPAA or an AI-related framework is enabled on your account, additional training sections appear below it. Setting Up Security Awareness Training for All Personnel Under the Security Awareness Training section, select the radio button for your chosen method — embedded, a connected provider, or external upload — then save. That setting applies to all personnel going forward, and new hires see the corresponding task in their onboarding automatically. Assigning Training to Individual Personnel Most configuration is account-wide, but you manage individuals from the Personnel page. Select a person to open their detail drawer, where you can view their training status and, for the external method, view or upload evidence on their behalf. This is also where you handle one-off resets, covered further below. HIPAA Training in Drata (If Enabled) What Is Annual HIPAA Training in Drata? The HIPAA Security Rule requires covered entities to implement a security awareness and training program for their entire workforce — a standard codified at 45 CFR 164.308(a)(5). If you have purchased the HIPAA framework in Drata, a dedicated HIPAA Training section appears on the Internal Security page so you can track this separately from general security awareness. Personnel complete it annually to address the associated control. How to Configure HIPAA Training With HIPAA enabled, the HIPAA Training section offers four options: Drata’s embedded HIPAA training, a connected provider, external training with manual evidence upload by an admin or information security lead, or opting out if HIPAA training is not required for your personnel. Select one and save. If you opt out, Drata removes all references to HIPAA training from the interface. Compliance is based on valid evidence existing for each current employee or contractor.   AI Awareness Training in Drata What Is AI Awareness Training? AI awareness training covers responsible and secure use of AI tools, and it maps to newer governance frameworks. Personnel should complete it annually to satisfy requirements in frameworks such as the NIST AI Risk Management Framework and ISO 42001. The setting only appears on your Internal Security page when a related framework is enabled on your account. How to Configure AI Awareness Training The AI Awareness Training section offers four options that mirror the others: Drata’s embedded AI training, a connected provider, external training with manual upload, or a URL that links personnel straight to an external course from My Drata. With the embedded option, Drata generates a certificate of completion as a PDF and uploads it automatically, viewable from the

The Drata Agent is the part of Drata’s compliance stack that actually touches employee devices. It is a lightweight, read-only desktop application that runs in the system toolbar, reads a narrow set of security configuration settings, and reports them back to the Drata platform on a daily schedule. If a SOC 2 or ISO 27001 audit depends on showing that every endpoint has disk encryption, screen lock, antivirus, a password manager, and automatic updates enabled, the Agent is the thing that produces that evidence. This guide covers exactly what it does, how it works, how to install it on macOS, Windows, and Linux, and what to do when it stops syncing. What Is the Drata Agent? The Drata Agent is a desktop application built with Electron, the same framework used by Slack, VS Code, and Discord. It uses osquery, an open-source endpoint instrumentation tool created at Facebook and now maintained as a Linux Foundation project, to query the operating system for specific configuration values. The Agent runs from the system toolbar — the menu bar on macOS, the system tray on Windows, and the indicator area on Linux — and synchronises once per day with Drata’s backend. The full source code of the Agent has been open source since June 2023. Anyone can audit the code on Drata’s GitHub organisation, including security teams that need to validate it before deploying to the fleet. The Agent supports the latest two major versions of each operating system. On macOS, that currently means macOS 26 (Tahoe) and macOS 15 (Sequoia), with Agent version 3.9.0 or higher. On Windows, it covers the two most recent stable versions Microsoft actively maintains. On Linux, only LTS distributions are supported; Ubuntu 22.04 LTS and 24.04 LTS are the current supported targets.   What the Drata Agent Does (and Does Not Do) The Agent collects a tightly scoped list of configuration data points — specifically the items that map to typical SOC 2 and ISO 27001 device-level controls. The Agent does read: disk encryption status (FileVault, BitLocker, LUKS); screen lock and screensaver configuration; installed antivirus or endpoint protection software; installed password manager applications; operating system version and update status; the list of installed applications and browser extensions for Chrome, Firefox, and Internet Explorer (used to detect AV and password manager presence); and the operating system identifier and machine serial number for asset attribution. The Agent does not read keystrokes, browsing history, file contents, clipboard data, screen contents, network traffic, or any application data. Access is strictly read-only at the system-preferences level. The Agent cannot make changes to the device, push configuration, or remediate failed controls. If a check fails, the employee or IT team fixes it manually; the Agent simply observes whether the fix worked on the next sync. Important: Read-only does not mean invisible. The Agent enumerates installed applications and browser extensions to detect antivirus and password manager presence, and this list is sent to Drata. If that level of visibility is a concern for privacy or works council requirements, address it before rollout — not after. How Does the Drata Agent Work? Once installed and registered, the Agent runs continuously in the background. It performs scheduled checks, reports results to Drata, and updates itself when new versions ship. Synchronization Process The Agent syncs once per day. The sync runs at the first opportunity each calendar day: typically, the first network connection after the device was off or asleep, the moment the user logs in if the Agent autostarts, or any manual trigger from the toolbar menu. The data sent is small — a structured report of the configuration values the Agent read, plus the Agent version and machine identifier. There is no telemetry of user activity. When the sync succeeds, the device’s compliance status in Drata updates within a few minutes. When it fails, the device may show an Unable to get data status, and the corresponding controls in Drata will appear unconfirmed until the next successful sync. Automatic Updates The Agent updates itself. When a new version is released, the Agent shows a notification asking the user to allow the update. Updates are mandatory — running an outdated Agent eventually causes registration and sync failures. Linux installations through Ubuntu’s package manager auto-update via the system updater starting with version 3.6; AppImage installations and Arch AUR builds need to be updated manually or through the AUR helper.   Prerequisites Before Installing the Drata Agent Before installation, three things need to be in place. First, the device user needs an active Drata account with employee onboarding tasks assigned. Second, the operating system must be a supported version. Third, the user needs administrator rights on the device to install the application, since it registers a startup item. The user will also need access to their work email during installation. Registration uses a magic-link verification flow, and the verification email arrives within a minute of clicking Register Drata Agent in the Drata UI. How to Install the Drata Agent on Mac There are two practical paths on macOS: install through Homebrew Cask, or download the signed installer directly from MyDrata. Installation via Homebrew The Drata Agent is published as an official cask in the Homebrew repository, which is the cleanest install method for engineers who already use Homebrew for package management. The cask requires macOS 12 (Monterey) or newer. The install command is: brew install –cask drata-agent After Homebrew finishes, open Drata Agent.app from /Applications, then return to MyDrata and click Register Drata Agent. A magic-link email arrives shortly after. Open the link, copy the token portion of the URL, paste it into the Agent’s register dialog, and confirm. Run or Build the Drata Agent on Mac For organisations that want to build from source rather than use the published package, the GitHub repository contains the full Electron build pipeline. Build prerequisites include Node.js and electron-builder, and the osquery binaries need to be supplied separately. Drata explicitly notes that locally built packages are not signed and that production registration requires an

Risk analysis failures sit behind 76% of HIPAA enforcement actions in 2025, according to The HIPAA Journal’s annual breach report. That single statistic explains why healthcare organizations and their business associates are rethinking how they manage HIPAA. Its no longer enough to conduct an annual policy review, it is now a continuous control problem. Drata fits that shift. It is a security and compliance automation platform that connects to the systems where PHI lives, maps controls to the HIPAA Privacy, Security, and Breach Notification Rules, and keeps evidence current between formal assessments. This guide covers what Drata actually does for HIPAA: which rules it addresses, how the automation works in practice, what it leaves to humans, and how readiness compares to running parallel frameworks like SOC 2. What Is HIPAA and Why Does Compliance Matter? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the U.S. federal law governing the protection of protected health information (PHI). It applies to two categories of organizations: covered entities (health plans, healthcare clearinghouses, and most providers) and business associates, a category that captures any vendor, SaaS company, or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Enforcement is led by the HHS Office for Civil Rights (OCR). Penalties scale with culpability, capped at roughly $2.1 million per violation category per year after inflation adjustments. OCR’s 2025 enforcement priorities were almost entirely focused on the Security Rule, particularly the requirement to conduct a thorough, organization-wide risk analysis. The agency has confirmed that 2026 will follow the same playbook, with risk management evidence (proof that identified risks are being actively reduced) becoming a separate focus area in its own right. Healthcare also remains the most expensive sector for breaches. IBM’s 2024 Cost of a Data Breach Report put the average healthcare breach at $9.48 million, more than double the cross-industry average. The cost is not abstract: in 2025, OCR penalties for risk analysis failures ranged from $25,000 against small practices up to $3 million against a national medical supplier following a phishing-driven breach. What Is Drata and How Does It Support HIPAA Compliance? Drata is a GRC automation platform that integrates with cloud infrastructure, identity providers, HRIS systems, ticketing tools, and endpoint management to continuously collect evidence and test controls against more than 30 compliance frameworks. HIPAA was added in late 2021 as Drata’s third framework, joining SOC 2 and ISO 27001. For HIPAA specifically, Drata does not certify anyone; there is no formal HIPAA certification anyway, but it operationalizes the work that OCR expects to see when an investigation lands. That includes mapped controls for administrative, physical, and technical safeguards; policy templates for HIPAA-specific requirements like the Business Associate Agreement; embedded workforce training; an integrated risk management module; and an evidence library that auditors and counsel can access during a review. Worth Knowing: There is no government-issued HIPAA certification. Any vendor claiming to make you “HIPAA certified” is using marketing language. What auditors and OCR investigators actually look for is documented, ongoing compliance with the three HIPAA Rules. Drata’s value sits in producing that documentation continuously rather than retroactively. For a deeper look at what formal certification actually involves in adjacent frameworks, see our guide to HIPAA certification. Key HIPAA Requirements Drata Helps You Address HIPAA consists of three operative rules, each with distinct compliance obligations. Drata’s control library maps to all three. HIPAA Privacy Rule The Privacy Rule governs the use and disclosure of PHI in any form: electronic, paper, or verbal. It defines 18 specific identifiers that constitute PHI, sets the minimum necessary standard, and gives patients rights of access, amendment, and accounting of disclosures. Drata supports this through policy templates (notice of privacy practices, minimum necessary use, patient rights procedures), access tracking through integrations with identity providers, and workforce training that covers permissible uses and disclosures. HIPAA Security Rule The Security Rule is where most enforcement activity happens. It applies specifically to electronic PHI (ePHI) and requires three categories of safeguards: administrative, physical, and technical. According to HHS, the Security Rule “requires implementation of appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.” Drata’s control library maps directly to the 45 CFR Part 164 implementation specifications, both required and addressable. HIPAA Breach Notification Rule The Breach Notification Rule requires notification to affected individuals, HHS, and, for breaches affecting 500 or more residents of a state, the media, no later than 60 days after discovery. Drata supports breach response through incident management workflows, policy templates that codify the four-factor risk assessment, and audit trails for breach documentation. The platform does not file your OCR breach report for you; that remains a human task, but it keeps the underlying evidence organized. Important: OCR has explicitly stated that breach notification failures were the second most common reason for a financial penalty in 2025. More than one-fifth of enforcement actions included a breach notification violation. The 60-day clock starts at discovery, not at confirmation, so detection latency directly increases legal exposure. How Drata Automates HIPAA Compliance Automation in Drata operates on four layers: evidence collection, control monitoring, gap detection, and integration with healthcare-relevant tools. The combination is what produces the continuous compliance posture that OCR is now effectively demanding through its risk management initiative. Automated Evidence Collection for HIPAA Audits Drata reports that its platform automates roughly 80% of evidence collection across frameworks. For HIPAA, that means pulling configuration data from AWS, Azure, or GCP; enrollment status from MDM tools like Jamf or Intune; SSO and MFA enforcement from Okta or Entra ID; and onboarding/offboarding records from HRIS platforms. Instead of screenshotting these on demand for an auditor, the platform timestamps and stores them on a continuous basis. Real-Time HIPAA Compliance Monitoring The platform runs automated tests against connected systems daily. If MFA is disabled on an administrator account that has access to a system holding ePHI, the relevant control flips to failing status and the owner

In late 2025, Drata became one of a small group of compliance platforms to earn a FedRAMP 20x Low Pilot Authorization, completing the modernized review track that GSA designed to compress federal cloud authorizations from years into weeks. That milestone matters because most “FedRAMP-ready” tools still rely on narrative documentation built for the old process.  Drata’s authorization is proof that its automation pipeline can satisfy the standards the federal program now wants every cloud service provider to meet. This guide explains what Drata actually does for FedRAMP, where it fits in the authorization workflow, what it costs, and where its limits show up, with current context on how FedRAMP 20x is reshaping the entire process. What Is FedRAMP and Why Does It Matter for Cloud Service Providers? FedRAMP is the U.S. government’s standardized program for assessing, authorizing, and continuously monitoring cloud services used by federal agencies. Established in 2011 and codified in law through the FedRAMP Authorization Act of 2022, it operates on a do once, use many principle: a cloud service offering authorized once can be reused across federal agencies without each agency repeating the entire security assessment. The program is administered by GSA through a Program Management Office, with technical baselines drawn from NIST SP 800-53. Three impact baselines define the depth of the controls a cloud provider must implement: Low (156 controls), Moderate (323 controls), and High (410 controls). A separate LI-SaaS baseline streamlines requirements for low-impact SaaS systems. The Moderate baseline is the most commonly pursued path because it covers Controlled Unclassified Information, the threshold most federal contracts demand. What Is Drata and What Does It Do for FedRAMP? Drata Company Overview and Background Drata is a security and compliance automation platform headquartered in San Diego, founded in 2020 by Adam Markowitz, Daniel Marashlian, and Troy Markowitz. The company has grown to roughly 8,000 customers and reached unicorn status with a $2 billion valuation following its Series C round. In February 2025 it acquired SafeBase, folding the trust center product into its core platform. Drata supports more than 30 frameworks including SOC 2 compliance, ISO 27001, HIPAA, PCI DSS, GDPR, NIST 800-53, NIST 800-171, CMMC, and FedRAMP. Does Drata Support FedRAMP as a Framework? Yes. Drata provides pre-built FedRAMP frameworks for LI-SaaS, Low, Moderate, and High baselines, with controls mapped to NIST 800-53 requirements. The platform is built around OSCAL, the open machine-readable format that NIST developed for control catalogs and assessment data, which is now the required submission format under FedRAMP 20x. Drata also offers a dedicated FedRAMP Readiness Framework for organizations earlier in the journey. As of late 2025, Drata holds its own FedRAMP 20x Low Pilot Authorization, meaning federal agencies and contractors can use the platform itself without inheriting a compliance gap from their tooling. How Drata Works for FedRAMP Compliance Step by Step Step 1: Connect Your Cloud and Security Tools The first work in any Drata implementation is wiring up integrations. Drata supports more than 200 connectors covering AWS (including 45+ services), Azure, GCP, GitHub, Okta, identity providers, vulnerability scanners, HRIS, and ticketing platforms. For FedRAMP environments, the AWS GovCloud and Azure Government integrations matter most, since federal workloads typically live in those tenants. The connections feed system data into Drata’s monitoring engine, where it becomes the raw material for automated control tests. Step 2: Map Controls to FedRAMP Requirements Automatically Once integrations are in place, Drata applies its pre-built control mappings against the FedRAMP baseline you have selected. A single control can satisfy requirements across multiple frameworks at once, so an organization that has already implemented SOC 2 compliance or ISO 27001 inherits significant credit when expanding into FedRAMP. For a deeper look at how those frameworks compare, our ISO 27001 vs SOC 2 guide walks through the key differences. The control set is editable, which matters because FedRAMP allows narrowly scoped parameter overrides for some controls. Step 3: Continuously Monitor Your FedRAMP Control Environment Drata runs automated control tests on a continuous basis, validating that the configurations and evidence each control depends on are still in place. When a control drifts, an alert is issued and the gap is logged. For FedRAMP, this is the operational backbone of continuous monitoring for SOC 2, and for FedRAMP alike, the program’s defining requirement and historically the area where authorized providers most often fall out of compliance. Step 4: Collect and Organize FedRAMP Evidence Automatically Evidence is generated as a side effect of monitoring. Configuration data, access logs, and policy acknowledgments flow into Drata and are tagged against the controls they satisfy. The platform replaces manual screenshot collection, which has historically been the most labor-intensive part of FedRAMP audits. Step 5: Prepare Your System Security Plan and Audit-Ready Documentation For Rev 5 authorizations, the System Security Plan remains a written document. Drata centralizes the policy library, control implementation descriptions, and supporting artifacts a 3PAO will need, but it does not write narrative SSP language for you. For FedRAMP 20x submissions, the burden shifts dramatically: the SSP is replaced by structured KSI evidence, and Drata’s OSCAL-native architecture is built specifically to produce the machine-readable packages that path requires. Important: Drata accelerates FedRAMP work, but it does not eliminate the engineering effort. Boundary architecture, encryption-in-transit and at-rest decisions, configuration baselines, and DoD-specific overlays are technical work the platform cannot do for you. Treat Drata as the compliance automation layer on top of a security program, not as a substitute for one. Key Drata Features That Support FedRAMP Authorization Multi-Framework Control Mapping for FedRAMP Baselines Drata pre-maps controls across FedRAMP baselines and cross-maps them to other frameworks. An organization holding SOC 2 Type II that is now pursuing FedRAMP Moderate will see substantial overlap surface automatically, with Drata flagging only the FedRAMP-specific gaps that require new work. If you are already working through the SOC 2 process, the Drata SOC 2 guide covers that workflow in detail. The platform supports custom control parameters for cases where FedRAMP allows tailoring. Continuous Monitoring and Automated Evidence Collection Drata’s continuous