FTC Safeguards Rule checklist: the nine required elements
FTC Safeguards isn’t a one-time certification — it’s evidence your controls operate continuously. This checklist walks every control an auditor examines, and flags which a platform can automate.
What FTC Safeguards requires
FTC Safeguards is assessed against 9 controls across 5 families: Program governance, Risk assessment, Technical safeguards, Monitoring & testing, Oversight. Each must be both designed and operating — auditors want evidence it worked throughout the period, not just that it existed on paper.
The control checklist
All nine required elements of the amended FTC Safeguards Rule. Use the table below as your working checklist — 9 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human evidence.
| Control | Requirement | Coverage |
|---|---|---|
| §314.4 — the nine elements | ||
| (a) | Designate a qualified individual | Manual |
| (b) | Written risk assessment | Manual |
| (c) | Safeguards: access controls, inventory, encryption, MFA, disposal, change mgmt, monitoring | Auto |
| (d) | Regular testing: continuous monitoring or annual pen test + biannual vuln scans | Auto |
| (e) | Security awareness training | Manual |
| (f) | Oversee service providers | Manual |
| (g) | Evaluate & adjust the program | Manual |
| (h) | Written incident response plan | Manual |
| (i) | Annual report to the board | Manual |
Evidence you must collect
For every control, an auditor expects evidence it operated throughout the review period. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of FTC Safeguards controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.