SACS-002 Compliant Infrastructure
Out of the Box
Every company doing business with Saudi Aramco needs a Cybersecurity Compliance Certificate. The SACS-002 standard mandates dozens of technical and organizational controls covering email security, encryption, firewalls, VPN access, patch management, employee training, disaster recovery, and more. Most vendors don't have the IT infrastructure or in-house expertise to implement them. MassiveGRID's CCC package solves the entire compliance stack in a single engagement — pre-configured infrastructure, ready-made governance policy templates, and a direct path to certification through our authorized audit firm partners.
The SACS-002 Compliance Challenge
Saudi Aramco's Third Party Cybersecurity Standard (SACS-002) requires every vendor in the supply chain to satisfy two layers of requirements before obtaining a Cybersecurity Compliance Certificate. The technical layer demands email security with SPF and DKIM, encryption of all data in transit, managed firewalls with daily antivirus updates, multi-factor authentication, audit logging, automated patching, backup and disaster recovery, and identity access management. The governance layer requires documented company policies — an Acceptable Use Policy (TPC-1), an Incident Response Plan (TPC-23), a Data Classification Policy (TPC-9), and annual cybersecurity training for all employees (TPC-7). Most vendors fail their first audit not because of one missing control, but because they underestimate the combined scope. MassiveGRID eliminates both layers: pre-configured infrastructure that satisfies every technical control, ready-made policy templates that satisfy every governance requirement, and direct introductions to authorized audit firms to complete your certification.
Why Ready-Made Beats Build-Your-Own
Most Aramco vendors attempt SACS-002 compliance by stitching together separate tools, hiring consultants, and writing policies from scratch. The result is months of delays, budget overruns, and failed first audits. MassiveGRID's pre-built package eliminates the entire build phase.
Build It Yourself vs. Deploy Ready-Made
Each component is pre-configured to satisfy specific TPC controls from the SACS-002 standard. Together, they provide a complete compliant environment covering email, file storage, remote access, network security, VPN connectivity, continuous monitoring, security awareness training, automated patch management, backup and disaster recovery, and identity access lifecycle management. No manual configuration required — deploy and start your audit preparation immediately.
Email Hosting
Private domain email with SPF, DKIM, and DMARC pre-configured on the mail server and in DNS. Multi-factor authentication enforced for all email access. TLS on every client connection (submission, IMAP, webmail) and STARTTLS on server-to-server SMTP; note that transport to an external mail server is only as strong as that server's own TLS support. SACS-002 explicitly prohibits consumer email services like Gmail and Yahoo — this component ensures your organization uses a private, authenticated, and auditable email system that satisfies TPC-8, TPC-9, and TPC-10 controls out of the box.
Encrypted File Hosting
Secure file storage with AES-256 encryption at rest and TLS 1.3 encryption in transit. Role-based access controls enforce need-to-know data access as required by SACS-002. Every file access event is logged with timestamps, user identity, and action type. Supports data classification labeling, version control, and automated backup with configurable retention policies for Aramco data handling requirements.
Secured Remote Desktop
Remote desktop access with mandatory multi-factor authentication, session logging, and 15-minute idle timeout lock — all enforced at the platform level. Password policies meet exact SACS-002 specifications: minimum 8 characters with special characters, 12-password history, 90-day maximum age, and automatic lockout after 10 failed attempts. Clipboard and drive mapping controls prevent unauthorized data transfer.
Enterprise Firewall
Managed stateful-inspection firewall with logging enabled on all endpoints. Includes anti-virus with daily definition updates and full system scans every two weeks — the exact schedule SACS-002 requires under TPC-6. DDoS mitigation with 10+ Tbps scrubbing capacity is included at no extra cost. Web application firewall (WAF) protection available for web-facing systems. Configuration exports provided as audit evidence on demand.
VPN with IPSec Encryption
Site-to-site and remote-access VPN tunnels encrypted with IPSec and AES-256, directly satisfying TPC-52's requirement for encrypted data transmission. All VPN connections are logged with user identity, timestamps, source IP, and session duration. Network segmentation ensures Aramco-related traffic is isolated from other workloads. Certificate-based authentication available for enhanced security required by CCC+ classifications.
24/7 Monitoring & Logging
Continuous security monitoring by MassiveGRID's NOC/SOC team with real-time alerting and escalation. Comprehensive audit logs capture authentication events, access changes, configuration modifications, and security incidents. All logs are retained for a minimum of one year in tamper-evident storage as required by SACS-002. Incident response procedures include 24-hour notification to Aramco per Appendix A requirements.
Security Awareness Training
SACS-002 mandates annual cybersecurity training for all employees under TPC-7. MassiveGRID's integrated training platform delivers pre-built modules covering phishing awareness, password hygiene, social engineering, data protection, and acceptable use policies. Completion tracking with timestamped certificates provides the audit evidence your assessor requires. Includes quarterly phishing simulations to test and reinforce training effectiveness.
Patch Management
Unpatched systems are among the most common findings in CCC audits. TPC-11 requires automated patching of operating systems and applications across all technology assets. MassiveGRID's patch management service provides automated vulnerability scanning, CVSS-based prioritization, scheduled deployment windows, and compliance dashboards that show your auditor exactly which systems are patched and when.
Backup & Disaster Recovery
SACS-002 requires documented backup procedures, defined RPO/RTO targets, and annual DR testing with evidence. MassiveGRID provides automated daily backups with AES-256 encryption, geo-redundant storage across multiple datacenters, one-click restoration, and scheduled DR tests with documented results your auditor can verify. Configurable retention policies ensure Aramco data is preserved according to contractual requirements.
Identity & Access Lifecycle
TPC-6 requires access revocation within 24 hours of employee termination, and TPC-18 mandates formal off-boarding procedures. MassiveGRID's IAM lifecycle component provides a centralized identity dashboard with automated de-provisioning triggers, quarterly access review workflows, privileged session recording, and compliance reports. When an employee leaves, their access across every system is revoked in minutes — not days.
SACS-002 Compliance Matrix
This control-by-control mapping shows exactly which package component satisfies each relevant SACS-002 Third Party Cybersecurity (TPC) requirement. Every control listed below is addressed by the infrastructure package with zero manual configuration.
| TPC Control | Requirement | Package Component | Status |
|---|---|---|---|
| TPC-1 | Cybersecurity governance — dedicated personnel and documented policies | Monitoring & Logging + governance documentation templates | ✓ |
| TPC-2 | Password protection: 8+ characters, special characters, 12-password history, 90-day max age, 10-attempt lockout | All components — enforced at platform level across email, RDP, file hosting, VPN | ✓ |
| TPC-3 | Password protection applied to all IT assets | All components — no unauthenticated access points exist in the package | ✓ |
| TPC-6 | Anti-virus with daily definition updates and bi-weekly full system scans | Enterprise Firewall + Endpoint Protection | ✓ |
| TPC-8 | SPF email security technology implemented on mail server | Email Hosting — SPF pre-configured on mail server | ✓ |
| TPC-9 | SPF record published in DNS | Email Hosting — SPF DNS record managed and published | ✓ |
| TPC-10 | Private email domain required (no consumer email like Gmail or Yahoo) | Email Hosting — custom domain with private mail infrastructure | ✓ |
| TPC-52 | Encryption of data in transit using SSH, FTPS, HTTPS, TLS, or IPSec | VPN (IPSec) + all components (TLS 1.3 on all interfaces) | ✓ |
| MFA | Multi-factor authentication required for all cloud-based access | All components — TOTP/FIDO2 MFA enforced on every access point | ✓ |
| Firewall | Firewalls configured and enabled on all endpoints | Enterprise Firewall — host and network-level firewalls active | ✓ |
| DDoS | DDoS protection on internet-facing infrastructure | Enterprise Firewall — 10+ Tbps always-on DDoS mitigation | ✓ |
| Audit Logs | Audit log retention for minimum 1 year for Aramco-related data | Monitoring & Logging — tamper-evident 1-year retention | ✓ |
| Data Isolation | Logical partitioning and isolation of Aramco data from other tenants | All hosting components — dedicated resources with hypervisor-level isolation | ✓ |
| Incident Response | Security incident notification to Aramco within 24 hours | Monitoring & Logging — structured incident response with 24h notification | ✓ |
| Pen Testing | Annual external penetration testing on IT infrastructure | Pre-authorized testing windows with infrastructure access coordination | ✓ |
| Backup & Recovery | Documented backup and disaster recovery procedures | Automated daily backups with configurable retention and DR support | ✓ |
| Screen Lock | 15-minute inactivity screen saver lock on all workstations | Remote Desktop — 15-minute idle timeout enforced at platform level | ✓ |
| Data Sanitization | Secure media sanitization on hardware decommission or repurpose | NIST 800-88 compliant cryptographic erasure with certificates of destruction | ✓ |
| TPC-7 | Annual cybersecurity training covering phishing, social engineering, and acceptable use | Security Awareness Training — LMS with pre-built modules, completion tracking, and certificates | ✓ |
| Phishing Sims | Periodic phishing simulation testing to validate training effectiveness | Security Awareness Training — quarterly automated phishing campaigns with click-rate tracking | ✓ |
| TPC-11 | Automated OS and application patching across all technology assets | Patch Management — automated scanning, CVSS prioritization, scheduled deployment | ✓ |
| Patch Reporting | Patch compliance evidence showing percentage of systems up-to-date | Patch Management — real-time compliance dashboard with exportable reports | ✓ |
| Backup Procedures | Documented backup procedures with defined RPO/RTO targets | Backup & DR — automated daily backups, configurable retention, documented procedures | ✓ |
| DR Testing | Annual disaster recovery testing with documented results | Backup & DR — scheduled DR tests with restoration verification reports | ✓ |
| Geo-Redundancy | Off-site backup storage for business continuity | Backup & DR — geo-redundant storage across multiple MassiveGRID datacenters | ✓ |
| TPC-6 | Employee access revocation within 24 hours of termination | Identity & Access Lifecycle — automated de-provisioning with HR integration | ✓ |
| TPC-18 | Off-boarding procedures: asset return, credential deactivation, access removal | Identity & Access Lifecycle — structured off-boarding workflow with audit trail | ✓ |
| Access Reviews | Periodic review of user access rights and privilege levels | Identity & Access Lifecycle — quarterly access review with approval workflows | ✓ |
| Asset Inventory | Identification and categorization of all IT assets storing Aramco data | Patch Management + IAM — centralized asset registry with classification labels | ✓ |
This matrix covers the infrastructure and operational controls addressed by the package. Remaining governance controls (TPC-1 Acceptable Use Policy, TPC-23 Incident Response Plan, TPC-9 Data Classification Policy) are covered by ready-made policy templates included in the package — see Your Path to Certification below.
Each component in the package is purpose-built to satisfy specific SACS-002 controls. Below is a detailed breakdown of what each component includes and which audit requirements it addresses. When your authorized audit firm requests evidence for a specific TPC control, the relevant component provides it automatically.
Email Hosting — Private, Authenticated, Auditable
SACS-002 dedicates three specific TPC controls to email security because email remains one of the most common initial access vectors in supply chain compromises. Consumer email services like Gmail and Yahoo cannot satisfy these controls, and free email addresses will cause an immediate audit failure. MassiveGRID's email hosting is built specifically to pass the email section of your CCC assessment. Read our detailed guide on Aramco CCC email requirements →
- Private domain email on your company's domain (e.g., name@yourcompany.com)
- SPF record pre-configured and published in DNS (TPC-9)
- SPF validation of inbound mail enforced on the receiving mail server (TPC-8)
- DKIM signing enabled for all outbound email
- DMARC policy configured and published
- TLS encryption on all mail transport (STARTTLS on server-to-server SMTP; TLS on submission, IMAP, and webmail)
- Multi-factor authentication required for webmail and IMAP access
- Anti-spam and anti-malware filtering with daily signature updates
- Full audit trail of login events, sent/received messages, and admin changes
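The SPF, DKIM and DMARC records in the list above are exactly what an assessor will pull from DNS before looking at anything else. The script below is an added example, not MassiveGRID's tooling: an offline checker that applies the usual sanity checks (one SPF record, the 10-lookup limit, an enforcing `all` qualifier, a non-empty DKIM key, a DMARC policy with a reporting address) to TXT records passed in as a dictionary. The domain, selector and record contents in `SAMPLE_TXT` are constructed sample data; replace them with the output of a real TXT lookup for your own domain.

```python
"""Offline sanity checks for the SPF, DKIM and DMARC records an email audit
looks at. Added example, not MassiveGRID code; SAMPLE_TXT is constructed
data for a hypothetical domain."""
import re

# Constructed sample TXT records keyed by DNS name (assumption, not a real zone).
SAMPLE_TXT = {
    "example-vendor.test": [
        "v=spf1 mx ip4:203.0.113.10 include:_spf.mailhost.test -all",
    ],
    "mail._domainkey.example-vendor.test": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7placeholder",
    ],
    "_dmarc.example-vendor.test": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-vendor.test; pct=100",
    ],
}

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
_LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def _tags(record):
    """Parse a 'k=v; k2=v2' tag list (DKIM, DMARC) into a dict with lower-cased keys."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_spf(txt_records):
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record (v=spf1) published"]
    if len(spf) > 1:
        findings.append("more than one v=spf1 record; receivers return permerror")
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()
        if name in _LOOKUP_TERMS:
            lookups += 1
        has_redirect = has_redirect or name == "redirect"
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' accepts any sender; use -all or ~all")
    return findings


def check_dkim(txt_records):
    if not txt_records:
        return ["no DKIM key record at <selector>._domainkey"]
    tags = _tags(txt_records[0])
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append(f"unexpected v={tags['v']}; expected DKIM1")
    if not tags.get("p"):
        findings.append("empty p= tag: key is revoked, outbound signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y test flag set; verifiers ignore signature failures")
    return findings


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record at _dmarc"]
    tags = _tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= policy: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports (useful audit evidence) will not arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    return findings


def audit(txt_by_name, domain, dkim_selector):
    """Run all three checks; an empty list per record means no findings."""
    return {
        "spf": check_spf(txt_by_name.get(domain, [])),
        "dkim": check_dkim(txt_by_name.get(f"{dkim_selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(txt_by_name.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for record, findings in audit(SAMPLE_TXT, "example-vendor.test", "mail").items():
        print(f"{record:5s}: {'OK' if not findings else '; '.join(findings)}")
```

The checker deliberately treats `p=none` and `+all` as findings even though both are syntactically valid: an assessor reading the DNS records will treat a monitoring-only DMARC policy or a permissive SPF as "not implemented", so the check should too.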
Encrypted File Hosting — Classified, Controlled, Logged
SACS-002 requires that any system storing Aramco-related data implements encryption, access controls, audit logging, and data classification. The file hosting component provides all of these at the platform level, eliminating the need to configure encryption or access policies manually. Read our guide on file hosting and data security for Aramco compliance →
- AES-256 full-disk encryption at rest on all storage volumes
- TLS 1.3 encryption for all data in transit
- Role-based access controls with granular permissions per folder and file
- Data classification labeling support (Confidential, Internal, Public)
- File version control with rollback capability
- Comprehensive audit logging: who accessed what, when, and what action was taken
- Automated daily backups with configurable retention periods
- Secure file sharing with expiring links and password protection
- NIST 800-88 compliant data sanitization on storage decommission
Secured Remote Desktop — Authenticated, Monitored, Time-Locked
For vendors with distributed teams or remote workers handling Aramco-related work, SACS-002 requires that all remote access is authenticated with MFA, logged, and subject to inactivity timeouts. The remote desktop component enforces every password and session control that SACS-002 specifies, directly at the platform level with no user configuration needed. Read our guide on secure remote access for Aramco vendors →
- Multi-factor authentication required on every login (TOTP or FIDO2)
- Password policy enforced: 8+ characters, special characters, 12-password history
- 90-day password rotation enforced automatically
- Account lockout after 10 failed authentication attempts
- 15-minute inactivity timeout with automatic session lock
- Session recording and logging for audit evidence
- Clipboard and drive mapping controls to prevent unauthorized data exfiltration
- TLS-encrypted RDP sessions end-to-end
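The password and lockout values in the list above (8 characters with a special character, a 12-password history, 90-day maximum age, lockout after 10 failures) are the kind of thing an assessor will test by hand. The class below is an added example, not the remote desktop platform's own code; it shows one way to enforce all four rules together, including the history check against salted hashes rather than stored passwords. The account model, the PBKDF2 parameters and the test values are assumptions.

```python
"""Password-policy and lockout enforcement using the values the page quotes for
SACS-002: 8+ characters with a special character, 12-password history,
90-day maximum age, lockout after 10 failures. Added example, not the remote
desktop platform's own code; the account model and hashing parameters are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH, HISTORY_DEPTH, MAX_AGE_DAYS, LOCKOUT_THRESHOLD = 8, 12, 90, 10
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~|\\")
PBKDF2_ROUNDS = 100_000  # kept modest for the demo; use a higher work factor in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password):
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []       # (salt, hash) pairs, newest last, at most HISTORY_DEPTH
        self.failed_attempts = 0
        self.locked = False
        self.changed_at = now
        problems = self.set_password(password, now)
        if problems:
            raise ValueError(f"initial password rejected: {problems}")

    def _reused(self, password):
        # History holds hashes only, so the check is a hash comparison per remembered entry.
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)

    def set_password(self, password, now):
        """Return a list of violations; an empty list means the change was applied."""
        problems = policy_violations(password)
        if self._reused(password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed_attempts = 0
        return []

    def authenticate(self, password, now):
        """Return 'ok', 'expired', 'bad_password' or 'locked'."""
        if self.locked:
            return "locked"
        salt, current = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), current):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True   # unlocking is a separate, audited administrative action
                return "locked"
            return "bad_password"
        self.failed_attempts = 0
        if now - self.changed_at > timedelta(days=MAX_AGE_DAYS):
            return "expired"         # credential is valid but must be changed before access is granted
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    acct = Account("alice", "Start!Pass1", t0)
    print(acct.set_password("Start!Pass1", t0))            # rejected: reuse
    print(acct.authenticate("Start!Pass1", t0 + timedelta(days=91)))  # expired
```

Two points worth noting when reproducing this on a real platform: the expired state is returned only after the password has been verified, so an attacker cannot use the expiry response to confirm a username, and the lock is never cleared by a later correct password, which is what keeps the 10-attempt threshold meaningful.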
Enterprise Firewall — Inspecting, Protecting, Documenting
SACS-002 requires that firewalls are active on all endpoints and that anti-virus runs with daily updates and bi-weekly full scans. The enterprise firewall component handles both requirements and produces the configuration exports and scan reports that auditors need as evidence. Read our guide on firewall and endpoint protection for Aramco CCC →
- Stateful packet inspection firewall active on all endpoints
- Network-level firewall with subnet segmentation and VLAN isolation
- Anti-virus with daily signature updates (automated, no manual intervention)
- Full system scans every two weeks as required by TPC-6
- DDoS mitigation with 10+ Tbps scrubbing capacity included at no extra cost
- Web Application Firewall (WAF) for web-facing systems
- Firewall rule exports and AV scan reports available for audit evidence
- Real-time alerting on blocked threats and policy violations
VPN with IPSec Encryption — Tunneled, Segmented, Logged
TPC-52 is one of the most frequently tested controls in CCC audits. It mandates that all data in transit is encrypted using approved protocols: SSH, FTPS, HTTPS, TLS, or IPSec. For vendors with network connectivity to Aramco (CCC+ classification), IPSec VPN is not optional — it is required. Read our guide on SACS-002 encryption requirements →
- IPSec VPN tunnels with AES-256 encryption (site-to-site and remote access)
- Split tunneling controls to ensure Aramco traffic stays within encrypted tunnel
- VPN access logging: user identity, timestamps, source IP, session duration
- Network segmentation isolating Aramco-related traffic from other workloads
- Certificate-based authentication option for CCC+ network connectivity requirements
- Kill switch to prevent data leakage if the VPN connection drops
- Compatible with Aramco's VPN gateway requirements for direct connectivity
24/7 Monitoring & Logging — Watching, Recording, Responding
SACS-002 requires continuous security monitoring, audit log retention for at least one year, and incident notification to Aramco within 24 hours. This component provides all three through MassiveGRID's security operations center and SIEM infrastructure. Read our SACS-002 audit preparation guide →
- 24/7 security monitoring by MassiveGRID's NOC/SOC team
- SIEM integration for centralized log collection and correlation
- Minimum 1-year audit log retention in tamper-evident storage
- Real-time alerting on security events, anomalies, and policy violations
- Structured incident response procedures per SACS-002 Appendix A
- 24-hour incident notification to Aramco with technical reports within 10 business days
- Audit-ready log exports in formats accepted by authorized audit firms
- Annual penetration testing coordination with pre-authorized testing windows
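"Tamper-evident" retention, as listed above, means an assessor can verify that no log entry was edited, deleted or reordered after the fact. The block below is an added example of the underlying technique, a hash chain with an HMAC per entry and a published head digest; it is not MassiveGRID's SIEM or storage implementation. The key, the sample events and the entry layout are assumptions.

```python
"""Append-only, hash-chained audit log with an integrity check. Added example
showing what 'tamper-evident' log storage means; it is not MassiveGRID's SIEM
or storage implementation. The key, the events and the entry layout are assumptions."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_digest(prev_hash, record_json, key):
    # HMAC over (previous digest || record) binds each entry to its predecessor.
    # The key is held by the verifier (e.g. the SOC), not by the system writing logs.
    return hmac.new(key, prev_hash.encode() + record_json.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record_json = json.dumps(record, sort_keys=True, separators=(",", ":"))
        entry = {"seq": len(self.entries), "prev": prev, "record": record_json,
                 "hash": entry_digest(prev, record_json, self._key)}
        self.entries.append(entry)
        return entry

    def head(self):
        """Digest of the newest entry; publish it out-of-band (e.g. to WORM storage)
        so that truncation of the tail is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, key, expected_head=None):
    """Return (ok, first_bad_seq). Catches edited, deleted or reordered entries
    and, when expected_head is supplied, a truncated tail."""
    prev = GENESIS
    for seq, e in enumerate(entries):
        if e["seq"] != seq or e["prev"] != prev:
            return False, seq
        if not hmac.compare_digest(e["hash"], entry_digest(prev, e["record"], key)):
            return False, seq
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample events (assumption: one JSON object per event).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T08:00:00Z", "event": "auth.success", "user": "alice", "src": "198.51.100.7"},
    {"ts": "2024-06-01T08:02:11Z", "event": "auth.failure", "user": "bob", "src": "203.0.113.9"},
    {"ts": "2024-06-01T09:15:40Z", "event": "role.change", "user": "bob", "role": "admin", "by": "alice"},
    {"ts": "2024-06-01T17:30:05Z", "event": "auth.success", "user": "bob", "src": "203.0.113.9"},
]


def demo(key=b"verifier-key-held-by-soc"):
    """Build a chain, then tamper with copies of it; returns the verifier results."""
    log = AuditLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    head = log.head()
    results = {"intact": verify_chain(log.entries, key, head)}

    edited = json.loads(json.dumps(log.entries))          # deep copy
    edited[2]["record"] = edited[2]["record"].replace('"role":"admin"', '"role":"user"')
    results["edited"] = verify_chain(edited, key, head)

    deleted = log.entries[:2] + log.entries[3:]           # entry 2 removed
    results["deleted"] = verify_chain(deleted, key, head)

    truncated = log.entries[:3]                           # newest entry dropped
    results["truncated_no_anchor"] = verify_chain(truncated, key)
    results["truncated_with_anchor"] = verify_chain(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_seq={bad}")
```

The `truncated_no_anchor` case is the one practitioners miss: a chain verifies cleanly after its newest entries are removed unless the head digest was recorded somewhere the log writer cannot modify, which is why the verifier accepts an `expected_head` and why that value should be exported on a schedule.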
Security Awareness Training — Educating, Testing, Documenting
TPC-7 requires annual cybersecurity training for all employees with documented completion records. This is one of the most frequently cited audit findings because organizations either skip training entirely or cannot produce evidence that it happened. MassiveGRID's training component eliminates this gap with a complete learning management system pre-loaded with SACS-002-aligned content. Read our guide on SACS-002 training requirements →
- Pre-built training modules: phishing awareness, password hygiene, social engineering, data protection
- Acceptable Use Policy (AUP) acknowledgment workflow with digital signatures
- Quarterly phishing simulation campaigns with automated click-rate tracking
- Role-specific training paths: general staff, IT administrators, executives
- Completion tracking with timestamped certificates for audit evidence
- Annual training schedule with automated reminders and escalation for non-completion
- Training effectiveness metrics and trend reporting for management review
- Multi-language support for organizations with diverse workforces
Patch Management — Scanning, Prioritizing, Deploying
TPC-11 requires automated patching of operating systems and software. Unpatched systems are one of the most common findings in CCC assessments, because manually tracking patches across dozens of servers and applications is operationally impractical for most vendors. MassiveGRID's patch management service automates the entire lifecycle from vulnerability detection to deployment. Read our guide on SACS-002 patch management requirements →
- Automated vulnerability scanning across all managed systems
- CVSS-based patch prioritization: critical patches within 14 days, routine within 30 days
- Scheduled deployment windows to minimize operational disruption
- Coverage across OS, firmware, middleware, and third-party applications
- Pre-deployment testing in staging environments with automated rollback capability
- Real-time compliance dashboard showing patch levels per system
- Exception tracking for patches that cannot be applied immediately (with compensating controls)
- Exportable patch compliance reports for auditor review
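The 14-day and 30-day windows above only become audit evidence once every finding is measured against its own deadline and rolled up per asset. The script below is an added example, not the MassiveGRID dashboard: it classifies each finding as on time, late, open, overdue or under a documented exception, and reports the percentage of assets with nothing overdue. The severity split (CVSS 9.0 and above gets the 14-day window) is an assumption, and the assets, finding labels and dates are constructed.

```python
"""Patch-deadline compliance report of the kind an assessor asks for
('which systems are within SLA, and which are not?'). Added example, not the
MassiveGRID dashboard; the 14-day / 30-day windows are the ones quoted above,
the severity split is an assumption, and all assets and findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"critical": 14, "routine": 30}


def severity(cvss):
    # Assumption: the CVSS v3 Critical band (9.0-10.0) gets the 14-day window; everything else is routine.
    return "critical" if cvss >= 9.0 else "routine"


@dataclass
class Finding:
    asset: str
    vuln_id: str                      # constructed label, not a real advisory identifier
    cvss: float
    detected: date
    patched: Optional[date] = None
    exception: Optional[str] = None   # documented compensating control, if any


def evaluate(findings, today):
    """Classify every finding against its SLA deadline as of `today`."""
    rows = []
    for f in findings:
        deadline = f.detected + timedelta(days=SLA_DAYS[severity(f.cvss)])
        if f.patched is not None:
            status = "patched_on_time" if f.patched <= deadline else "patched_late"
        elif f.exception:
            status = "exception"   # tracked separately; never silently counted as compliant
        elif today > deadline:
            status = "overdue"
        else:
            status = "open"
        rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "severity": severity(f.cvss),
                     "deadline": deadline, "status": status,
                     "days_over": (today - deadline).days if status == "overdue" else 0})
    return rows


def compliance(rows):
    """Percentage of assets with no overdue finding, plus the per-asset verdict."""
    per_asset = {}
    for r in rows:
        per_asset.setdefault(r["asset"], True)
        if r["status"] == "overdue":
            per_asset[r["asset"]] = False
    pct = 100.0 * sum(per_asset.values()) / len(per_asset) if per_asset else 100.0
    return round(pct, 1), per_asset


# Constructed sample data (assumption).
TODAY = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("srv-web-01", "VULN-001", 9.8, date(2024, 6, 1), patched=date(2024, 6, 10)),
    Finding("srv-web-01", "VULN-002", 7.5, date(2024, 5, 20)),
    Finding("srv-db-01", "VULN-003", 9.1, date(2024, 6, 20)),
    Finding("srv-db-01", "VULN-004", 9.0, date(2024, 6, 1), patched=date(2024, 6, 20)),
    Finding("srv-app-01", "VULN-005", 5.3, date(2024, 5, 1),
            exception="vendor fix pending; host reachable only through the WAF"),
]


def report(findings=SAMPLE_FINDINGS, today=TODAY):
    rows = evaluate(findings, today)
    pct, per_asset = compliance(rows)
    return {"rows": rows, "compliant_pct": pct, "per_asset": per_asset}


if __name__ == "__main__":
    out = report()
    for r in out["rows"]:
        late = f" (+{r['days_over']}d)" if r["days_over"] else ""
        print(f"{r['asset']:11s} {r['vuln_id']} {r['severity']:8s} due {r['deadline']} {r['status']}{late}")
    print(f"assets within SLA: {out['compliant_pct']}%")
```

Note that `patched_late` counts as compliant today but is still a finding an assessor will want explained, and that exceptions are listed rather than hidden: the page's own exception tracking item exists precisely so that a compensating control can be shown for each one.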
Backup & Disaster Recovery — Protecting, Replicating, Restoring
SACS-002 requires documented backup and disaster recovery procedures with defined RPO and RTO targets and annual DR testing. Many vendors have backups but cannot produce the documentation and test evidence that auditors require. MassiveGRID's Backup & DR component handles both the infrastructure and the documentation automatically. Read our guide on backup and disaster recovery for Aramco compliance →
- Automated daily backups with AES-256 encryption at rest and in transit
- Configurable RPO (down to 1 hour) and RTO (down to 15 minutes) targets
- Geo-redundant backup storage across multiple MassiveGRID datacenters
- Incremental and full backup schedules with configurable retention periods
- One-click restoration with integrity verification
- Annual DR testing with documented test plans and restoration verification reports
- Backup monitoring with alerts on failures or missed backup windows
- Documented DR procedures and runbooks provided as audit evidence
Identity & Access Lifecycle — Provisioning, Reviewing, Revoking
TPC-6 and TPC-18 together form a critical control pair: when an employee is terminated or changes roles, their access to all systems must be revoked within 24 hours, with formal off-boarding procedures and asset return. Most audit failures in this area happen because access revocation is a manual process spread across disconnected systems. MassiveGRID's IAM component centralizes this into a single automated workflow. Read our guide on identity and access management for Aramco CCC →
- Centralized identity dashboard spanning all package components (email, file hosting, RDP, VPN)
- Automated de-provisioning: terminate access across all systems from a single action
- Joiner/mover/leaver workflows with HR integration triggers
- Quarterly access review campaigns with manager approval workflows
- Privileged access management (PAM) with session recording for admin accounts
- Service account inventory and monitoring with password rotation
- Principle of least privilege enforcement with role-based access templates
- Complete audit trail: who was granted access, by whom, when, and what changed
Whether you need CCC or CCC+, the infrastructure controls are the same. This package satisfies the technical requirements for every vendor classification in the Aramco supply chain. Not sure which certificate you need? Read our CCC vs CCC+ guide →
General Requirement Vendors
Any company engaged in business with Saudi Aramco — trading companies, service providers, consultants. You need CCC certification and this package provides the full path: compliant infrastructure, ready-made governance policy templates, and a direct introduction to an authorized audit firm for remote assessment.
Outsourced Infrastructure Providers
Companies managing Aramco infrastructure, business processes, or maintenance operations. You handle Aramco systems and data, which means your own infrastructure must meet every technical control in SACS-002. This package ensures your internal systems are compliant while you manage Aramco's.
Network Connectivity Vendors
Suppliers with direct VPN or leased-line connectivity to Aramco networks. You require CCC+ certification with an on-site audit. This package's IPSec VPN component with certificate-based authentication and network segmentation specifically addresses the enhanced controls for your classification.
Critical Data Processors
Companies processing Aramco data including accounting, risk assessment, and sensitive operations. CCC+ is mandatory. This package's encrypted file hosting with data classification, role-based access controls, and 1-year audit log retention directly satisfies the enhanced data handling requirements for your classification.
Your Path to Certification — End to End
Most CCC providers stop at infrastructure. MassiveGRID covers the full certification journey: compliant infrastructure deployed in 48 hours, ready-made governance policy templates customized for your organization, and direct introductions to authorized audit firms. The result: faster certification at lower cost.
Compliant Infrastructure
All 10 components deployed and configured within 48 hours. Every technical TPC control is satisfied from day one — no manual configuration, no missing pieces.
- Email, file hosting, remote desktop, firewall, VPN
- 24/7 monitoring, patch management, backup & DR
- Security awareness training, IAM lifecycle
- Audit evidence generated automatically
Governance Policy Templates
SACS-002 requires company-specific policies that auditors will review. Writing these from scratch takes weeks and requires compliance expertise. We provide ready-made templates aligned to every governance control — just customize with your company details.
- Acceptable Use Policy (TPC-1) — employee technology use rules
- Incident Response Plan (TPC-23) — 24-hour Aramco notification workflow
- Data Classification Policy (TPC-9) — Aramco data handling and disclosure rules
- Risk Assessment Template — cybersecurity risk register
- Off-boarding Checklist (TPC-6/TPC-18) — access revocation procedure
- Media Sanitization Procedure (TPC-19) — data destruction protocol
Authorized Audit Firm Partners
The final step is engaging an Aramco-authorized audit firm to assess your compliance and issue the certificate. MassiveGRID has established partnerships with authorized audit firms, so we connect you directly — no searching, no cold outreach, no guesswork about which firms are qualified.
- Direct introductions to authorized CCC assessors
- Pre-audit readiness review with MassiveGRID's team
- Audit evidence package pre-compiled from your infrastructure
- Support during the assessment process for technical questions
- Faster turnaround — auditors familiar with MassiveGRID's platform
SACS-002 Compliance Resources
Explore our detailed guides on each SACS-002 control area. Each article maps specific TPC requirements to concrete infrastructure solutions and explains what auditors expect to see.
Why MassiveGRID for Aramco CCC Compliance
MassiveGRID has been providing secure, high-availability cloud infrastructure since 2002. Our platform is built for organizations that require enterprise-grade security and compliance from day one.
Our datacenters in New York, London, Frankfurt, and Singapore provide geographic flexibility for vendors operating across regions. Every deployment runs on Proxmox HA clusters with automatic VM failover, ensuring the uptime and availability that SACS-002 business continuity requirements demand. Our support team consists of real engineers — not chatbots — who understand compliance requirements and can provide the technical documentation your audit firm needs.
Get CCC-Certified, Not Just CCC-Ready
Book a compliance consultation with MassiveGRID's team. We'll review your Aramco vendor classification, deploy your compliant infrastructure within 48 hours, provide customized governance policy templates, and connect you with an authorized audit firm to complete your certification. Infrastructure, policies, and audit — one engagement, one provider.