Alternate Text
SACS-210 Aramco CCC Compliance
06-07-2026
TechX

SACS-210: What’s New for Aramco CCC Compliance

The old SACS-002 standard has been replaced by SACS-210 (published Feb 2026). This updated Third-Party Cybersecurity Standard introduces a broader, stricter set of requirements for all Saudi Aramco vendors.

Key changes include a larger baseline control set, stronger alignment to international frameworks, and new technical focus areas (like OT security and ransomware resilience). Every third-party supplier that connects to Aramco’s network or handles Aramco data must now comply with the SACS-210 controls and obtain a Cybersecurity Compliance Certificate (CCC) under this new standard.

Moving from SACS-002 to SACS-210 can be complex. Our Aramco CCC Consultancy help organizations perform SACS-210 gap analyses, update policies, and prepare audit-ready evidence. This proactive support keeps your compliance project on track and minimizes delays in obtaining the new CCC.

Why SACS-210 Matters

SACS-210 applies globally to any vendor with Aramco exposure. Aramco has opened a 6-month transition window ending 26 August 2026. Existing SACS-002 certificates remain valid until their normal expiry, but any new contract or renewal after August 2026 requires the updated SACS-210–based CCC. In practice, this means vendors must actively transition: if you don’t meet the new standard by renewal time, you risk losing your Aramco certification.

Key Changes in SACS-210

SACS-210 is essentially a restructuring and strengthening of the previous framework. At its core are 33 mandatory controls (TPC1.1–TPC1.33) that apply to all Aramco third parties. These controls cover governance, access management, data protection, and incident response. Compared to SACS-002, SACS-210 places much stronger emphasis on modern security best practices. Highlights include:

  • Expanded Control Set: All vendors must implement 33 general controls. By contrast, SACS-002 had a smaller baseline. The new controls are aligned to the NIST Cybersecurity Framework, NIST 800 guidelines, and Saudi Arabia’s NCA Essential Cybersecurity Controls. If your organization already follows ISO 27001 or NCA ECC 2:2024, you’ll find these SACS-210 controls closely overlap your existing controls.
  • Governance & Policy: More rigorous requirements for policies and documentation. You must maintain up-to-date cybersecurity policies, asset inventories, risk assessments, and compliance registers. For example, SACS-210 explicitly requires an IT asset inventory (TPC1.8) to track all hardware, software, and data repositories.
  • Identity & Access: Tighter identity controls. Multi-Factor Authentication (MFA) is now mandatory for all Aramco-related remote access and privileged accounts. This includes VPN/Internet access, cloud services, email logins, and any user accounts with special privileges. Additionally, role-based access and periodic access reviews are enforced more strictly.
  • Endpoint Security: Vendors must deploy modern endpoint protection. Full-disk encryption (AES-256 or higher) and next-generation antivirus/EDR solutions are required on all endpoints and servers. Patch management must be regular and documented.
  • Network & Email Security: Network controls have explicit specifications. Firewalls, intrusion detection/prevention, and network segmentation are mandated, with detailed configuration guidelines. Email security is also tightened: Aramco forbids generic email domains (no Gmail/Hotmail). Instead, suppliers must use their business email with proper SPF/DKIM/DMARC authentication.
  • Data Protection & Backups: There are new data resilience rules. Sensitive data at rest and in transit must use Saudi National Cryptographic Standards (NCS-1:2020) encryption. Regular offline, air-gapped backups are required to protect against ransomware. Additionally, when disposing of storage media, vendors must follow NIST SP 800-88 media sanitization procedures (ensuring secure data wiping).
  • Logging & Monitoring: Continuous monitoring is emphasized. Organizations must enable and protect audit logging (see SACS-210 Appendix C for specifics). Log integrity and long-term storage are expected.
  • Incident Response: Faster reporting. Any cybersecurity incident must be reported to Aramco within 24 hours of discovery. After the initial report, interim status updates are required every 24 hours until the incident is closed.
  • Operational Technology (OT): SACS-210 explicitly includes an OT section. If your services involve industrial control systems or OT environments, you must implement OT-specific controls (e.g. safety interlocks, network isolation, OT asset management) in addition to the general controls.
  • Cloud & Critical Data: Vendors offering cloud services or handling Aramco-designated critical data must meet additional addendum controls. SACS-210 has sections for Cloud Computing and Critical Data Processors which impose stricter technical requirements. (All third parties should review these addenda to see if they apply.)

In summary, SACS-210 restructures Aramco’s control framework with stronger NIST/NCA alignment and higher technical expectations. You can think of it as an upgrade from a checklist to a fully harmonized security program.

SACS-002 vs SACS-210 at a Glance

Area

SACS-002

SACS-210

Framework

Previous supplier standard

Updated cybersecurity standard

Security Controls

Existing baseline controls

Expanded and more structured baseline

Identity Security

Standard authentication

Stronger MFA and identity controls

Monitoring

Basic monitoring expectations

Greater focus on continuous monitoring

Operational Technology

Limited focus

Dedicated OT security requirements

Audit Readiness

Documentation focused

Documentation plus stronger technical evidence

Long-Term Approach

Compliance driven

Continuous cybersecurity maturity

 

Transition Timeline & Next Steps

To comply with SACS-210, follow these steps:

1. Assess Your Classification

Determine your Aramco Classification (General, Network Connectivity, Cloud, Critical Data, OT, etc.). This tells you whether you need a standard CCC (remote audit) or a CCC+ (on-site audit). If both CCC and CCC+ could apply, Aramco requires the CCC+ path.

2. Gap Analysis

Compare your current security controls and documentation against the 33 SACS-210 controls. Identify missing policies, outdated processes, or technical gaps (MFA, encryption, backups, monitoring, etc.).

3. Update Documentation

Revise your cybersecurity policy, incident response plan, network diagrams, and other documentation to cover SACS-210 requirements. Ensure approval signatures and dates are current.

4. Implement Controls

Deploy any needed technical changes. For example, enforce MFA on all endpoints, configure email authentication, enable full encryption, implement automated backup routines, and tighten network defenses per the new specifications.

5. Gather Evidence

Collect proof for auditors. This includes screenshots of configurations (with timestamps), system logs, vulnerability scan reports, asset registers, and any other records showing compliance. All evidence should be recent and clearly attributed to your organization.

6. Perform Audit

Engage an Aramco Authorized Audit Firm to conduct your CCC or CCC+ assessment under SACS-210. Submit the completed Third-Party Classification Template and Confirmation Letter before the audit, as these define your scope. The auditor will review your self-assessment report and evidence, then issue the CCC if you meet all controls.

7. Submit & Renew

After the audit, upload the issued Cybersecurity Compliance Certificate and audit report to Aramco’s e-Marketplace. Remember, the CCC is valid for two years, so track your renewal date and ensure SACS-210 compliance for any new contract classification or renewal request.

Starting early is crucial. The transition deadline (26 Aug 2026) may sound far off, but preparing policies, implementing new controls, and gathering evidence can take months. Vendors who act now will avoid last-minute bottlenecks and be ready well before the deadline.

Final Thoughts

SACS-210 is a real jump from SACS-002, and the deadline isn't as far off as it looks once you factor in gap analysis, documentation updates, and audit prep. Vendors who start now will have time to fix problems before they become renewal issues.

If you need help figuring out where your organization stands against the 33 controls, our CCC consultants can walk you through the assessment and get you audit-ready. Book a Consultation!

Disclaimer: All logos, trademarks, and brand names used in this document are the property of their respective owners. Their use here is for identification purposes only and does not imply endorsement.


TechX
Share:
Lets Talk