Cybersecurity attacks have become such a significant and ongoing threat that a variety of regulatory and oversight bodies have introduced cybersecurity requirements for their constituents. The HIPAA Security Rule, the PCI Data Security Standard and FFIEC requirements have long been established and should be well-known by now. Other regulatory requirements are in early stages of implementation and could have large impacts if they apply to your organization.
The Department of Defense (DoD) is working on implementing Cybersecurity Maturity Model Certification (CMMC) requirements into its acquisition rules. The National Association of Insurance Commissioners has defined a model law for cybersecurity requirements, and each state is in the process of implementing these requirements. The Federal Trade Commission has defined cybersecurity safeguards required for nonbanking financial institutions. Even large organizations with complex supply chains and distribution networks, like automotive manufacturers, are mandating their own cybersecurity programs.
Next steps
- Research your industry and look for specific cybersecurity requirements: The U.S. doesn’t have one overarching federally mandated cybersecurity law, so each industry is creating its own standards and requirements. You’ll need to do some research to understand what applies to you. It’s always a good idea to consult specialists if you’re unsure what applies to your organization.
- Review contracts to identify contractual obligations: Sometimes the contracts you have with your customers will specify which cybersecurity requirements apply to you. This is especially true of contracts with the DoD or prime contracts that flow down CMMC requirements. You’ll want to review contracts with your major customers to make sure you understand whether your customers have dictated cybersecurity requirements.
- Obtain top-down support: By gaining top-down support for cybersecurity, you can more effectively obtain budget and organizational commitment to a comprehensive security program. After all, significant portions of your revenue stream may be dependent on meeting these cybersecurity requirements.
- Conduct an assessment to identify gaps: These regulatory requirements for cybersecurity practices are high hurdles to clear. Almost no organization has everything in place right out of the blocks. You’ll want to conduct a gap assessment to identify what you’re missing and develop a remediation plan to ensure you comply with the requirements.
- Work with specialists to implement required safeguards: It’s not uncommon for an organization to need help meeting these cybersecurity requirements. There’s usually a lot of interpretation needed to take a general regulatory statement and apply it to your environment. Be sure to work with a specialist experienced in the given regulation to make sure you get it right and can defend the judgments you made in designing your controls and implementing safeguards.