NIST, CMMC, CCPA, SHIELD—you’ve likely heard the acronyms, but how much do you know about the laws behind them?
The cybersecurity regulation landscape can be confusing, and it’s not getting any simpler: thirty-one states enacted cybersecurity-related legislation in 2019 alone, and that’s not counting federal or industry standards. Even if you’re committed to getting your cybersecurity act in order, the number of cybersecurity acts out there can make it a complex business.
As effective dates approach and pass, it’s important to stay aware of standards and regulations that may impact your business, your partners, and your customers. And it doesn’t have to be complicated—let’s start with the basics around some of the key acronyms you might be hearing about:
NIST CSF – The National Institute of Science and Technology Cybersecurity Framework
- What you need to know: NIST’s Cybersecurity Framework isn’t a regulation, but rather a voluntary resource to help with cybersecurity. The NIST CSF helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
- Who does this apply to: Flexible enough to be adopted by all kinds of businesses.
- Effective Date: N/A
- Full details on NIST CSF here…
Cybersecurity Maturity Model Certification (CMMC)
- What you need to know: The CMMC is a new cybersecurity-related certification designed by the U.S. Department of Defense (DoD) to protect Controlled Unclassified Information (CUI). Released in January of 2020, it builds on the Defense Federal Acquisition Regulation Supplement (DFARS) and other cybersecurity standards to implement multiple levels of cybersecurity. While some details for implementation are still being ironed out, the CMMC will use a similar format as the DFARS mandate of 2018.
- Who does this apply to: All companies doing business with the DoD, including manufacturers, subcontractors, and vendors.
- Effective Date: June 2020
- Full details on CMMC here…
CCPA – The California Consumer Privacy Act
- What you need to know: The CCPA expands Californians’ right to privacy to include the ability to access, opt-out, and delete personal information collected by corporations, and can levy fines of as much as $7,500 per violation. To help create “privacy by default,” companies should adopt cybersecurity best practices and evaluate vendors with security in mind. Because California plays such a large role in the U.S. economy, this is part of getting your cybersecurity act in order even if you aren’t based in the state.
Who does this apply to: Any for-profit entity that does business in California, collects personal data about California residents, and meets one or more of the following thresholds:
- Gross revenues greater than or equal to $25 million
- Collects personal information from more than 50,000 California residents, households, or devices per year
- Generates over 50% of ARR by selling personal information about California residents
- Effective Date: January 1, 2020
- Full details on CCPA here…
NY SHIELD Act – The Stop Hacks and Improve Electronic Data Security Act
- What you need to know: Everyone loves a good backronym! The New York SHIELD Act requires companies to adopt specific security programs to reduce the risk of a data breach. Companies should review their cybersecurity program to see how it fits with the SHIELD ACT, appoint a Chief Information Security Officer (CISO), and provide cybersecurity training for all employees. Businesses must also conduct due diligence on all third-party vendors.
- Who does this apply to: All New York businesses and businesses in other states who access data of New York residents. Some small businesses have less stringent requirement under the NY SHIELD Act, but still must adopt “reasonable” safeguards.
- Effective Date: March 21, 2020
- Full details on SHIELD here…
Current and future regulations and compliance impact many businesses, and the first step towards preparation is simply understanding the requirements. From there, you can begin to assess your business’ cybersecurity posture to see where you check the boxes and where you have an opportunity to improve. Here’s to being a class cybersecurity act!
Your Friends @ Defendify