CMMC – CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. https://www.acq.osd.mil/cmmc/faq.html
FFIEC – The Federal Financial Institutions Examination Council (FFIEC) was established on March 10, 1979. The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions. https://www.ffiec.gov/about.htm
HIPAA/HITECH – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. https://www.cdc.gov/phlp/publications/topic/hipaa.html
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 widened the scope of privacy and security protections available under HIPAA, increased the penalties for non-compliance, and extended HIPAA obligations directly to business associates. HITECH also introduced the "meaningful use" of electronic health records (EHR-MU), an incentive program led by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC), which set the meaningful use of interoperable electronic health records throughout the United States health care delivery system as a critical national goal. https://www.cdc.gov/phlp/publications/topic/hipaa.html
ISO/IEC 27001 – ISO/IEC 27001 is the international standard for managing information security. It was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and revised in 2013. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations protect the information assets they hold. A European edition of the standard (EN ISO/IEC 27001:2017) was published in 2017. Organizations that meet the standard’s requirements can choose to be certified by an accredited certification body following successful completion of an audit; certification is against 27001 itself, not against the supporting 27002 guidance.
ISO/IEC 27002 – ISO/IEC 27002 is the companion standard to ISO/IEC 27001. It is a reference set of information security controls with implementation guidance for each control, intended to be used when selecting and implementing the controls an organization records in its ISMS Statement of Applicability. The control set in 27002 corresponds to Annex A of 27001. Unlike 27001, 27002 is guidance rather than a set of auditable requirements, so organizations are not certified against it.
NERC-CIP – The NERC Critical Infrastructure Protection (CIP) standards are a set of mandatory, enforceable reliability standards developed by the North American Electric Reliability Corporation (NERC) to protect the cyber and physical security of the Bulk Electric System of North America. They cover, among other areas, the identification and categorization of cyber systems, security management controls, personnel and training, electronic security perimeters, physical security of cyber systems, systems security management, incident reporting and response planning, and recovery plans. NERC’s Critical Infrastructure Protection Committee (CIPC), which consists of both NERC-appointed regional representatives and technical subject matter experts, coordinates NERC’s security initiatives and serves as an expert advisory panel to the NERC Board of Trustees, standing committees in the areas of physical security and cybersecurity, and the Electricity Information Sharing and Analysis Center (E-ISAC).
NIST 800-171 – NIST Special Publication 800-171 specifies the security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI), both physical and digital, when it is stored, processed or transmitted in nonfederal systems, such as those of companies in the Defense Industrial Base (DIB). Although NIST publishes it as guidance, it becomes binding on DIB contractors through Department of Defense contract clauses that require its implementation. It was originally published in 2015 by the National Institute of Standards and Technology (NIST) and is revised periodically.
NIST 800-53 – NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. Wikipedia
PCI-DSS – The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit payment card data maintain a secure environment. The first version of the standard was released in December 2004; the PCI Security Standards Council (PCI SSC), an independent body created by Visa, MasterCard, American Express, Discover, and JCB, was formed on September 7, 2006, to manage the PCI security standards and improve account security throughout the transaction process, and it administers and maintains the PCI DSS today. Interestingly, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.
SSAE 18 (SOC 1, SOC 2, and SOC 3) – SSAE 18 is the American Institute of Certified Public Accountants’ (AICPA) attestation standard used for reporting on controls at service organizations. It underpins the AICPA’s System and Organization Controls (SOC) reporting framework (formerly called Service Organization Control), which consists of SOC 1 reports (controls relevant to user entities’ financial reporting), SOC 2 reports (controls evaluated against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy) and SOC 3 reports (a general-use summary of a SOC 2 examination).