DFARS – Defense Federal Acquisition Regulation Supplement
All contractors working for the DoD, including subcontractors, must comply with DFARS 252.204.7012. This clause is a direct response to data breaches and cybersecurity threats and will remain part of DoD contractor responsibility going forward. Each DoD contractor must meet the technical and procedural controls spelled out by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171.
GDPR – General Data Protection Regulation
For companies collecting data from EU citizens (whether or not they are based in the EU), GDPR means ramping up their company’s data collection systems, improving accountability, and in most cases, hiring or promoting a data control officer, whose primary responsibility is ensuring that the company’s proper data collection protocols are followed. Ignorance of the provisions of the regulation is not a valid excuse under GDPR, and companies face strict financial penalties for noncompliance.
FISMA – Federal Information Security Management Act
FISMA was introduced to reduce risks involving federal information and data while also managing federal spending on information security programs and procedures. The importance of FISMA is summarized as a means to protect sensitive information in a timely and cost-effective manner. To be FISMA compliant, companies must follow a FISMA certification process that begins with meeting the guidelines set in place by NIST. Adherence to these guidelines is crucial for FISMA compliance.
SOX – Sarbanes-Oxley Act
The Sarbanes-Oxley Act came into force in July 2002 and introduced major changes to the regulation of corporate governance and financial practice. It is named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, and it set a number of non-negotiable deadlines for compliance.
GLBA – Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
PCI – Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
SOC2 – Service Organization Control 2
SOC 2 reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems.