Cybersecurity and compliance are often intertwined. IT/security teams working on 2021 plans should remember to consider any regulatory mandates that may affect their organization’s cybersecurity posture. To help busy IT/security professionals get started, we’ve compiled some of the most common cybersecurity regulatory requirements expected to impact enterprises in 2021, along with links to resources to learn more about the laws.
State Data Privacy Regulations
Data privacy rules differ from state to state, but cybersecurity will continue to be a priority in state legislatures in 2021. According to the National Conference of State Legislatures, “at least 38 states, Washington, D.C., and Puerto Rico introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity.” One of the most well-known state cybersecurity laws is the California Consumer Privacy Act (CCPA). The CCPA, which went into effect this year, mandates that “organizations maintain reasonable cybersecurity related to the sensitivity of the data that needs protecting.”
Related resources: article by Sarah Rippy (March 12, 2020); National Conference of State Legislatures (September 13, 2020).
Cybersecurity Maturity Model Certification (CMMC)
In the fall of 2020, the Department of Defense (DoD) rolled out its new Cybersecurity Maturity Model Certification (CMMC). The CMMC is a unified standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). Any company that works with the U.S. DoD will be required to meet CMMC requirements to bid on contracts. According to an article in CSO, “this includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers.”
Related resources: article by Abigail Stokes and Marcus Childress, Miller & Chevalier (April 8, 2020); Office of the Under Secretary of Defense for Acquisition & Sustainment.
General Data Protection Regulation (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR) is a regulatory framework for data protection and privacy. The GDPR is the strictest privacy and security law in the world and “requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory” (gdpr.eu). Any company that collects data on citizens in EU countries is required to comply with the GDPR. The regulation requires the implementation of seven principles of data protection and the facilitation of eight privacy rights. In addition, GDPR compliance requires oversight of third parties that process personal data on the organization’s behalf.
Related resources: Horizon 2020 Framework Programme of the European Union; American University of Beirut (August 4, 2020).
Internet of Things (IoT) Cybersecurity Improvement Act of 2020
IoT security vulnerabilities are well-known threats to networks. The IoT Cybersecurity Improvement Act of 2020, which was signed into law on December 4, 2020, is meant “to establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government, and for other purposes.” At present, the law applies only to devices owned or controlled by the federal government. The hope, however, is that by raising the cybersecurity bar for federally owned or controlled IoT devices, device manufacturers will adopt the same standards, limiting IoT vulnerabilities in consumer devices as well.
Related resources: article by Justin Katz (November 18, 2020); article by Daniel Pepper and Adam I. Cohen, Baker & Hostetler LLP (December 11, 2020).
Together, these compliance requirements represent just the tip of the iceberg when it comes to cybersecurity compliance. In addition to general cybersecurity regulations, there are many industry-specific regulations that organizations must comply with, including HIPAA for healthcare organizations, PCI Security Standards Council standards for financial institutions, and the Cybersecurity Assessment Tool (CAT) for credit unions.
Fortunately, free online resources such as some of those linked above are now widely available, and Cybersecurity-as-a-Service providers have grown in prominence and can help resource-constrained small and medium-size enterprises (SMEs). These outside resources are key to navigating the thorny compliance issues and cybersecurity challenges your business will face in the year ahead.