Your Guide to Cybersecurity Compliance, from Federal Policy to Industry Standards

Let’s be real, cybersecurity compliance is massively complicated and really important when something goes wrong. Complying with cybersecurity laws has only become more challenging in the past few years as the U.S. federal government and the European Union have both accelerated their efforts to modernize cybersecurity legislation and regulations.

This accelerated pace of influence and involvement of governments worldwide is impacting all businesses that use software to operate (which is to say, all businesses). Not only because the government is being more prescriptive with the requirements that have to be met in order to operate a business but also because of the financial penalties involved with non-compliance.

This guide will help you understand how cybersecurity laws and regulations impact your businesses and how to think about cybersecurity compliance so you don’t run afoul of non-compliance fines.

What is cybersecurity compliance?

Cybersecurity compliance is the practice of conforming to established standards, regulations, and laws to protect digital information and systems from cybersecurity threats. By implementing specific policies, procedures, and controls, organizations meet the requirements set by various governing bodies. This enables these organizations to demonstrate their commitment to cybersecurity best practices and legal mandates.

Consider the construction of a house. Just as architects and builders follow blueprints and building codes to ensure the house is safe, sturdy, and functional, cybersecurity compliance serves as the “blueprint” for organizations in the digital world. These guidelines and standards ensure that the organization’s digital “structure” is secure, resilient, and trustworthy. By adhering to these blueprints, organizations not only protect their assets but also create a foundation of trust with their stakeholders, much like a well-built house stands strong and provides shelter for its inhabitants.

Why is cybersecurity compliance important?

At its core, the importance of cybersecurity compliance can be distilled into one critical aspect: the financial well-being of an organization. Typically when we list the benefits of cybersecurity compliance, we are forced to use imprecise ideas like “enhanced trust” or “reputational safeguarding,” but the common thread connecting all these benefits is the tangible and direct impact on an organization’s bottom line. In this case, it is easier to understand the benefits of cybersecurity compliance by instead looking at the consequences of non-compliance.

1. Direct financial penalties: Regulatory bodies can impose substantial fines on organizations that neglect cybersecurity standards. According to the IBM Cost of a Data Breach Report 2023, the average company can expect to pay approximately $40,000 USD in fines due to a data breach. The emphasis of this figure is that it is the average. A black swan event can lead to a significantly different outcome. A prime example of this is the TJX Companies data breach in 2006. TJX faced a staggering fine of $40.9 million after the exposure of credit card information of more than 45 million customers for non-compliance with PCI DSS standards.
2. Operational disruptions: Incidents like ransomware attacks can halt operations, leading to significant revenue loss.
3. Loss of customer trust: A single data breach can result in a mass exodus of clientele, leading to decreased revenue.
4. Reputational damage: The long-term financial effects of a tarnished reputation can be devastating, from stock price drops to reduced market share.
5. Legal fees: Lawsuits from affected parties can result in additional financial burdens.
6. Recovery costs: Addressing a cyber incident, from forensic investigations to public relations efforts, can be expensive.
7. Missed opportunities: Non-compliance can lead to lost contracts and business opportunities, especially with entities that mandate cybersecurity standards.

An overview of cybersecurity laws and legislation

This section will give a high-level overview of cybersecurity laws, standards and the governing bodies that exert their influence on these laws and standards.

Government agencies that influence cybersecurity regulations

Navigating the complex terrain of cybersecurity regulations in the United States is akin to understanding a vast network of interlinked agencies, each with its own charter to protect various facets of the nation’s digital and physical infrastructure. This ecosystem is a tapestry woven with the threads of policy, enforcement, and standardization, where agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DoD) play pivotal roles in crafting the guidelines and directives that shape the nation’s defense against cyber threats.

The White House and legislative bodies contribute to this web by issuing executive orders and laws that direct the course of cybersecurity policy, while international standards bodies such as the International Organization for Standardization (ISO) offer a global perspective on best practices. Together, these entities form a collaborative framework that influences the development, enforcement, and evolution of cybersecurity laws and standards, ensuring a unified approach to protecting the integrity, confidentiality, and availability of information systems and data.

1. Cybersecurity and Infrastructure Security Agency (CISA)
   • Branch of Department of Homeland Security (DHS) that oversees cybersecurity for critical infrastructure for the US federal government
   • Houses critical cybersecurity services, such as, National Cybersecurity and Communications Integration Center (NCCIC), United States Computer Emergency Readiness Team (US-CERT), National Coordinating Center for Communications (NCC) and NCCIC Operations & Integration (NO&I)
   • Issues Binding Operational Directives, such as, BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities which require federal agencies to take action
2. National Institute of Standards and Technology (NIST)
   • Plays a key role in the implementation of the federal cybersecurity mandate established by the Federal Information Security Management Act (FISMA).
   • Develops the Cybersecurity Framework
   • Publishes the Special Publication (SP) series, notably,
     • SP 800-37, the Risk Management Framework (RMF)
     • SP 800-53, the Control Catalog
     • SP 800-218, the Secure Software Development Framework (SSDF)
     • SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
3. Department of Defense (DoD)
   • Enforces the Defense Federal Acquisition Regulation Supplement (DFARS) which mandates NIST SP 800-171 compliance for defense contractors
   • Introduced the Cybersecurity Maturity Model Certification (CMMC) for defense industrial base (DIB) which builds a certification around the security controls in NIST SP 800-171
   • Releases memorandums that amend other cybersecurity laws and standards specific to the DIB, such as, the Continuous Authorization To Operate (cATO) memo
4. The White House
   • Issues executive orders (EOs) that direct federal agencies to take specific actions related to cybersecurity (e.g., May 2021, President Biden issued “Executive Order on Improving the Nation’s Cybersecurity”)
   • Launches policy initiatives that prioritize cybersecurity, leading to the development of new regulations or the enhancement of existing ones
   • Release strategy documents to align agencies around a national vision for cybersecurity (e.g., National Cybersecurity Strategy)
5. International Organization for Standardization (ISO)
   • Develops and publishes international standards, including those related to information security
   • Roughly equivalent to NIST but for European countries
   • Influence extends beyond Europe in practice though not officially
6. European Union Agency for Cybersecurity (ENISA)
   • EU’s agency dedicated to achieving a high common level of cybersecurity across member states
   • Roughly equivalent to CISA but for European states
7. The Federal Bureau of Investigation (FBI)
   • Investigates cyber attacks, including those by nation-states, hacktivists, and criminals; investigations can set legal precedent
   • Leads National Cyber Investigative Joint Task Force (NCIJTF) to coordinate interagency investigation efforts
   • Collaborates with businesses, academic institutions, and other organizations to share threat intelligence and best practices through the InfraGard program
8. Federal Trade Commission (FTC)
   • Takes legal action against companies failing to protect consumer data
   • Publishes guidance for businesses on how to protect consumer data and ensure privacy
   • Recommends new legislation or changes to existing laws related to consumer data protection and cybersecurity
9. U.S. Secret Service
   • Investigates cyber crimes, specifically financial crimes; investigations can set legal precedent
   • Manages the Electronic Crimes Task Forces (ECTFs) focusing on cyber intrusions, bank fraud, and data breaches
10. National Security Agency (NSA)
    • Collects and analyzes signals intelligence (SIGINT) related to cyber threats
    • Established the Cybersecurity Directorate to unify foreign intelligence and cyber defense missions for national security systems and the defense industrial base (DIB)
    • Conducts extensive research in cybersecurity, cryptography, and related fields. Innovations and findings from this research often influence broader cybersecurity standards and practices
11. Department of Health and Human Services (HHS)
    • Enforces the Health Insurance Portability and Accountability Act (HIPAA) ensuring the protection of health information
    • Oversees the Office for Civil Rights (OCR) which enforces HIPAA’s Privacy and Security Rules
12. Food and Drug Administration (FDA)
    • Regulates the cybersecurity of medical devices, specifically Internet of Things (IoT) medical devices
    • Provides guidance to manufacturers on cybersecurity considerations for medical devices
13. Securities and Exchange Commission (SEC)
    • Requires public companies to disclose material cybersecurity risks and incidents
    • Enforces the Sarbanes-Oxley Act (SOX) implications for cybersecurity, ensuring the integrity of financial data
14. Federal Trade Commision (FTC)
    • The FTC is the chief federal agency on consumer security and privacy policy and enforcement
    • Responsible for enforcing Children’s Online Privacy Protection Act (COPPA)
    • Enforce laws governing consumers’ privacy rights and sensitive consumer information

U.S. cybersecurity laws and standards to know

Navigating the complex web of U.S. cybersecurity regulations can often feel like wading through an alphabet soup of acronyms. We have tried to highlight some of the most important and give context on how the laws, standards and regulations interact, overlap or build on each other.

1. NIST 800-53
   • Comprehensive collection of security controls that many other laws and standards refer to as the baseline
   • Other compliance standards will refer to a subset of NIST 800-53, it is unlikely all controls will need to be met in many environments
2. Federal Information Security Management Act (FISMA)
   • Law that requires federal agencies and their contractors to implement comprehensive cybersecurity measures
   • Many of the standards and recommendations of the NIST Special Publication series on cybersecurity are a response to the mandate of FISMA
3. Federal Risk and Authorization Management Program (FedRAMP)
   • Standard for assessing security of cloud/SaaS products and services used by federal agencies
   • Certification is the manifestation of the FISMA law
4. Defense Federal Acquisition Regulation Supplement (DFARS)
   • Rules that require Department of Defense (DoD) contractors to protect controlled unclassified information (CUI)
   • Specific security controls are detailed in NIST SP 800-171
5. Cybersecurity Maturity Model Certification (CMMC)
   • Certification to prove that DoD contractors are in compliance with cybersecurity practices and processes required in DFARS
   • For many years DFARS was not enforced, CMMC is certification process to close this gap
6. SOC 2 (System and Organization Controls 2)
   • Compliance framework for auditing and reporting on controls related to the security, availability, confidentiality, and privacy of a system
   • Very popular certification for cloud/SaaS companies to maintain as a way to assure clients that their information is managed in a secure and compliant manner
7. Payment Card Industry Data Security Standard (PCI DSS)
   • Establishes security standards for organizations that handle credit cards
   • Must comply with this security standard in order to process or store payment data
8. Health Insurance Portability and Accountability Act (HIPAA)
   • Protects the privacy and security of health information for consumers
   • Must comply with this security standard in order to process or store electronic health records
9. NIST Cybersecurity Framework
   • Provides a policy framework to guide private sector organizations in the U.S. to assess and improve their ability to prevent, detect, and respond to cyber incidents
   • While voluntary, many organizations adopt this framework to enhance their cybersecurity posture
10. NIST Secure Software Development Framework
    • Standardized, industry-agnostic set of best practices that can be integrated into any software development process to mitigate the risk of vulnerabilities and improve the security of software products
    • More specific security controls than NIST 800-53 that still meet the controls outlined in the Control Catalog regarding secure software development practices
11. CCPA (California Consumer Privacy Act)
    • Statute to enhance privacy rights and consumer protection to prevent misuse of consumer data
    • While only application to business operating in California, it is considered the most likely candidate to be adopted by other states
12. Gramm-Leach-Bliley Act (GLBA)
    • Protects consumers’ personal financial information held by financial institutions
    • Financial institutions must explain their information-sharing practices and safeguard sensitive data
13. Sarbanes-Oxley Act (SOX)
    • Addresses corporate accounting scandals and mandates accurate financial reporting
    • Public companies must implement stringent measures to ensure the accuracy and integrity of financial data
14. Children’s Online Privacy Protection Act (COPPA)
    • Protects the online privacy of children under 13.
    • Websites and online services targeting children must obtain parental consent before collecting personally identifiable information (PII)

EU cybersecurity laws and standards to know

1. ISO/IEC 27001
   • An international standard that provides the criteria for establishing, implementing, maintaining, and continuously improving a system
   • Roughly equivalent to NIST 800-37, the Risk Management Framework
   • Also includes a compliance and certification component; when combined with ISO/IEC 27002 it is roughly equivalent to FedRAMP
2. EU 881/2019 (Cybersecurity Act)
   • The law that codifies the mandate for ENISA to assist EU member states in dealing with cybersecurity issues and promote cooperation
   • Creates an EU-wide cybersecurity certification framework for member states to aim for when creating their own local legislation
3. NIS2 (Revised Directive on Security of Network and Information Systems)
   • A law that requires a high level of security for network and information systems across various sectors in the EU
   • A more specific set of security requirements than the cybersecurity certification framework of the Cybersecurity Act
4. ISO/IEC 27002
   • An international standard that provides more specific controls and best practices that assist in meeting the more general requirements outlined in ISO/IEC 27001
   • Roughly equivalent to NIST 800-53, the Control Catalog
5. General Data Protection Regulation (GDPR)
   • A comprehensive data protection and privacy law
   • Non-compliance can result in significant fines, up to 4% of an organization’s annual global turnover or €20 million (whichever is greater)

How to streamline cybersecurity compliance in your organization

Ensuring cybersecurity compliance is a multifaceted challenge that requires a strategic approach tailored to an organization’s unique operational landscape. The first step is to identify the specific laws and regulations applicable to your organization, which can vary based on geography, industry, and business model. Whether it’s adhering to financial regulations like GLBA and SOX, healthcare standards such as HIPAA, or public sector requirements like FedRAMP and CMMC, understanding your compliance obligations is crucial.

While this guide can’t give prescriptive steps for any organization to meet their individual needs, we have put together a high-level set of steps to consider when developing a cybersecurity compliance program.

1. Determine which laws and regulations apply to your organization

Geography

• US-only; if your business only operates in the United States then you only need to be focused on compliance with US laws
• EU-only; if your business only operates in the European Union then you only need to be focused on compliance with EU laws
• Global; if your business operates in both jurisdictions then you’ll need to consider compliance with both EU and US laws, as well as any other jurisdictions you operate in.

Industry

• Financial Services; financial services firms have to comply with the GLBA and SOX laws but if they don’t process credit card payments they might not need to be concerned with PCI-DSS
• E-commerce; any organization that processes payments, especially via credit card will need to adhere to PCI-DSS and attaining a SOC2 audit is often common.
• Healthcare; any organization that processes or stores data that is defined as protected health information (PHI) will need to comply with HIPAA requirements
• Federal; any organization that wants to do business with a federal agency will need to be FedRAMP compliant
• Defense; any defense contractor that wants to do business with the DoD will need to maintain CMMC compliance
• B2B; there isn’t a law that mandates cybersecurity compliance for B2B relationships but many companies will only do business with other companies that maintain SOC2 compliance

Business model

• Data storage; if your organization stores data but does not process or transmit the data then your requirements will differ. For example, if you offer a cloud-based data storage service and a customer uses your service to store PHI, they are required to be HIPAA-compliant but you are considered a Business Associate and do not need to comply with HIPAA specifically. You should consult with your legal team to determine which data processing laws apply to your business.
• Data processing; if your organization processes data but does not store the data then your requirements will differ. For example, if you process credit card transactions but don’t store the credit card information you will probably need to comply with PCI-DSS but possibly not GLBA and SOX
• Data transmission; if your organization transmits data but does not process or store the data then your requirements will differ. For example, if you run an internet service provider (ISP) credit card transactions and PHI could traverse your network, HIPAA or PCI-DSS compliance is not your responsibility.

2. Conduct a gap analysis

Current State Assessment: Evaluate the current cybersecurity posture and practices against the required standards and regulations.

Identify Gaps: Highlight areas where the organization does not meet required standards.

These steps can either be done manually or automatically. Anchore Enterprise offers organizations an automated, policy-based approach to scanning their entire application ecosystem and identifying which software is non-compliant with a specific framework.

If you’re interested to learn more check out our webinar titled, “Policy-Based Compliance for Containers: CIS, NIST, and More”

3. Prioritize compliance needs

Risk-based Approach: Prioritize gaps based on risk. Address high-risk areas first.

Business Impact: Consider the potential business impact of non-compliance, such as fines, reputational damage, or business disruption.

4. Develop a compliance roadmap

Short-term Goals: Address immediate compliance requirements and any quick wins.

Long-term Goals: Plan for ongoing compliance needs, continuous monitoring, and future regulatory changes.

5. Implement controls and solutions

Technical Controls: Deploy cybersecurity solutions that align with compliance requirements, such as encryption, firewalls, intrusion detection systems, etc.

Procedural Controls: Establish and document processes and procedures that support compliance, such as incident response plans or data handling procedures.

Another important security solution, specifically targeting software supply chain security, is a vulnerability scanner. Anchore Enterprise is a modern, SBOM-based software composition analysis platform that combines software vulnerability scanning with a monitoring solution and a policy-based component to automate the management of software vulnerabilities and regulation compliance.

If you’re interested to learn more, we have detailed our strategy in a blog, titled “A Policy Based Approach to Container Security & Compliance” and spelled out the benefits in a separate blog post called, “The Power of Policy-as-Code for the Public Sector”.

6. Monitor and audit

Continuous Monitoring: Use tools and solutions to continuously monitor the IT environment for compliance. Auditing an IT environment once a year is no longer considered a best practice.

Regular Audits: Conduct internal and external audits to ensure compliance and identify areas for improvement.

Being able to find vulnerabilities with a scanner at a point in time or evaluate a system against specific compliance policies is a great first step for a security program. Being able to do each of these things continuously in an automated fashion and be able to know the exact state of your system at any point in time is even better. Anchore Enterprise is capable of integrating security and compliance features into a continuously updated dashboard enabling minute-by-minute insight into the security and compliance of a software system.

7. Document everything

Maintain comprehensive documentation of all compliance-related activities, decisions, and justifications. This is crucial for demonstrating compliance during audits.

8. Engage with stakeholders

Regularly communicate with internal stakeholders (e.g., executive team, IT, legal) and external ones (e.g., regulators, auditors) to ensure alignment and address concerns.

9. Review and adapt

Stay Updated: Regulatory landscapes and cybersecurity threats evolve. Stay updated on changes to ensure continued compliance.

Feedback Loop: Use insights from audits, incidents, and feedback to refine the compliance strategy.

How Anchore can help

Anchore is a leading software supply chain security company that has built a modern, SBOM-powered software composition analysis (SCA) platform that helps organizations meet and exceed the security standards in the above guide.

As we have learned working with Fortune 100 enterprises and federal agencies, including the Department of Defense, an organization’s supply chain security can only be as good as the depth of the data on their supply chain and the automation of processing the raw data into actionable insights. Anchore Enterprise provides an end-to-end software supply chain security system with total visibility, deep inspection, automated enforcement, expedited remediation, and trusted reporting to deliver actionable insights to make a software system compliant.

If you’d like to learn more about the Anchore Enterprise platform or speak with a member of our team, feel free to book a time to speak with one of our specialists.