Every small business leadership team should be aware of the compliance requirements they need to fulfill in order to conduct their operations. For this reason, we have written this article, which gives an overview of the most important compliance requirements that may apply to your small business. Your company should take the time to learn about these important compliance standards and regulations to both improve and secure your operations and also be more accessible to new business opportunities.
Most Important Compliance Requirements
PCI DSS
One set of information security standards that virtually all businesses have to follow is the payment card industry data security standard (PCI DSS). The major branded credit cards mandate that any businesses that accept payment with their products follow these standards. These requirements seek to ensure that all companies that process, store, or transmit sensitive credit card information maintain it securely.
This security standard has 12 requirements that revolve around practicing good cyber hygiene including having updated firewalls and configured passwords and settings as well as the encryption of the transmission of cardholder data across public networks. It also requires strict limits on employees having access to workplace and cardholder data along with regular monitoring and testing of your network defenses.
GDPR
The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018 requiring businesses to provide significant privacy protections for consumers in the European Union.
Importantly, this impacts any US companies that collect any money from EU consumers or target them with marketing efforts. This regulation also applies to any US companies, which have a web presence accessible within the EU that collects personally identifiable data (PII) such as email addresses, phone numbers, and home addresses. Some industry sectors that are likely to fall under this regulation include tourism, software services, travel, hospitality, and e-commerce companies.
Some of the required steps companies must take to comply include ensuring customer content to obtain their personal data, protecting sensitive customer data, adding a designated data protection officer, and providing notification of data breaches within 72 hours of a successful cyberattack.
The forces behind this regulation purposely made the fines for non-compliant companies significant to emphasize the importance of following it. For example, depending upon factors such as the severity of any data breach and past data protection efforts, a company can be fined up to 20 million Euros or 4% of annual worldwide revenue.
HIPAA/HITECH
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to improve the nation’s health care system by mandating the standards-based implementation of security controls by all health care entities that create, store, or transmit personal health information (PHI). This act also applies to any companies that work with any of this sensitive information such as law firms, accountants, billing services, IT companies, and other professional service providers.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the American Recovery and Reinvestment Act of 2009. Its passage built upon the standards in HIPAA bringing additional compliance requirements to organizations involved with health care. HITECH mandates healthcare organizations and business associates to apply “meaningful use” of security technology to ensure the confidentiality, integrity, and availability of protected personal data in electronic, paper, or oral form. It also requires that companies notify their customers and clients about any data breach.
The detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS) and enforced through mandatory audits, which can result in penalties from $50K to $1.5 million per calendar year for non-compliance and even criminal prosecution in some cases.
NIST
The National Institute of Standards and Technology (NIST) is one of the nation’s oldest and most respected physical science laboratories and is a part of the U.S. Department of Commerce. One of their main functions is to develop and issue standards, guidelines, and other publications that will help to protect the sensitive information and information systems of federal agencies. IT security, compliance, and risk management professionals from all industries consider the guidance and resources NIST provides as a respected standard for best practices.
NIST has issued cybersecurity controls for companies to follow when working on government contracts. The NIST security mandate that is most relevant to small businesses is NIST Special Publication 800-171. This mandate was introduced in 2017, with important revisions in 2020, and details the security compliance requirements for any company that processes, stores, or transmits potentially sensitive information for the DoD, General Services Administration (GSA), and other federal and state agencies. For the first time via NIST 800-171, IT security compliance requirements apply to any companies working in the federal supply chain including prime contractors, subcontractors supporting prime contractors, and subcontractors working for other subcontractors.
NIST 800-171 focuses on providing guidance on the protection of Controlled Unclassified Information (CUI). CUI is any information that is created by the government, or by an entity on behalf of the government, which is unclassified but still needs to be protected.
Subcontractors are required to pass satisfactory IT security assessments and provide proof of this to the prime contractor on the government contract. The prime contractors are ultimately responsible for proving to their government customer that all contractors and subcontractors involved in their project are following NIST.
CMMC
In a comprehensive effort to improve the overall security and resiliency of companies working under U.S. military contracts, the Department of Defense (DoD) launched version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in January 2020. The CMMC was formulated using well-regarded security frameworks and standards from NIST, the Federal Acquisition Regulation (FAR), and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) version 1.2. Through its comprehensive design, the CMMC represents a unified cybersecurity standard that all current and potential companies working with the DoD will have to meet.
The CMMC is specifically targeted to safeguard the controlled unclassified information (CUI) and federal contract information (FCI) located on the unclassified networks of any companies or subcontractors working with the DoD.
One important mandate of CMMC is that all contractors and subcontractors on DoD projects will need to pass a thorough validation of CMMC requirements conducted by an official third-party assessment organization. DoD contracts with more complexity and vulnerabilities will require participating companies to possess a higher level of CMMC maturity, which can range from 1 to 5.
Consult with an IT Security and Compliance Expert
As you can see from this overview, there are a variety of important compliance requirements that may impact your organization. We recommend that your company work with an expert in IT security and compliance, such as Network Depot, in order to be prepared to meet any compliance requirements.
Importantly, if your small business is unable to demonstrate compliance with these important standards and regulations, then you will not be eligible to participate in the multitude of government and private contracts that require it. In short, by understanding the importance of these standards and taking the actions to achieve compliance, your company will be more secure and will also open the door to a huge amount of new business.
With the help of a trusted IT Support partner, your organization will be able to successfully navigate the compliance process and will be prepared to work effectively and securely on private and government contracts in the future.