One of the most critical elements of cybersecurity for all enterprise companies is regulatory compliance. Depending on the kind of business your company engages in, it may need to implement controls from various regulatory frameworks, each overseen by a governmental or industry-defining organization. Requirements for compliance reporting may also vary depending on the framework that applies and the size and nature of your company.
Types of Regulatory Compliance Reports
Achieving compliance is about more than just implementing controls; you also need to assess and report on them, often with third-party help. This blog will break down everything you need to know about compliance reporting for three of the most widely applicable regulatory frameworks:
- HHS’s HIPAA and HITECH, which apply to nearly all medical-related businesses
- DFARS, NIST, and CMMC frameworks, which all apply to aspiring military contractors
- PCI controls, like the DSS, which apply to all companies processing card payments
Then, we’ll also provide a quick overview of how employing robust compliance advisory and patch reporting services can facilitate compliance for any company.
Healthcare Businesses: HIPAA/HITECH Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law whose regulations apply to covered entities within and adjacent to the healthcare industry. Covered entities include healthcare providers, health plan administrators, healthcare clearinghouses, and select business associates thereof.
The Department of Health and Human Services (HHS) oversees HIPAA compliance and enforcement. Unlike certain other regulatory frameworks detailed below, there is no official, standardized compliance reporting process for HIPAA outside of HHS audits.
Instead, the Privacy and Security Rules’ built-in parameters require regular self-monitoring and reporting on any identified flaws in compliance architecture. Nonetheless, documentation of compliance measures simplifies audits and provides assurance to clients and business partners.
Implementing HIPAA Framework Requirements
The HIPAA framework also specifies the reporting requirements for non-compliance. Overall, the framework comprises three primary rules companies need to follow:
- Privacy Rule – Covered entities must limit disclosures of protected health information (PHI) to permitted instances, while also providing access to the PHI’s subject.
- Security Rule – Covered entities must also ensure the confidentiality, integrity, and availability of PHI through a set of administrative, physical, and technical safeguards.
- Breach Notification Rule – If the privacy or security of PHI is compromised, covered entities must notify the affected individuals and HHS, and, for breaches affecting 500 or more individuals, prominent local media outlets.
There is also a fourth rule, the Enforcement Rule, which details consequences for failure to follow the other three. These can range from civil money penalties in the tens of thousands to criminal penalties and imprisonment if the Department of Justice identifies criminal behavior.
Military Contractors: DFARS, NIST, and CMMC
Next up is a suite of compliance regulations that apply to companies who want to work with the US Department of Defense (DoD). The primary requirements for the DoD and all of its many contractors are laid out in the Defense Federal Acquisition Regulation Supplement (DFARS).
These DFARS requirements are then fleshed out into controls across two frameworks: the National Institute of Standards and Technology (NIST) Special Publication 800-171 and the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a newer framework, still being rolled out, and it is presided over by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
Compliance reporting for NIST SP 800-171 is done by self-assessment, whereas the CMMC requires verification through a Certified Third-Party Assessor Organization (C3PAO).
Understanding the NIST SP 800-171 Framework
At the core of the NIST SP 800-171 are 110 Requirements, distributed as “Basic” or “Derived” across 14 distinct “Requirement Families.” Altogether, the Requirements break down as follows:
- Access Control – two Basic and 19 Derived Requirements
- Awareness and Training – two Basic and one Derived Requirement
- Audit and Accountability – two Basic and seven Derived Requirements
- Configuration Management – two Basic and seven Derived Requirements
- Identification and Authentication – two Basic and nine Derived Requirements
- Incident Response – two Basic and one Derived Requirement
- Maintenance – two Basic and four Derived Requirements
- Media Protection – three Basic and six Derived Requirements
- Personnel Security – two Basic Requirements
- Physical Protection – two Basic and four Derived Requirements
- Risk Assessment – one Basic and two Derived Requirements
- Security Assessment – four Basic Requirements
- System and Communications Protection – two Basic and 14 Derived Requirements
- System and Information Integrity – three Basic and four Derived Requirements
Together, these controls define the baseline protection a contractor must provide for Controlled Unclassified Information (CUI).
Upgrading to the OUSD(A&S) CMMC Framework
The CMMC is a much broader framework than SP 800-171; it encompasses SP 800-171 in its entirety, along with various controls from other frameworks. It also differs from SP 800-171 in that it allows for the gradual adoption of all 171 Practices across five distinct “Maturity Levels”:
- Level 1 – Focused on safeguarding Federal Contract Information (FCI)
- Level 2 – Focused on preparing for Level 3 (full protection of FCI/CUI)
- Level 3 – Focused on fully protecting CUI (including all of SP 800-171)
- Level 4 – Focused on preparing for Advanced Persistent Threats (APT)
- Level 5 – Focused on optimizing all controls for FCI, CUI, and APT
The core of the CMMC comprises 17 Security Domains. These include all 14 Requirement Families from NIST SP 800-171, bearing identical names, along with three new Domains:
- Asset Management – Comprising two Practices
- Recovery – Comprising four Practices
- Situational Awareness – Comprising three Practices
Level 5 certification is not yet required of most businesses—but it will be by 2026 at the latest.
Companies Processing Card Payments: PCI
Finally, the most widely applicable regulatory compliance frameworks related to credit card data are overseen by the Payment Card Industry Security Standards Council (PCI SSC). The SSC develops and enforces these standards and comprises critical stakeholders in the industry, including its Founding Members: Visa, Mastercard, American Express, JCB International, and Discover.
Compliance reporting for PCI depends on the specific framework you need to follow. The most widely used one is the Data Security Standard (DSS), which applies to nearly all companies that process, store, or transmit credit card data. Companies with lower transaction volumes report via a Self-Assessment Questionnaire (SAQ). Companies handling the highest transaction volumes must also file a third-party-verified Attestation of Compliance (AOC) or Report on Compliance (ROC).
Framework and regulatory compliance reporting documents are accessible via the SSC library.
Using the Data Security Standards Framework
At the core of PCI DSS compliance are six primary Goals and 12 Requirements. These are:
- Build and maintain secure networks:
  - Install and keep firewall configurations up to date.
  - Remove and replace default security configurations.
- Protect credit card and cardholder data:
  - Protect stored card and cardholder data.
  - Encrypt transmitted card and cardholder data.
- Maintain vulnerability management:
  - Install and keep antivirus software up to date.
  - Maintain security for all developed applications.
- Maintain identity and access management:
  - Restrict access to cardholder data by business need.
  - Authenticate user identities for access to cardholder data.
  - Restrict physical access to card and cardholder data.
- Monitor and assess all networks:
  - Track permitted access to card and cardholder data.
  - Assess network security and access on a regular basis.
- Maintain an information security policy:
  - Develop and keep a staff-wide security policy up to date.
There are similar requirements specified across other PCI SSC standards, but none are as widespread as the DSS. Most other PCI requirements are based upon the DSS foundation.
Benefits of Professional Compliance Advisory Services
Beyond the challenges of implementing any individual regulatory compliance framework, many companies find themselves juggling multiple frameworks at once. A comprehensive compliance advisory services suite simplifies individual framework implementation and maps overlapping controls across different frameworks. Another, lower-intensity approach is patch monitoring: analyzing which gaps your company needs to bridge to achieve or maintain compliance.
To see how powerful a suite of SIEM compliance reporting services can be, contact RSI Security today to get started!