Security Frameworks
Many industries in the United States must adhere to specific state or federal regulations, or to industry requirements. Governing agencies may impose fines or fees, withhold reimbursements, or potentially even pursue criminal prosecution, depending on the severity of the violations. Compliance requirements cover a broad range of topics, but today I want to focus on security frameworks and their role in compliance programs.
If you work in healthcare or manufacturing, you may already be familiar with HIPAA or CMMC respectively. You may even already be aware of frameworks such as NIST or ISO 27001, or perhaps you’ve heard that companies must adhere to these frameworks to maintain compliance. When we dive into these subjects, those claims are not quite so straightforward, but it doesn’t hurt to think there’s overlap, because there is!
Let’s sort this out by identifying the general purpose of each term and which organization manages it.
HIPAA – A law, signed into effect in 1996, with one large focus being the protection of patients’ healthcare information.
CMMC – A DoD security framework. It’s not a law, but it is enforced by a government agency for any organization that wants to manufacture anything for the DoD.
ISO 27001 – An international security framework.
NIST SP 800-171 Rev. 2 – A security framework that provides objectives to meet CMMC requirements.
NIST SP 800-66r2 – A security framework that provides objectives to meet HIPAA requirements.
Now that we have identified what these terms mean, let’s think about the practical application of these concepts by asking ourselves a question: do we need frameworks to be compliant with the requirements for HIPAA and CMMC?
The answer could be no, but that may not be the best approach to compliance in general. Here’s what your organization should emphasize: good faith effort. If you know about these frameworks, a good faith effort is to assess your own standing against them, identify and prioritize outstanding controls, and remediate gaps according to the documented priorities. Documentation is vital for organizations to map how they intend to address gaps along the way, and it also serves as evidence of good faith efforts to address requirements. There are good practices for documentation, but we’ll go into the details of a good compliance program in another blog.
I hope this helps, but if you have any questions, let us know through our site contact form or email us at info@keepcompliance.com!