Understanding Today’s Data Regulations (Part 2)

Shimrit Tzur-David | November 8, 2018

In our first post on data regulations, we laid out the facts on some of the most important organizations influencing the world of IT’s industry standards.

To help explain why these groups matter, and how they affect digital authentication, we put together the who, what, and where of each regulation.

In this second post in the series, we’re tackling three more regulatory bodies central to anyone interested in data security and management today.

US National Institute of Standards and Technology (NIST)

Who are they?

The US National Institute of Standards and Technology (NIST) is one of the oldest and most prestigious organizations dealing with standards on digital data. Founded in 1901, NIST is a chain of physical laboratories charged with researching best practices across a wide variety of technical and applied sciences. Today NIST is best known for its publications on information technology. Although they often influence United States regulations at different levels, from local to federal, NIST guidelines themselves are non-regulatory and do not have the force of law. Still, NIST guidelines almost always become policy for federal agencies and other affiliated bodies, and they are used as a framework in both the health and financial industries. Additionally, because of the weight NIST carries as an authority, compliance with its recommendations is considered the industry standard throughout the world of IT.

Which Industries does NIST cover?

NIST guidelines are, by and large, not industry-specific; rather, they address the general application of different information technologies. Thus NIST recommendations are relevant to any organization using modern data tools and systems, which means practically every enterprise today. Recently, NIST has begun to put a stronger emphasis on best practices in the realm of digital identity management, as well as on assessing the platforms used in identity security.

What is the Goal of NIST Regulations?

The mandate of NIST is to provide the US government, as well as the general public, with knowledge that will “enhance economic security” through new insights into the use of technology. To this end, NIST scientists produce regular publications assessing the digital security landscape. What is important to note about these publications is that new reports almost always update and modify older guidelines as threat trends and the relevant technologies evolve.

See our full guide to navigating the NIST identity and access management guidelines

Payment Card Industry Data Security Standard (PCI DSS)

Who are they?

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of regulations published by the Payment Card Industry Security Standards Council. The Council, which was formed by some of the biggest names in the credit card industry, including Mastercard and American Express, periodically updates its standards based on changes in the industry and emerging technologies. Since the PCI was established in 2004, the standards have been revised no less than seven times. An assessment of an organization’s compliance with the standards is conducted once a year, either by a Qualified Security Assessor (QSA) or by the company’s own Internal Security Assessor (ISA).

Which Industries does PCI DSS cover?

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all entities that store, process or transmit cardholder data (CHD) or other sensitive authentication data (SAD) relating to an account.

What is the Goal of the Regulations?

The PCI’s standards were created to increase controls around cardholder data to reduce credit card fraud. To this end PCI established several “control objectives” for data handlers to abide by.

The objectives are geared toward improving vulnerability management, achieving stronger monitoring and testing of networks, and securing access and authentication.

See our guide to navigating PCI DSS authentication regulations

Defense Federal Acquisition Regulations Supplement (DFARS)

Who are they?

The United States federal government maintains a long list of protocols for how it goes about buying equipment and supplies for its various agencies and projects. These rules are laid out in the Federal Acquisition Regulations (FAR). The Defense Federal Acquisition Regulations Supplement, or DFARS, is the subset of FAR that deals with procurement for the Department of Defense (DoD). Included in DFARS are several sections delineating the obligations of DoD contractors with regard to safeguarding digital information. Since the initial rules on data security were released some five years ago, DoD has regularly updated and modified the requirements on storing, transmitting, and otherwise processing “controlled information”, i.e. sensitive information with military applications.

Which Industries does DFARS cover?

DFARS applies to any enterprise interested in contracting with the Defense Department. This applies whether the company is selling products to DoD or providing a service.

What is the Goal of the Regulations?

First and foremost, the goal of DFARS is to protect government data in the hands of contractors. Defense companies often have access to some of the most sensitive information, dealing with everything from cutting-edge weapons platforms, to new information and computing systems. This fact has made defense contractors prime targets for cyber criminals. Thus DoD demands higher security standards for any firm seeking to do business with them.

The second factor driving the regulations is threat awareness. The US government wants to stay informed about the actors seeking to exploit federal data. A large part of the DFARS cyber rules deals with disclosure of data breaches, which includes reporting the type of incident as well as which malicious programs or tactics were used in an attack.