An Overview of Major Compliance Requirements

Drew Bixby
Read Time: 4 minutes

In this blog post, we will explore some of the US government's compliance standards that many federal, state and local agencies must take into account when procuring technology and related services.

CJIS: Criminal Justice Information Services (CJIS) is the largest division of the FBI and comprises several departments, including the National Instant Criminal Background Check System (NICS), the National Crime Information Center (NCIC) and the Integrated Automated Fingerprint Identification System (IAFIS).

The mission of CJIS as stated on their website is:

“To equip our law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties.”

CJIS is responsible for monitoring and tracking criminal activity across the nation as well as in international communities, using statistics and analytics provided by many law enforcement agencies. The CJIS databases act as a repository of criminal justice information for agencies around the globe. With ongoing changes to compliance regulations, coupled with the growing reach of the internet and the increasing sophistication of cyber criminals and cyber threats, CJIS is gaining in importance. Organizations in the US, especially federal, state and local agencies and the companies they work with, need to comply with the security standards set by the CJIS Division. The CJIS Security Policy defines 13 primary policy areas. Not every organization will encounter all of them; which areas apply depends on the circumstances and the individual agency. The policy areas are listed below:

  • Policy Area 1—Information Exchange Agreements
  • Policy Area 2—Security Awareness Training
  • Policy Area 3—Incident Response
  • Policy Area 4—Auditing and Accountability
  • Policy Area 5—Access Control
  • Policy Area 6—Identification and Authentication
  • Policy Area 7—Configuration Management
  • Policy Area 8—Media Protection
  • Policy Area 9—Physical Protection
  • Policy Area 10—Systems and Communications Protection and Information Integrity
  • Policy Area 11—Formal Audits
  • Policy Area 12—Personnel Security
  • Policy Area 13—Mobile Devices

HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) sets standards that must be followed by organizations that handle protected health information (PHI). These organizations must ensure that all the required network, process and physical security measures are in place and followed. All covered entities (CEs) that provide treatment, operations or payment in healthcare, and the business associates (BAs) that assist these entities and access health record information, must comply with the HIPAA Privacy Rule. The HIPAA Security Rule sets out the national security standards that organizations must meet to protect health data that is created, received, maintained or transmitted electronically. If you are hosting your health-related data with a HIPAA-compliant hosting provider, you need to ensure that the following safeguards are in place:

  • Physical Safeguards: These safeguards include limiting access to the physical data center to authorized personnel only. All covered entities must be HIPAA compliant and must have policies that conform to HIPAA, including the standards to be followed when removing, transferring, reusing and disposing of electronic protected health information (ePHI).
  • Technical Policies: Technical policies cover the measures and integrity controls that ensure ePHI records are not destroyed or altered.
  • Technical Safeguards: These safeguards must allow only authorized personnel to access and handle sensitive ePHI. They can include user IDs, passwords and similar controls.
  • Network, Security or Transmission: This safeguard is among the most recent requirements that HIPAA-compliant service providers must meet; its purpose is to prevent unauthorized public access to ePHI.
  • Audits: Audit reports and tracking records must be maintained to keep track of the events occurring on hardware and software. This is particularly useful for pinpointing the cause or source of a violation.

FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that defines a standardized approach to the security assessment, authorization and continuous monitoring of cloud products and services. The objectives FedRAMP sets out for corporate and government organizations are:

  • Increase efficiencies and remove inconsistencies related to security
  • Mitigate redundant and duplicative efforts
  • Cut down the costs associated with the current security authorization process

There are a few ways to be associated with FedRAMP:

  • You can be a cloud service provider that holds a FedRAMP security authorization
  • You can be one of the federal agencies that use FedRAMP
  • You can alternatively become a Third-Party Assessment Organization (3PAO) accredited under the FedRAMP assessor program

FERPA: The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law gives parents various rights with respect to the privacy of their children's education records. These rights transfer to the student once they turn 18 or attend a school beyond the high school level. The privileges given to parents or eligible students include:

  • They have the right to request that the school or educational organization correct records they believe are misleading or inaccurate. If the school declines to change the information, the parents or eligible students have the right to a formal hearing.
  • Parents and students also have the right to inspect and review the student's education records that the school maintains. The school need not provide copies unless circumstances prevent the parents or students from reviewing the records in person. The school may charge for any copies issued.
  • In general, schools must have written consent from the parents or eligible students before releasing any information from a student's record.

FISMA: FISMA stands for the Federal Information Security Management Act. The Act defines a comprehensive framework aimed at protecting government operations, information and other assets from man-made or natural threats. FISMA relies on several agencies to safeguard federal government data. The Act makes program officials and the head of each agency responsible for conducting an annual review of their IT security programs to ensure that security risk is kept below a specified level. These authorities also ensure that security is maintained in a cost-effective, efficient and timely manner. The National Institute of Standards and Technology (NIST) has outlined nine basic steps to achieve compliance with FISMA. They are:

  • Choose the minimum baseline controls.
  • Carefully select and categorize the information to be protected.
  • Use a risk assessment process and refine it as needed.
  • Document the controls in the system security plan.
  • Choose the information systems that need security controls and implement them.
  • After implementing the security controls, assess their effectiveness.
  • Determine the agency-level risk to the business case or mission.
  • Authorize the information system for processing.
  • Continuously monitor the security controls.

ITAR: ITAR stands for the International Traffic in Arms Regulations, an export control law in the US. Together with the Export Administration Regulations (EAR), it is among the most important export control laws, with major implications for the manufacturing, distribution and sale of technology. The law seeks to limit foreign nationals' access to specific types of data and technology, and to restrict the transfer and disclosure of sensitive technical information. ITAR includes a list of restricted articles and services, the United States Munitions List (USML), which must be protected from unauthorized access. To become ITAR and EAR compliant, manufacturers and exporters must register with the U.S. State Department's Directorate of Defense Trade Controls (DDTC). Compliance is difficult for international exporters and manufacturers because data about the controlled technology has to be transferred over the Internet, which makes securing that data a prime concern. Exporters and manufacturers therefore need to ensure that the information is fully protected and that they comply with the ITAR regulations.

About DoubleHorn

DoubleHorn is a leading Security and Compliance focused Cloud Solutions Provider, founded in 2005. We, along with our strategic partners, are able to design and offer Cloud solutions meeting all the major regulatory compliance requirements. We were awarded the Cloud Services Contracts for the State of Texas (DIR-TSO-2518) and Oklahoma (ITSW1022D), covering Cloud Services Brokerage, Cloud Assessment and Cloud Infrastructure-as-a-Service (IaaS). Contact us for a complimentary initial screening.