Journal: EDPACS: The EDP audit, control and security newsletter

NEW NIST REVISIONS - WHAT DO THEY MEAN FOR REGULATORY COMPLIANCE?


Abstract

Regardless of the industry, there are several commonalities that transcend data privacy and security. Confidentiality, integrity and availability of the data should form the foundation of any risk analysis that assesses technical, administrative and physical safeguards. In the United States, the National Institute of Standards and Technology ("NIST") publishes a variety of special publications to assist the United States Government and private persons in their legal and regulatory compliance efforts. Recently, NIST promulgated new publications - NIST-SP-800-53, rev. 5 and NISTIR 8228. These two publications are of particular importance for two reasons. First, SP800-53 addresses a broad spectrum of privacy and security controls. Second, NISTIR 8228 applies to IoT, which is quickly expanding and evolving into a collection of various technologies that interact with the physical world. In essence, IoT is the intersection between information technology and operational technology. The impetus behind this article is to provide a synopsis of these two recent NIST standards, assess their application to a variety of laws in healthcare, finance and government procurement, and conclude with a round-up of why NIST should be the first place to turn. The take-aways for readers should be the following: to appreciate the importance of data privacy and security compliance; to utilize a risk analysis based on NIST standards to address the gaps in the requisite technical, administrative and physical safeguards; and to provide a sampling of legal scenarios where NIST applies.
