What are cybersecurity frameworks and standards?
Cybersecurity standards are collections of best practices created by experts to protect organizations from cyber threats and help improve their cybersecurity posture. Cybersecurity frameworks are generally applicable to all organizations, regardless of their size, industry, or sector. Frameworks are often referred to as standards. In reality, most frameworks are merely a repository of specific controls that are organized by control families (e.g., NIST CSF, ISO 27002, NIST SP 800-171, NIST SP 800-53, etc.).
DFARS (Defense Federal Acquisition Regulation Supplement)
The DFARS is a DoD-specific (Department of Defense) supplement to the FAR (Federal Acquisition Regulation). It provides acquisition regulations that apply only to the DoD. DoD government acquisition officials, contractors, and subcontractors doing business with the DoD must adhere to the regulations in the DFARS.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is a United States federal law enacted as Title III of the E-Government Act of 2002.
FISMA was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires federal agencies to implement information security programs that ensure the confidentiality, integrity, and availability of their information and IT systems, including systems provided or managed by other agencies or contractors.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy–Kassebaum Act, is a federal law enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, protect the confidentiality and security of health care information, and help the health care industry control its administrative costs.
ISO 27001
ISO 27001 is the international standard that describes the requirements for an ISMS (information security management system). The standard’s framework is designed to help organizations manage their security practices in one place, consistently and cost-effectively.
NIST Cybersecurity Framework (CSF)
The NIST CSF is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing best practices. However, the NIST CSF has proven flexible enough to be implemented by non-US organizations and by organizations outside critical infrastructure.