The National Institute of Standards and Technology provides best practices and guidelines for compliance among federal agencies. If your company meets the NIST guidelines, you’re compliant in several different categories, including HIPAA and FISMA.
Even if your organization is not required to meet these NIST guidelines for cybersecurity and customer protection, following these best practices ensures the safety of your online presence.
For example, in partnership with the ISO and IEC, NIST developed a cybersecurity framework built around five functions, Identify, Protect, Detect, Respond, and Recover, for building a secure network to protect “an organization’s ability to innovate and to gain and maintain customers.”
FISMA Compliance
The Federal Information Security Management Act requires government organizations to document their information security practices with an inventory, risk categorization, security plan, risk assessments, certifications, and other standards. These regulations apply not only to federal government agencies but also to any contractors working with the government, and they now extend to state and local governments as well.
Regulatory compliance with FISMA relies on the NIST Risk Management Framework for proper implementation.
When government agencies or their contracted private companies fail to comply, they risk reduction in funding, fines, and loss of future government work.
HIPAA
The Health Insurance Portability and Accountability Act is far more commonly encountered than NIST and FISMA, since it applies to every health organization as well as every Human Resources department.
But it goes beyond keeping patient health information confidential.
For medical offices and hospitals, every piece of communication needs to be encrypted and secured, so these organizations rely heavily on fax systems or client dashboards to manage risk.
From a cybersecurity perspective, regulatory compliance with HIPAA usually means end-to-end security for phones and other communication channels. A compliance checklist includes applicable audits, analysis, documented deficiencies, remediation plans, and the appointment of a designated Security Officer, among other items.
If you run a private company looking to protect employee health information, review the checklist and offer more privacy than a locked filing cabinet.