
COVID-19 Updates: Impact on Information Security Compliance Deadlines

In these unprecedented times, security leaders are faced with the duality of meeting compliance requirements while keeping their organizations secure in the face of increased tension and the rise of virtual work. 

See how your industry's compliance requirements for 2020 are being impacted. 

CMMC

Cybersecurity Maturity Model Certification

STATUS: PROCEEDING ON SCHEDULE

The Department of Defense's Cybersecurity Maturity Model Certification represents the next step toward securing the United States' defense industrial base and is slated to begin appearing in RFIs in the second half of 2020.

The CMMC has been developed in partnership with academia (Johns Hopkins and Carnegie Mellon) and industry leaders in the form of a listening tour and draws from a library of standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.

Listen to our most recent conversation with Katie Arrington at the RSA Conference in February on the status of the CMMC timeline and what to expect. 

CMMC Resources

Current CMMC Milestones for 2020

What is the Cybersecurity Maturity Model Certification

California Consumer Privacy Act

CCPA

STATUS: PROCEEDING ON SCHEDULE (contested)

Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's controversial new privacy law presents the opportunity for businesses to level up on privacy best practices. And for those CISOs and IT leaders who help manage their business's security risk and privacy activities, there is some work to be done.

On June 28, 2019, the California Governor signed the California Consumer Privacy Act into law, and enforcement of the CCPA began January 1, 2020.

As of March 26, the California Consumer Privacy Act is still on track for enforcement starting in July. However, a group of over 60 businesses have submitted a letter to the California Attorney General asking for an extension given the extraordinary circumstances. 

Update: The California Attorney General's office responded to the letter submitted on March 17. "CCPA has been in effect since January 1, 2020. We're committed to enforcing the law starting July 1," an advisor to Becerra said. "We encourage businesses to be particularly mindful of data security in this time of emergency."

CCPA Resources

What is the CCPA and Who Must Comply

NYDFS

New York Department of Financial Services

STATUS: 2019 CERTIFICATION OF COMPLIANCE DEADLINE EXTENDED TO JUNE 1, 2020

Following the Equifax breach and growing concerns about the posture of the financial industry, the New York State Department of Financial Services (NYDFS) released the initial proposal for what would become 23 NYCRR 500. 23 NYCRR 500 is designed to foster and standardize cybersecurity across the financial services industry in New York.

In late March, the Superintendent of Financial Services extended the deadline for the 2019 Certificate of Compliance by 45 days to July 1.

NYDFS Cybersecurity Resources

Guide to 23 NYCRR 500

Overview of 23 NYCRR 500

Critical Infrastructure Protection for Energy & Utilities

NERC CIP

STATUS: ENFORCEMENT RELAXED, CIP-013 ENFORCEMENT DELAYED

The National Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are not new to the energy and utilities industries; however, the COVID-19 crisis has affected their enforcement. Because the assets these organizations must assess to determine compliance are physical, FERC has relaxed enforcement of the NERC CIP standards from March 1 through December 31, 2020.

Because of the resource limitations during this time period, periodic actions required by the reliability standards that must occur between March 1, 2020, and July 31, 2020, can be missed on a case-by-case basis if the activities cannot be performed due to COVID-19. To use this flexibility, utilities will need to notify their regional entities of the specific actions that will be missed. These periodic requirements exist in both the Operating & Planning standards (such as protection system maintenance and testing) and the Critical Infrastructure Protection standards (such as patching and vulnerability assessments). Read more. 

With that in mind, CSPs at these organizations must take this opportunity to focus on securing their organization to the fullest extent that they are able. In this state of chaos, critical infrastructure is especially targeted by bad actors.

Update 4/17/2020: FERC has agreed to NERC's request to delay the enforcement of the new CIP-013 for three to six months. Read the full statement here.

NERC CIP Resources

NERC Statement on COVID-19 Impact

What is NERC CIP

How to Report on NERC CIP Standards

Security Rules for HIPAA Governed Organizations

HIPAA Security Rules

STATUS: ENFORCEMENT RELAXED

The HIPAA security rule is not new to the healthcare industry. However, in the face of the COVID-19 crisis, it is the healthcare systems and hospitals that are under the most strain. As a result, the United States Department of Health and Human Services has announced that it is relaxing enforcement of the security rules for the foreseeable future.

The relaxed enforcement focuses specifically on telehealth as it relates to using potentially less secure video conferencing tools to communicate with potentially infected patients.

The waiver only applies:

  • In the emergency area identified in the public health emergency declaration
  • To hospitals that have instituted a disaster protocol
  • For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

Read the full statement

Healthcare and Hospital Cybersecurity Resources 

8 NIST Security Controls to Focus on During, and After, a Crisis

Three Areas of Cybersecurity Strength for Hospitals During a Pandemic

Cybersecurity Requirements for Payment Card Recipients and Processors

PCI

STATUS: ENFORCED WITH VIRTUAL ASSESSMENTS AND TRAINING

Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry.

On March 12, the PCI SSC released a statement outlining steps for assessors in response to the growing COVID-19 health risks. Along with remote assessments, they are hosting all of their training sessions virtually for the time being.

PCI Resources

PCI SSC Statement on Remote Assessments

PCI Guidance on Staying Compliant While Working Remotely