10534 York Road #202
Hunt Valley, Maryland 21030
The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two sections.
HIPAA Title I mandates protection of health insurance coverage for people who lose or change jobs.
HIPAA Title II provides for administrative simplification, requiring the development of standards for the electronic exchange of health care information, the protection of the privacy of personal health information and the establishment of security requirements to protect that information.
The Sarbanes–Oxley Act, also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and commonly called Sarbanes–Oxley, Sarbox or SoX, is a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
In early 2015 the Federal Chief Information Officers (CIO) Council and the Chief Acquisition Officers (CAO) Council created a working group to review current contract clauses and information technology (IT) acquisition policies and practices around contractor and subcontractor information system security. This interagency group was comprised of senior experts in acquisition, security, and contract management and their recommendations are included in this guidance to Federal agencies on implementing strengthened cybersecurity protections in Federal acquisitions.
We released this proposed guidance for public feedback on the open source platform GitHub to signal transparency in Federal policymaking and to reach a broad audience of stakeholders to assist in further enhancing this guidance. Similar public feedback processes for other OMB initiatives have been very successful in engaging and obtaining the views of the technology and security communities. OMB’s goal in this period of public feedback was to allow for a better understanding of the perspectives of the broader community and to identify areas for improvement to make this guidance even more meaningful and effective.
The intent of the proposed guidance is to take major steps toward implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk of potential incidents in the future. This proposed guidance also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.
In an effort to address this problem, the Department of Commerce National Institute of Standards and Technology has released a draft version of NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [pdf].
The new NIST guidance is directed at contractors that already have information technology infrastructure and associated security policies and practices in place. The final version of Special Publication 800-171 will attempt to synthesize the federal government’s recommendations to ensure the confidentiality of sensitive federal information stored on contractor computers and information systems. Special Publication 800-171 is part of a three-part plan that will ultimately make these recommendations mandatory. The other parts include a rule proposed by the National Archives and Records Administration—currently under review by OMB—and the eventual adoption of a FAR clause that will apply the requirements of the NARA rule and Special Publication 800-171 to all federal contracts.
Special Publication 800-171 sets forth fourteen specific security objectives. In brief, these recommendations are:
Each recommendation contains a more detailed checklist of requirements that contractors will be able to use to meet the security objective. In many cases, the requirements and objectives will overlap with security processes that contractors already have in place.