Staying on top of compliance requirements
PCI DSS v4.0 Phase 1
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. The goal of PCI DSS is to promote security as a continuous process that is flexible for different methodologies, with enhanced validation methods.
On March 31, 2024, PCI DSS v4.0 will officially replace PCI DSS v3.2.1. Once PCI DSS v4.0 becomes the official standard, the countdown begins for the final deadline to comply with the new requirements by March 31, 2025.
The summary of changes from v3.2.1 to v4.0 groups the changes into three types: structure and format, clarification and guidance, and evolving requirements.
SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted amendments requiring current disclosure about material cybersecurity incidents, and periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risk, in Inline eXtensible Business Reporting Language (“Inline XBRL”) format.
The final rule, which requires businesses to report a material cybersecurity incident within four business days of determining that it is material, became effective on September 5, 2023.
Zero Trust
In May 2021, the White House issued an executive order that made it mandatory for government agencies to transition to Zero Trust principles. The order aimed to enhance the cybersecurity capabilities of these agencies and also raised awareness of Zero Trust principles among a wider audience.
Following the release of the executive order, in January 2022 the White House issued a memorandum outlining a Federal Zero Trust Architecture (ZTA) strategy. This strategy required federal agencies, and potentially other organizations working with the government, to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024.
The cybersecurity goals mandated for federal agencies align directly with the five pillars described in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. Initially, Executive Order 14028 required agencies to develop their own plans for implementing a Zero Trust Architecture. However, with the new memorandum, agencies are now required to expand upon their existing ZTA plans and incorporate the 19 additional tasks outlined in the memorandum.
CMMC 2.0
The Department of Defense (DoD) is preparing to introduce CMMC 2.0, which adheres more closely to the NIST SP 800-171 standard than the first version did. This means that defense contractors and subcontractors will need to familiarize themselves with the NIST guidelines. It is important for organizations to start working on their CMMC implementation plans as soon as possible, since compliance with NIST SP 800-171 is already required.
As of May 2023, a phased implementation of CMMC 2.0 is already underway, and some DoD contractors are now requiring subcontractors to demonstrate compliance ahead of the final deadline in October 2025.
While organizations are getting ready to implement CMMC 2.0, one notable change is the removal of security levels two and four. This reduces the number of security tiers from five to three and brings CMMC closer in line with NIST requirements. However, meeting the objectives of CMMC 2.0 may become a moving target in the upcoming months as NIST SP 800-171 r3 is finalized in the spring.
Get Started
The imminent deadlines for PCI DSS v4.0, SEC cybersecurity requirements, Zero Trust, and CMMC 2.0 encourage organizations to strengthen their cybersecurity measures.
Hugo is the only industry decision-making assistant for stakeholders to address all aspects of enterprise compliance.