Do federal cybersecurity laws and regulations, and industry certifications such as NAID AAA, apply to your business? The answer is the same as the answer to most questions worth asking: it depends, but most likely yes.
Local Community Organizations and Their Supply Chains Are Subject to Cybersecurity Laws and Codes
Many organizations use uncertified data destruction companies. This is a big problem because healthcare providers, police, schools, governments and even utilities are affected. Staff at all of those organizations come into contact with personal information, which may include personally identifiable information (PII), protected health information (PHI) or personal financial information (PFI). A company could still be compliant without being certified; in practice, however, uncertified providers typically are not.
But what does US law say? It states clearly that organizations that receive federal funds or process federally directed PII and PHI must follow federal cybersecurity laws and regulations, and their compliance records remain subject to inspection for six or more years. Simply put: if you take money from the government and you handle any personal information of US citizens, this applies to you. CIOs and CISOs should get up to speed on FISMA, IRS Publication 1075, the CJIS Security Policy and the CMS information security policy. All of those standards map directly to the NIST security controls (NIST SP 800-53), so an organization that demonstrates those controls covers most of the overlapping requirements at once.
What Do NAID and NIST Certification Include?
We have found over the years that data protection regulations require a few things in common. Namely, they require companies to perform due diligence and ongoing monitoring of their data destruction service providers. That means it is on you, the customer, to be careful about who you choose to dispose of your data-bearing assets, and company executives should review the contractor's certifications. There is a big difference between a provider claiming to be compliant with a policy and a provider that is certified as such. To be certified, a provider must be evaluated by a certifying organization. That organization inspects the contractor's policies and procedures against the certification standard and, critically, requires evidence that the standard is being met. For NAID, this includes verifying that a data destruction provider's services comply with the NAID specifications and the data protection laws those specifications reference.
What does NAID AAA inspect in its onsite audits?
- NAID performs regularly scheduled and random, unannounced audits
- Checks for incident response preparedness, employee training, and regulatory compliance
- Employee background screening and confidentiality agreements
- Access control and operational security
- Quality control monitoring for destruction process
- Responsible disposal requirements
- And more, based on the stated NAID Specifications
How Does Your Company Comply with Industry, Federal and State Regulations?
Because of GDPR, CCPA, IRS 1075 and similar data protection requirements, and because of frameworks such as NIST and zero trust architecture (ZTA), you must also obtain the provider's cybersecurity credentials showing that it meets the NIST standard, and therefore your federal agency obligations, before you hand over data-bearing assets.
TechR2's NAID, NIST and ISO certifications tell you the level of service and protection your organization will receive.
Contact Sepp Rajaie to learn more. Contact our experienced TechR2 staff.
- Analyzing the Impact of the Many New Rules of Cybersecurity
- Federal Information Security Modernization Act | CISA
- Publication 1075 (Rev. 11-2021) (irs.gov)
- Reinforce compliance in your company today. TechR2 is ISO, NIST, NAID and ISO 31000 certified – TechR2
- TechR2 Reaches Highest Industry Certifications: ISO 27001, ISO 31000, ISO 14001, ISO 9001, ISO 45001 – TechR2