Strengthening Cybersecurity: The Role of CSIRTs in Meeting FISMA, CPRA, and CCPA Compliance


FISMA Compliance Overview

FISMA (the Federal Information Security Modernization Act) is the major federal law that influences an organization's decision to form a CSIRT. Organizations that operate information systems on behalf of federal agencies must be FISMA compliant. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program. Common security frameworks, such as NIST SP 800-53 (through its Incident Response control family) and ISO 27002, recommend an incident response capability, typically a CSIRT, as a security best practice for FISMA compliance. FISMA compliance also requires organizations to continuously monitor their own networks and those of their third parties so that they can adequately respond to a security incident. I believe FISMA exists to provide at least a small safeguard for consumer protection and privacy. While businesses undeniably grow in a free market and some flexibility should exist for small businesses, all businesses should be held accountable for protecting user information and reducing the risk of cybercrime and cyberwar. Compliance with FISMA should be mandatory for all organizations engaging in business in the United States.


CSIRT Overview

In my home state of California, state laws like the CCPA and the CPRA further encourage the formation of a CSIRT by requiring proactive cybersecurity measures from organizations that handle the sensitive data of California residents. A CSIRT guides an organization in properly documenting its efforts to reduce risk and in implementing efficient, proactive incident response plans. With the continuing rise in cybersecurity incidents that originate with third-party vendors, continuous monitoring, reliable security ratings, and a strong CSIRT form a baseline for protecting consumer information and building stakeholder trust. FISMA's requirement for an information security program likewise protects federal information systems, and the data of the citizens they serve, from foreign and domestic cyber-attacks.


State and Federal Data Privacy Legislation

In an interconnected world, cybersecurity practice must continuously evolve to mitigate an ever-growing threat landscape. Parks and Del Sesto (2023), in "US Data Privacy Legislation: Could a Federal Law be on the Horizon?", discuss a dramatic shift in data privacy legislation in the United States that supports continuing growth in the realm of cybersecurity. The reexamination of the American Data Privacy and Protection Act (ADPPA) suggests a need to unify data privacy standards at the federal level.


Personal Values and Navigating Data Privacy Legislation

In the United States, the balance between state and federal legislative powers raises fundamental questions about the principles of federalism on which the nation was founded. The current tension between the two indicates that a federal law might set a baseline that either complements or preempts state privacy laws like California's CCPA and CPRA. While this may sound dramatic, the dynamics of federal and state legislative power have been negotiated since the birth of the nation. As privacy policies continue to evolve, new challenges for data privacy and cybersecurity undeniably indicate a strong need for compliance regulations, detailed documentation, comprehensive monitoring, and effective incident response plans. Forgoing a CSIRT could prove an expensive mistake in 2023, when data privacy laws remain in limbo and compliance and documentation have become a necessity for every business operating in the United States.


References


Anthony, R. (2023). What is NIST SP 800-53. CyberSaint Security. https://www.cybersaint.io/blog/what-is-nist-800-53


BreachRX. (2023). CCPA and CPRA Incident Response Guidelines. https://www.breachrx.com/global-regulations-data-privacy-laws/ccpa-cpra-california-data-privacy-law/


Duball, J. (2023). US House lawmakers keep federal privacy legislation top of mind. The Privacy Advisor. https://iapp.org/news/a/us-house-lawmakers-keep-federal-privacy-legislation-top-of-mind/


Parks, G. T., & Del Sesto, R. W. (2023). US Data Privacy Legislation: Could a Federal Law be on the Horizon? Morgan Lewis. https://www.morganlewis.com/pubs/2023/07/us-data-privacy-legislation-could-a-federal-law-be-on-the-horizon


RiskOptics. (2023). Complete Guide to the NIST Cybersecurity Framework. https://reciprocity.com/resource-center/complete-guide-to-nist-cybersecurity-framework-800-53-800-171/


Thomas, B. (2023). 4 Things to Know About FISMA. Bitsight. https://www.bitsight.com/blog/4-things-to-know-about-fisma

