The cybersecurity program strategy identifies any applicable compliance requirements that must be satisfied by the program (for example, NERC CIP, TSA Pipeline Security Guidelines, PCI DSS, ISO, DoD CMMC)
Compliance requirements are typically imposed on the organization by local, state, or federal governments. Different compliance requirements may apply to some but not all assets in scope for the cybersecurity program. The cybersecurity program should be aware of which compliance requirements it must fulfill and the scope of each requirement. Listing compliance requirements in the cybersecurity program strategy helps ensure that cybersecurity program stakeholders know what they are held accountable for. For example, a strategy might include a statement that compliance with PCI DSS is required of the cybersecurity program. Organizations should consider the differences in legal and regulatory requirements within the areas in which they operate and how those requirements may conflict with global IT, enterprise-wide IT, or cybersecurity controls.

Some examples of compliance requirements that organizations may need to satisfy include:
· North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards
· Transportation Security Administration (TSA) Pipeline Security Guidelines
· Payment Card Industry Data Security Standards (PCI DSS)
· International Organization for Standardization (ISO)
· Department of Defense Cybersecurity Maturity Model Certification (DoD CMMC)
· California Consumer Privacy Act (CCPA)
· Health Insurance Portability and Accountability Act of 1996 (HIPAA)
· State- and local-level cybersecurity and privacy laws
Related Practices
· Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-1a, PROGRAM-1b, PROGRAM-1c, PROGRAM-1d, PROGRAM-1e, PROGRAM-1f, PROGRAM-1g, PROGRAM-1h.