Technology Compliance And Regulatory Changes coming in 2023

As if managing daily information technology (IT) operations, cybersecurity responsibilities and software and hardware lifecycles aren’t enough, organizations and technology professionals must also accommodate new government regulations and industry compliance requirements changes taking effect or likely to require adjustments in 2023. From new security compliance requirements for US Department of Defense (DoD) contractors to data privacy requirements becoming more restrictive in multiple states, there’s much to track.

Cybersecurity Maturity Model Certification 2.0

New Cybersecurity Maturity Model Certification (CMMC) requirements take effect this year that impact contractors and subcontractors working for the DoD and the Defense Industrial Base (DIB). Commonly referred to as CMMC 2.0, the updated program requirements are designed to protect the DoD, companies that service the defense industry and US military technologies and information.

As we noted in late 2022, numerous new cybersecurity standards will be required of DoD contractors and subcontractors as soon as the corresponding rule making process completes and the new rules are in place, likely by May. Contractors and their subs could begin seeing the new cybersecurity requirements appearing in new contracts in just a few months.

With CMCC 2.0, five cybersecurity compliance levels are being consolidated within three tiers. The Level 1 Foundational tier requires compliance with 17 fundamental cybersecurity practices and an annual self-assessment, whereas the Level 2 Advanced tier adds the requirement contractors and subs comply with some 110 National Institute of Standards and Technology (NIST)-aligned cybersecurity practices and obtain third-party assessment certification every three years. The Level 3 Expert tier also requires compliance with more than 110 NISP-aligned cybersecurity practices, targets highest priority initiatives, while requiring the entity to obtain government-led assessment certification every three years.

For more information on CMMC 2.0’s specific practices and requirements, visit the DoD website.

Cybersecurity Risk Management Disclosure For Public Companies

A number of initiatives—including a Securities and Exchange Commission (SEC) proposal—are moving to require companies to disclose, within specific and aggressive (potentially 72-hour) time periods, whenever they experience a ransomware attack. These requirements follow passage and signing into law of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The new law requires the Cybersecurity and Infrastructure Security Agency (CISA) “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.”

Vendors are already working to prepare clients for corresponding cyber incident-reporting responsibilities. For example, Palo Alto Network’s Unit 42 cyber-security research lab partnered with HardenStance analysts to produce their Practical Steps for CISOs to Make Cybersecurity Reporting Frictionless white paper.

For more information on the corresponding legislation, read the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Alternatively, you can review the corresponding Fact Sheet.

Small Business Credit Data Collection And Reporting

March 31st marks the deadline for the Consumer Financial Protection Bureau (CFPB) to issue final rules for lending institutions regarding small business data collection and reporting. The financial application information is to be collected from credit applications submitted by small businesses, including those that are women- or minority-owned, in efforts to assist fair lending.

For more information on the small business lenders data collection rule and data collection requirements spawning from Section 1071 of the Dodd-Frank Act, check out the CFPB update or review the specific proposed rule changes.

Consumer Financial Data Accessibility

Lenders should also prepare for changes to way the CFPB will soon likely require them to respond to consumer requests for access to their own financial information, including payment and transaction histories. Authorized under Section 1033 of the Dodd-Frank Act, the changes have been in the works for years. In late October 2022, the CFPB announced details of data rights rules to be implemented in a comprehensive outline.

Businesses tracking the changes can find more information on the CFPB website. Among the documents that could prove helpful are the CFPB’s High-Level Summary and the bureau’s corresponding news release.

Privacy Regulation Changes In Multiple States

Data privacy laws are tightening in multiple states in 2023, too. Organizations and their supporting technology departments must ensure compliance with the new requirements in an ever-increasing number of locations.

Of particular importance is the fact 2023 marks the year in which US data privacy laws seemingly begin converting from a harm-prevention approach, as has essentially been the practice, to more expansive rights-based enforcement, as has been the European model. For example, Colorado, Connecticut, Utah and Virginia begin requiring more stringent consumer data privacy standards requiring shifts in data collection strategies.

As of January 1, 2023, businesses must also comply with California Privacy Rights Act (CCPA) amendment provisions. The regulations define changes to the specific responsibilities businesses must follow managing consumers’ personal information. Provisions include honoring a consumer’s request to delete personal information a business has collected and correcting inaccurate personal information, when requested.

Expect more states to follow suit. In the interim, you can tap a resource, such as the AuditBoard, for help tracking the status of new data privacy requirements.

HIPAA Changes

HIPAA privacy rules are also expected to change in March 2023. New section 164.524(d) more clearly defines patients’ rights and access routines for their personal health information (PHI), including a patient’s ability to direct electronic medical records (EMR) to third parties. Changes also address practitioners’ charging reasonable fees for the corresponding work producing the corresponding records.

Under new HIPAA rules, health care providers must provide a patient’s PHI within 15 days, too, when requested, whereas previous requirements provided health care practitioners 30 days. Patients also receive greater access to their PHI, including in-person rights and the option to take notes or photographs.

Keeping Current

Need help keeping current with compliance requirement changes? You’re not alone.

Numerous businesses are likely to be impacted by legislation affecting pay transparency, noncompete agreements, family leave, independent contractor status and similar topics as new laws and regulations take hold. Unfortunately, there’s no one source to follow for definitive updates.

Organizations can, however, entrust HR departments to track changing labor and employment laws in states in which they operate. Firms can also track industry changes using trusted authorities and trade publications. As for federal legislation that could impact businesses, companies can monitor Congress.gov, Brookings and The White House’s Legislation website.