- Statutory requirements come from laws passed by government bodies. Non-compliance can mean criminal penalties and jail time.
- Regulatory requirements come from rules issued by government-appointed regulatory bodies. Non-compliance typically results in fines and enforcement actions.
- Contractual requirements come from agreements between private parties. Non-compliance means breach of contract and potential lawsuits.
- These three categories define your Minimum Compliance Requirements (MCR), the must-have controls that are non-negotiable.
- Beyond MCR, organizations should implement Discretionary Security Requirements (DSR), nice-to-have controls based on risk appetite.
- Understanding this hierarchy helps you present non-compliance in a compelling business context to get the resources you need.
Why Should You Care?
Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape for their benefit, since you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.
Beyond just using terminology properly, understanding which of the three types of compliance is crucial in managing both cybersecurity and privacy risk within an organization. The difference between non-compliance penalties can be as stark as:
Cybersecurity, IT and privacy professionals routinely abuse the terms law and regulation as if they are synonymous, but those terms have unique meanings with very different implications for non-compliance.
MCR vs DSR
When discussing cybersecurity and privacy requirements, the term "must" is often thrown around as an absolute. This is most often due to an applicable law, regulation or contract clause that is compelling the control to exist.
Minimum Compliance Requirements (MCR)
MCR represent the minimum bar required by external obligations such as laws, regulations, and contracts. These are non-negotiable. Not implementing them creates legal or contractual exposure.
- Externally influenced (laws, regs, contracts)
- "Must have" requirements (e.g., non-discretionary)
- Fact-finding, not risk assessment
- Forms compliance baseline
Discretionary Security Requirements (DSR)
DSR are selected based on the organization's own risk appetite and judgment. These go beyond the minimum and represent best-practice enhancements driven by internal risk management.
- Internally influenced (risk-based decisions)
- "Nice to have" (e.g., risk-informed choices, discretionary)
- Based on threat landscape and asset sensitivity
- Elevates posture beyond compliance floor
Legal Reguirements
Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:
US - Federal Laws
- Children's Online Privacy Protection Act (COPPA);
- Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule;
- Family Education Rights and Privacy Act (FERPA);
- Federal Information Security Management Act (FISMA);
- Federal Trade Commission (FTC) Act;
- Gramm-Leach-Bliley Act (GLBA);
- Health Insurance Portability and Accountability Act (HIPAA); and
- Sarbanes-Oxley Act (SOX).
US - State Laws
- California SB 1386;
- Massachusetts 201 CMR 17.00; and
- Oregon ORS 646A.622.
International Laws
- Canada - Personal Information Protection and Electronic Documents Act (PIPEDA);
- UK - Data Protection Act (DPA); and
- Other countries' variations of Personal Data Protect Acts (PDPA).
Regulatory Requirements
Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:
US Regulatory Requirements
- Defense Federal Acquisition Regulation Supplement (DFARS);
- Cybersecurity Maturity Model Certification (CMMC);
- Federal Acquisition Regulation (FAR);
- Federal Risk and Authorization Management Program (FedRAMP);
- DoD Information Assurance Risk Management Framework (DIARMF);
- National Industrial Security Program Operating Manual (NISPOM);
- Financial Industry Regulatory Authority (FINRA); and
- New York Department of Financial Services (NY DFS) 23 NYCRR 500.
International Regulatory Requirements
- European Union General Data Protection Regulation (EU GDPR).
Contractual Requirements
Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:
Common Contractual Requirements
- Payment Card Industry Data Security Standard (PCI DSS);
- ISO 27001 certification;
- Service Organization Control (SOC) audits;
- Generally Accepted Privacy Principles (GAPP);
- Center for Internet Security (CIS) Critical Security Controls (CSC); and
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).