Take, for example, the Federal Information Security Management Act, known as FISMA 1, that was passed into law in 2002. This established a program framework and objectives regarding risk assessment, security accreditation, planning, testing, and incident management. Now, as the Federal Information Security Management Act name begins to indicate, this is of course a law that was passed specifically to apply to federal organizations of all types. As such, it was set into documentation form and functionally implementable by the NIST standards that formed its foundation. Following this, the Federal Information Security Systems Modernization Act, known as FISMA 2, brought all of this under the umbrella with federal cybersecurity guidance and oversight under the Department of Homeland Security.

Now, in recent years, we've heard a lot about the risk management framework called the RMF. And it has been committed to several NIST publications, such as the 800-14, 800-30, - 37, -39, and the -100, to provide the necessary details for successful implementation. But the principles discussed in these laws are equally applicable to civilian and other non-governmental organizations, should they choose to do so.

Continuing our discussion on regulations, we have the Sarbanes-Oxley Act of 2002. This was passed as a legislative reaction to the corporate scandals present at that time, such as with Enron and the Arthur Andersen. Now, within Sarbanes-Oxley Section 404, it stated and restated practices that are common for accounting. And it restated this requirement for strong internal controls to ensure convention at security that protects the integrity of the information used in external financial reporting. Prior to that, the Gramm-Leach-Bliley Act of 1999 did for personal financial information what the HIPAA Act, preceding it by yet another three years in 1996, did for personal health information. These laws served as the basis for their respective industries to establish policy, the legislative foundation for their enforcement, and the discipline that follows with compliance violations, should the entity in question not measure up.

So we have HIPAA, the Health Insurance Portability and Accountability Act of 1996, that at the time was the most pervasive, federal level privacy law passed in this country. And many have followed it that have followed its model. This was amended by the HITECH Act passed as part of the American Recovery and Reinvestment Act of 2009. And it added additional controls over the privacy and security of protected health information to make them stronger, ensure that enforcement was formalized and more aggressive, and adding technology in the form of encryption as a required control to protect the information from unauthorized and unwanted exposure.

Now, unlike those things listed on the previous slides, which were laws, we also have the Payment Card Industry Data Security Standards, known as PCI DSS. Now these are not laws or regulations, but they are very strong and very important industry security standards that govern the protection and use of the information captured in payment card transactions. These industry standards brought about by the PCI DSS Standards Board, place requirements on vendors and processors, as well as other entities involved in in-person and online payment card transactions to ensure the end-to-end protection of cardholder data in all of these different states.

Now there are, of course, other regulations that exist around the world that govern the collection, use, and disclosure of personally identifiable information at both the state and federal levels within the US and internationally. A prime example would be the General Data Protection regulation we find in the European Union. As in their particular case, a federal type of standard applying to all member states at the EU, but also for the laws that exist in each of the member countries.