|
|
| (111 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| What are cybersecurity standards? CGI, Inc. calls them "critical means by which the direction described in an enterprise’s cybersecurity strategy and policies are translated into actionable and measurable criteria." They contain a set of statements about what processes must be followed to achieve the security outcomes expected by the organization.<ref name="CGIUnderstand19">{{cite web |url=https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf |format=PDF |title=Understanding Cybersecurity Standards |publisher=CGI, Inc |date=April 2019 |accessdate=23 July 2020}}</ref> Sometimes those standards get placed within a framework, which adds additional policy, procedure, and process to the set of statements laid out in the standards. This resulting cybersecurity standards framework acts as a defined, collective approach to how the information system, data, and services are managed within the organization.
| |
|
| |
|
| Some experts further differentiate between frameworks. Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, splits frameworks into three categories: control, program, and risk frameworks. Control frameworks provide a baseline set of controls for assessing technical capability, prioritizing implementation, and developing a cybersecurity plan. Program frameworks offer a more program-based approach, allowing organizations to broadly assess the current state of their cybersecurity program and further develop it. Risk frameworks "allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities."<ref name="RayomeHowTo19">{{cite web |url=https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/ |title=How to choose the right cybersecurity framework |author=Rayome, A.D. |work=TechRepublic |publisher=CBS Interactive |date=07 March 2019 |accessdate=23 July 2020}}</ref> Data communications and security specialist Robert Slade does something similar using slightly different terminology. Checklist frameworks are the equivalent of Kim's control frameworks, governance frameworks appear to be Kim's program frameworks, and risk management frameworks represent Kim's risk frameworks. Slade adds a fourth category, however: audit and assurance.<ref name="SladeSecurity11">{{cite web |url=http://itm.iit.edu/netsecure11/RobertSlade_SecFrameworks.pdf |format=PDF |title=Security Frameworks |author=Slade, R.M. |publisher=Illinois Institute of Technology |date=2011 |accessdate=23 July 2020}}</ref>
| | ==The laws themselves== |
|
| |
|
| Numerous cybersecurity standards frameworks exist, some based in specific countries, others based on specific industries. According to at least one authority, the top four cybersecurity standards frameworks being leveraged by organizations are the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2013, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.<ref name="WatsonTopFour19">{{cite web |url=https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks |title=Top 4 cybersecurity frameworks |author=Watson, M. |work=IT Governance USA Blog |publisher=GRC International Group plc |date=17 January 2019 |accessdate=23 July 2020}}</ref> These and a selection of additional cybersecurity standards frameworks and standards are shown in Table 2:
| | ===1. Federal Telecommunications Act of 1996, Section 255 ([https://www.law.cornell.edu/uscode/text/47/255 47 U.S.C. § 255 - Access by persons with disabilities])=== |
|
| |
|
| {|
| | <blockquote>'''(b) Manufacturing''' |
| | STYLE="vertical-align:top;"|
| | A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable. |
| {| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="85%"
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 2.''' Examples of cybersecurity standards frameworks and standards
| |
| |-
| |
| |-
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Name
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Developer
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Framework type
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Industry
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ANSI/ISA 62443 Standards<ref name="ISAThe62443_16">{{cite web |url=https://cdn2.hubspot.net/hubfs/3415072/Resources/The%2062443%20Series%20of%20Standards.pdf |format=PDF |title=The 62443 series of standards |publisher=ISA |date=December 2016 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISA
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control and Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industrial automation and control systems
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Baseline Cyber Security Controls for Small and Medium Organizations<ref name="CCCSBaseline19">{{cite web |url=https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations |title=Baseline Cyber Security Controls for Small and Medium Organizations |publisher=Canadian Centre for Cyber Security |date=20 November 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Canadian Centre for Cyber Security
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; small and medium organizations
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security (CIS) Controls<ref name="CISThe20_19">{{cite web |url=https://www.cisecurity.org/controls/cis-controls-list/ |title=The 20 CIS Controls & Resources |work=CIS Controls |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Controls Matrix<ref name="CSA_CSM19">{{cite web |url=https://cloudsecurityalliance.org/research/cloud-controls-matrix/ |title=Cloud Controls Matrix (CCM) |publisher=Cloud Security Alliance |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Alliance
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud services and implementation
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Code Quality Standards<ref name="CISQCode19">{{cite web |url=https://www.it-cisq.org/standards/code-quality-standards/index.htm |title=Code Quality Standards |publisher=Consortium for Information & Software Quality |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Consortium for Information & Software Quality
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Software development
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control Objectives for Information and Related Technologies (COBIT)<ref name="ISACA_COBIT19">{{cite web |url=http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx |archiveurl=https://web.archive.org/web/20200121085305/http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx |title=COBIT 4.1: Framework for IT Governance and Control |publisher=Information Systems Audit and Control Association |date=2019 |archivedate=21 January 2020 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Information Systems Audit and Control Association
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Critical Infrastructure Protection (CIP) Standards<ref name="NERC_CIP17">{{cite web |url=https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx |title=CIP Standards |publisher=North American Electric Reliability Corporation |date=2017 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|North American Electric Reliability Corporation
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Utilities
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity Assessment Tool<ref name="FFIECCyber17">{{cite web |url=https://www.ffiec.gov/cyberassessmenttool.htm |title=Cybersecurity Assessment Tool |publisher=Federal Financial Institutions Examination Council |date=May 2017 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Financial Institutions Examination Council
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Financial services
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Essential Cybersecurity Controls (ECC - 1: 2018)<ref name="NCAEssential18">{{cite web |url=https://itig-iraq.iq/wp-content/uploads/2019/08/Essential-Cybersecurity-Controls-2018.pdf |format=PDF |title=Essential Cybersecurity Controls (ECC - 1: 2018) |publisher=National Cybersecurity Authority of Saudi Arabia |date=2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Cybersecurity Authority of Saudi Arabia
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ETSI TR 103 305 V1.1.1<ref name="ETSICritical15">{{cite web |url=https://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf |format=PDF |title=Critical Security Controls for Effective Cyber Defence |publisher=European Telecommunications Standards Institute |date=May 2015 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|European Telecommunications Standards Institute
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Telecommunications
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Information Processing Standards (FIPS)<ref name="NISTCompli19">{{cite web |url=https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips |title=Compliance FAQs: Federal Information Processing Standards (FIPS) |work=Standards.gov |publisher=National Institute of Standards and Technology |date=15 November 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|HISO 10029:2015 Health Information Security Framework<ref name="MoH_HISO19">{{cite web |url=https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework |title=HISO 10029:2015 Health Information Security Framework |publisher=New Zealand Ministry of Health |date=21 June 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|New Zealand Ministry of Health
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Healthcare
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|HITRUST CSF<ref name="HITRUSTCSF19">{{cite web |url=https://hitrustalliance.net/hitrust-csf/ |title=HITRUST CSF |publisher=HITRUST Alliance |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|HITRUST Alliance
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 15408-1:2009<ref name="ISO15408_14">{{cite web |url=https://www.iso.org/standard/50341.html |title=ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |publisher=International Organization for Standardization |date=January 2014 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 27001:2013<ref name="ISO27001_19">{{cite web |url=https://www.iso.org/standard/54534.html |title=ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements |publisher=International Organization for Standardization |date=03 June 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST Cybersecurity Framework<ref name=NISTCyber19">{{cite web |url=https://www.nist.gov/cyberframework |title=Cybersecurity Framework |work=Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations<ref name=NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; U.S. federal information systems and organizations
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations<ref name=NISTSP800-171_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |title=NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=February 2020 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; U.S. non-federal information systems and organizations
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|OCTAVE Allegro<ref name="CaralliIntro07">{{cite web |url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419 |title=Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process |author=Caralli, R.A.; Stevens, J.F.; Young, L.R. et al. |publisher=Software Engineering Institute |date=2007 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Software Engineering Institute
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-Neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Payment Card Industry Data Security Standards (PCI DSS) V3.2.1<ref name="PCIData18">{{cite web |url=https://www.pcisecuritystandards.org/document_library |title=Payment Card Industry Data Security Standard - Requirements and Security Assessment Procedures |publisher=PCI Security Standards Council, LLC |date=May 2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|PCI Security Standards Council, LLC
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"All entities involved in payment card processing"
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Protective Security Requirements<ref name="NZProtect19">{{cite web |url=https://www.protectivesecurity.govt.nz/ |title=Protective Security Requirements |publisher=New Zealand Security Intelligence Service |date=August 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|New Zealand Security Intelligence Service
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Secure Controls Framework<ref name="SCFSecure19">{{cite web |url=https://www.securecontrolsframework.com/secure-controls-framework |title=Secure Controls Framework (SCF) |publisher=Secure Controls Framework Council, LLC |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Secure Controls Framework Council, LLC
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Sherwood Applied Business Security Architecture (SABSA)<ref name="SABSAExec18">{{cite web |url=https://sabsa.org/sabsa-executive-summary/ |title=SABSA Executive Summary |publisher=The SABSA Institute C.I.C |date=2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|The SABSA Institute C.I.C.
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program and Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Enterprise-level business
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Standard of Good Practice for Information Security 2018<ref name="ISFTheISF18">{{cite web |url=https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/ |title=The ISF Standard of Good Practice for Information Security 2018 |publisher=Information Security Forum Ltd |date=2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Information Security Forum Ltd.
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|System and Organization Controls for Cybersecurity (SOC-C)<ref name="AICPA_SOC19">{{cite web |url=https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html |title=SOC for Cybersecurity |publisher=Association of International Certified Professional Accountants |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Association of International Certified Professional Accountants
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Water Sector Cybersecurity Risk Management Guidance v3.0<ref name="AWWACyber19">{{cite web |url=https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance |title=Water Sector Cybersecurity Risk Management Guidance |author=West Yost Associates |publisher=American Water Works Association |date=04 September 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|American Water Works Association
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Water and wastewater
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
|
| Choosing the appropriate frameworks requires consideration and research. For the purposes of this guide, NIST SP 800-53, Rev. 4 and, to a lesser degree, the NIST Cybersecurity Framework receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.<ref name="WatsonTopFour19" /> NIST SP 800-53, Rev. 4 and the NIST Cybersecurity Framework are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."<ref name="NISTNIST19">{{cite web |url=https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework |title=NIST Marks Fifth Anniversary of Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=12 February 2019 |accessdate=23 July 2020}}</ref><ref name="PerryExplain19">{{cite web |url=https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/ |title=Explaining the Breakout Success of the NIST Cybersecurity Framework |author=Perry, J. |work=Infosecurity Magazine |publisher=Reed Exhibitions Limited |date=16 April 2019 |accessdate=23 July 2020}}</ref>
| | '''(c) Telecommunications services''' |
|
| |
|
| ==References== | | A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable. |
| {{Reflist|colwidth=30em}}
| | |
| | '''(d) Compatibility''' |
| | Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.</blockquote> |
| | |
| | The term '''disability''' is [https://www.law.cornell.edu/uscode/text/42/12102 defined here]. You can read the full entry, but the basics are: |
| | |
| | <blockquote>'''(1) Disability''' The term “disability” means, with respect to an individual— |
| | :'''(A)''' a physical or mental impairment that substantially limits one or more major life activities of such individual; |
| | |
| | :'''(B)''' a record of such an impairment; or |
| | |
| | :'''(C)''' being regarded as having such an impairment (as described in paragraph (3)).</blockquote> |
| | |
| | The term '''readily achievable''' is [https://www.law.cornell.edu/uscode/text/42/12181 defined here]. It is defines as: |
| | |
| | <blockquote>'''(9) Readily achievable''' The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include— |
| | |
| | :'''(A)''' the nature and cost of the action needed under this chapter; |
| | :'''(B)''' the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility; |
| | :'''(C)''' the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and |
| | :'''(D)''' the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.</blockquote> |
| | |
| | ===2. Rehabilitation Act of 1973, Section 508, amended ([https://www.law.cornell.edu/uscode/text/29/794d 29 U.S.C. 794d] - Electronic and information technology)=== |
| | |
| | There's a government website dedicated to Section 508: [https://www.section508.gov/ https://www.section508.gov/] The related laws and polices can be [https://www.section508.gov/manage/laws-and-policies/ found here]. The intro states (italics emphasis mine): |
| | |
| | <blockquote>In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) ''applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology''. Under Section 508, agencies must give ''disabled employees and members of the public'' access to information comparable to the access available to others. |
| | |
| | The [https://www.access-board.gov/ U.S. Access Board] is responsible for developing Information and Communication Technology (ICT) accessibility ''standards'' to ''incorporate into regulations that govern Federal procurement practices.'' On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018. |
| | |
| | The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines ''in response to market trends and innovations in technology.'' The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, ''and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.''</blockquote> |
| | |
| | In discussing ICT, the U.S. Access Board [https://www.access-board.gov/ict/#b-summary-of-key-provisions summarized the key provisions] as such: |
| | |
| | <blockquote>The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.</blockquote> |
| | |
| | The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: [https://www.access-board.gov/ict/ https://www.access-board.gov/ict/] |
| | |
| | The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in [https://www.access-board.gov/ict/#chapter-5-software Chapter 5: Software] and [https://www.access-board.gov/ict/#chapter-6-support-documentation-and-services Chapter 6: Support Documentation and Services]. (If for some reason LLX is in the hardware domain, they'll want to also consider[https://www.access-board.gov/ict/#chapter-4-hardware Chapter 4: Hardware] If you're curious about the underlying standards, you can find them in [https://www.access-board.gov/ict/#chapter-7-%C2%A0-referenced-standards Chapter 7: Referenced Standards]. |
| | |
| | Finally, the Section 508 government website has a full Design & Develop section that may be applicable to development process: [https://www.section508.gov/develop/ https://www.section508.gov/develop/] |
| | |
| | ==Additional information== |
| | |
| | 1. The Section 508 website and its glossary mention LIMS under "[https://www.section508.gov/art/glossary/#S scientific instrument]," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT." |
| | |
| | 2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: [https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502 https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502] |
| | |
| | 3. Some additional posts and guides that may be revealing: |
| | * [https://www.levelaccess.com/how-do-i-determine-if-my-web-site-or-application-is-section-508-compliant/ How do I determine if my website or application is Section 508 compliant?] |
| | * [https://ftp.cdc.gov/pub/Software/RegistryPlus/508%20Compliance/508softwareandos.doc GSA Guide For Making Software Applications and Operating Systems Accessible] (.doc file; NOTE: No date, so not sure if incorporates amended material, so be careful) |
| | * [https://www.dhs.gov/publication/dhs-section-508-compliance-test-processes DHS Section 508 Compliance Test Processes] |
The laws themselves
(b) Manufacturing
A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable.
(c) Telecommunications services
A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable.
(d) Compatibility
Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.
The term disability is defined here. You can read the full entry, but the basics are:
(1) Disability The term “disability” means, with respect to an individual—
- (A) a physical or mental impairment that substantially limits one or more major life activities of such individual;
- (B) a record of such an impairment; or
- (C) being regarded as having such an impairment (as described in paragraph (3)).
The term readily achievable is defined here. It is defines as:
(9) Readily achievable The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include—
- (A) the nature and cost of the action needed under this chapter;
- (B) the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility;
- (C) the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and
- (D) the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.
2. Rehabilitation Act of 1973, Section 508, amended (29 U.S.C. 794d - Electronic and information technology)
There's a government website dedicated to Section 508: https://www.section508.gov/ The related laws and polices can be found here. The intro states (italics emphasis mine):
In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508, agencies must give disabled employees and members of the public access to information comparable to the access available to others.
The U.S. Access Board is responsible for developing Information and Communication Technology (ICT) accessibility standards to incorporate into regulations that govern Federal procurement practices. On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018.
The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines in response to market trends and innovations in technology. The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.
In discussing ICT, the U.S. Access Board summarized the key provisions as such:
The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.
The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: https://www.access-board.gov/ict/
The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in Chapter 5: Software and Chapter 6: Support Documentation and Services. (If for some reason LLX is in the hardware domain, they'll want to also considerChapter 4: Hardware If you're curious about the underlying standards, you can find them in Chapter 7: Referenced Standards.
Finally, the Section 508 government website has a full Design & Develop section that may be applicable to development process: https://www.section508.gov/develop/
Additional information
1. The Section 508 website and its glossary mention LIMS under "scientific instrument," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT."
2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502
3. Some additional posts and guides that may be revealing:
