In late 2018, the Office of Management and Budget (OMB) released a memorandum that pertains to strengthening cybersecurity practices for High Value Assets (HVAs), which also includes privacy considerations for Personally Identifiable Information (PII). Why this matters is OMB M-19-03 will have a trickle-down effect to most US government contractors. While the EU GDPR kicked off a focus on being able to demonstrate security and privacy principles were designed and implemented “by default and by design,” M-19-03 will likely have broader impact in the US through contract requirements that flow down to subcontractors throughout the supply chain.
M-19-03 specifically calls out NIST 800-160 as the vehicle to implement secure engineering principles. Contractors and their subcontractors will need to be ready to address compliance with M-19-03 through documented evidence of secure engineering principles. This is the reason ComplianceForge used NIST 800-160 to build its Security & Privacy by Design (SPBD) product as a way for an organization to demonstrate evidence of due care and due diligence in how both security and privacy principles are embedded into the development lifecycle of systems, projects and other initiatives.