P2P

55 I L T A N E T . O R G 6. The Federal Information Processing Standard (FIPS) (140-3) specifies the security requirements that need to be satisfied by cryptographic modules. This is a critical standard when dealing with highly regulated industries. FIPS-3 is replacing the previous standard, FIPS 140-2. 7. The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services provided to government customers. This approach uses a "do once, use many times" framework that saves cost, time, and staff required to conduct redundant government agency security assessments. FedRAMP uses the controls outlined in the current version of the National Institute of Standards and Technology (NIST) publication 800-53. 8. Export Administration Regulations (EAR) are export control regulations run by different departments of the US government. The US Department of Commerce administers EAR, which regulate the export of "dual-use" items, including technical data and technical assistance, which are designed for commercial purposes, but which could have military applications, such as computers, aircraft, and pathogens. 9. Defense Federal Acquisition Regulation Supplement (DFARS) requirements and regulations are meant to guarantee the integrity of Controlled Unclassified Information (CUI), or sensitive information belonging to the government that third-parties such as suppliers, partners, and trade associations may hold or use. The purpose of DFARS is to protect the confidentiality of CUI and is applicable to all Department of Defense contractors. 10. The Federal Information Security Management Act (FISMA) is US legislation that defines a framework of guidelines and security standards to protect government information and operations. Like FedRAMP, it leverages controls identified in NIST 800-53. 11. The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 US law that provides privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Covered entities, business associates, and business associate subcontractors are all responsible for maintaining HIPAA regulations. Since there is not a compliance certification process in HIPAA, SaaS providers like NetDocuments can have an attestation regarding their compliance with the requirements based on an independent audit. 12. SEC Rule 17a-4 applies to broker-dealers and other relevant parties who trade securities or function as brokers for traders, including banks, securities firms, stock brokerage firms, and any other entity that falls under the authority of the Financial Industry Regulatory Authority (FINRA). In a nutshell, SEC Rule 17a-4 requires broker-dealers to store all business records for a period of no less than six years on non- rewriteable and non-erasable media. Not only does section (f) of SEC Rule 17a-4 state that Write-Once- Read-Many times (WORM) storage must be used when records are electronically stored, but it also gives

• Cover