Compliance, Stakeholder Engagement, and Changing Regulations
Insights from industry experts and cybersecurity risk professionals — because every business deserves to be safe and secure.

📢 From the Publisher
We’re excited to launch the first edition of our cybersecurity risk-focused roundup, The Maze!
Risk and Compliance management can be a tough maze to navigate (hence the name!) and we want to help readers make their way safely and securely through the twisting corridors of oversight and expectations. Regardless of your position within your particular organization, compliance and security are important topics to understand — even if yours is an organization of one.
Each edition of The Maze will get you there, increasing your understanding of risk and compliance management as a concept, as well as notifying you of important regulatory changes that might impact your business.
Thank you for reading, and we welcome you to reply to this email with any feedback or questions you may have!
🤝 Chasing Stakeholder Engagement
Being a compliance officer or virtual Chief Information Security Officer (vCISO) often means stepping into the unexpected role of salesperson. While their primary focus is on ensuring regulatory adherence and managing risk, these professionals must also "sell" the importance of compliance and security to stakeholders across the organization.
How can compliance officers and vCISOs become internal advocates, driving organizational buy-in for initiatives that are critical but not always top-of-mind for others?
📖 Read the Article from NTM Advisory: Winning Hearts and Minds: How vCISOs Can Drive Stakeholder Engagement for Compliance Success
Compliance Updates
⏹️ Finalization of 48 CFR Rule
The long-awaited 48 CFR rule governing CMMC implementation is expected to be finalized around April 2025. This rule will formally integrate CMMC requirements into contracts, marking a significant milestone in the program's rollout.
⏹️ US Data Transactions Restrictions
The US Department of Justice’s Final Rule imposing restrictions on data transactions with countries of concern takes effect on April 8, 2025. Businesses handling "Bulk US Sensitive Personal Data" or "Government-Related Data" must ensure compliance with new security, due diligence, and reporting requirements.
⏹️ State Privacy Laws
Businesses must adapt to new state privacy laws enacted in Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland throughout 2025. These laws add complexity to existing compliance programs.
💡 Compliance is a Business Asset, not a Burden
Compliance has long been viewed by some as the “Department of No.” What typically happens is a new product or service is being launched, and compliance is brought in at the end of the process. Inevitably, the compliance team finds aspects of the new product or service that violate a law, regulation, or rule, and so the rollout is delayed while the issue is addressed…
📖 Read the Article from Compliance Week: Compliance should be a business partner, not a blocker
🤔 Questions or Concerns?
We’re happy to listen! Just reply to this email and we’ll be in touch!