Manufacturing and Its Regulatory Burden
Manufacturers today face regulatory compliance requirements and operational risks from multiple directions. Modern manufacturing also relies heavily on subcontractors and outside parties, which both increases the need for third-party risk assessment and monitoring and makes it harder to do.
Manufacturers face data privacy requirements for the personal data they might keep on employees or third parties. Those demands come from sources such as HIPAA, the Gramm-Leach-Bliley Act, the EU General Data Protection Regulation, and state breach disclosure laws.
Manufacturers also need strong assurance over the security of subcontractors, technology vendors, and other business partners that might touch the company’s valuable intellectual property. Suppliers to the Defense Department, for example, must meet the NIST cybersecurity standards to maintain DFARS compliance and their eligibility to bid on government contracts. That security must extend down through a manufacturer’s supply chain.
Finally, manufacturers also have reporting requirements around product safety from agencies such as the Consumer Product Safety Commission, as well as environmental, health, and safety standards from agencies such as OSHA or the EPA. If that data is stored or processed by outside technology vendors, the security of those vendors must be assured as well.
So manufacturers carry not only a large regulatory burden but a diverse one, cutting across different types of data and risk.
Compliance Objective
Frameworks do exist to help manufacturers address all these regulatory compliance objectives. Still, compliance functions will need to manage multiple frameworks simultaneously, each one moving at its own pace, to make progress on multiple needs at once. For example, companies need to:
Assess the starting security posture of their own systems and any third parties they use.
Establish corrective steps that might be necessary.
Monitor whether those fixes are on schedule.
Identify security gaps they must fill to meet regulatory requirements.
Assign those corrective steps to control owners.
Understand and respond to any new assessments that might become necessary as new regulations emerge.