US and Canada Federal Regulations

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Forcepoint DLP Predefined Policies and Classifiers > Data Loss Prevention policies > Regulations, Compliance and Standards > US and Canada Federal Regulations

US and Canada Federal Regulations

Predefined Policies and Classifiers | Forcepoint DLP | 8.7.1

The following regulations apply to both the United States and Canada:

Children's Online Privacy Act (COPPA)

Controlled Unclassified Information (CUI)

Export Administration Regulations (EAR)

Risk Management Framework (RMF) for DoD Information Technology (IT)

Sarbanes-Oxley Act (SOX)

The Check Clearing for the 21st Century Act (Check 21) is a Federal law designed to foster innovation in the payments system and to enhance its efficiency by reducing some of the legal impediments to check truncation. The policy detects TIFF files, widely used for scanned checks. The rule for this policy is:

Check 21: TIFF Format

Children's Online Privacy Act (COPPA)

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law applied to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. The policy detects combinations of personal information with age information that indicates that the person's age is less than 13, based on explicit age or date of birth. The rules for this policy are:

COPPA: PII of Children (Wide)

COPPA: PII of Children (Default)

Controlled Unclassified Information (CUI)

Policy for detecting files that contain controlled unclassified information, based on CUI markings. Some US regulations, for example, the Department of Defense's "Defense Federal Acquisition Regulation Supplement" (DFARS) to the American Federal Acquisition Regulation (FAR), require contractors and subcontractors to safeguard covered information, marked by Controlled Unclassified Information (CUI). The rules for this policy are:

Controlled Unclassified Information: Banner Marking (Wide)

Controlled Unclassified Information: Banner Marking (Default)

Controlled Unclassified Information: Banner Marking (Narrow)

Controlled Unclassified Information: Portion Marking (Wide)

Controlled Unclassified Information: Portion Marking (Default)

Controlled Unclassified Information: Portion Marking (Narrow)

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the US Department of Defense process to ensure the management of risks on Information Systems (IS). The policy is applied to information systems of DoD-related units and contractors. The DLP aspect of the policy applies to combinations of Personally Identifiable Information (like social security number or credit card number) with sensitive private information, such as health conditions, names of crimes, and ethnicities, to promote compliance with DoD Privacy Program (DoD 5400.11-R) and Privacy of Health Information in DoD Health Care (DoD 6025.18). Additional rules detect confidential information about the corporate network, and confidential documents, according to DoD 8520.1 - Protection of Sensitive Compartmented Information (SCI). This regulation was deprecated in 2014 and replaced by "Risk Management Framework for DoD Information Technology". The transition to the new regulation must be done before the end of 2016. The rules for this policy are:

DIACAP: DoD 5400.11-R - Name and Crime

DIACAP: DoD 5400.11-R - Name and Ethnicity

DIACAP: DoD 5400.11-R - Name and SSN

DIACAP: DoD 5400.11-R - SSN and Crime

DIACAP: DoD 5400.11-R - SSN and Ethnicity

DIACAP: DoD 6025.18 - CCN and Sensitive Disease or drug

DIACAP: DoD 6025.18 - Name and Common Medical Condition (Default)

DIACAP: DoD 6025.18 - Name and Common Medical Condition (Narrow)

DIACAP: DoD 6025.18 - Name and Sensitive Disease (Default)

DIACAP: DoD 6025.18 - Name and Sensitive Disease (Narrow)

DIACAP: DoD 6025.18 - SSN and Sensitive Disease or Drug

DIACAP: DoD 8520.1 - Confidential Document

DIACAP: DoD 8520.1 - Proprietary in Header or Footer

DIACAP: DoD 8520.1 - Password Dissemination for HTTP Traffic (Wide)

DIACAP: DoD 8520.1 - Password Dissemination for HTTP Traffic (Default)

DIACAP: DoD 8520.1 - Password Dissemination for HTTP Traffic (Narrow)

DIACAP: DoD 8520.1 - Password Dissemination for non-HTTP/S Traffic (Wide)

DIACAP: DoD 8520.1 - Password Dissemination for non-HTTP/S Traffic (Default)

DIACAP: DoD 8520.1 - Password Dissemination for non-HTTP/S Traffic (Narrow)

DIACAP: Network Information and Security (Pattern and IP)

DIACAP: Network Information and Security (Textual Pattern)

Export Administration Regulations (EAR)

The Export Administration Regulations (EAR) are issued by the United States Department of Commerce, and control also the usage of "dual purpose" items (i.e., commercial products that can also be used for military purposes.) The definition of "Export" includes disclosing or transferring technical data to a foreign person whether in the U.S. or abroad. The policy comprises rules for detection of probable EAR-regulated information, such as chemical formulas, information pertaining encryption technology and confidential documents. The rules for this policy are:

EAR: CAD Files: Abaqus ODB File

EAR: CAD Files: Autodesk Design Web File

EAR: CAD Files: Autodesk Maya Binary File

EAR: CAD Files: Autodesk Maya Textual File

EAR: CAD Files: Catia File

EAR: CAD Files: Corel Draw File

EAR: CAD Files: DWG File

EAR: CAD Files: DXF Binary File

EAR: CAD Files: DXF Textual File

EAR: CAD Files: IGS Textual File

EAR: CAD Files: JT File

EAR: CAD Files: Nastran OP2 File

EAR: CAD Files: PTC Creo ASM File

EAR: CAD Files: PTC Creo DRW File

EAR: CAD Files: PTC Creo FRM File

EAR: CAD Files: PTC Creo PRT File

EAR: CAD Files: Siemens NX PRT File

EAR: CAD Files: SolidWorks File

EAR: CAD Files: STL Binary File

EAR: CAD Files: STL Textual File

EAR: CAD Files: STP File

EAR: CAD Files: WHIP File

EAR: CAD Files: X_T Textual File

EAR: Chemicals and Materials (Default)

EAR: Chemicals and Materials (Narrow)

EAR: Chemicals and Materials (Wide)

EAR: Confidential Document

EAR: Encryption Technologies (Default)

EAR: Encryption Technologies (Narrow)

EAR: Encryption Technologies (Wide)

EAR: Laser and Microelectronics (Default)

EAR: Laser and Microelectronics (Narrow)

EAR: Laser and Microelectronics (Wide)

EAR: Microorganisms and Toxins (Default)

EAR: Microorganisms and Toxins (Narrow)

EAR: Microorganisms and Toxins (Wide)

EAR: Microsoft Visio File

EAR: Military Technologies (Default)

EAR: Military Technologies (Narrow)

EAR: Military Technologies (Wide)

EAR: Nuclear Technologies (Default)

EAR: Nuclear Technologies (Narrow)

EAR: Nuclear Technologies (Wide)

EAR: Proprietary in Document

EAR: Python (Default)

EAR: Python (Wide)

EAR: Space Technologies (Default)

EAR: Space Technologies (Narrow)

EAR: Space Technologies (Wide)

EAR: C Family or Java (Default)

EAR: C Family or Java (Wide)

The Fair Credit Reporting Act ("FCRA") is a United States federal law. The Act is designed to help ensure that consumer reporting agencies act fairly, impartially, and with respect for the consumer's right to privacy when preparing consumer reports on individuals. The policy comprises rules for detection of personal financial information. The rules for this policy are:

FCRA: SSN and Personal Finance Terms

FCRA: DL and Personal Finance Terms

FCRA: SSN and Account

FCRA: DL and Account

FCRA: CCN: All Credit Cards

FCRA: Credit Card Magnetic Strips

FCRA: Name and Personal Finance Terms

Title 21 Part 11 of the Code of Federal Regulations (CFR) deals with the FDA guidelines on electronic records and electronic signatures in the United States. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are (a) required to be maintained by the FDA predicate rules or (b) used to demonstrate compliance to a predicate rule. The rules for this policy are:

FDA 21 CFR: Clinical Trials

FDA 21 CFR: Controlled Drugs

FDA 21 CFR: DICOM

FDA 21 CFR: DNA Sequence

FDA 21 CFR: Name and Common Medical Condition (Default)

FDA 21 CFR: Name and Common Medical Condition (Narrow)

FDA 21 CFR: Password Dissemination for HTTP Traffic (Wide)

FDA 21 CFR: Password Dissemination for HTTP Traffic (Default)

FDA 21 CFR: Password Dissemination for HTTP Traffic (Narrow)

FDA 21 CFR: Protein Sequence (Default)

FDA 21 CFR: Protein Sequence (Narrow)

Policy to promote compliance with the requirements imposed by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Council (NERC) to protects Critical Energy Infrastructure Information (CEII). The policy detects sensitive Energy Infrastructure Information, such as natural gas pipeline flow diagrams, various drawing and schemes files and FERC forms 567 and 715. The rules for this policy are:

FERC and NERC: CAD Files: DWG File

FERC and NERC: CAD Files: DXF Binary File

FERC and NERC: CAD Files: DXF Textual File

FERC and NERC: CAD Files: IGS Textual File

FERC and NERC: CAD Files: JT File

FERC and NERC: CAD Files: PTC Creo ASM File

FERC and NERC: CAD Files: PTC Creo DRW File

FERC and NERC: CAD Files: PTC Creo FRM File

FERC and NERC: CAD Files: PTC Creo PRT File

FERC and NERC: CAD Files: SolidWorks File

FERC and NERC: CAD Files: STL Binary File

FERC and NERC: CAD Files: STL Textual File

FERC and NERC: CAD Files: STP File

FERC and NERC: CAD Files: WHIP File

FERC and NERC: CAD Files: X_T Textual File

FERC and NERC: Disclaimer

FERC and NERC: Form 567

FERC and NERC: Form 715

FERC and NERC: Microsoft Visio

FERC and NERC: Pipeline Flow Diagram

The Family Educational Rights and Privacy is a US Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The policy detects combinations of Personally Identifiable Information (PII) like social security number or driver license number, and sensitive private information such as grades, health conditions, and names of crimes and ethnicities. The rules for this policy are:

FERPA: Driver License and Common Medical Condition

FERPA: Driver License and Ethnicities

FERPA: Driver License and Grades

FERPA: Driver License and Sensitive Disease or drug

FERPA: Name and Common Medical Condition (Default)

FERPA: Name and Common Medical Condition (Narrow)

FERPA: Name and Sensitive Disease or drug (Default)

FERPA: Name and Sensitive Disease or drug (Narrow)

FERPA: SSN and Common Medical Condition

FERPA: SSN and Ethnicities

FERPA: SSN and Grades

FERPA: SSN and Sensitive Disease or drug

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the Federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions

The rules for this policy are:

FFIEC: 5-8 Digit Account Number

FFIEC: 9 Digit Account Number

FFIEC: 10 Digit Account Number

FFIEC: Credit Card Magnetic Strip

FFIEC: Credit Card Number

FFIEC: Driver License

FFIEC: Password Dissemination for HTTP Traffic (Wide)

FFIEC: Password Dissemination for HTTP Traffic (Default)

FFIEC: Password Dissemination for HTTP Traffic (Narrow)

FFIEC: Password Dissemination for non-HTTP/S Traffic (Wide)

FFIEC: Password Dissemination for non-HTTP/S Traffic (Default)

FFIEC: Password Dissemination for non-HTTP/S Traffic (Narrow)

FFIEC: Social Security Number

FFIEC: TIFF File

FFIEC: Zip Code and Financial Term

The Federal Information Security Management Act of 2002 ("FISMA") imposes a mandatory set of processes that must be followed for all information systems used or operated by a US federal agency or by a contractor or other organization on behalf of a US Government agency. The policy detects combinations of Personally Identifiable Information (PII) like social security number or credit card number, with sensitive private information, such as health conditions, names of crimes, and ethnicities. Additional rules detect confidential information about the corporate network, and confidential documents. The rules for this policy are:

FISMA: CCN and Crime

FISMA: CCN and Ethnicity

FISMA: CCN and Sensitive Disease or Drug

FISMA: Confidential in Document

FISMA: Proprietary in Document

FISMA: Network Information and Security (Pattern and IP)

FISMA: Network Information and Security (Textual Pattern)

FISMA: Password Dissemination for HTTP Traffic (Wide)

FISMA: Password Dissemination for HTTP Traffic (Default)

FISMA: Password Dissemination for HTTP Traffic (Narrow)

FISMA: Password Dissemination for non-HTTP/S Traffic (Wide)

FISMA: Password Dissemination for non-HTTP/S Traffic (Default)

FISMA: Password Dissemination for non-HTTP/S Traffic (Narrow)

FISMA: SSN and Crime

FISMA: SSN and Ethnicity

FISMA: SSN and Sensitive Disease or Drug

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, is a U.S. Federal regulation that includes provisions to protect consumers' personal financial information held by financial institutions. The policy contains rules to detect accounts, credit cards, and social security numbers. The policy comprises rules for detection of personal financial information and other personal information. The rules for this policy are:

GLBA: CCN (Default)

GLBA: CCN (Narrow)

GLBA: Name and 5-8 Digit Account Numbers

GLBA: Name and 9-Digit Account Numbers

GLBA: Name and 10-Digit Account Numbers

GLBA: Name and Contact Information

GLBA: Name and Personal Finance Terms

GLBA: Name and Sensitive Disease or Drug (Default)

GLBA: Name and Sensitive Disease or Drug (Narrow)

GLBA: Name and SSN

GLBA: RTN/ABA (Wide)

GLBA: RTN/ABA (Default)

GLBA: RTN/ABA (Narrow)

GLBA: SSN and Account

GLBA: SSN and Personal Finance Terms

The Health Insurance Portability and Accountability Act is a US Federal law that specifies a series of administrative, technical, and physical safeguards, organizational and documentation requirements for covered entities to use to assure the availability, confidentiality, and integrity of electronically protected health information. The policy detects combinations of Personally Identifiable Information (PII) like name, social security or credit card number, and protected health information (PHI). The rules for this policy are:

HIPAA: Credit Card Number and Common Medical Condition

HIPAA: Credit Card Number and Sensitive Disease or Drug

HIPAA: DNA Profile (Default)

HIPAA: DNA Profile (Narrow)

HIPAA: DOB and Name (Wide)

HIPAA: DOB and Name (Default)

HIPAA: ICD9 Code and Description

HIPAA: ICD9 Code and Name

HIPAA: ICD9 Description and Name

HIPAA: ICD10 Code and Description

HIPAA: ICD10 Code and Name

HIPAA: ICD10 Description and Name

HIPAA: Medical Form (Wide)

HIPAA: Medical Form (Default)

HIPAA: Medical Form (Narrow)

HIPAA: Name and Common Medical Condition (Default)

HIPAA: Name and Common Medical Condition (Narrow)

HIPAA: Name and Contact Information

HIPAA: Name and MBI (Default)

HIPAA: Name and MBI (Wide)

HIPAA: Name and HICN

HIPAA: Name and Sensitive Disease or Drug (Default)

HIPAA: Name and Sensitive Disease or Drug (Narrow)

HIPAA: NDC Number (Wide)

HIPAA: NDC Number (Default)

HIPAA: NDC Number (Narrow)

HIPAA: SPSS Text File

HIPAA: SSN and Common Medical Condition

HIPAA: SSN and Sensitive Disease or Drug

The ITAR regulation for industry and government regulates dissemination of encryption, space, military and nuclear technology, along with source code. The rules for this policy are:

ITAR: C family or Java Source Code

ITAR: Confidential in Header or Footer

ITAR: Encryption Technologies (Default)

ITAR: Encryption Technologies (Narrow)

ITAR: Encryption Technologies (Wide)

ITAR: Military Technologies (Default)

ITAR: Military Technologies (Narrow)

ITAR: Military Technologies (Wide)

ITAR: Nuclear Technologies (Default)

ITAR: Nuclear Technologies (Narrow)

ITAR: Nuclear Technologies (Wide)

ITAR: Proprietary in Header or Footer

ITAR: Python (Default)

ITAR: Python (Wide)

ITAR: Space Technologies (Default)

ITAR: Space Technologies (Narrow)

ITAR: Space Technologies (Wide)

ITAR: SPICE Source code

ITAR: Technical Drawing files

ITAR: Verilog Source code

ITAR: VHDL Source Code

ITAR:SPICE Source code (Berkeley version)

The Management of Information Technology Security (MITS) standard defines baseline security requirements that Canadian federal departments must fulfill to ensure the security of information and information technology (IT) assets under their control. The DLP aspect of the policy applies to combinations of Personally Identifiable Information (like social insurance number or credit card number) with sensitive private information, such as health conditions, to promote compliance with the Canadian Privacy Impact Assessment mandated by MITS. Additional rules detect confidential information about the corporate network, and confidential documents, to promote compliance with the Canadian Government Security Policy. The rules for this policy are:

MITS: Confidential Document

MITS: Proprietary in Document

MITS: Network Information and Security (Pattern and IP)

MITS: Network Information and Security (Textual Pattern)

MITS: Password Dissemination for HTTP Traffic (Wide)

MITS: Password Dissemination for HTTP Traffic (Default)

MITS: Password Dissemination for HTTP Traffic (Narrow)

MITS: Password Dissemination for non-HTTP/S Traffic (Wide)

MITS: Password Dissemination for non-HTTP/S Traffic (Default)

MITS: Password Dissemination for non-HTTP/S Traffic (Narrow)

MITS: SIN and CCN

MITS: SIN and Common Medical Condition

MITS: SIN and Sensitive Disease or Drug

MITS: Social Insurance Number

Risk Management Framework (RMF) for DoD Information Technology (IT)

The Risk Management Framework is a United States federal government policy and standards to help secure information systems developed by National Institute of Standards and Technology (NIST). The two main publications that cover the details of RMF are NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", and NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations". DoD instruction 8510.01 defines the Risk Management Framework for DoD Information Technology. The rules for this policy are:

RMF for DoD IT: CCN and Sensitive Disease or Drug

RMF for DoD IT: Confidential Document

RMF for DoD IT: Name and Common Medical Condition (Default)

RMF for DoD IT: Name and Common Medical Condition (Narrow)

RMF for DoD IT: Name and Crime

RMF for DoD IT: Name and Ethnicity

RMF for DoD IT: Name and Sensitive Disease (Default)

RMF for DoD IT: Name and Sensitive Disease (Narrow)

RMF for DoD IT: Name and SSN

RMF for DoD IT: Network Information and Security (Pattern and IP)

RMF for DoD IT: Network Information and Security (Textual Pattern)

RMF for DoD IT: Password Dissemination for HTTP Traffic (Wide)

RMF for DoD IT: Password Dissemination for HTTP Traffic (Default)

RMF for DoD IT: Password Dissemination for HTTP Traffic (Narrow)

RMF for DoD IT: Password Dissemination for non-HTTP/S Traffic (Wide)

RMF for DoD IT: Password Dissemination for non-HTTP/S Traffic (Default)

RMF for DoD IT: Password Dissemination for non-HTTP/S Traffic (Narrow)

RMF for DoD IT: Proprietary in Header or Footer

RMF for DoD IT: SSN and Crime

RMF for DoD IT: SSN and Ethnicity

RMF for DoD IT: SSN and Sensitive Disease or Drug

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) mandates public companies to comply with its requirements. This act provides strict guidelines for ensuring corporate governance and control policies for information within publicly traded companies. The Forcepoint SOX-related policy promotes compliance with the data protection aspects of SOX by detecting audit terms and SEC 10-K and 10-Q reports. The rules for this policy are:

SOX: Form 10-K (Non-Standard Fiscal Year)

SOX: Form 10-K (Standard Fiscal Year)

SOX: Form 10-Q (Non-Standard Fiscal Year)

SOX: Form 10-Q (Standard Fiscal Year)

SOX: SOX-Related Term

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Forcepoint DLP Predefined Policies and Classifiers > Data Loss Prevention policies > Regulations, Compliance and Standards > US and Canada Federal Regulations

Copyright 2020 Forcepoint. All rights reserved.