Clarifying issues surrounding this emerging security architecture
NAC is often used as one tool for enforcing regulatory compliance standards and then proving that the standards were met.
Vendors including Cisco, ConSentry, ForeScout, Mirage, StillSecure and others tout this compliance application of NAC in their marketing literature to attract customers. It’s a legitimate use of the technology.
Of course, customers have to be careful not to read into this that employing NAC means compliance with all of Sarbanes-Oxley or HIPAA or PCI requirements; it doesn’t. It means they meet narrowly focused pieces of the regulations.
The definition of NAC has changed considerably since it was conceived, expanding from a means to confirm endpoint health and enforce policies about it to a way to control behavior of devices that are already admitted to the network.
NAC has been rolled into products that do more than NAC enforcement alone, such as endpoint security software suites and network switches.
Given these two trends, it seems possible that security vendors could map the various regulations to the products that can help satisfy each of them.
Industry best practices for meeting the various regulatory requirements have become more firmly established as businesses grapple with how to comply. Vendors with a broad array of security products could pull together managed bundles that address specific chunks of specific regulations and produce reports in the form that regulators want. Such platforms could ease the pain of compliance.
Given that businesses face government and business-group mandates for network security and data protection, security vendors should step up with compliance packages. NAC could be a key feature.
Tim Greene is senior editor at Network World.