Cybersecurity Frameworks — Privacy, Compliance & Financial Security — Secure In Security
Introduction to Cybersecurity Frameworks

Cybersecurity frameworks are structured sets of guidelines, standards, controls, and best practices that organisations use to manage and reduce information security risk. They translate complex security requirements into actionable programmes that protect people, systems, and data. Frameworks differ in scope, origin, and application: some are mandated by law, some by contract, some adopted voluntarily as best practice. Understanding when each framework applies — and how they interrelate — is foundational knowledge for security practitioners, compliance professionals, and executive leadership.

No single framework addresses every security need. In practice, most organisations operate under multiple simultaneous frameworks: a healthcare provider may be subject to HIPAA, adopt NIST CSF, implement CIS Controls, and seek ISO 27001 certification concurrently. This document provides a comprehensive reference for the most significant cybersecurity frameworks, their requirements, and their specific applications to personal privacy, federal government compliance, financial security, and broader security programme design.

Key Concept
Cybersecurity frameworks exist on a spectrum from prescriptive to principles-based. Prescriptive frameworks (PCI DSS, CMMC) specify exact technical controls and test procedures. Principles-based frameworks (ISO 27001, NIST CSF) define outcomes and let organisations determine how to achieve them. Prescriptive frameworks are audited for exact compliance; principles-based frameworks are assessed for the adequacy of an organisation’s approach.

Framework Categories and Primary Applications

  • Personal Privacy: Frameworks governing the collection, storage, processing, and transfer of personal data. GDPR, CCPA, HIPAA Privacy Rule, and NIST Privacy Framework directly regulate how organisations handle personally identifiable information (PII) and personal health information (PHI).
  • Federal Government: Frameworks mandated for or specifically designed for US federal agencies and their contractors: FISMA, FedRAMP, NIST SP 800-53, CMMC. These frameworks carry statutory authority and non-compliance can result in loss of federal contracts or criminal liability.
  • Financial Security: Frameworks protecting financial systems, payment data, and financial institutions: PCI DSS (payment cards), SOX (public company financial controls), GLBA (financial institutions), NY DFS 23 NYCRR 500 (New York financial services). These combine security controls with audit and accountability requirements.
  • Risk Management: Frameworks for systematic identification, assessment, and treatment of information security risk: NIST RMF, ISO 31000, FAIR (Factor Analysis of Information Risk). They provide the analytical foundation on which security investment decisions are made.
  • Technical Controls: Frameworks providing prescriptive technical security configuration guidance: CIS Controls, DISA STIGs, NSA/CISA Security Advisories. They specify exact configurations, system settings, and tool deployments rather than outcome requirements.
  • International Standards: Globally recognised standards enabling cross-border security assurance: ISO/IEC 27001 (ISMS), ISO/IEC 27002 (security controls), ISO 27017 (cloud security), ISO 27701 (privacy). Certification demonstrates security capability to international customers, regulators, and partners.
  • Industry-Specific: Frameworks tailored to sector-specific risk profiles: HIPAA/HITECH (healthcare), NERC CIP (energy/utilities), TSA Security Directives (transportation), NRC cybersecurity regulations (nuclear). They apply in addition to general-purpose frameworks.
  • Emerging Frameworks: Recently published frameworks addressing modern threat environments: NIST CSF 2.0 (2024), Zero Trust Architecture (NIST SP 800-207), Secure Software Development Framework (SSDF), OT/ICS cybersecurity (IEC 62443). They address gaps in legacy frameworks that predate cloud, container, and AI deployments.

NIST Cybersecurity Frameworks

The National Institute of Standards and Technology (NIST) is the primary source of cybersecurity framework guidance for US government and a globally respected standard-setting body for the private sector. NIST frameworks are freely available, regularly updated, and supported by extensive guidance documentation, reference implementations, and mapping tools. Multiple NIST publications form an integrated framework ecosystem that organisations apply together.

NIST Cybersecurity Framework (CSF) 2.0

NIST CSF is the most widely adopted cybersecurity framework in the United States across all sectors. Originally published in 2014 and significantly revised in 2024 (CSF 2.0), it provides a flexible, outcome-based structure for managing cybersecurity risk using six core functions that span the full security lifecycle.

| Feature / Element | Description |
|---|---|
| Privacy Relevance | CSF 2.0 explicitly integrates privacy considerations, particularly in the Identify and Protect functions. PR.DS (Protect: Data Security) addresses personal data protection; ID.RA (Identify: Risk Assessment) includes privacy risk. The NIST Privacy Framework maps to and extends CSF for organisations requiring explicit privacy programme alignment. |
| Federal Relevance | CSF is the baseline voluntary framework for US critical infrastructure and recommended by the White House Cybersecurity Executive Orders. Federal agencies map their FISMA compliance programmes to CSF. CSF 2.0 adds a new “Govern” function reflecting the increased regulatory focus on cybersecurity governance and board-level accountability. |
| Financial Relevance | Financial sector regulators (OCC, FDIC, Federal Reserve) reference CSF in cybersecurity guidance. The Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile extends CSF for financial services, mapping to FFIEC, PCI DSS, and other financial frameworks simultaneously. |
| CSF Core Functions | Govern (GV): establish and monitor cybersecurity risk management strategy. Identify (ID): understand assets, risks, and vulnerabilities. Protect (PR): implement safeguards. Detect (DE): monitor for adverse events. Respond (RS): contain and communicate incidents. Recover (RC): restore operations and improve. |
| Tiers | CSF Tiers describe the rigour of an organisation’s cybersecurity risk management practices: Tier 1 (Partial) through Tier 4 (Adaptive). Tiers are not maturity levels — they represent the degree to which risk management practices are formalised, risk-informed, and integrated with business practices. |
| Profiles | CSF Profiles document the “current” and “target” state of an organisation’s cybersecurity programme. The gap between Current and Target Profiles drives prioritised security investment. Sector-specific Profile templates (Healthcare, Financial Services, Manufacturing) accelerate profile development. |

NIST SP 800-53 — Security and Privacy Controls for Federal Systems

NIST SP 800-53 Rev. 5 is the most comprehensive catalogue of security and privacy controls for federal information systems. It is mandatory for federal agencies under FISMA and is adopted voluntarily by private sector organisations as the most thorough available control catalogue. Revision 5 (2020) integrated privacy controls directly alongside security controls — a landmark change reflecting the inseparability of security and privacy in modern information systems.

| Component | Description |
|---|---|
| Privacy Relevance | NIST 800-53 Rev. 5 added a dedicated Privacy (PT) control family with 8 controls covering consent and notice, data minimisation, individual access, de-identification, and privacy monitoring. The control catalogue explicitly addresses the handling of PII throughout the system development lifecycle. |
| Federal Mandate | Required for all federal information systems under FISMA (44 U.S.C. § 3551). Federal agencies must select controls based on system categorisation (Low/Moderate/High impact under FIPS 199), document control implementations in System Security Plans (SSPs), and maintain continuous monitoring programmes. |
| Control Families | 20 control families covering: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Risk Assessment (RA), System and Communications Protection (SC), System and Information Integrity (SI), and 11 additional families. |
| Baselines | NIST 800-53B defines Low, Moderate, and High control baselines. Low: ~100 controls for systems where compromise has limited adverse effect. Moderate: ~250 controls covering most federal systems. High: ~350 controls for national security and critical systems. Privacy baseline applies whenever PII is processed. |
| Mapping Ecosystem | NIST 800-53 is the hub of a framework mapping ecosystem. NIST maintains mappings to ISO 27001, NIST CSF, CIS Controls, HIPAA, PCI DSS, and dozens of additional frameworks — enabling organisations to satisfy multiple frameworks efficiently by implementing 800-53 controls. |

NIST Risk Management Framework (RMF)

The NIST Risk Management Framework (SP 800-37 Rev. 2) provides the structured process through which federal agencies categorise information systems, select and implement security controls, assess their effectiveness, authorise system operation, and continuously monitor security posture. It integrates the full NIST 800-53 control catalogue into a repeatable lifecycle process.

| RMF Element | Description |
|---|---|
| RMF Steps | Prepare: establish risk management roles and strategy. Categorise: classify information and systems using FIPS 199. Select: choose controls from 800-53 based on category. Implement: deploy controls with documented implementation evidence. Assess: verify controls are implemented correctly and effective. Authorise: AO makes risk-based accept/deny decision. Monitor: continuous monitoring and ongoing authorisation. |
| Privacy Integration | RMF Rev. 2 added privacy as a co-equal concern alongside security. Privacy Risk Assessments (PRAs) are conducted alongside security risk assessments. Privacy controls from 800-53 Rev. 5 are incorporated into the control selection and assessment steps. |
| Federal ATO | The Authorisation to Operate (ATO) is the formal risk acceptance decision by an Authorising Official (AO) permitting a system to operate. ATOs are time-limited (typically 3 years) and conditional on continued compliance with the Plan of Action and Milestones (POA&M) for any outstanding control weaknesses. |
| Continuous Monitoring | NIST SP 800-137 defines the continuous monitoring strategy that maintains the ATO between formal reauthorisations. Automated scanning, SIEM integration, and configuration management provide ongoing assurance that control effectiveness is maintained as systems change. |

NIST SP 800-171 & 800-172 — Protecting Controlled Unclassified Information

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organisations. It is the direct basis for the CMMC framework requirements and applies to any organisation handling CUI received from federal agencies under contract.

| Component | Description |
|---|---|
| CUI Categories | CUI is government-created or government-owned information that requires safeguarding but is not classified. Categories include: Export Control (ITAR/EAR), Law Enforcement Sensitive, Controlled Technical Information (CTI), Privacy (PII), Critical Infrastructure, and Nuclear. Each category has specific handling requirements. |
| 110 Requirements | 800-171 specifies 110 security requirements across 14 families derived from the NIST 800-53 Moderate baseline. Requirements cover access control, awareness training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. |
| CMMC Relationship | CMMC Level 2 (Advanced) requires implementation of all 110 NIST 800-171 Rev. 2 requirements. CMMC Level 3 (Expert) adds requirements from NIST 800-172 (Enhanced CUI Security). CMMC assessments are conducted by C3PAOs (Certified Third-Party Assessment Organizations) — NIST 800-171 compliance claims are no longer self-attestable above CMMC Level 1. |
| DFARS Clause | DFARS 252.204-7012 mandates 800-171 compliance for all DoD contractors and sub-contractors that process, store, or transmit CUI. Violations can result in False Claims Act liability, contract termination, and debarment from federal contracting. |
Key Concept
NIST frameworks are designed to interoperate. A federal agency implements NIST 800-53 controls through the RMF process, maps their programme to the CSF for executive reporting, and references 800-171 for CUI contractors. Private sector organisations that implement 800-53 Moderate or High baselines substantially satisfy ISO 27001, HIPAA Security Rule, PCI DSS, and dozens of other frameworks simultaneously — the NIST control catalogue is the most efficient path to multi-framework compliance.

Federal Government Compliance Frameworks

Federal government cybersecurity compliance is governed by a hierarchy of statutes, executive orders, and agency-specific regulations that create binding legal obligations for agencies and their contractors. Unlike voluntary frameworks, federal compliance frameworks carry statutory authority — non-compliance results in legal consequences, loss of federal contracts, and in some cases criminal liability. Understanding the federal compliance landscape is essential for any organisation that provides services to or handles data from federal agencies.

FISMA — Federal Information Security Modernization Act

FISMA (44 U.S.C. § 3551 et seq.) is the primary federal law governing information security for federal agencies. Originally enacted in 2002 and modernized in 2014, FISMA requires federal agencies to develop, document, and implement agency-wide information security programmes. It delegates technical standard-setting to NIST and oversight to OMB and CISA.

| Component | Description |
|---|---|
| Legal Authority | FISMA applies to all federal executive branch agencies and their contractors that operate systems on behalf of federal agencies. The CIO of each agency is responsible for implementing the agency-wide security programme. Annual FISMA reporting to OMB and Congress is mandatory. |
| Privacy Relationship | FISMA explicitly covers “information security”, which includes protection of personally identifiable information (PII). OMB Circular A-130 reinforces FISMA privacy requirements and mandates Privacy Impact Assessments (PIAs) for systems that collect or maintain PII. |
| Agency Requirements | Each agency must: designate a Senior Agency Information Security Officer (SAISO/CISO), develop a comprehensive security programme, train employees on security awareness, test and evaluate programme effectiveness annually, develop remediation plans, and report incidents to US-CERT within defined timeframes. |
| 2014 Modernisation | FISMA 2014 shifted the law’s focus from documentation to continuous monitoring and real-time risk management. It expanded CISA’s role in coordinating federal cybersecurity and required agencies to report major incidents to Congress. The Federal Information Security Modernization Act replaced the original Federal Information Security Management Act. |

FedRAMP — Federal Risk and Authorization Management Program

FedRAMP provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services used by federal agencies. Any cloud service provider (CSP) offering services to federal agencies must obtain a FedRAMP authorisation. This “authorise once, use many times” model avoids redundant security assessments across agencies.

| Component | Description |
|---|---|
| Privacy Application | FedRAMP includes specific requirements for cloud services processing federal PII. CSPs must comply with OMB Memoranda on Privacy, implement applicable 800-53 privacy controls, and include privacy in continuous monitoring reporting. FedRAMP High baseline applies to systems with significant PII. |
| Impact Levels | FedRAMP Low: approximately 125 controls for non-sensitive data. FedRAMP Moderate: approximately 325 controls for most federal data (the majority of cloud services). FedRAMP High: approximately 425 controls for high-impact systems (e.g. law enforcement, emergency services, financial systems). DoD Impact Levels (IL2-IL6) extend FedRAMP for defence applications. |
| Assessment Process | Joint Authorization Board (JAB) Provisional Authorization: reviewed by DoD, DHS, and GSA; applicable government-wide. Agency Authorization: individual agency-sponsored assessment. Tailored LI-SaaS: streamlined pathway for low-impact SaaS with limited federal data. 3PAO: independent Third Party Assessment Organizations conduct security assessments. |
| Continuous Monitoring | FedRAMP ConMon requires monthly vulnerability scanning, annual penetration testing, Plan of Action and Milestones (POA&M) management, and incident reporting within one hour for high-impact events. FedRAMP Agency Use is contingent on the CSP maintaining ConMon compliance. |
| Business Impact | FedRAMP authorisation is a prerequisite for selling cloud services to US federal agencies — a multi-billion-dollar market. The investment in FedRAMP authorisation (typically $500K–$2M+) is recovered through federal contract access. FedRAMP marketplace listings drive significant commercial credibility beyond the federal sector. |

CMMC — Cybersecurity Maturity Model Certification

CMMC 2.0 is the DoD’s contractor cybersecurity certification programme that replaces self-attestation of NIST 800-171 compliance. It establishes three certification levels based on the sensitivity of information handled, with the most sensitive levels requiring independent third-party assessment rather than contractor self-reporting.

| Level | Description |
|---|---|
| Level 1: Foundational | 17 security practices from FAR 52.204-21. Covers basic cyber hygiene: access control, media sanitisation, physical protection, system integrity. Annual self-assessment with senior official affirmation. Applies to contractors handling only Federal Contract Information (FCI), not CUI. |
| Level 2: Advanced | 110 security requirements from NIST SP 800-171. Triennial third-party assessment (C3PAO) for prioritised acquisitions; annual self-assessment for non-prioritised. Applies to contractors handling Controlled Unclassified Information (CUI). Covers the vast majority of DoD contractors in the defence industrial base. |
| Level 3: Expert | All 110 NIST 800-171 requirements plus selected requirements from NIST 800-172. Triennial government-led assessment (DCSA). Applies to contractors handling the most sensitive CUI associated with critical programmes and technologies. Approximately 300–500 companies anticipated to require Level 3. |
| Privacy Relationship | CUI categories include significant privacy-sensitive data (PII, health information, export-controlled data). CMMC compliance directly supports privacy protection for sensitive government information entrusted to contractors. Incidents involving CUI require notification under DFARS 252.204-7012. |
| Rulemaking Timeline | CMMC 2.0 final rule published November 2024. DoD contracts began including CMMC requirements in 2025. Full implementation across the defence industrial base expected through 2026–2028 as existing contracts are renewed and new contracts are issued with CMMC requirements embedded in solicitations. |
Warning
False Claims Act (FCA) liability is a significant risk for federal contractors who misrepresent CMMC or NIST 800-171 compliance. The 2022 Civil Cyber-Fraud Initiative has resulted in multi-million-dollar settlements against contractors for knowingly submitting inaccurate security compliance certifications. Senior officials who sign compliance affirmations bear personal liability for materially false statements.

Executive Orders and Presidential Directives

| Directive | Description |
|---|---|
| EO 14028 (2021) | Executive Order on Improving the Nation’s Cybersecurity directed: zero trust architecture adoption across federal agencies, software supply chain security (SSDF, SBOM), enhanced detection capabilities (EDR), cloud migration security standards, and cyber safety review board establishment. Most requirements implemented through OMB memoranda and CISA guidance. |
| NSM-8 (2022) | National Security Memorandum on Improving Cybersecurity of National Security Systems extended EO 14028 requirements to NSS. Directed NSA to issue technical standards for NSS, mandated multi-factor authentication and encryption for all NSS, and required CNSS assessments of NSS security posture. |
| EO 14110 (2023) | Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Directed NIST to develop AI Risk Management Framework (AI RMF), OMB to issue guidance on federal agency AI use, and DHS/CISA to assess AI cybersecurity risks. Represents the first major federal AI security governance framework. |
| CISA Binding Directives | CISA issues Binding Operational Directives (BODs) and Emergency Directives (EDs) that are legally binding on federal civilian executive branch agencies. BOD 22-01 (KEV catalogue remediation) and BOD 23-02 (internet-exposed management interfaces) represent significant compliance obligations with defined remediation timelines. |

Personal Privacy Frameworks and Regulations

Privacy frameworks govern how organisations collect, use, store, share, and delete personal information. Unlike security frameworks that focus primarily on preventing unauthorised access, privacy frameworks address the legitimate use of personal data — requiring organisations to process personal data only in accordance with individuals’ expectations and legal rights. The past decade has seen a global proliferation of privacy regulations, transforming privacy from an aspirational principle to a legally enforced operational requirement.

GDPR — General Data Protection Regulation

The EU General Data Protection Regulation (Regulation 2016/679), effective May 2018, is the most comprehensive and globally influential privacy law in force. GDPR applies to any organisation that processes the personal data of EU/EEA residents, regardless of where the organisation is located. Its extraterritorial scope and substantial penalties have made it the de facto global privacy standard.

| Component | Description |
|---|---|
| Core Principles | Lawfulness/Fairness/Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Integrity and Confidentiality (security), and Accountability. Organisations must be able to demonstrate compliance with all principles — accountability is active, not passive. |
| Legal Bases | Processing requires a valid legal basis: Consent (freely given, specific, informed, unambiguous), Contract (necessary for contract performance), Legal Obligation, Vital Interests, Public Task, or Legitimate Interests. Relying on the wrong legal basis invalidates the processing. Consent must be separately obtained for each purpose. |
| Data Subject Rights | Right of Access (DSAR: response within 30 days), Right to Rectification, Right to Erasure (Right to be Forgotten), Right to Restriction of Processing, Right to Data Portability, Right to Object (to direct marketing, automated decisions), Rights related to Automated Decision-Making (profiling, significant decisions without human review). |
| Security Requirements | Article 32 requires “appropriate technical and organisational measures” for security including encryption, pseudonymisation, confidentiality, integrity, availability, and resilience. Security impact assessments (DPIA) required for high-risk processing. Incident notification: 72 hours to supervisory authority; without undue delay to affected individuals. |
| Enforcement Penalties | Two tiers: administrative fines up to €10M or 2% global turnover (less serious violations) and up to €20M or 4% global turnover (most serious, including fundamental principles, data subject rights, international transfers). DPA enforcement records: Meta €1.2B (2023), Amazon €746M (2021), Instagram €405M (2022). |
| International Transfers | Transfer of EU personal data to third countries requires adequate safeguards: adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or derogations. EU-US Data Privacy Framework (2023) replaced invalidated Privacy Shield. Schrems II ruling requires transfer impact assessments for SCCs. |

CCPA / CPRA — California Consumer Privacy Act

The California Consumer Privacy Act (2018) and California Privacy Rights Act (2020) together create the strongest US state privacy law. CPRA significantly expanded CCPA protections and created the California Privacy Protection Agency (CPPA) as a dedicated enforcement authority. California’s law serves as the de facto US national privacy standard, with most large organisations extending its protections beyond California residents.

| Component | Description |
|---|---|
| Consumer Rights | Right to Know (categories and specific pieces collected), Right to Delete (with exceptions), Right to Opt-Out of Sale/Sharing, Right to Correct, Right to Limit Use of Sensitive Personal Information, Right to Non-Discrimination for exercising rights, Right to Data Portability. Response required within 45 days (extendable to 90 days). |
| Sensitive Data | CPRA defines sensitive personal information (SPI) requiring specific disclosure and opt-out rights: SSN, driver’s licence, financial account + credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text content, health/medical, sexual orientation, and biometric data. |
| Business Thresholds | Applies to for-profit businesses that: (a) have gross revenue over $25M, (b) annually buy/sell/share personal data of 100,000+ consumers/households, or (c) derive 50%+ revenue from selling/sharing personal data. No residency requirement for the business — applies regardless of where the business is located if it processes California residents’ data. |
| Security Requirement | Businesses must implement reasonable security measures appropriate to the nature of personal information. Failure to implement reasonable security that results in a breach of specific data categories (SSN, financial credentials, biometric, health) creates a private right of action with statutory damages of $100–$750 per consumer per incident. |
| US Privacy Law Landscape | Following CPRA, comprehensive state privacy laws were enacted in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and 15+ additional states. No current federal comprehensive privacy law, though the American Data Privacy and Protection Act (ADPPA) has progressed further than any prior federal privacy bill. |

HIPAA — Health Insurance Portability and Accountability Act

HIPAA (1996) and its implementing regulations — the Privacy Rule (2003), Security Rule (2003), Breach Notification Rule (2009), and Omnibus Rule (2013) — create the federal framework for protecting Protected Health Information (PHI) in the US healthcare system. HITECH (2009) significantly strengthened HIPAA penalties and extended requirements to Business Associates.

| Rule / Component | Description |
|---|---|
| Privacy Rule | Defines PHI as individually identifiable health information in any form. Establishes permitted uses and disclosures (treatment, payment, healthcare operations) without patient authorisation. Requires Notice of Privacy Practices. Grants patients rights to access, amend, and request restriction of their PHI. Minimum Necessary standard limits PHI use to what is needed. |
| Security Rule | Applies to electronic PHI (ePHI) only. Requires Administrative Safeguards (policies, training, workforce management), Physical Safeguards (facility access, workstation security, device controls), and Technical Safeguards (access controls, audit controls, integrity controls, transmission security). Implementation specifications: Required vs. Addressable (reasonable and appropriate). |
| Breach Notification | Covered Entities must notify affected individuals within 60 days of discovery. Breaches affecting 500+ individuals in a state require notification to major media. HHS notification within 60 days (500+ individuals) or annually for smaller breaches. Business Associate notifies Covered Entity without unreasonable delay and within 60 days. |
| Enforcement Penalties | Civil penalties tiered by culpability: Did not know ($100–$50,000/violation), Reasonable Cause ($1,000–$50,000), Willful Neglect corrected ($10,000–$50,000), Willful Neglect not corrected ($50,000+). Maximum $1.9M per violation category per year. OCR enforcement actions frequently exceed $1M. State AGs also enforce HIPAA. |
| Business Associates | Any entity that creates, receives, maintains, or transmits ePHI on behalf of a Covered Entity is a Business Associate (BA) subject to the Security Rule and portions of the Privacy Rule. BAs must execute Business Associate Agreements (BAAs). Cloud service providers storing ePHI are BAs regardless of whether they can access the data. |
| HITECH Enhancements | HITECH increased penalty maximums, extended direct liability to Business Associates, required periodic HHS audits of covered entities and BAs, created the Breach Notification Rule, and enhanced enforcement resources. Post-HITECH penalties total hundreds of millions annually. OCR’s Right of Access enforcement initiative has focused specifically on patient access violations. |

NIST Privacy Framework

The NIST Privacy Framework (Version 1.0, 2020) provides a voluntary tool for organisations to manage privacy risks and demonstrate compliance with applicable privacy requirements. It deliberately parallels the structure of NIST CSF to enable joint implementation and aligns with NIST 800-53 Rev. 5 privacy controls.

| Component | Description |
|---|---|
| Core Functions | Identify-P: develop organisational understanding of privacy risk to individuals. Govern-P: develop governance structures for privacy management. Control-P: develop and implement activities enabling individuals to exercise agency. Communicate-P: develop understanding of privacy practices. Protect-P: develop and implement safeguards for data processing. |
| CSF Alignment | Privacy Framework functions map to CSF functions, enabling coordinated implementation. Where security and privacy overlap (e.g. protecting ePHI involves both security and privacy controls), the frameworks’ shared structure facilitates integrated programme design and eliminates duplicative compliance activities. |
| 800-53 Mapping | NIST maintains a mapping between Privacy Framework subcategories and 800-53 Rev. 5 privacy controls (PT family and others), enabling organisations to assess their Privacy Framework implementation status through their 800-53 assessment results. |
Key Concept
Privacy frameworks increasingly require a “privacy by design” approach — building privacy protections into systems and processes from the outset rather than retrofitting them. GDPR Article 25 (Data Protection by Design and Default), CCPA/CPRA, and the NIST Privacy Framework all emphasise proactive privacy engineering. Privacy impact assessments, data minimisation in system design, and anonymisation/pseudonymisation as defaults are no longer best practices — they are legal requirements in most applicable jurisdictions.

Financial Security Frameworks

Financial sector cybersecurity is governed by a dense, overlapping set of regulations from banking regulators, securities regulators, payment networks, and state authorities. Financial institutions face some of the most sophisticated and persistent threat actors — nation-state groups specifically target financial infrastructure for geopolitical and criminal purposes. Financial security frameworks reflect this elevated threat environment through specific technical requirements, incident response obligations, and regulatory examination programmes.

PCI DSS v4.0 — Payment Card Industry Data Security Standard

PCI DSS is a contractual security standard mandated by the payment card brands (Visa, Mastercard, Amex, Discover) for all organisations that store, process, or transmit cardholder data. Version 4.0 (released 2022, fully effective 2025) significantly modernised the standard to address cloud, e-commerce, and emerging threats while maintaining backward compatibility with existing programmes.

Component | Description
Privacy Relationship | PCI DSS protects cardholder data — Primary Account Numbers (PAN), cardholder names, expiration dates, and service codes. While PCI DSS predates modern privacy regulation, its prohibitions on unnecessary data retention and requirements for data minimisation directly align with GDPR and CCPA privacy principles.
6 Goals / 12 Requirements | Build/maintain secure network (Req. 1–2), Protect cardholder data (3–4), Maintain vulnerability management (5–6), Implement access control (7–9), Regularly monitor/test (10–11), Maintain information security policy (12). PCI DSS v4.0 added 64 new requirements, many relating to authentication, e-commerce security, and scripting controls.
Scope Reduction | Reducing the PCI DSS scope (the portion of the environment subject to PCI requirements) is the primary strategy for managing compliance costs. Tokenisation, point-to-point encryption (P2PE), and network segmentation reduce or eliminate cardholder data from scope. Third-party payment processors (Stripe, Braintree) shift scope away from merchants.
Levels and Validation | Merchant Levels 1–4 based on transaction volume. Level 1 (>6M Visa/MC transactions/year): annual QSA assessment, quarterly network scans. Levels 2–4: Self-Assessment Questionnaire (SAQ) types A through D based on environment. Service Provider Levels 1–2 have similar validation requirements with additional controls.
v4.0 New Requirements | Customised Approach: allows alternative controls demonstrating the same security objective. Targeted Risk Analysis: defines required annual risk assessment activities. Multi-factor authentication: expanded requirements. Anti-phishing: 12.3.7 for personnel awareness. Scripts on payment pages: 6.4.3 management and justification of all scripts.
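Requirement 6.4.3 asks for three things of every script on a payment page: that it is authorised, that its integrity is assured, and that an inventory records why it is needed. The following added example (not from the page or the PCI SSC) shows one way to operationalise that as a check that runs against the page as served: it parses the HTML, collects external and inline scripts, and compares them with an inventory keyed by URL (external) or Subresource Integrity hash (inline). The page, the script bodies, the URLs and the inventory are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Tuple


def sri_value(content: bytes) -> str:
    """Subresource Integrity string for content: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


# Constructed script bodies; in practice the hash comes from the vetted release artefact.
CHECKOUT_JS = b"/* checkout widget v1.0 (constructed) */"
INLINE_CFG = 'window.cfg={"env":"prod"};'

# Constructed inventory: every authorised script with its written justification
# and expected integrity value. External scripts are keyed by URL, inline
# scripts by the SRI hash of their exact body.
INVENTORY: Dict[str, Dict[str, str]] = {
    "https://pay.example.com/checkout.js": {
        "justification": "loads the card-entry iframe", "integrity": sri_value(CHECKOUT_JS)},
    "inline:" + sri_value(INLINE_CFG.encode("utf-8")): {
        "justification": "environment flag read by checkout.js", "integrity": ""},
}

# Constructed payment page as served: one authorised external script, one
# external script nobody inventoried, one authorised inline script and one
# inline script without a justification.
SAMPLE_PAGE = f"""<html><head>
<script src="https://pay.example.com/checkout.js" integrity="{sri_value(CHECKOUT_JS)}"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>{INLINE_CFG}</script>
<script>document.title='Checkout';</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script> element: src plus integrity attribute, or the inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[dict] = []
        self._inline = None  # text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity") or ""})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"inline": "".join(self._inline)})
            self._inline = None


def check_payment_page(html: str, inventory: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for scripts failing the 6.4.3 tests:
    authorised (present in inventory) and integrity-assured (matching SRI value)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[Tuple[str, str]] = []
    for s in collector.scripts:
        if "src" in s:
            entry = inventory.get(s["src"])
            if entry is None:
                findings.append(("high", f"unauthorised external script {s['src']}"))
            elif not s["integrity"]:
                findings.append(("medium", f"no integrity attribute on {s['src']}"))
            elif s["integrity"] != entry["integrity"]:
                findings.append(("high", f"integrity mismatch on {s['src']}"))
        else:
            key = "inline:" + sri_value(s["inline"].encode("utf-8"))
            if key not in inventory:
                findings.append(("high", f"unauthorised inline script: {s['inline'][:40]}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_payment_page(SAMPLE_PAGE, INVENTORY):
        print(severity, message)
```

Run against the constructed page this reports the uninventoried analytics script and the unjustified inline script; a page containing only inventoried scripts with matching integrity values produces no findings. Keying inline scripts by hash means any edit to an inline script, authorised or not, shows up as a finding until the inventory is updated, which is the behaviour a change-controlled payment page should have.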

SOX — Sarbanes-Oxley Act

The Sarbanes-Oxley Act (2002) was enacted following the Enron and WorldCom accounting scandals to improve the accuracy and reliability of financial disclosures from public companies. Section 302 (CEO/CFO certification of financial reports) and Section 404 (management and auditor assessment of internal controls) created significant cybersecurity implications for all public companies.

Component | Description
SOX 404 Controls | Section 404 requires management to assess the effectiveness of internal control over financial reporting (ICFR) and independent auditors to attest to management’s assessment. IT General Controls (ITGCs) — logical access, change management, computer operations, and backup/recovery — are the cybersecurity controls tested in SOX 404 audits.
Privacy Relationship | SOX requires protection of financial records and the integrity of financial reporting systems. This directly encompasses the personal financial data of customers and employees in financial reporting systems. Unauthorised access to, or modification of, systems containing financial data violates both SOX ICFR requirements and privacy regulations.
IT General Controls | Logical Access Controls: who can access financial systems and how access is provisioned, reviewed, and revoked. Change Management: how changes to financial applications are approved, tested, and deployed to prevent unauthorised modifications. Computer Operations: monitoring, job scheduling, and exception handling. Backup and Recovery: ensuring financial data can be recovered and is protected from loss.
Deficiencies | Material Weakness: significant deficiency in ICFR that results in more than remote likelihood of material misstatement. Significant Deficiency: less severe than material weakness but requires disclosure. Both require immediate escalation and remediation plans. Material weaknesses in access controls are a common finding that indicates cybersecurity control failures in public companies.
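The two ITGC areas that most often produce access-control findings, logical access and change management, come down to reconciliations an auditor can rerun. The added example below (not from the page) shows those reconciliations as code: an access review that flags enabled accounts belonging to terminated staff, accounts with no HR owner, and privileged roles not recertified within a window; and a change review that flags deployments without an approved ticket or where the approver deployed their own change. The HR roster, account export, tickets, deployments, role names and the one-year review window are all constructed.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PRIVILEGED_ROLES = {"gl_admin"}          # roles able to post or alter journal entries (constructed)
REVIEW_WINDOW = timedelta(days=365)      # privileged access recertified yearly (constructed policy)

# Constructed HR roster: employee id -> (status, termination date)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "e100": ("active", None),
    "e101": ("terminated", date(2024, 3, 15)),
    "e102": ("active", None),
}

# Constructed account export from the general ledger application
GL_ACCOUNTS: List[dict] = [
    {"user": "e100", "role": "ap_clerk", "enabled": True, "last_review": date(2024, 6, 30)},
    {"user": "e101", "role": "gl_admin", "enabled": True, "last_review": date(2024, 6, 30)},
    {"user": "e102", "role": "gl_admin", "enabled": True, "last_review": date(2023, 9, 30)},
    {"user": "svc_batch", "role": "gl_admin", "enabled": True, "last_review": None},
]

# Constructed change tickets and production deployment log for the GL application
CHANGE_TICKETS: Dict[str, dict] = {
    "CHG-41": {"status": "approved", "approved_by": "e100"},
    "CHG-42": {"status": "pending", "approved_by": None},
}
DEPLOYMENTS: List[dict] = [
    {"id": "d1", "ticket": "CHG-41", "deployed_by": "e102"},
    {"id": "d2", "ticket": "CHG-42", "deployed_by": "e102"},
    {"id": "d3", "ticket": None, "deployed_by": "e102"},
    {"id": "d4", "ticket": "CHG-41", "deployed_by": "e100"},
]


def access_exceptions(as_of: date, roster=HR_ROSTER, accounts=GL_ACCOUNTS) -> List[Tuple[str, str]]:
    """Logical access ITGC: enabled accounts must belong to current staff (or an
    owned service account) and privileged roles must have a recent recertification."""
    out: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            out.append((user, "enabled account with no HR record (orphaned or unowned service account)"))
        elif hr[0] == "terminated":
            out.append((user, f"enabled account for employee terminated {hr[1]}"))
        if acct["role"] in PRIVILEGED_ROLES:
            last = acct["last_review"]
            if last is None:
                out.append((user, "privileged access never recertified"))
            elif as_of - last > REVIEW_WINDOW:
                out.append((user, f"privileged access last recertified {last}, outside review window"))
    return out


def change_exceptions(deployments=DEPLOYMENTS, tickets=CHANGE_TICKETS) -> List[Tuple[str, str]]:
    """Change management ITGC: every production deployment needs an approved
    ticket, and the approver must not be the person who deployed it."""
    out: List[Tuple[str, str]] = []
    for d in deployments:
        ticket = tickets.get(d["ticket"]) if d["ticket"] else None
        if ticket is None:
            out.append((d["id"], "deployment without a change ticket"))
        elif ticket["status"] != "approved":
            out.append((d["id"], f"ticket {d['ticket']} not approved"))
        elif ticket["approved_by"] == d["deployed_by"]:
            out.append((d["id"], "segregation of duties: deployer approved their own change"))
    return out


if __name__ == "__main__":
    for row in access_exceptions(date(2024, 9, 30)) + change_exceptions():
        print(*row)
```

Each exception maps to evidence an auditor would request: the terminated-user hit to the deprovisioning procedure, the stale recertification to the periodic access review, and the segregation-of-duties hit to the change approval workflow. Accounts with no HR record deserve particular attention because service accounts with privileged roles and no owner are exactly the finding that escalates into a material weakness in access controls.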

GLBA — Gramm-Leach-Bliley Act Safeguards Rule

GLBA (1999) and the FTC’s Safeguards Rule (amended 2023) require financial institutions to protect the security and confidentiality of customer financial information. The 2023 Safeguards Rule update brought GLBA requirements into alignment with modern security practices, adding specific technical requirements that parallel NIST 800-53 and CIS Controls.

Component | Description
Covered Institutions | Financial institutions subject to FTC jurisdiction: mortgage brokers, auto dealers, payday lenders, finance companies, tax preparers, financial advisors, money services businesses, and non-bank financial companies. Federally chartered banks and credit unions are subject to equivalent rules from their banking regulators (OCC, FDIC, Federal Reserve, NCUA).
2023 Safeguards Rule | Key additions: designate qualified CISO (or equivalent), conduct annual penetration testing, implement multi-factor authentication for all information systems, encrypt customer information at rest and in transit, implement a vulnerability management program, deploy an intrusion detection system, train employees on cybersecurity awareness.
Customer Financial Info | Safeguards protect “nonpublic personal information” (NPI): any information not publicly available that the customer provides, that results from transactions, or that is obtained from third parties. Includes Social Security Numbers, account numbers, income information, credit history, and payment history.
Privacy Notices | GLBA Privacy Rule requires initial and annual privacy notices to customers describing information sharing practices and opt-out rights. Financial institutions must honour opt-out elections. Sharing with nonaffiliated third parties for marketing purposes requires opt-out opportunity. The annual notice requirement was streamlined in 2015 if practices haven’t changed.

FFIEC — Federal Financial Institutions Examination Council

The FFIEC coordinates the examination of US financial institutions by five federal regulatory agencies (Federal Reserve, OCC, FDIC, NCUA, CFPB). FFIEC IT Examination Handbook booklets provide supervisory guidance that bank examiners use to assess cybersecurity programmes during safety-and-soundness examinations.

Component | Description
Cybersecurity Assessment Tool (CAT) | The FFIEC CAT maps cybersecurity risks (Inherent Risk Profile: low to most) against cybersecurity maturity (Baseline through Innovative). Institutions should match or exceed the maturity level appropriate to their inherent risk profile. Regulators reference CAT in examinations, and many institutions complete annual self-assessments.
Key Booklets | Information Security: comprehensive cybersecurity programme expectations. Business Continuity Management: resilience and recovery. Outsourcing Technology Services: vendor/third-party risk management. Retail Payment Systems: payment processing security. Wholesale Payment Systems: wire transfer and ACH security. Each booklet contains examination procedures used by bank examiners.
Third-Party Risk | FFIEC guidance requires comprehensive third-party technology risk management: due diligence before engagement, contractual security requirements, ongoing monitoring, and exit strategy planning. The OCC’s guidance on Third-Party Relationships (2023 interagency guidance) applies across federal banking agencies.
Regulatory Examinations | Unlike voluntary frameworks, FFIEC compliance is assessed through regulatory examination by federal bank examiners with authority to issue Matters Requiring Attention (MRAs) or Matters Requiring Immediate Attention (MRIAs) — binding directives that require remediation with examiner follow-up. Persistent cybersecurity deficiencies can result in formal enforcement actions.

NY DFS 23 NYCRR 500

New York Department of Financial Services (NY DFS) Part 500 is the most prescriptive state-level cybersecurity regulation for financial services, applying to all DFS-regulated entities including insurance companies, banks, and licensed lenders. Its 2023 amendments significantly strengthened requirements and are being watched as a template for other state regulators.

Component | Description
Applicability | All entities licensed, registered, chartered, or authorised by NY DFS to conduct regulated financial services in New York. Covers approximately 3,000 entities including banks, insurance companies, mortgage companies, money transmitters, check cashers, and premium finance agencies.
2023 Amendments | CISO reporting directly to Board/Senior Leadership; cybersecurity governance policy; Board oversight requirements; Class A company requirements (annual penetration testing, independent security assessment); incident notification within 72 hours for ransom payments; backup and recovery testing; enhanced MFA requirements for all external-facing systems.
Certification Requirement | Annual certification to NY DFS that the entity is in compliance with Part 500 requirements. False certifications carry significant regulatory and potential criminal consequences. This personal certification requirement by responsible officers parallels SOX 302 certification obligations.

International Standards and Cross-Sector Frameworks

International standards and cross-sector frameworks provide the building blocks of enterprise security programmes that transcend specific regulatory regimes. Unlike sector-specific regulations, these frameworks apply across industries and geographies, enabling organisations to build a coherent security programme that satisfies multiple regulatory requirements through a single integrated implementation.

ISO/IEC 27001 — Information Security Management System

ISO/IEC 27001 is the internationally recognised standard for information security management systems (ISMS). Published jointly by ISO and IEC, it specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. ISO 27001 certification — awarded by accredited certification bodies following a formal audit — is the gold standard for demonstrating security programme maturity to customers, regulators, and partners worldwide.

Component | Description
Privacy Relationship | ISO 27001 directly addresses personal data protection through its Annex A controls. The companion standard ISO 27701 (Privacy Information Management System) extends ISO 27001 with privacy-specific requirements that map to GDPR and other privacy regulations. ISO 27701 certification demonstrates both security and privacy programme maturity.
ISMS Structure | ISO 27001 requires: documented scope definition, information security policy, risk assessment methodology, Statement of Applicability (SoA) documenting selected controls and justification for exclusions, risk treatment plan, management review process, and continual improvement programme. Certification requires successful external audit by accredited certification body.
Annex A Controls | ISO 27001:2022 (ISO 27002:2022) contains 93 controls across 4 themes: Organisational (37 controls), People (8), Physical (14), Technological (34). New controls added in 2022: threat intelligence, cloud service information security, ICT readiness for business continuity, physical security monitoring, data masking, data leakage prevention, and web filtering.
Certification Process | Stage 1 audit: documentation review assessing ISMS design readiness. Stage 2 audit: on-site assessment of ISMS implementation effectiveness. Certification: 3-year period with annual surveillance audits. Recertification: full audit at year 3. Certification does not guarantee zero breaches — it assures systematic security programme management.
Global Acceptance | ISO 27001 certification is recognised in over 150 countries and accepted by regulators in the EU (GDPR compliance evidence), UK, Singapore, Australia, Japan, Brazil, and dozens of additional jurisdictions. Many government and enterprise procurement processes require or favour ISO 27001-certified suppliers.

CIS Controls — Center for Internet Security Critical Security Controls

The CIS Controls (version 8.0) provide 18 prioritised security actions that address the most common cyber-attacks. Originally developed by SANS Institute and now maintained by CIS, the Controls are derived from analysis of actual attack data — each control addresses specific attack techniques documented in real-world breaches. CIS Controls are the most widely adopted technical security framework in the private sector.

Component | Description
Three Implementation Groups | IG1 (Essential Cyber Hygiene): 56 safeguards for organisations with limited IT resources or low sensitivity data. IG2 (adds 74 safeguards): for organisations with dedicated IT staff and moderate sensitivity data. IG3 (adds 23 safeguards): for organisations with significant IT expertise and critical/sensitive data. IG1 alone addresses the majority of common cyber-attacks.
Top Controls | CIS Control 1: Inventory of Enterprise Assets. Control 2: Inventory of Software Assets. Control 3: Data Protection. Control 4: Secure Configuration of Enterprise Assets. Control 5: Account Management. Control 6: Access Control Management. Control 7: Continuous Vulnerability Management. These 7 controls address 85%+ of common attack techniques.
Privacy Relevance | CIS Control 3 (Data Protection) directly addresses personal data: data classification, data flow documentation, data retention, data disposal, encryption of data at rest and in transit, and access controls on data. CIS Safeguard 3.3 specifically addresses configuring data access controls consistent with the sensitivity of the data.
Federal Alignment | CISA recommends CIS Controls as foundational security guidance for critical infrastructure organisations. CIS Controls v8 maps to NIST CSF, NIST 800-53, ISO 27001, PCI DSS, HIPAA, CMMC, and NIST 800-171 — the CIS Controls implementation satisfies control requirements across multiple compliance frameworks simultaneously.
CIS Benchmarks | CIS Benchmarks complement the Controls with prescriptive configuration guidance for 100+ platforms: Windows, Linux, macOS, Docker, Kubernetes, AWS, Azure, GCP, network devices, databases, and mobile platforms. Consensus-developed by security professionals; the industry standard for secure system configuration.

SOC 2 — System and Organisation Controls

SOC 2 reports (developed by AICPA) provide assurance on a service organisation’s controls related to security, availability, processing integrity, confidentiality, and privacy. Unlike certifications with pass/fail outcomes, SOC 2 reports describe the organisation’s system and controls and express an opinion on whether those controls were suitably designed and operated effectively.

Component | Description
Report Types | SOC 2 Type I: assessment of control design at a point in time — “were controls designed appropriately?” SOC 2 Type II: assessment of control operating effectiveness over a period (minimum 6 months, typically 12) — “did controls operate effectively throughout the period?” Type II reports are significantly more valuable as compliance evidence.
Trust Services Criteria | Security (CC): required for all SOC 2 reports. Availability (A): system availability for operation and use. Processing Integrity (PI): complete, valid, accurate, timely, and authorised processing. Confidentiality (C): information designated as confidential is protected as committed. Privacy (P): personal information is collected, used, retained, disclosed, and disposed of as committed.
Privacy TSC | Privacy criteria are derived directly from the AICPA’s Generally Accepted Privacy Principles (GAPP) and align with GDPR and CCPA. SOC 2 + Privacy provides external assurance of privacy practices — valuable evidence of compliance with privacy regulations when provided to customers, regulators, and partners.
Customer Demand | SOC 2 Type II reports are the primary mechanism through which SaaS and cloud service providers demonstrate security and privacy assurance to enterprise customers. Most enterprise procurement processes require current SOC 2 Type II reports from cloud vendors handling sensitive data. Absence of SOC 2 is frequently a blocking factor in enterprise sales.
Key Concept
The concept of reciprocity — accepting one framework’s authorisation or certification as equivalent to another — dramatically reduces compliance costs for organisations subject to multiple frameworks. FedRAMP and DoD establish reciprocity for each other’s assessments. ISO 27001 certification is accepted as evidence of GDPR Article 32 compliance in many EU jurisdictions. SOC 2 Type II reports satisfy portions of HIPAA Business Associate Agreement requirements. Organisations that design their security programme around the most comprehensive applicable framework (typically NIST 800-53 Moderate) satisfy the requirements of most other applicable frameworks as a byproduct.

Industry-Specific and Sector Cybersecurity Frameworks

Beyond general-purpose frameworks, many industries operate under sector-specific cybersecurity requirements driven by the unique risk profiles, regulatory structures, and societal consequences of security failures in those sectors. Understanding sector-specific requirements is essential for organisations operating in critical infrastructure, healthcare, energy, or other regulated industries.

NERC CIP — North American Electric Reliability Corporation

NERC Critical Infrastructure Protection (CIP) standards are mandatory reliability standards for bulk electric system owners and operators in North America. NERC CIP addresses the unique challenges of operational technology (OT) cybersecurity in energy infrastructure — systems where security failures can result in physical damage, widespread power outages, and threats to public safety.

Component | Description
Mandatory Standards | NERC CIP standards are filed with FERC (Federal Energy Regulatory Commission) and are legally mandatory. Violations result in NERC penalties of up to $1M per violation per day — the highest cybersecurity penalties of any US regulatory framework. NERC CIP compliance is audited by Regional Entities on a 3-year cycle.
Key Standards | CIP-002: BES Cyber System Categorisation (High/Medium/Low impact). CIP-003: Security Management Controls. CIP-005: Electronic Security Perimeters. CIP-006: Physical Security of BES Cyber Systems. CIP-007: System Security Management. CIP-010: Configuration Change Management and Vulnerability Management. CIP-013: Supply Chain Risk Management.
OT/IT Convergence | NERC CIP predates modern OT/IT convergence challenges. CIP-013 (Supply Chain, 2020) and ongoing CIP development address cloud connectivity, remote access, and distributed energy resources that blur traditional OT security perimeters. IEC 62443 is increasingly referenced alongside NERC CIP for comprehensive OT security.
Supply Chain Risk | CIP-013 requires documented supply chain risk management plans addressing: software integrity verification, vendor remote access, vendor notification of security incidents, and identification of vendor-disclosed vulnerabilities. Aligns with NIST SP 800-161 (Cybersecurity Supply Chain Risk Management) for the energy sector.

HITRUST CSF — Healthcare Information Trust Alliance

HITRUST CSF is a healthcare-specific security framework that integrates requirements from HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single, prescriptive, assessable framework. HITRUST Certification has become the de facto standard for demonstrating healthcare security programme maturity and is increasingly required in healthcare business associate agreements.

Component | Description
Privacy Application | HITRUST CSF explicitly maps to HIPAA Privacy and Security Rule requirements, enabling organisations to use HITRUST certification as evidence of HIPAA compliance. The r2 (Risk-Based 2-Year) Certification represents the most rigorous assurance level and is accepted by major healthcare payers as evidence of HIPAA compliance.
Certification Levels | e1 (Validated 1-Year): 44 essential controls assessed by HITRUST Authorised Assessor. i1 (Implemented 1-Year): ~180 controls for moderate-risk organisations. r2 (Risk-Based 2-Year): complete HITRUST CSF assessed by HITRUST Authorised Assessor — the highest assurance certification.
Healthcare Adoption | HITRUST r2 certification is required or strongly preferred by major health insurance companies (Anthem, Cigna, United, Aetna) and health systems for their business associates. HITRUST certification eliminates the need for each covered entity to conduct its own HIPAA security assessments of BAs — a significant efficiency driver.

TSA Security Directives — Transportation Sector

Following the Colonial Pipeline ransomware attack (2021), the Transportation Security Administration (TSA) issued binding Security Directives for pipeline, rail, and aviation operators with specific cybersecurity requirements that marked a significant escalation of federal cybersecurity mandates for transportation critical infrastructure.

Directive | Description
Pipeline Requirements | SD Pipeline-2021-02 (amended): designate cybersecurity coordinator, report incidents to CISA, develop and implement cybersecurity incident response plan, conduct cybersecurity architecture review. Performance-based approach allowing operators to achieve outcomes through alternative methods — aligned with NIST CSF.
Rail / Aviation | Subsequent TSA directives applied similar requirements to passenger and freight railroad operators, transit operators, and airport/aircraft operators. The directives reflect a regulatory approach shift: TSA moved from voluntary guidelines to mandatory directives following demonstrated inadequacy of the voluntary approach.

IEC 62443 — Industrial Automation and Control Systems Security

IEC 62443 is the international standard for Industrial Automation and Control System (IACS) cybersecurity, covering both the procedures and technical requirements for securing operational technology (OT) environments across all industrial sectors. It defines roles, responsibilities, and security requirements for product suppliers, system integrators, and asset owners.

Component | Description
Applicability | Applicable across all industrial sectors using IACS: energy, oil and gas, water, manufacturing, building automation, transportation. Complementary to NERC CIP (energy), CFATS (chemical facilities), TSA directives (pipeline/rail/aviation). The only comprehensive OT security standard covering the entire system lifecycle from design through operations.
Security Levels | SL 0 (No specific requirements) through SL 4 (Protection against state-sponsored attacks). SL 2 (Protection against intentional violation using simple means with low resources) is the common baseline for most industrial facilities. Each SL defines specific technical and procedural requirements mapped to foundational requirements.
CIA Availability Focus | In OT environments, Availability is typically the most critical CIA Triad pillar — industrial process availability is a safety and production requirement, not merely a business continuity concern. IEC 62443 explicitly addresses this OT security priority distinction from IT security, where Confidentiality typically leads.

Zero Trust Architecture and Emerging Security Frameworks

Traditional security architectures relied on network perimeter defences: everything inside the network perimeter was trusted, everything outside was untrusted. The combination of cloud migration, remote work, mobile devices, and sophisticated supply chain attacks has fundamentally invalidated the perimeter trust model. Zero Trust Architecture (ZTA) replaces implicit perimeter trust with explicit, continuous verification of every access request regardless of source. Several authoritative frameworks now define ZTA implementation.

NIST SP 800-207 — Zero Trust Architecture

NIST SP 800-207 is the definitive federal guidance on Zero Trust Architecture, defining the principles, logical components, deployment scenarios, and migration roadmap for enterprise ZTA implementation. EO 14028 directed federal agencies to develop plans to implement NIST 800-207 principles.

ZTA Component | Description
ZTA Principles | Verify explicitly: always authenticate and authorise based on all available data points (identity, location, device health, service/workload, data classification, anomalies). Use least privilege access: limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies. Assume breach: minimise blast radius and segment access; verify end-to-end encryption; use analytics to improve defences.
Privacy Relevance | ZTA is a foundational privacy protection architecture. Least privilege access directly limits the quantity of personal data accessible to any given user or system. Continuous verification prevents unauthorised access to personal data repositories. Micro-segmentation limits lateral movement after breach — reducing the scope of privacy incidents when they occur.
Federal ZTA Mandates | OMB M-22-09 directed federal agencies to achieve specific ZTA targets by end of FY2024: identity using phishing-resistant MFA, device compliance enforcement before authorisation, network micro-segmentation, application access based on identity not network location, and data categorisation and response controls.
Core Components | Identity: robust identity verification for all users (phishing-resistant MFA). Device: device health verification before access. Network/Environment: network segmentation and micro-segmentation. Application Workload: application-level access control, API security. Data: data classification-driven access controls, encryption.
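The three ZTA principles and the pillars above converge in one place: the policy decision point that evaluates each access request. The added example below (not from the page or from NIST SP 800-207) shows a minimal decision function that verifies explicitly (MFA strength and device posture scaled to the data classification), applies least privilege (role-to-action grants per resource), assumes breach (an analytics anomaly signal denies outright) and issues only time-bound, just-in-time grants. The resource catalogue, role names, classification ladder, grant lifetimes and the set of methods treated as phishing-resistant are constructed for the example; OMB M-22-09 does name PIV and WebAuthn/FIDO2 as phishing-resistant, which is why those two appear.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# Methods treated as phishing-resistant (constructed set; M-22-09 names PIV and FIDO2/WebAuthn).
PHISHING_RESISTANT = {"fido2", "piv"}
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed resource catalogue: classification and which role may do what.
RESOURCES: Dict[str, dict] = {
    "hr-db": {"classification": "restricted",
              "grants": {"hr_admin": {"read", "write"}, "auditor": {"read"}}},
    "wiki": {"classification": "internal",
             "grants": {"staff": {"read", "write"}}},
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: FrozenSet[str]
    mfa_method: str            # "fido2", "piv", "totp", "sms" or "none"
    device_compliant: bool     # endpoint posture check passed
    device_managed: bool       # enrolled in device management
    resource: str
    action: str
    anomaly: bool = False      # e.g. impossible travel raised by session analytics


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None


def decide(req: AccessRequest, now: datetime) -> Decision:
    """Policy decision point: verify explicitly, least privilege, assume breach."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, "unknown resource")
    rank = CLASSIFICATION_RANK[res["classification"]]

    # Assume breach: an anomaly signal from analytics ends the evaluation.
    if req.anomaly:
        return Decision(False, "anomaly signal on session")

    # Verify explicitly: identity assurance scales with data classification.
    if req.mfa_method == "none":
        return Decision(False, "MFA required")
    if rank >= CLASSIFICATION_RANK["confidential"] and req.mfa_method not in PHISHING_RESISTANT:
        return Decision(False, "phishing-resistant MFA required for this classification")

    # Verify explicitly: device posture is a condition of every grant.
    if not req.device_compliant:
        return Decision(False, "device not compliant")
    if rank >= CLASSIFICATION_RANK["restricted"] and not req.device_managed:
        return Decision(False, "managed device required for restricted data")

    # Least privilege: the action must be granted to one of the subject's roles.
    if not any(req.action in res["grants"].get(r, set()) for r in req.roles):
        return Decision(False, f"no role grants {req.action} on {req.resource}")

    # Just-in-time: grants are short-lived, shortest for the most sensitive data.
    ttl = timedelta(minutes=15) if rank >= CLASSIFICATION_RANK["restricted"] else timedelta(hours=8)
    return Decision(True, "verified", now + ttl)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    req = AccessRequest("alice", frozenset({"hr_admin"}), "fido2", True, True, "hr-db", "write")
    print(decide(req, now))
```

Note that network location appears nowhere in the inputs: the decision is identity- and posture-centric, which is the M-22-09 target of application access based on identity rather than network location. The expiry on every allow decision is what makes re-verification continuous rather than a one-time gate.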

NIST AI Risk Management Framework (AI RMF)

The NIST AI Risk Management Framework (2023) provides a voluntary framework for managing the risks of AI systems. EO 14110 directed NIST to lead federal AI risk management standards. As AI systems become embedded in security tools, business processes, and government operations, AI RMF provides the governance structure for managing AI-specific risks including privacy violations, bias, security vulnerabilities, and misuse.

Component | Description
Core Functions | Govern: establish AI risk management culture and accountability. Map: identify AI system context, categorise risks. Measure: analyse and assess AI risks quantitatively and qualitatively. Manage: allocate resources and implement risk treatment for identified AI risks.
Privacy Application | AI systems frequently process large volumes of personal data, creating significant privacy risks: training data containing personal information, inference attacks recovering training data, re-identification of anonymised data through model outputs, and profiling individuals at scale. AI RMF explicitly addresses these privacy dimensions of AI system risk.
Security Intersection | AI systems introduce unique security vulnerabilities: adversarial examples (inputs crafted to fool ML models), training data poisoning, model extraction attacks, and model inversion. AI RMF addresses these ML-specific security risks alongside traditional security risks in AI system deployments.

NIST Secure Software Development Framework (SSDF)

NIST SP 800-218 (SSDF) provides a set of fundamental secure software development practices for integrating security into the software development lifecycle. EO 14028 directed NIST to publish secure software development guidance and directed OMB to require software vendors to comply with SSDF as a condition of federal procurement.

Component | Description
SSDF Practice Groups | Prepare the Organisation (PO): establish appropriate organisational contexts for implementing secure software development. Protect the Software (PS): protect software code and related artefacts. Produce Well-Secured Software (PW): produce software with minimal security vulnerabilities. Respond to Vulnerabilities (RV): identify and remediate released software vulnerabilities.
Federal Procurement | OMB M-23-16 directed federal agencies to require software producers to self-attest conformance with SSDF using a standardised attestation form. Federal agencies may require third-party assessment for critical software. SSDF attestation is now a standard component of federal software procurement.
SBOM Connection | SSDF PW.4 requires software composition analysis and generation of Software Bills of Materials (SBOMs). EO 14028 separately mandated SBOMs for software sold to the federal government. SBOMs enable rapid identification of affected software when new vulnerabilities in common libraries are disclosed.
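The "rapid identification" an SBOM enables is a join between the component list and a vulnerability feed, with the version-range comparison being where implementations go wrong. The added example below (not from the page or from NIST) parses a CycloneDX-style SBOM and matches each component against advisories expressed as version-range conjunctions. The SBOM, the component names and the advisory ids (ADV-EXAMPLE-n, placeholders rather than real CVEs) are constructed; the range syntax (comma-separated clauses such as ">=1.2.0,<1.4.1") is an assumption of this example, not a CycloneDX feature.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment for an imaginary service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liba", "version": "1.3.0", "purl": "pkg:pypi/liba@1.3.0"},
        {"type": "library", "name": "libb", "version": "2.0.5", "purl": "pkg:pypi/libb@2.0.5"},
        {"type": "library", "name": "libc", "version": "0.9.1", "purl": "pkg:pypi/libc@0.9.1"},
        {"type": "library", "name": "libd", "version": "1.10.0", "purl": "pkg:pypi/libd@1.10.0"},
    ],
})

# Constructed advisories with placeholder ids (not real CVEs) and affected ranges.
ADVISORIES: List[dict] = [
    {"id": "ADV-EXAMPLE-1", "name": "liba", "affected": ">=1.2.0,<1.4.1"},
    {"id": "ADV-EXAMPLE-2", "name": "libb", "affected": "<2.0.0"},
    {"id": "ADV-EXAMPLE-3", "name": "libc", "affected": "==0.9.1"},
    {"id": "ADV-EXAMPLE-4", "name": "libd", "affected": ">=1.9.0,<1.9.5"},
    {"id": "ADV-EXAMPLE-5", "name": "libz", "affected": "<9.0.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0): numeric comparison, so 1.10 sorts after 1.9."""
    return tuple(int(p) for p in v.split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so '1.2' and '1.2.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction of clauses: '>=1.2.0', '<1.4.1', '==0.9.1'."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        # Two-character operators are tested first so '<=' is not read as '<'.
        for op in ("<=", ">=", "==", "<", ">"):
            if clause.startswith(op):
                a, b = _pad(v, parse_version(clause[len(op):]))
                ok = {"<=": a <= b, ">=": a >= b, "==": a == b, "<": a < b, ">": a > b}[op]
                break
        else:
            raise ValueError(f"unsupported clause {clause!r}")
        if not ok:
            return False
    return True


def affected_components(sbom_json: str, advisories: List[dict]) -> List[Tuple[str, str]]:
    """Return (advisory id, purl) for each SBOM component inside an advisory's affected range."""
    bom = json.loads(sbom_json)
    by_name: Dict[str, List[dict]] = {}
    for c in bom.get("components", []):
        by_name.setdefault(c["name"], []).append(c)
    hits: List[Tuple[str, str]] = []
    for adv in advisories:
        for comp in by_name.get(adv["name"], []):
            if version_in_range(comp["version"], adv["affected"]):
                hits.append((adv["id"], comp["purl"]))
    return hits


if __name__ == "__main__":
    for adv_id, purl in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(adv_id, purl)
```

The libd entry is there deliberately: a string comparison would place "1.10.0" inside the ">=1.9.0,<1.9.5" range and raise a false positive, while numeric comparison correctly leaves it out. Matching on component name alone is also a simplification; a production matcher keys on the full purl (ecosystem plus name) because the same name can exist in several package ecosystems.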

Framework Selection, Integration, and Compliance Reference Matrix

No organisation should implement frameworks in isolation. The most cost-effective compliance approach identifies the most comprehensive applicable framework as the foundation and demonstrates how its implementation satisfies the requirements of all other applicable frameworks. The following matrix maps each framework to its applicability context and primary CIA Triad focus.

Framework | Primary Applicability Context | CIA Triad & Key Focus
NIST CSF 2.0 | All sectors, critical infrastructure, voluntary federal baseline | All three pillars — outcome-based framework for full security lifecycle: Govern, Identify, Protect, Detect, Respond, Recover
NIST SP 800-53 Rev. 5 | Federal agencies (FISMA mandatory), federal contractors, high-assurance private sector | All three pillars — most comprehensive control catalogue; 800-53 Moderate baseline satisfies most other frameworks
NIST RMF | Federal agencies (FISMA mandatory), FedRAMP cloud services | All three pillars — structured authorisation process producing ATO; continuous monitoring post-authorisation
NIST 800-171 / CMMC | DoD contractors, CUI handlers, defence industrial base | Confidentiality (primary) — 110 controls protecting Controlled Unclassified Information in non-federal systems
FedRAMP | Cloud service providers selling to US federal agencies | All three pillars — cloud-specific controls; Low/Moderate/High baselines aligned with impact level
FISMA | All US federal executive branch agencies (mandatory) | All three pillars — statutory mandate for agency-wide security programmes; delegates to NIST for technical standards
GDPR | Any org processing EU/EEA resident personal data (extraterritorial) | Confidentiality (primary) — personal data protection, privacy rights, breach notification, lawful processing
CCPA / CPRA | Businesses processing California resident data meeting thresholds | Confidentiality — consumer privacy rights, sensitive data protections, opt-out rights, private right of action
HIPAA Security Rule | Healthcare covered entities and business associates (ePHI) | Confidentiality (primary) — ePHI protection via admin/physical/technical safeguards; Availability (contingency planning)
PCI DSS v4.0 | All orgs storing, processing, or transmitting payment card data | Confidentiality (primary) — cardholder data protection; 12 requirements covering full cardholder data environment
SOX Section 404 | US public companies (SEC registrants) | Integrity (primary) — financial reporting system controls; ICFR accuracy; access control and change management
GLBA Safeguards Rule | FTC-regulated financial institutions (non-bank) | Confidentiality — nonpublic personal financial information protection; specific technical control requirements
FFIEC | US federally supervised banks, credit unions, savings institutions | All three pillars — comprehensive IT and cybersecurity examination framework; regulatory examination authority
NY DFS 23 NYCRR 500 | NY DFS-licensed financial institutions (banks, insurers, lenders) | All three pillars — most prescriptive US state financial cybersecurity regulation; board-level accountability requirements
ISO/IEC 27001:2022 | All sectors, international customer/partner assurance, GDPR compliance | All three pillars — ISMS standard; 93 Annex A controls; internationally recognised certification framework
CIS Controls v8 | All organisations — prioritised by implementation group and resource level | All three pillars — 18 controls derived from real-world attack data; most widely adopted technical security framework
SOC 2 Type II | SaaS/cloud service providers — customer assurance reports | Security, Availability, Integrity, Confidentiality, Privacy — independent assurance of service organisation controls
NERC CIP | Bulk electric system owners/operators (mandatory, FERC-enforced) | Availability (primary) — BES reliability; highest penalty framework ($1M/day); OT/ICS security requirements
HITRUST CSF | Healthcare and business associates — HIPAA compliance assurance | All three pillars — healthcare-specific framework integrating HIPAA, NIST, ISO; r2 certification widely required by payers
IEC 62443 | Industrial automation/control systems across all industrial sectors | Availability (primary in OT) — security levels 0–4; covers product, system, and operational requirements for IACS
NIST 800-207 ZTA | Federal agencies (EO 14028 mandated), modern enterprise architecture | Confidentiality & Integrity — never trust, always verify; least privilege; assume breach; identity-centric security
NIST AI RMF | AI system developers and deployers; federal agencies (EO 14110) | All three pillars — AI-specific risk governance: Govern, Map, Measure, Manage; privacy and security in AI systems

Multi-Framework Compliance Strategy

Organisations subject to multiple frameworks can dramatically reduce compliance costs and complexity by implementing a single comprehensive control framework as the foundation and mapping to other frameworks’ requirements rather than treating each framework independently.

Strategy Element | Description
Anchor Framework Selection | Select the most comprehensive applicable framework as the primary implementation target. For federal contractors: NIST 800-53 Moderate or CMMC Level 2. For healthcare: NIST 800-53 Moderate + HIPAA. For financial services: NIST CSF + PCI DSS. For international organisations: ISO 27001 + GDPR. The anchor framework’s controls will satisfy the majority of requirements in all other applicable frameworks.
Gap Analysis Process | After implementing the anchor framework, conduct a systematic gap analysis against each secondary framework. Most gaps will be minor — additional documentation requirements, specific notification procedures, or narrow technical controls not in the anchor framework. Document how anchor controls satisfy secondary requirements in a single integrated compliance matrix.
Common Control Libraries | Map all applicable framework requirements to a common control library maintained by the security team. Each control implementation is assessed once and credited against all frameworks it satisfies. This approach eliminates duplicative evidence collection and produces a single integrated audit evidence package.
Automation and CAASM | Cyber Asset Attack Surface Management (CAASM) and Governance, Risk, and Compliance (GRC) platforms automate framework mapping and evidence collection. Modern GRC platforms maintain pre-built mappings between NIST 800-53, ISO 27001, CIS Controls, PCI DSS, HIPAA, SOC 2, CMMC, and dozens of other frameworks — eliminating manual mapping work.
Evidence Architecture | Design the evidence collection architecture around the anchor framework’s control structure. Continuous monitoring data, scan reports, and assessment evidence are automatically tagged to both the primary control and all secondary framework requirements it satisfies. A single evidence artifact satisfies multiple auditors simultaneously.
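To make the common control library, evidence tagging, and per-framework gap analysis concrete, here is an added Python example (not code from this page or from any GRC product). The control IDs, the subset of framework requirements, and the crosswalk between them are a constructed sample for illustration, not an authoritative mapping.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Control:
    """One anchor control in the common control library."""
    control_id: str
    title: str
    satisfies: dict[str, set[str]]          # framework -> requirement IDs it is credited against
    implemented: bool = False
    evidence: list[str] = field(default_factory=list)  # artifacts tagged to this control

# Constructed sample library; the crosswalk values are illustrative, not an authoritative mapping.
LIBRARY = [
    Control("CCL-01", "Account provisioning and deprovisioning",
            {"NIST 800-53": {"AC-2"}, "ISO 27001": {"A.5.18"}, "PCI DSS": {"8.2"}, "CIS v8": {"5.1"}},
            implemented=True, evidence=["iam-joiner-leaver-report.csv"]),
    Control("CCL-02", "MFA for administrative access",
            {"NIST 800-53": {"IA-2"}, "ISO 27001": {"A.8.5"}, "PCI DSS": {"8.4"}, "CIS v8": {"6.5"}},
            implemented=True, evidence=["idp-mfa-policy-export.json"]),
    Control("CCL-03", "Audit log retention",
            {"NIST 800-53": {"AU-11"}, "ISO 27001": {"A.8.15"}, "PCI DSS": {"10.5"}, "CIS v8": {"8.10"}}),
    Control("CCL-04", "Vulnerability scanning",
            {"NIST 800-53": {"RA-5"}, "ISO 27001": {"A.8.8"}, "PCI DSS": {"11.3"}, "CIS v8": {"7.5"}},
            implemented=True),   # implemented, but no evidence artifact collected yet
]

# Constructed subsets of two secondary frameworks' requirements (PCI DSS 12.10 has no anchor control above).
FRAMEWORK_REQUIREMENTS = {
    "PCI DSS": {"8.2", "8.4", "10.5", "11.3", "12.10"},
    "ISO 27001": {"A.5.18", "A.8.5", "A.8.15", "A.8.8"},
}

def gap_analysis(library, framework, requirements):
    """Classify a secondary framework's requirements as unmapped, not implemented, or lacking evidence."""
    covering = {}                            # requirement ID -> anchor controls credited against it
    for ctl in library:
        for req in ctl.satisfies.get(framework, ()):
            covering.setdefault(req, []).append(ctl)
    covered = set(covering)
    unmapped = sorted(requirements - covered)            # true gaps: need a new control
    not_implemented = sorted(r for r in requirements & covered
                             if not any(c.implemented for c in covering[r]))
    no_evidence = sorted(r for r in requirements & covered
                         if r not in not_implemented
                         and not any(c.evidence for c in covering[r] if c.implemented))
    return unmapped, not_implemented, no_evidence

def evidence_tags(control):
    """All framework requirements one evidence artifact for this control is credited against."""
    return {f"{fw}:{req}" for fw, reqs in control.satisfies.items() for req in reqs}
```

Running the gap analysis for each secondary framework yields the three lists an auditor cares about: requirements with no anchor control, requirements whose control is not yet operational, and implemented controls with no evidence in the package.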
Warning
Framework checkbox compliance — implementing controls to satisfy auditors rather than to reduce actual risk — is a pervasive failure mode in security programmes. Organisations that achieve PCI DSS compliance through network segmentation and scope reduction without addressing underlying security weaknesses, or that obtain ISO 27001 certification with documented controls that are not operationally effective, achieve compliance documentation without security improvement. Regulators, auditors, and threat actors increasingly distinguish between genuine security programmes and compliance theatre — the former reduces breach probability, the latter only reduces audit risk.