Secure Controls Framework
Download The SCF
Start Here
Free Content
GRC Fundamentals
SCF Certified
Marketplace
GRC Fundamentals

Common Cybersecurity Regulations

Regulatory obligations are required by law, but are rules issued by a regulating body (e.g., a government agency). Regulatory requirements tend to change more often than statutory requirements, due to how difficult it can be to change a law. This page provides a concise reference for the most impactful US cybersecurity regulations, including their scope, who they apply to, enforcement, and how the SCF CCF™ maps to each.

Download The SCFIncluded Laws, Regulations & Frameworks
US Regulatory Requirements

Key Cybersecurity Regulations

The three most broadly impactful US cybersecurity regulations, covering defense contractors, financial institutions, and the broader federal supply chain.

CMMC

Cybersecurity Maturity Model Certification

US Federal
DoD / Defense
Applies to
DoD contractors and subcontractors who handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
Codified In
Title 32, Part 170 of the Code of Federal Regulations
Key Requires
Three-level maturity model (L1–L3); NIST SP 800-171 implementation; third-party C3PAO assessment for Level 2; annual self-attestation
Enforcement
Loss of contract eligibility; False Claims Act liability (treble damages); potential debarment
Certification
Yes (DoD CMMC certification via C3PAO or DIBCAC)
SCF Domains
GOV, IAC, MNT, CFG, NET, SA, SCF, RA, IRO
Deep Dive: CMMC →

DFARS 252.204-70XX

Defense Federal Acquisition Regulation Supplement

US Federal
DoD / Defense
Applies to
Defense contractors and subcontractors storing, processing or transmitting Controlled Unclassified Information (CUI)
Key Clauses
252.204-7008 (pre-award); 252.204-7012 (safeguarding + 72hr incident reporting); 252.204-7019 (SPRS); 252.204-7020 (DoD audit); 252.204-7021 (CMMC)
Key Requires
Full implementation of NIST SP 800-171 (110 controls); SSP and POA&M documentation; SPRS score submission; 72-hour cyber incident reporting
Enforcement
Breach of contract; False Claims Act liability ($9M+ settlements); contract termination; suspension/debarment
Certification
Yes (via CMMC clause -7021)
SCF Domains
GOV, IAC, MNT, CFG, NET, SA, SCF, RA, IRO, TPM
Deep Dive: DFARS →

NY DFS 23 NYCRR 500

New York Department of Financial Services Cybersecurity Regulation

US (New York)
Financial Services
Applies to
NY-licensed financial institutions: banks, insurers, mortgage companies, money transmitters, virtual currency businesses, and health/life insurers operating in New York
Key Requires
Written cybersecurity program; designated CISO; annual penetration testing; MFA for external/privileged access; 72-hour incident notification; annual compliance certification by April 15
Enforcement
Civil monetary penalties up to tens of millions; consent orders; license revocation; public enforcement disclosure (Robinhood $30M; EyeMed $4.5M)
Certification
No official cert. SCF CAP can issue SCF Certified for NY DFS 23 NYCRR 500
SCF Domains
GOV, IAC, RA, MON, IRO, TPM, BCD, TRN
Deep Dive: NY DFS 23 NYCRR 500 →
Enforcement Reference

Cybersecurity Regulation Enforcement Comparison

Enforcement mechanisms and exposure vary significantly across regulations. This reference covers the primary enforcement levers. Actual consequences depend on severity, intent, and remediation efforts.

Regulation
Jurisdiction
Primary Enforcement
Criminal Exposure?
Certification Required?
CMMC
US Federal (DoD)
Loss of contract eligibility; False Claims Act (treble damages)
Yes (via FCA qui tam provisions)
Yes (C3PAO or DIBCAC, Level 2+)
DFARS 252.204-7012
US Federal (DoD)
Breach of contract; FCA liability; $9M+ settlements on record
Yes (via False Claims Act)
Yes (via CMMC clause -7021)
DFARS 252.204-7019
US Federal (DoD)
Ineligibility to bid; SPRS score scrutiny during source selection
Yes (score inflation = FCA fraud)
No (self-assessed SPRS score)
NY DFS 23 NYCRR 500
New York State
Civil monetary penalties; consent orders; license suspension/revocation
No (civil regulatory)
No (annual self-certification to DFS)
FAR 52.204-21
US Federal
Contract termination; suspension/debarment
Yes (via FCA if misrepresented)
No (self-attestation)
FINRA Cybersecurity Rules
US (Self-Regulatory)
Fines, suspensions, and expulsion from FINRA membership
No (regulatory)
No

Enforcement mechanisms shown are indicative. Actual consequences vary based on severity, cooperation, and remediation. This is not legal advice.

Join 25,000+ GRC Professionals

Get the latest SCF updates, cybersecurity insights, and community news delivered to your inbox. You know you want to do it!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Controls are your security, compliance & resilience program - A control is the power to influence or direct behaviors and the course of events.

DOWNLOAD THE SCF

Start Here

What Is The SCF?How To Implement (SCRMS)Domains & PrinciplesLaws & Frameworks (LRF)Relationship Mapping (STRM)NIST OLIR ParticipationESG Considerations

Free Content

SCF DownloadRisk Management (SCR-RMM)Maturity Model (SCR-CMM)Assessment Standards (CDPAS)Mergers & Acquisitions (MA&D)Privacy Principles (DPMP)Evidence Request List (ERL)Scoping Guide (USG)

Resources

GRC FundamentalsSCF CertifiedMarketplaceFAQAboutBlog

Support

DonateVolunteer

© 2026 Secure Controls Framework Council, LLC. All rights reserved.

Terms & ConditionsPrivacyCookiesSitemap