Secure Controls Framework
GRC Fundamentals

Laws vs Regulations vs Frameworks

The three categories of cybersecurity compliance obligations are routinely confused, even by experienced practitioners. Getting this wrong has real consequences: under-investment in legally required controls, or wasted effort on voluntary frameworks mistaken for mandates. Here is how they actually differ.

The Three Categories

Laws, Regulations & Frameworks: Three Fundamentally Different Things

Each category creates different types of obligations, enforced by different authorities, with different consequences for non-compliance. The SCF categorizes all 200+ mapped compliance sources into exactly these three buckets.

Law

A statute enacted by a legislative body (e.g., a US state or the federal legislature, a foreign parliament) that creates binding legal obligations for everyone within its jurisdiction.

Created By: Legislatures.

Enforced By: Courts, regulatory agencies, law enforcement.

Penalties: Civil fines, criminal prosecution, private right of action. Mandatory for entities within jurisdiction.

Examples: HIPAA, GLBA, SOX, CCPA, TX SB 2610.

Regulation

A rule issued by a regulatory agency under authority granted by a law. Regulations fill in the operational specifics that laws leave to agencies.

Created By: Regulatory agencies (e.g., SEC, HHS, NYDFS).

Enforced By: The issuing agency.

Penalties: Regulatory fines, license revocation, contract termination, debarment. Mandatory for regulated entities.

Examples: DFARS, NY DFS Part 500, CMMC. Note that GDPR, despite its name, is a legislative act adopted by the European Parliament and Council, so under this taxonomy it is a law; the comparison table below lists it that way.

Framework

A set of recommended practices (e.g., industry best-practice) that is developed by a standards body, industry group, or government agency without statutory authority. Adoption is optional unless a contract or law specifically requires it.

Created By: Standards bodies and industry groups (e.g., NIST, ISO, CIS).

Enforced By: Contractual terms and customer pressure. A framework has no enforcement authority of its own.

Penalties: None from the framework itself. Contract penalties and reputational damage apply only where adoption was promised to a customer or counterparty.

Examples: NIST CSF, ISO 27001, CIS Controls, SOC 2, HITRUST.

Why the Distinction Matters

Misclassifying Compliance Obligations Has Real Consequences

Organizations that treat voluntary frameworks as mandatory obligations waste resources on controls that exceed their actual legal requirements. Organizations that treat mandatory laws as optional “best practice” frameworks face regulatory fines, litigation, and criminal exposure.

The SCF addresses this by classifying all 1,400+ controls using the MCR / DSR distinction: Minimum Compliance Requirements (legally mandated) vs Discretionary Security Requirements (voluntary best practice). Every control is tagged so organizations know which obligations are legally mandatory and which represent above-baseline security maturity.


MCR gaps are legal liability. A gap in a Minimum Compliance Requirement is not a security recommendation. It is a violation of a binding legal obligation with associated penalties.


DSR gaps are risk decisions. A gap in a Discretionary Security Requirement is a business risk decision, not a legal violation. Organizations can accept DSR risk with appropriate documentation.

Frameworks can become MCRs. A voluntary framework becomes mandatory when a law, regulation, or contract specifically requires it. For example, NIST SP 800-171 is a framework, but DFARS and CMMC make it mandatory for DoD contractors that handle CUI.

The SCF maps both. Every SCF control is tagged MCR or DSR, enabling organizations to instantly identify which gaps are legal mandates vs. risk management decisions.

Side-by-Side Comparison

Laws, Regulations & Frameworks: Key Attributes

Attribute | Law | Regulation | Framework
--- | --- | --- | ---
Source of Authority | Legislature | Regulatory agency | Standards body / industry
Legal Basis | Statutory: enacted by vote | Administrative: agency rulemaking | None: voluntary adoption
Mandatory? | Yes, within jurisdiction | Yes, for regulated entities | No, unless a contract requires it
Enforcement | Courts, DOJ, state AGs | Regulatory agency audits and exams | Customer / contractual pressure
Penalties | Civil fines, criminal prosecution | Regulatory fines, debarment | Contract penalties; reputational
Private Right of Action? | Sometimes (CCPA, for certain data breaches); HIPAA has none, it is enforced by HHS OCR and state AGs | Rarely | No
How Specific? | Principles-based; agency fills in details | Prescriptive; specific requirements | Varies; often control-based
SCF MCR Tag? | Yes (MCR) | Yes (MCR) | DSR (MCR when a law, regulation or contract requires it)
Examples | HIPAA, GDPR, SOX, GLBA, CCPA | CMMC, DFARS, NY DFS, FedRAMP | NIST CSF, ISO 27001, CIS, SOC 2
The Crossover

How Voluntary Frameworks Become Mandatory Obligations

The most important nuance in this topic: voluntary frameworks do not stay voluntary. They become de facto or de jure mandatory through three distinct mechanisms.

Mechanism 1: Regulatory Incorporation

A regulation explicitly requires adoption of a framework. The framework itself has no legal authority, but the regulation does. Example: NIST SP 800-171 is a voluntary NIST publication. But DFARS 252.204-7012 makes it mandatory for DoD contractors handling CUI. CMMC Level 2 adds a formal assessment against the same requirements, performed by a certified third party for many contracts.

Mechanism 2: Contractual Requirement

A customer, partner, or counterparty requires framework compliance as a condition of doing business. The framework remains voluntary under law, but the contractual obligation makes it mandatory. Example: SOC 2 is a voluntary AICPA framework. But enterprise customers routinely require SOC 2 Type II reports as a condition of vendor onboarding.

Mechanism 3: "Reasonable" Standard

Courts and regulators treat widely adopted frameworks as the definition of "reasonable" cybersecurity. Organizations that ignore well-established frameworks face liability exposure. Example: Section 5 of the FTC Act prohibits unfair or deceptive practices, and the FTC has used it to require "reasonable" data security. The NIST CSF is widely treated as evidence of reasonableness by regulators. Deviation without documented justification is a litigation risk.

How the SCF Handles All Three

One Framework. Laws, Regulations, and Frameworks: All Mapped.

The SCF maps to 200+ laws, regulations, and frameworks using the NIST IR 8477 Set Theory Relationship Mapping (STRM) methodology. Every mapped source is classified as a law, regulation, or framework, and every SCF control is tagged with its MCR/DSR status.

This means organizations using the SCF know, for every control, whether implementing it satisfies a legally mandatory obligation or represents voluntary best-practice investment. There is no ambiguity about what is required vs. what is recommended.

All 200+ sources classified as law, regulation, or framework in the SCF LRF catalog

Every control tagged MCR (mandatory) or DSR (discretionary) based on the organization’s applicable LRF profile

STRM crosswalks show exactly which specific provisions of each law/regulation/framework map to each SCF control

GRC platforms can import the SCF via Excel or NIST OSCAL JSON to automate MCR tracking
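As an added illustration of the MCR/DSR tagging logic and the crossover rule described above, the Python below tags a small constructed crosswalk against two applicability profiles. This is example code written for this page, not the SCF's own tooling, control catalog, or STRM crosswalk: the control IDs (CTRL-01 to CTRL-04), the mapping of controls to sources, and the "Acme MSA" customer contract are assumptions made for the example. The rule it implements is the one the page states: a law or regulation in the organization's profile makes a mapped control MCR directly, a framework makes it MCR only when an applicable regulation (Mechanism 1) or a signed contract (Mechanism 2) requires that framework, and everything else is DSR.

```python
from dataclasses import dataclass
from enum import Enum


class SourceType(Enum):
    LAW = "law"
    REGULATION = "regulation"
    FRAMEWORK = "framework"


@dataclass(frozen=True)
class Source:
    name: str
    kind: SourceType
    # For frameworks only: laws, regulations or contracts that incorporate the
    # framework by reference (the crossover mechanisms). Empty for a framework
    # that is purely voluntary for this organization.
    required_by: frozenset = frozenset()


# Constructed, illustrative catalog for this example (not the SCF LRF catalog).
# "Acme MSA" is a hypothetical customer contract that demands a SOC 2 report.
CATALOG = {
    "HIPAA": Source("HIPAA", SourceType.LAW),
    "DFARS 252.204-7012": Source("DFARS 252.204-7012", SourceType.REGULATION),
    "NIST SP 800-171": Source("NIST SP 800-171", SourceType.FRAMEWORK,
                              frozenset({"DFARS 252.204-7012"})),
    "SOC 2": Source("SOC 2", SourceType.FRAMEWORK, frozenset({"Acme MSA"})),
    "NIST CSF": Source("NIST CSF", SourceType.FRAMEWORK),
}

# Constructed crosswalk: hypothetical control -> sources it maps to.
CROSSWALK = {
    "CTRL-01 Access enforcement": {"HIPAA", "NIST SP 800-171", "NIST CSF"},
    "CTRL-02 Multifactor authentication": {"NIST SP 800-171", "SOC 2"},
    "CTRL-03 Threat hunting": {"NIST CSF"},
    "CTRL-04 Vendor risk review": {"SOC 2", "NIST CSF"},
}


@dataclass(frozen=True)
class Profile:
    """Laws/regulations the organization is subject to, and contracts it has signed."""
    applicable: frozenset  # laws and regulations in force for this org
    contracts: frozenset   # contractual commitments that may pull in frameworks


def binding_reason(source, profile):
    """Return why `source` binds this organization, or None if it is voluntary for it."""
    if source.kind in (SourceType.LAW, SourceType.REGULATION):
        return source.name if source.name in profile.applicable else None
    # A framework binds only through incorporation by an applicable law or
    # regulation (Mechanism 1) or through a contract the org signed (Mechanism 2).
    for requirer in sorted(source.required_by):
        if requirer in profile.applicable or requirer in profile.contracts:
            return f"{source.name} via {requirer}"
    return None


def tag_controls(crosswalk, catalog, profile):
    """Tag every control MCR if any mapped source binds the org, otherwise DSR.

    Returns {control: (tag, [reasons])}. The reasons list tells a gap owner which
    obligation makes an MCR gap a legal liability rather than a risk decision.
    """
    tags = {}
    for control, source_names in crosswalk.items():
        reasons = [r for r in (binding_reason(catalog[n], profile)
                               for n in sorted(source_names)) if r]
        tags[control] = ("MCR", reasons) if reasons else ("DSR", [])
    return tags


# Two constructed profiles: a DoD contractor handling CUI whose customer contract
# requires SOC 2, and a HIPAA covered entity with neither DoD work nor such a clause.
DOD_CONTRACTOR = Profile(frozenset({"DFARS 252.204-7012"}), frozenset({"Acme MSA"}))
COVERED_ENTITY = Profile(frozenset({"HIPAA"}), frozenset())


if __name__ == "__main__":
    for label, profile in (("DoD contractor", DOD_CONTRACTOR),
                           ("Covered entity", COVERED_ENTITY)):
        print(f"== {label} ==")
        for control, (tag, reasons) in tag_controls(CROSSWALK, CATALOG, profile).items():
            suffix = f"  <- {', '.join(reasons)}" if reasons else ""
            print(f"{tag}  {control}{suffix}")
```

Running it shows the same control flipping between MCR and DSR purely on profile: multifactor authentication is MCR for the DoD contractor (via DFARS and via the SOC 2 contract clause) but DSR for the covered entity, while access enforcement is MCR for both, for different reasons. Keeping the reason alongside the tag is what lets a gap be triaged as "violation of a binding obligation" versus "documented risk acceptance".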