Controls are your cybersecurity & data privacy program

A control is the power to influence or direct behaviors and the course of events.

Secure Controls Framework (SCF) Laws, Regulations & Frameworks (LRF)

The SCF contains a considerable breadth of coverage. If you download the SCF, you will find these listed on the "Authoritative Sources" tab. These Authoritative Sources are categorized by:

  • Universal / Common Frameworks
  • United States (US)
  • Europe Middle East & Africa (EMEA)
  • Asia Pacific (APAC)
  • Americas (non-US)

To understand how the SCF covers these Laws, Regulations and Frameworks (LRF), read how the SCF applies Set Theory Relationship Mapping (STRM), in accordance with NIST IR 8477, to show how SCF controls address the targeted LRF requirements.

Universal / Common Frameworks

  1. AICPA: Service Organization Control - Trust Services Criteria (TSC) - SOC2 (2022 points of focus)
  2. BSI: Standard 200-1
  3. CIS: Critical Security Controls (CSC) version 8.1
  4. CIS: Critical Security Controls (CSC) version 8.1 - IG1
  5. CIS: Critical Security Controls (CSC) version 8.1 - IG2
  6. CIS: Critical Security Controls (CSC) version 8.1 - IG3
  7. ISACA: Control Objectives for Information and Related Technologies (COBIT) 2019
  8. COSO: Committee of Sponsoring Organizations (COSO) 2017 Framework
  9. CSA: Cloud Controls Matrix (CCM) v4
  10. CSA: CSA IoT Security Controls Framework v2
  11. EU: European Union Agency for Network and Information Security (ENISA)
  12. AICPA: Generally Accepted Privacy Principles (GAPP)
  13. IEC: IEC TR 60601-4-5:2021
  14. IEC: IEC 62443-4-2:2019 - Security for industrial automation and control systems
  15. IEC: ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering
  16. ISO: 22301:2019 - Security and resilience — Business continuity management systems — Requirements
  17. ISO: 27001:2013 - Information Security Management Systems (ISMS) - Requirements
  18. ISO: 27001:2022 - Information Security Management Systems (ISMS) - Requirements
  19. ISO: 27002:2013 - Code of Practice for Information Security Controls
  20. ISO: 27002:2022 - Information security, cybersecurity and privacy protection - Information security controls
  21. ISO: 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  22. ISO: 27018:2014 - Code of Practice for PI in Public Clouds Acting as PI Processors
  23. ISO: 27701:2019 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
  24. ISO: 29100:2011 - Privacy Framework
  25. ISO: 31000:2009 - Risk Management
  26. ISO: 31010:2009 - Risk Assessment Techniques
  27. ISO: ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system
  28. MITRE: MITRE ATT&CK - NIST 800-53 mappings
  29. MPA: MPA Content Security Best Practices Common Guidelines v5.1
  30. NAIC: Insurance Data Security Model Law (MDL-668)
  31. NIST: NIST Artificial Intelligence Risk Management Framework (AI RMF) v1.0
  32. NIST: NIST Privacy Framework v1.0
  33. NIST: NIST SP 800-37 - Guide for Applying the RMF to Federal Information Systems rev2
  34. NIST: NIST SP 800-39 - Managing Information Security Risk
  35. NIST: NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations
  36. NIST: NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (low baseline)
  37. NIST: NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)
  38. NIST: NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (high baseline)
  39. NIST: NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations
  40. NIST: NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations - Privacy Baseline
  41. NIST: NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations - Low Baseline
  42. NIST: NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations - Moderate Baseline
  43. NIST: NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations - High Baseline
  44. NIST: NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations - Select Not Otherwise Categorized (NOC) controls
  45. NIST: NIST SP 800-63B - Digital Identity Guidelines (partial mapping)
  46. NIST: NIST SP 800-82 R3 - Guide to Industrial Control Systems (ICS) Security
  47. NIST: NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security
  48. NIST: NIST SP 800-160 - Systems Security Engineering
  49. NIST: NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
  50. NIST: NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM Baseline)
  51. NIST: NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Flow Down)
  52. NIST: NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 1)
  53. NIST: NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 2)
  54. NIST: NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 3)
  55. NIST: NIST SP 800-171 R2 - Protecting CUI in Nonfederal Systems and Organizations
  56. NIST: NIST SP 800-171 R3
  57. NIST: NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information
  58. NIST: NIST 800-171A R3
  59. NIST: NIST SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
  60. NIST: NIST SP 800-207 - Zero Trust Architecture
  61. NIST: NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1
  62. NIST: NIST Cybersecurity Framework (CSF) v1.1
  63. NIST: NIST Cybersecurity Framework (CSF) v2.0
  64. OWASP: OWASP Top 10 Most Critical Web Application Security Risks
  65. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS)
  66. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1
  67. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A
  68. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A-EP
  69. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B
  70. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B-IP
  71. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C
  72. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C-VT
  73. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Merchant
  74. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Service Provider
  75. PCI SSC: Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ P2PE
  76. Shared Assessments: Shared Assessments Standard Information Gathering Questionnaire (SIG) 2024
  77. SPARTA: Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
  78. SWIFT: SWIFT Customer Security Controls Framework 2021
  79. TISAX: TISAX ISA 6.0.3
  80. UL: 2900-1 - Software Cybersecurity for Network-Connectable Products
  81. United Nations: UN Regulation No. 155 - Cyber security and cyber security management system
  82. United Nations: UNECE WP.29

US-Specific Laws, Regulations & Frameworks (LRF)

  1. Federal: Cybersecurity Capability Maturity Model v2.1
  2. Federal: CERT Resilience Management Model v1.2
  3. Federal: CISA Cross-Sector Cybersecurity Performance Goals (CPG)
  4. Federal: CISA Secure Software Development Attestation Form (SSDAF)
  5. Federal: US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy v5.9.3
  6. Federal: Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1
  7. Federal: Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 2
  8. Federal: Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 3
  9. Federal: US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0
  10. Federal: Children's Online Privacy Protection Act (COPPA)
  11. Federal: Data Privacy Framework (DPF)
  12. Federal: DoD Zero Trust Reference Architecture v2
  13. Federal: Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - 7012
  14. Federal: Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections 3.0 Security Capabilities Catalog
  15. Federal: Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF)
  16. Federal: Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA)
  17. Federal: Federal Acquisition Regulation (FAR) 52.204-21
  18. Federal: Federal Acquisition Regulation (FAR) 52.204-27 Prohibition on a ByteDance Covered Application
  19. Federal: Federal Acquisition Regulation (FAR) 889
  20. Federal: Food & Drug Administration (FDA) 21 CFR Part 11
  21. Federal: Federal Risk and Authorization Management Program R4 (FedRAMP R4)
  22. Federal: Federal Risk and Authorization Management Program R4 (FedRAMP R4) (low baseline)
  23. Federal: Federal Risk and Authorization Management Program R4 (FedRAMP R4) (moderate baseline)
  24. Federal: Federal Risk and Authorization Management Program R4 (FedRAMP R4) (high baseline)
  25. Federal: Federal Risk and Authorization Management Program R4 (FedRAMP R4) (LI-SaaS baseline)
  26. Federal: Federal Risk and Authorization Management Program R5 (FedRAMP R5)
  27. Federal: Federal Risk and Authorization Management Program R5 (FedRAMP R5) (low baseline)
  28. Federal: Federal Risk and Authorization Management Program R5 (FedRAMP R5) (moderate baseline)
  29. Federal: Federal Risk and Authorization Management Program R5 (FedRAMP R5) (high baseline)
  30. Federal: Federal Risk and Authorization Management Program R5 (FedRAMP R5) (LI-SaaS baseline)
  31. Federal: Family Educational Rights and Privacy Act (FERPA)
  32. Federal: Federal Financial Institutions Examination Council (FFIEC)
  33. Federal: Financial Industry Regulatory Authority (FINRA)
  34. Federal: Federal Trade Commission (FTC) Act
  35. Federal: Gramm Leach Bliley Act (GLBA) - CFR 314 (Dec 2023)
  36. Federal: HIPAA Administrative Simplification (2013)
  37. Federal: HIPAA Security Rule (includes mapping to NIST SP 800-66 R2)
  38. Federal: Health Industry Cybersecurity Practices (HICP) - Small Practice
  39. Federal: Health Industry Cybersecurity Practices (HICP) - Medium Practice
  40. Federal: Health Industry Cybersecurity Practices (HICP) - Large Practice
  41. Federal: Internal Revenue Service (IRS) 1075
  42. Federal: International Traffic in Arms Regulation (ITAR) [limited to Part 120]
  43. Federal: North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
  44. Federal: National Industrial Security Program Operating Manual (NISPOM)
  45. Federal: Naval Nuclear Propulsion Information (NNPI)
  46. Federal: National Science & Technology Council (NSTC) NSPM-33
  47. Federal: Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249
  48. Federal: Sarbanes Oxley Act (SOX)
  49. Federal: Social Security Administration (SSA) Electronic Information Exchange Security Requirements
  50. State: StateRAMP Low (Category 1)
  51. State: StateRAMP Low+ (Category 2)
  52. State: StateRAMP Moderate (Category 3)
  53. Federal: Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)
  54. State: AK - Alaska Personal Information Protection Act (PIPA)
  55. State: CA - SB327
  56. State: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) - November 2022 version
  57. State: CA - SB1386
  58. State: CO - Colorado Privacy Act
  59. State: IL - Illinois Biometric Information Privacy Act (BIPA)
  60. State: IL - Illinois Identity Protection Act (IPA)
  61. State: IL - Illinois Personal Information Protection Act (PIPA)
  62. State: MA - 201 CMR 17.00
  63. State: NV - SB220
  64. State: NY - Cybersecurity Requirements for Financial Services Companies (DFS 23 NYCRR500) - 2023 Amendment 2
  65. State: NY - SHIELD Act (SB S5575B)
  66. State: OR - ORS 646A
  67. State: OR - Consumer Privacy Act (SB 619)
  68. State: SC - South Carolina Insurance Data Security Act
  69. State: TN - Information Protection Act
  70. State: TX - BC521
  71. State: TX - Cybersecurity Act
  72. State: TX - Consumer Data Protection Act (CDPA)
  73. State: TX - DIR Security Control Standards Catalog v2.0
  74. State: TX - Texas Risk & Authorization Management Program (TX-RAMP)
  75. State: TX - 2019 - SB820
  76. State: Virginia Consumer Data Protection Act (2023)
  77. State: VT - Act 171 of 2018 (Data Broker Registration Act)

EMEA-Specific Laws, Regulations & Frameworks (LRF)

  1. EU: European Banking Authority (EBA) Guidelines on ICT and security risk management
  2. EU: Digital Operational Resilience Act (DORA) (2023)
  3. EU: General Data Protection Regulation (GDPR)
  4. EU: ENISA NIS2 (Directive (EU) 2022/2555)
  5. EU: Second Payment Services Directive (PSD2)
  6. EU: EU-US Data Privacy Framework
  7. Austria: Federal Act concerning the Protection of Personal Data (DSG 2000)
  8. Belgium: Act of 8 December 1992
  9. Germany: Federal Data Protection Act
  10. Germany: Banking Supervisory Requirements for IT (BAIT)
  11. Germany: Cloud Computing Compliance Controls Catalogue (C5) 2020
  12. Greece: Protection of Individuals with Regard to the Processing of Personal Data (2472/1997)
  13. Hungary: Informational Self-Determination and Freedom of Information (Act CXII of 2011)
  14. Ireland: Data Protection Act (2003)
  15. Israel: Cybersecurity Methodology for an Organization v1.0
  16. Israel: Protection of Privacy Law, 5741 – 1981
  17. Italy: Personal Data Protection Code
  18. Kenya: Kenya Data Protection Act (2019)
  19. Netherlands: Personal Data Protection Act
  20. Nigeria: Nigeria Data Protection Regulation (2019)
  21. Norway: Personal Data Act
  22. Poland: Act of 29 August 1997 on the Protection of Personal Data
  23. Qatar: Personal Data Privacy Protection Law (PDPPL)
  24. Russia: Federal Law of 27 July 2006 N 152-FZ
  25. Saudi Arabia: Critical Systems Cybersecurity Controls (CSCC-1:2019)
  26. Saudi Arabia: Saudi Arabia IoT Cybersecurity Guidelines (CGIoT-1:2024)
  27. Saudi Arabia: Essential Cybersecurity Controls (ECC-1:2018)
  28. Saudi Arabia: Operational Technology Cybersecurity Controls (OTCC-1:2022)
  29. Saudi Arabia: Saudi Arabia Personal Data Protection Law (PDPL)
  30. Saudi Arabia: SACS-002 - Third Party Cybersecurity Standard
  31. Saudi Arabia: Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) Version 1.0 (May 2017)
  32. Serbia: Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18)
  33. South Africa: Protection of Personal Information Act (POPIA)
  34. Spain: BOE-A-2022-7191
  35. Spain: Royal Decree 1720/2007 (protection of personal data)
  36. Spain: Spain Royal Decree 311/2022
  37. Spain: ICT Security Guide CCN-STIC 825
  38. Sweden: Personal Data Act
  39. Switzerland: Federal Act on Data Protection (FADP)
  40. Turkey: Regulation on Protection of Personal Data in Electronic Communications Sector
  41. UAE: UAE National Information Assurance Framework (NIAF)
  42. United Kingdom: Cyber Assessment Framework (CAF) v3.1
  43. United Kingdom: Cyber Assessment Framework (CAF) for Aviation Guidance (CAP1850)
  44. United Kingdom: Cyber Essentials
  45. United Kingdom: Data Protection Act
  46. United Kingdom: Ministry of Defence Standard 05-138 (14 May 2024)
  47. United Kingdom: UK General Data Protection Regulation

APAC-Specific Laws, Regulations & Frameworks (LRF)

  1. Australia: Australia Essential Eight
  2. Australia: Privacy Act of 1998
  3. Australia: Australia Privacy Principles
  4. Australia: Australian Government Information Security Manual (ISM) (June 2024)
  5. Australia: Australia - Code of Practice - Securing the Internet of Things for Consumers
  6. Australia: Prudential Standard CPS 230 - Operational Risk Management
  7. Australia: Prudential Standard CPS 234 Information Security
  8. China: China Cybersecurity Law of the People's Republic of China (China Cybersecurity Law) 2017
  9. China: China Data Security Law of the People's Republic of China
  10. China: Decision on Strengthening Network Information Protection
  11. China: Personal Information Protection Law of the People's Republic of China
  12. Hong Kong: Personal Data Ordinance
  13. India: India Digital Personal Data Protection Act 2023
  14. India: Information Technology Rules (Privacy Rules)
  15. Japan: Act on the Protection of Personal Information (June 2020)
  16. Japan: Japan Information System Security Management and Assessment Program (ISMAP)
  17. Malaysia: Personal Data Protection Act of 2010
  18. New Zealand: NZ Health Information Security Framework (2022)
  19. New Zealand: HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers
  20. New Zealand: New Zealand Information Security Manual (NZISM) v3.6
  21. New Zealand: Privacy Act of 2020
  22. Philippines: Data Privacy Act of 2012
  23. Singapore: Personal Data Protection Act of 2012
  24. Singapore: Cyber Hygiene Practice
  25. Singapore: Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (2021)
  26. South Korea: Personal Information Protection Act
  27. Taiwan: Personal Data Protection Act

Americas (Non-US)-Specific Laws, Regulations & Frameworks (LRF)

  1. Argentina: Protection of Personal Data Law No. 25,326
  2. Argentina: Protection of Personal Data - MEN-2018-147-APN-PTE
  3. Bahamas: Data Protection Act
  4. Bermuda: Bermuda Monetary Authority Cyber Code of Conduct
  5. Brazil: General Data Protection Law (LGPD)
  6. Canada: Office of the Superintendent of Financial Institutions Canada (OSFI) - Cyber Security Self-Assessment Guidance
  7. Canada: Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171)
  8. Canada: B-13
  9. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  10. Chile: Act 19628 - Protection of Personal Data
  11. Colombia: Law 1581 of 2012
  12. Costa Rica: Protection of the Person in the Processing of His Personal Data
  13. Mexico: Federal Law on Protection of Personal Data held by Private Parties
  14. Peru: Personal Data Protection Law
  15. Uruguay: Law No. 18,331 - Protection of Personal Data and Action "Habeas Data"