Controls are your cybersecurity & data privacy program

A control is the power to influence or direct behaviors and the course of events.

Secure Controls Framework (SCF) Laws, Regulations & Frameworks (LRF)

The SCF contains a considerable breadth of coverage. If you download the SCF, you will find these listed on the "Authoritative Sources" tab. These Authoritative Sources are categorized by:

  • General Frameworks (universal and not country/geo-specific)
  • US - United States
  • EMEA - Europe Middle East & Africa
  • APAC - Asia Pacific
  • Americas - Non-US North, Central & South America

To understand the coverage for these Laws, Regulations and Frameworks (LRF), please read through how the SCF leverages Set Theory Relationship Mapping (STRM) according to NIST IR 8477 to demonstrate how SCF controls address targeted LRF requirements. The 2026.1 version of the SCF contains coverage for 250 unique LRF:

SCF Mapped General Frameworks

There are currently 91 General frameworks (e.g., ISO, NIST, PCI DSS, OWASP, etc.):

  1. AICPA Privacy Management Framework (PMF) (2020)
  2. Trust Services Criteria (TSC) (2017)
  3. APEC Privacy Framework (2015)
  4. Standard 200-1 (v1.0)
  5. Critical Security Controls (CSC) (v8.1)
  6. Critical Security Controls (CSC) (v8.1) - IG1
  7. Critical Security Controls (CSC) (v8.1) - IG2
  8. Critical Security Controls (CSC) (v8.1) - IG3
  9. Control Objectives for Information and Related Technologies (COBIT) (2019)
  10. Committee of Sponsoring Organizations (COSO) (2013)
  11. Cloud Controls Matrix (CCM) (v4.1.0)
  12. IoT Security Controls Framework (v2)
  13. Cyber Resilience Capability Maturity Model (CR-CMM) (2026)
  14. GovRAMP
  15. GovRAMP Core
  16. GovRAMP Low
  17. GovRAMP Low+
  18. GovRAMP Moderate
  19. GovRAMP High
  20. IEC TR 60601-4-5 (2021)
  21. IEC 62443-2-1 (2024)
  22. IEC 62443-3-3 (2013)
  23. IEC 62443-4-1 (2018)
  24. IEC 62443-4-2 (2019)
  25. International Maritime Organization (IMO) Guidelines on Maritime Cyber Risk Management (2025)
  26. ISO 21434 (2021)
  27. ISO 22301 (2019)
  28. ISO 27001 (2022)
  29. ISO 27002 (2022)
  30. ISO 27017 (2015)
  31. ISO 27018 (2025)
  32. ISO 27701 (2025)
  33. ISO 29100 (2024)
  34. ISO 31000 (2018)
  35. ISO 31010 (2009)
  36. ISO 42001 (2023)
  37. MITRE ATT&CK (v16.1)
  38. Content Security Best Practices Common Guidelines (v5.3.1)
  39. Insurance Data Security Model Law 668 (2017)
  40. NIST AI 100-1 (AI RMF 1.0)
  41. NIST AI 600-1
  42. NIST Privacy Framework (v1.0)
  43. NIST SP 800-37 R2
  44. NIST SP 800-39
  45. NIST SP 800-53 R4
  46. NIST SP 800-53 R5
  47. NIST SP 800-53 R5 - Privacy Baseline
  48. NIST SP 800-53 R5 - Low Baseline
  49. NIST SP 800-53 R5 - Moderate Baseline
  50. NIST SP 800-53 R5 - High Baseline
  51. NIST SP 800-66 R2
  52. NIST SP 800-82 R3
  53. NIST SP 800-82 R3 - Low OT Overlay
  54. NIST SP 800-82 R3 - Moderate OT Overlay
  55. NIST SP 800-82 R3 - High OT Overlay
  56. NIST SP 800-160 (Vol 2, Rev 1)
  57. NIST SP 800-161 R1 UDP1
  58. NIST SP 800-161 R1 UDP1 - C-SCRM Baseline
  59. NIST SP 800-161 R1 UDP1 - Flow Down Baseline
  60. NIST SP 800-161 R1 UDP1 - Level 1 Baseline
  61. NIST SP 800-161 R1 UDP1 - Level 2 Baseline
  62. NIST SP 800-161 R1 UDP1 - Level 3 Baseline
  63. NIST SP 800-171 R2
  64. NIST SP 800-171 R3
  65. NIST SP 800-171A
  66. NIST SP 800-171A R3
  67. NIST SP 800-172
  68. NIST SP 800-207
  69. NIST SP 800-218
  70. NIST Cybersecurity Framework (v2.0)
  71. OECD Privacy Principles (2010)
  72. OWASP Top 10 (2025)
  73. Payment Card Industry Data Security Standard (PCI DSS) (v4.01)
  74. Payment Card Industry Data Security Standard (PCI DSS) - SAQ A (v4.0.1)
  75. Payment Card Industry Data Security Standard (PCI DSS) - SAQ A-EP (v4.0.1)
  76. Payment Card Industry Data Security Standard (PCI DSS) - SAQ B (v4.0.1)
  77. Payment Card Industry Data Security Standard (PCI DSS) - SAQ B-IP (v4.0.1)
  78. Payment Card Industry Data Security Standard (PCI DSS) - SAQ C (v4.0.1)
  79. Payment Card Industry Data Security Standard (PCI DSS) - SAQ C-VT (v4.0.1)
  80. Payment Card Industry Data Security Standard (PCI DSS) - SAQ D Merchant (v4.0.1)
  81. Payment Card Industry Data Security Standard (PCI DSS) - SAQ D Service Provider (v4.0.1)
  82. Payment Card Industry Data Security Standard (PCI DSS) - SAQ P2PE (v4.0.1)
  83. Data Privacy Management Principle (DPMP) (2025)
  84. SIG (2025)
  85. SPARTA Countermeasures
  86. SWIFT Customer Security Controls Framework (2025)
  87. TISAX ISA (6.0.3)
  88. UL 2900-1 (2017)
  89. UL 2900-2-2 (2016)
  90. UN Regulation No. 155 (2021)
  91. UNECE WP.29 (2020)

SCF Mapped US-Specific Laws, Regulations & Frameworks (LRF)

There are currently 68 United States-specific LRF, both at the Federal and State levels: 

  1. CERT-RMM (v1.2)
  2. Children's Online Privacy Protection Act (COPPA) (2024)
  3. CISA Secure Software Development Attestation Form (SSDAF) (2024)
  4. CISA Trusted Internet Connections 3.0 Security Capabilities Catalog (TIC 3.0)
  5. CISA Cross-Sector Cybersecurity Performance Goals (CPG) (2.0)
  6. Criminal Justice Information Services (CJIS) Security Policy (v6.0)
  7. Cybersecurity Capability Maturity Model (C2M2) (v2.1)
  8. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 1
  9. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 1 Assessment Objectives
  10. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 2
  11. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 3
  12. Data Privacy Framework (2023)
  13. Department of War (DoW) - Zero Trust Execution Roadmap (v1.1)
  14. Department of War (DoW) - Zero Trust Reference Architecture (v2)
  15. DFARS 252.204-7012
  16. Executive Order 14028 - Improving the Nation's Cybersecurity
  17. Fair & Accurate Credit Transactions Act (FACTA) & Fair Credit Reporting Act (FCRA) (2023)
  18. FAR 52.204-21
  19. FAR 52.204-25 (NDAA Section 889)
  20. FAR 52.204-27
  21. Farm Credit Administration (FCA) Cyber Risk Management (2023)
  22. Food & Drug Administration (FDA) 21 CFR Part 11 (2025)
  23. FedRAMP R5 - Low Baseline
  24. FedRAMP R5 - Moderate Baseline
  25. FedRAMP R5 - High Baseline
  26. FedRAMP R5 - Li-SAAS Baseline
  27. Family Educational Rights and Privacy Act (FERPA) (2010)
  28. FINRA Cybersecurity Rules
  29. US Fair Information Practice Principles (FIPPs) (1973)
  30. Federal Trade Commission (FTC) Act
  31. Gramm Leach Bliley Act (GLBA) (2023)
  32. HHS § 155.260 (2016)
  33. HIPAA Administrative Simplification (2013)
  34. HIPAA Security Rule (2013)
  35. IRS 1075 (2021)
  36. MARS-E Document Suite (2.0)
  37. NERC Critical Infrastructure Protection (CIP) (2024)
  38. National Industrial Security Program Operating Manual (NISPOM) (2020)
  39. Safeguarding of NNPI (2010)
  40. SEC Cybersecurity Rule (2023)
  41. SOX (2002)
  42. TSA Security Directive 1580/82-2022-01
  43. Alaska Personal Information Protection Act (PIPA) (2009)
  44. California SB327 (2018)
  45. California Consumer Privacy Act (CCPA) (2026)
  46. California SB1386 (2002)
  47. Colorado Privacy Act (2021)
  48. Illinois Biometric Information Privacy Act (BIPA) (2008)
  49. Illinois Identity Protection Act (IPA) (2009)
  50. Illinois Personal Information Protection Act (PIPA) (2006)
  51. Massachusetts 201 CMR 17.00 (2008)
  52. Nevada Privacy Law (2023)
  53. Nevada Operation of Gaming Establishment (NOGE) Regulation 5.260 (2024)
  54. Nevada SB220 (2019)
  55. New York Department of Financial Services 23NYCRR Part 500 (2023 Amendment 2)
  56. New York SHIELD Act (SB S5575B) (2019)
  57. Oregon Consumer Information Protection Act (ORS 646A) (2025)
  58. Oregon Consumer Privacy Act (SB 619) (2023)
  59. Tennessee Information Protection Act (TIPA) (2025)
  60. Texas Identity Theft Enforcement and Protection Act (BC521) (2009)
  61. Texas Consumer Data Protection Act (2025)
  62. Texas DIR Security Control Standards Catalog (v2.2)
  63. Texas SB820 (2019)
  64. Texas Safe Harbor Law (SB2610) (2025)
  65. TX-RAMP 2.0 - Level 1
  66. TX-RAMP 2.0 - Level 2
  67. Virginia Consumer Data Protection Act (2023)
  68. Vermont Data Broker Registration Act (Act 171 of 2018)

SCF Mapped EMEA-Specific Laws, Regulations & Frameworks (LRF)

There are currently 51 EMEA-specific LRF, both at the EU and member state levels: 

  1. EU Artificial Intelligence Act (AI Act) (2024)
  2. EU Cyber Resilience Act (CRA) (2022)
  3. EU Cyber Resilience Act Annexes (CRA Annexes) (2022)
  4. EU EBA Guidelines on ICT and Security Risk Management (2025)
  5. EU Digital Operational Resilience Act (DORA) (2023)
  6. EU General Data Protection Regulation (GDPR) (2016)
  7. EU NIS2 Directive (2022)
  8. EU NIS2 Annex (2024)
  9. EU Second Payment Services Directive (PSD2) (2015)
  10. Austria - Federal Act concerning the Protection of Personal Data (2000)
  11. Belgium - Act of 8 December 1992
  12. Germany - Federal Data Protection Act (2017)
  13. Germany - Banking Supervisory Requirements for IT (2017)
  14. Germany - Cloud Computing Compliance Controls Catalogue (C5) (2020)
  15. Greece - Protection of Individuals with Regard to the Processing of Personal Data (1997)
  16. Hungary - Informational Self-Determination and Freedom of Information (2011)
  17. Ireland - Data Protection Act (DPA) (2003)
  18. Israel - Cybersecurity Methodology for an Organization v1.0
  19. Israel - Protection of Privacy Law, 5741 (1981)
  20. Italy - Personal Data Protection Code (2003)
  21. Kenya - Data Protection Act (DPA) (2019)
  22. Nigeria - Data Protection Regulation (DPR) (2019)
  23. Norway - Personal Data Act (PDA) (2018)
  24. Poland - Act of 29 August 1997 on the Protection of Personal Data
  25. Qatar - Personal Data Privacy Protection Law (PDPPL) (2020)
  26. Russia - Federal Law of 27 (2006)
  27. Saudi Arabia - Critical Systems Cybersecurity Controls (CSCC – 1: 2019)
  28. Saudi Arabia - Cybersecurity Guidelines for Internet of Things (CGIoT-1:2024)
  29. Saudi Arabia - Essential Cybersecurity Controls (ECC – 1 : 2018)
  30. Saudi Arabia - Operational Technology Cybersecurity Controls (OTCC -1: 2022)
  31. Saudi Arabia - Personal Data Protection Law (PDPL) (2023)
  32. Saudi Arabia - SACS-002 Third Party Cybersecurity Standard (2022)
  33. Saudi Arabia - SAMA CSF Version 1.0 (2017)
  34. Serbia - Act of 9 November 2018 on Personal Data Protection
  35. South Africa - Protection of Personal Information Act (POPIA) (2013)
  36. Spain - BOE-A-2022-7191
  37. Spain - Royal Decree 1720/2007
  38. Spain - Royal Decree 311/2022
  39. Spain - ICT Security Guide CCN-STIC 825 (2023)
  40. Switzerland - FADP
  41. Turkey - Law on the Protection of Personal Data (LPPD) (2016)
  42. UAE - National Information Assurance Framework (NIAF) (2023)
  43. UK - Cyber Assessment Framework (CAF) (v4.0)
  44. UK - Cyber Assessment Framework for Aviation Guidance (CAP1850) (2020)
  45. UK - Cyber Essentials (v3.3)
  46. UK - Defstan 05-138 (2024)
  47. UK - Defstan 05-138 (2024) - L0
  48. UK - Defstan 05-138 (2024) - L1
  49. UK - Defstan 05-138 (2024) - L2
  50. UK - Defstan 05-138 (2024) - L3
  51. UK - Data Protection Act (DPA) (1998)

SCF Mapped APAC-Specific Laws, Regulations & Frameworks (LRF)

There are currently 29 APAC-specific LRF:

  1. Australia - Essential Eight (2024)
  2. Australia - Privacy Act of 1998
  3. Australia - Privacy Principles (2026)
  4. Australia - Information Security Manual (ISM) (June 2024)
  5. Australia - Code of Practice - Securing the Internet of Things for Consumers (2020)
  6. Australia - Prudential Standard CPS 230 (2023)
  7. Australia - Prudential Standard CPS 234 (2019)
  8. China - Cybersecurity Law (2017)
  9. China - Data Security Law (2021)
  10. China - Decision on Strengthening Network Information Protection (2012)
  11. China - Personal Information Protection Law (2021)
  12. Hong Kong - Personal Data Ordinance (2022)
  13. India - DPDPA (2023)
  14. India - Privacy Rules (2011)
  15. India - SEBI CSCRF (2024)
  16. Japan - Act on the Protection of Personal Information (2020)
  17. Japan - Information System Security Management and Assessment Program (ISMAP)
  18. Malaysia - Personal Data Protection Act (PDPA) (2010)
  19. New Zealand - HISF MLHSP (2023)
  20. New Zealand - HISF MicroSmall (2023)
  21. New Zealand - HISF Guidance for Suppliers (2023)
  22. New Zealand - Information Security Manual (ISM) (v3.9)
  23. New Zealand - Privacy Act (2020)
  24. Philippines - Data Privacy Act (DPA) (2012)
  25. Singapore - Personal Data Protection Act (PDPA) (2012)
  26. Singapore - Cyber Hygiene Practice (2019)
  27. Singapore - Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (2021)
  28. South Korea - Personal Information Protection Act (PIPA) (2011)
  29. Taiwan - Personal Data Protection Act (PDPA) (2025)

SCF Mapped Americas (Non-US)-Specific Laws, Regulations & Frameworks (LRF)

There are currently 11 Americas-specific (non-USA) LRF:

  1. Argentina - Protection of Personal Data (2018)
  2. Bahamas - DPA (2003)
  3. Bermuda - Bermuda Monetary Authority Code of Conduct (2020)
  4. Brazil - General Data Protection Law (LGPD) (2018)
  5. Canada - OSFI Cyber Security Self-Assessment Guidance
  6. Canada - OSFI B-13 (2022)
  7. Canada - ITSP.10.171 (2025)
  8. Canada - Personal Information Protection and Electronic Documents Act (PIPEDA) (2000)
  9. Chile - Act 19628 (1999)
  10. Colombia - Law 1581 (2012)
  11. Mexico - Federal Law on Protection of Personal Data held by Private Parties (2010)

  • Excel version of STRM mapping

    STRM Bundle - Excel Versions

    This is for a digital download of the current Excel spreadsheet versions of the Set Theory Relationship Mapping (STRM) used to crosswalk the Secure Controls Framework (SCF).  There is a one (1) month period of time to access the STRM download (from...

    $20.00