Supported Frameworks

SCF maps 260+ regulatory and industry frameworks to a unified control set

Act 19628 - Protection of Personal Data

22 controls

Act of 29 August 1997 on the Protection of Personal Data

29 controls

Act of 8 December 1992

59 controls

Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18)

56 controls

Act on the Protection of Personal Information (June 2020)

58 controls

AICPA Trust Services Criteria (TSC) (with 2022 points of focus) - Note: used for SOC 2 audits

412 controls

AK - Alaska Personal Information Protection Act (PIPA)

17 controls

APEC Privacy Framework (2015)

14 controls

Australia - Code of Practice - Securing the Internet of Things for Consumers

15 controls

Australia Essential Eight

37 controls

Australian Government Information Security Manual (ISM) (June 2024)

336 controls

Australia Privacy Principles

26 controls

B-13

151 controls

Banking Supervisory Requirements for IT (BAIT)

91 controls

Bermuda Monetary Authority Cyber Code of Conduct

61 controls

BOE-A-2022-7191

73 controls

California Consumer Privacy Act (CCPA) January 2026 (amended California Privacy Rights Act (CPRA))

258 controls

CA - SB1386

1 control

CA - SB327

8 controls

CERT Resilience Management Model v1.2

292 controls

Children's Online Privacy Protection Act (COPPA)

6 controls

China Cybersecurity Law of the People's Republic of China (China Cybersecurity Law) 2017

27 controls

China Data Security Law of the People's Republic of China

15 controls

CISA Cross-Sector Cybersecurity Performance Goals (CPG)

127 controls

CISA Secure Software Development Attestation Form (SSDAF)

43 controls

Cloud Computing Compliance Controls Catalogue (C5) 2020

239 controls

Cloud Controls Matrix (CCM) v4

334 controls

CO - Colorado Privacy Act

53 controls

Committee of Sponsoring Organizations (COSO) 2017 Framework

103 controls

Control Objectives for Information and Related Technologies (COBIT) 2019

149 controls

Criminal Justice Information Services (CJIS) Security Policy v5.9.3

223 controls

Critical Security Controls (CSC) version 8.1

234 controls

Critical Security Controls (CSC) version 8.1 - IG1

91 controls

Critical Security Controls (CSC) version 8.1 - IG2

187 controls

Critical Security Controls (CSC) version 8.1 - IG3

206 controls

Critical Systems Cybersecurity Controls (CSCC – 1: 2019)

152 controls

CSA IoT Security Controls Framework v2

261 controls

Cyber Assessment Framework (CAF) for Aviation Guidance (CAP1850)

43 controls

Cyber Assessment Framework (CAF) v4.0

67 controls

Cyber Essentials

26 controls

Cyber Hygiene Practice

21 controls

Cybersecurity Capability Maturity Model (C2M2) v2.1

219 controls

Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249

39 controls

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1

52 controls

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1 Assessment Objectives

14 controls

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 2

198 controls

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 3

222 controls

Cybersecurity Methodology for an Organization v1.0

393 controls

Data Privacy Act of 2012

30 controls

Data Privacy Framework (DPF)

31 controls

Data Protection Act

18 controls

Data Protection Act

10 controls

Data Protection Act (2003)

25 controls

Decision on Strengthening Network Information Protection

10 controls

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - 7012

27 controls

Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections 3.0 Security Capabilities Catalog

150 controls

Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF)

202 controls

Digital Operational Resilience Act (DORA) (2023)

103 controls

DoD Zero Trust Execution Roadmap

117 controls

DoD Zero Trust Reference Architecture v2

37 controls

ENISA NIS2 Annex

224 controls

ENISA NIS2 (Directive (EU) 2022/2555)

68 controls

Essential Cybersecurity Controls (ECC – 1 : 2018)

190 controls

EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689)

119 controls

EU Cyber Resilience Act

18 controls

EU Cyber Resilience Act - Annexes

23 controls

European Banking Authority (EBA) Guidelines on ICT and security risk management

148 controls

European Union Agency for Network and Information Security (ENISA)

61 controls

Executive Order 14028 (EO 14028)

44 controls

Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA)

2 controls

Fair Information Practice Principles (FIPPs)

30 controls

Family Educational Rights and Privacy Act (FERPA)

16 controls

Farm Credit Administration (FCA) Cyber Risk Management

81 controls

Federal Acquisition Regulation (FAR) 52.204-21

54 controls

Federal Acquisition Regulation (FAR) 52.204-25 (NDAA Section 889)

1 control

Federal Acquisition Regulation (FAR) 52.204-27 Prohibition on a ByteDance Covered Application

5 controls

Federal Act concerning the Protection of Personal Data (DSG 2000)

63 controls

Federal Act on Data Protection (FADP)

16 controls

Federal Data Protection Act

18 controls

Federal Financial Institutions Examination Council (FFIEC)

72 controls

Federal Law of 27 July 2006 N 152-FZ

28 controls

Federal Law on Protection of Personal Data held by Private Parties

23 controls

Federal Risk and Authorization Management Program R4 (FedRAMP R4)

432 controls

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (high baseline)

431 controls

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (Li-SAAS baseline)

150 controls

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (low baseline)

150 controls

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (moderate baseline)

342 controls

Federal Risk and Authorization Management Program R5 (FedRAMP)

423 controls

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (high baseline)

423 controls

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (Li-SAAS baseline)

175 controls

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (low baseline)

176 controls

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (moderate baseline)

343 controls

Federal Trade Commission (FTC) Act

3 controls

Financial Industry Regulatory Authority (FINRA)

4 controls

Food & Drug Administration (FDA) 21 CFR Part 11

48 controls

General Data Protection Law (LGPD)

33 controls

General Data Protection Regulation (GDPR)

42 controls

Generally Accepted Privacy Principles (GAPP)

50 controls

GovRAMP Core

86 controls

GovRAMP High

441 controls

GovRAMP Low

230 controls

GovRAMP Moderate

347 controls

Gramm Leach Bliley Act (GLBA) - CFR 314 (Dec 2023)

72 controls

Health Industry Cybersecurity Practices (HICP) - Large Practice

233 controls

Health Industry Cybersecurity Practices (HICP) - Medium Practice

138 controls

Health Industry Cybersecurity Practices (HICP) - Small Practice

83 controls

HHS § 155.260 Privacy and Security of Personally Identifiable Information.

36 controls

HIPAA Administrative Simplification (2013)

171 controls

HIPAA Security Rule (includes mapping to NIST SP 800-66 R2)

136 controls

HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

102 controls

ICT Security Guide CCN-STIC 825

99 controls

IEC 62443-4-2:2019 - Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components

129 controls

IEC TR 60601-4-5:2021 - Medical electrical equipment - Part 4-5: Guidance and interpretation - Safety-related technical security specifications

26 controls

IL - Illinois Biometric Information Privacy Act (BIPA)

11 controls

IL - Illinois Identity Protection Act (IPA)

5 controls

IL - Illinois Personal Information Protection Act (PIPA)

10 controls

India Digital Personal Data Protection Act 2023

41 controls

Informational Self-Determination and Freedom of Information (Act CXII of 2011)

27 controls

Information Technology Rules (Privacy Rules)

12 controls

Insurance Data Security Model Law (MDL-668)

58 controls

Internal Revenue Service (IRS) 1075

445 controls

International Maritime Organization (IMO) Guidelines on Maritime Cyber Risk Management

75 controls

International Traffic in Arms Regulation (ITAR) [limited to Part 120]

23 controls

ISO/IEC 22301:2019 - Security and resilience — Business continuity management systems — Requirements

31 controls

ISO/IEC 27001:2022 - Information Security Management Systems (ISMS) - Requirements

51 controls

ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection - Information security controls

316 controls

ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

215 controls

ISO/IEC 27018:2014 - Code of Practice for PI in Public Clouds Acting as PI Processors

17 controls

ISO/IEC 27701:2025 - Privacy information management systems

59 controls

ISO/IEC 29100:2024 Information technology — Security techniques — Privacy framework

43 controls

ISO/IEC 31000:2009 - Risk Management

18 controls

ISO/IEC 31010:2009 - Risk Assessment Techniques

29 controls

ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system

149 controls

ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering

102 controls

Japan Information System Security Management and Assessment Program (ISMAP)

248 controls

Kenya Data Protection Act (2019)

41 controls

Law 1581 of 2012

29 controls

Law No. 18,331 - Protection of Personal Data and Action "Habeas Data"

32 controls

MA - 201 CMR 17.00

44 controls

Ministry of Defence Standard 05-138 (14 May 2024)

214 controls

MITRE ATT&CK - NIST 800-53 mappings

128 controls

Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (2021)

214 controls

MPA Content Security Best Practices Common Guidelines v5.1

230 controls

National Industrial Security Program Operating Manual (NISPOM)

179 controls

National Science & Technology Council (NSTC) NSPM-33

47 controls

Naval Nuclear Propulsion Information (NNPI)

122 controls

New Zealand Information Security Manual (NZISM) v3.6

291 controls

Nigeria Data Protection Regulation (2019)

25 controls

NIST AI 100-1 (Artificial Intelligence Risk Management Framework 1.0)

158 controls

NIST AI 600-1 (AI RMF Generative Artificial Intelligence Profile)

139 controls

NIST Cybersecurity Framework (CSF) v2.0

253 controls

NIST Privacy Framework v1.0

187 controls

NIST SP 800-160 - Systems Security Engineering

44 controls

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

341 controls

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM Baseline)

126 controls

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Flow Down)

94 controls

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 1)

86 controls

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 2)

261 controls

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 3)

271 controls

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information

136 controls

NIST SP 800-171A R3 - Assessing Security Requirements for Controlled Unclassified Information

217 controls

NIST SP 800-171 R2 - Protecting CUI in Nonfederal Systems and Organizations

252 controls

NIST SP 800-171 R3 - Protecting CUI in Nonfederal Systems and Organizations

408 controls

NIST SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

74 controls

NIST SP 800-207 - Zero Trust Architecture

95 controls

NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1

58 controls

NIST SP 800-37 - Guide for Applying the RMF to Federal Information Systems rev2

37 controls

NIST SP 800-39 - Managing Information Security Risk

21 controls

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations

652 controls

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (high baseline)

361 controls

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (low baseline)

151 controls

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)

286 controls

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations

777 controls

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (high baseline)

421 controls

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (low baseline)

199 controls

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)

343 controls

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (privacy baseline)

117 controls

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (Select Not Otherwise Categorized (NOC) controls)

392 controls

NIST SP 800-63B - Digital Identity Guidelines (partial mapping)

5 controls

NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security - High OT Overlay

437 controls

NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security - Moderate OT Overlay

357 controls

NIST SP 800-82 R3 - Guide to Industrial Control Systems (ICS) Security - Low OT Overlay

208 controls

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) 2024

122 controls

NV - Nevada Operation of Gaming Establishments - Regulation 5.260 (Cybersecurity)

20 controls

NV - SB220 (Nevada Privacy Law)

7 controls

NY - Cybersecurity Requirements for Financial Services Companies (DFS 23 NYCRR500) - 2023 Amendment 2

157 controls

NY - SHIELD Act (SB S5575B)

28 controls

NZ Health Information Security Framework (2022)

123 controls

OECD Privacy Principles

14 controls

Office of the Superintendent of Financial Institutions Canada (OSFI) - Cyber Security Self-Assessment Guidance

141 controls

Operational Technology Cybersecurity Controls (OTCC -1: 2022)

198 controls

OR - Consumer Privacy Act (SB 619)

34 controls

OR - ORS 646A

41 controls

OWASP Top 10 Most Critical Web Application Security Risks

131 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.01

364 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A

70 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A-EP

239 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B

58 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B-IP

121 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C

229 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C-VT

115 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Merchant

323 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Service Provider

341 controls

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ P2PE

47 controls

Personal Data Act

23 controls

Personal Data Act

25 controls

Personal Data Ordinance

14 controls

Personal Data Privacy Protection Law (PDPPL)

56 controls

Personal Data Protection Act

27 controls

Personal Data Protection Act

23 controls

Personal Data Protection Act of 2010

25 controls

Personal Data Protection Act of 2012

30 controls

Personal Data Protection Code

28 controls

Personal Data Protection Law

19 controls

Personal Information Protection Act

37 controls

Personal Information Protection and Electronic Documents Act (PIPEDA)

28 controls

Personal Information Protection Law of the People's Republic of China

79 controls

Privacy Act of 1998

23 controls

Privacy Act of 2020

20 controls

Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171)

408 controls

Protection of Individuals with Regard to the Processing of Personal Data (2472/1997)

17 controls

Protection of Personal Data - MEN-2018-147-APN-PTE

25 controls

Protection of Personal Information Act (POPIA)

101 controls

Protection of Personal Law No. 25,326

30 controls

Protection of Privacy Law, 5741 – 1981

22 controls

Protection of the Person in the Processing of His Personal Data

17 controls

Prudential Standard CPS 230 - Operational Risk Management

41 controls

Prudential Standard CPS 234 Information Security

52 controls

Regulation on Protection of Personal Data in Electronic Communications Sector

17 controls

Royal Decree 1720/2007 (protection of personal data)

17 controls

SACS-002 - Third Party Cybersecurity Standard

185 controls

Sarbanes Oxley Act (SOX)

2 controls

Saudi Arabia IoT CGIoT-1:2024

119 controls

Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) Version 1.0 (May 2017)

50 controls

Saudi Arabia Personal Data Protection Law (PDPL)

36 controls

SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)

170 controls

Second Payment Services Directive (PSD2)

30 controls

Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)

69 controls

Shared Assessments Standard Information Gathering Questionnaire (SIG) 2025

127 controls

Social Security Administration (SSA) Electronic Information Exchange Security Requirements

109 controls

Space Attack Research & Tactic Analysis (SPARTA) Countermeasures

81 controls

Spain Royal Decree 311/2022

73 controls

Standard 200-1

25 controls

SWIFT Customer Security Controls Framework 2021

127 controls

TN - Information Protection Act

30 controls

Trusted Information Security Assessment Exchange (TISAX) ISA 6.0.3

155 controls

TX - BC521

13 controls

TX - Consumer Data Protection Act (CDPA)

28 controls

TX - DIR Security Control Standards Catalog v2.0

208 controls

TX - SB 2610 (Safe Harbor Law)

6 controls

TX - SB820

7 controls

TX - Texas Risk & Authorization Management Program (TX-RAMP) Level 1

144 controls

TX - Texas Risk & Authorization Management Program (TX-RAMP) Level 2

331 controls

UAE National Information Assurance Framework (NIAF)

20 controls

UL 2900-1 - Software Cybersecurity for Network-Connectable Products

64 controls

UNECE WP.29

44 controls

UN Regulation No. 155 - Cyber security and cyber security management system

44 controls

US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0

375 controls

VA - Virginia Consumer Data Protection Act (2023)

44 controls

VT - Act 171 of 2018 (Data Broker Registration Act)

59 controls