Compliance
U.S. Federal Standards
Focus: Security and privacy controls for federal information systems.
Applies to: Any U.S. federal contractor or agency.
Focus: Digital identity guidelines (authentication, identity proofing).
Applies to: Federal systems handling digital identities.
Focus: Cybersecurity risk management framework (Identify, Protect, Detect, Respond, Recover).
Applies to: Voluntary for most, but mandated for U.S. federal agencies.
Focus: Safeguarding and dissemination controls for sensitive unclassified information (e.g., technical, financial, or proprietary data).
Applies to: Federal agencies, contractors, and any organization handling CUI under federal contracts or agreements.
International & Industry Standards
Focus: Requirements for information security management systems (ISMS).
Status: Not legally required, but globally recognized best practice.
Focus: Implementation guidance for ISO 27001 controls.
Status: Advisory companion to ISO 27001.
Focus: Security, availability, processing integrity, confidentiality, and privacy of customer data.
Applies to: Service organizations (SaaS, cloud providers).
Focus: Protection of EU/EEA citizen data (right to erasure, breach reporting).
Applies to: Any global company processing EU resident data.
Focus: Privacy rights for California residents (data access, opt-out of sales).
Applies to: Companies with CA resident data meeting revenue/data thresholds.
Focus: Securing cardholder data (encryption, access controls).
Applies to: Any entity handling credit/debit card transactions.
Sector-Specific Regulations
Focus: Protection of healthcare data (PHI).
Applies to: Healthcare providers, insurers, and business associates.
Focus: Financial data protection (privacy notices, safeguards).
Applies to: Banks, lenders, insurance companies, and financial advisors.
Focus: Financial reporting integrity and auditing.
Applies to: All U.S. publicly traded companies.
Focus: Privacy of student education records.
Applies to: U.S. educational institutions receiving federal funding.