IRS Publication 1075

United States

169 domains

176 controls

IRS Tax Information Security Guidelines. Required for federal/state/local agencies handling Federal Tax Information.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (169)

Exhibit 6

1 controls

Controls in the Exhibit 6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-SCSEM	Safeguard Computer Security Evaluation Matrix	Use IRS-published Safeguard Computer Security Evaluation Matrices (SCSEMs) to assess FTI system configurations; SCSEMs c...

Exhibit 7

1 controls

Controls in the Exhibit 7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-CONTRACTOR-LANGUAGE	Exhibit 7 Contract Language for Contractors	Include the IRS Publication 1075 Exhibit 7 mandatory contract language verbatim in all contracts where contractors will...

Section 1.4.7

1 controls

Controls in the Section 1.4.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-OFFSHORE	Prohibition on Offshore Access	FTI must not be accessed, processed, or stored by personnel located outside US territories; all support personnel includ...

Section 10

1 controls

Controls in the Section 10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-IMPROPER-DISCLOSURE	Reporting Improper Inspections or Disclosures	Report any improper inspection or disclosure of FTI to TIGTA and IRS Office of Safeguards within 24 hours of identificat...

Section 4.3

1 controls

Controls in the Section 4.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-PRINT-CONTROL	FTI Printout Inventory and Destruction	Maintain inventory of FTI printouts and physical records; destroy FTI printouts via shredding (cross-cut to 5/16 inch by...

Section 4.4

1 controls

Controls in the Section 4.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-COMMINGLING	FTI Commingling Identification	Identify FTI when commingled with non-FTI data and ensure it remains identifiable for handling, audit, and destruction p...

Section 6.2

1 controls

Controls in the Section 6.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-NDA	Non-Disclosure Agreements	Require all personnel (employees and contractors) with FTI access to sign a non-disclosure agreement prior to access and...

Section 6.3

1 controls

Controls in the Section 6.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-DISCLOSURE-AWARENESS	Disclosure Awareness Training	Provide annual disclosure awareness training to all personnel with FTI access covering IRC 6103 disclosure rules, IRC 72...

Section 7.1

1 controls

Controls in the Section 7.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-SAFEGUARDS-SSR	Safeguard Security Report (SSR)	Submit Safeguard Security Report (SSR) every six years (or upon significant change) describing all measures used to ensu...

Section 7.2

1 controls

Controls in the Section 7.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-SAFEGUARDS-REPORTING	Safeguard Activity Report (SAR)	Submit annual Safeguard Activity Report (SAR) to IRS Office of Safeguards detailing safeguard activities, FTI environmen...

Section 7.3

1 controls

Controls in the Section 7.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-SAFEGUARDS-REVIEW	On-Site Safeguard Review	Cooperate with on-site safeguard reviews conducted by IRS Office of Safeguards on approximately three-year cycle; provid...

Section 7.4

1 controls

Controls in the Section 7.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-SAFEGUARDS-CAP	Corrective Action Plan (CAP)	Develop and submit Corrective Action Plan to IRS Office of Safeguards in response to findings from safeguards reviews; t...

Section 7.5

1 controls

Controls in the Section 7.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-DATA-WAREHOUSE	Data Warehouse Notification	Notify IRS Office of Safeguards 45 days before commingling FTI in a data warehouse or before significant changes to exis...

Section 9.3.1.1

1 controls

Controls in the Section 9.3.1.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-1	Policy and Procedures	Develop and disseminate access control policy and procedures; review at least annually (FedRAMP parameter); update follo...

Section 9.3.1.10

1 controls

Controls in the Section 9.3.1.10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-12	Session Termination	Automatically terminate user session after FedRAMP-defined conditions (idle timeout, trigger events).

Section 9.3.1.11

1 controls

Controls in the Section 9.3.1.11 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-14	Permitted Actions Without Identification or Authentication	Identify and document actions allowed without identification or authentication.

Section 9.3.1.12

2 controls

Controls in the Section 9.3.1.12 domain of IRS Publication 1075 — 2 controls
Code	Title	Description
AC-17	Remote Access	Establish usage restrictions, configuration requirements, and authorize remote access prior to allowing.
AC-17(2)	Protection of Confidentiality and Integrity Using Encryption	Implement cryptographic mechanisms to protect remote access sessions; FIPS-validated.

Section 9.3.1.13

1 controls

Controls in the Section 9.3.1.13 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-18	Wireless Access	Establish configuration requirements, usage restrictions, authorize wireless access.

Section 9.3.1.14

1 controls

Controls in the Section 9.3.1.14 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-19	Access Control for Mobile Devices	Establish configuration requirements and usage restrictions for mobile devices.

Section 9.3.1.15

1 controls

Controls in the Section 9.3.1.15 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-20	Use of External Systems	Establish terms and conditions for use of external systems; prohibit unless authorized.

Section 9.3.1.16

1 controls

Controls in the Section 9.3.1.16 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-21	Information Sharing	Enable authorized users to determine whether access authorizations match sharing restrictions.

Section 9.3.1.17

1 controls

Controls in the Section 9.3.1.17 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-22	Publicly Accessible Content	Designate users authorized to post; train them; review content quarterly for nonpublic information.

Section 9.3.1.2

4 controls

Controls in the Section 9.3.1.2 domain of IRS Publication 1075 — 4 controls
Code	Title	Description
AC-2	Account Management	Manage accounts; review at least monthly for privileged, every six months for non-privileged (FedRAMP); notify within Fe...
AC-2(1)	Automated System Account Management	Support account management via automated mechanisms; required at HIGH baseline.
AC-2(3)	Disable Accounts	Disable accounts within FedRAMP-defined timeframe when no longer required, terminated, or inactive (35 days inactive).
AC-2(5)	Inactivity Logout	Require users to log out when inactivity exceeds FedRAMP-defined period (15 minutes for non-mobile, 30 for mobile).

Section 9.3.1.3

1 controls

Controls in the Section 9.3.1.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-3	Access Enforcement	Enforce approved authorizations for logical access in accordance with policy.

Section 9.3.1.4

1 controls

Controls in the Section 9.3.1.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-4	Information Flow Enforcement	Enforce approved information flow control policies between connected systems and within the system.

Section 9.3.1.5

1 controls

Controls in the Section 9.3.1.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-5	Separation of Duties	Identify and document duties requiring separation; define access authorizations to support.

Section 9.3.1.6

2 controls

Controls in the Section 9.3.1.6 domain of IRS Publication 1075 — 2 controls
Code	Title	Description
AC-6	Least Privilege	Employ least privilege; allow only authorized access necessary to accomplish assigned tasks.
AC-6(9)	Log Use of Privileged Functions	Log execution of privileged functions.

Section 9.3.1.7

1 controls

Controls in the Section 9.3.1.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-7	Unsuccessful Logon Attempts	Enforce limit of 3 consecutive invalid logon attempts within 15 minutes (FedRAMP); lock for 30 min or until released.

Section 9.3.1.8

1 controls

Controls in the Section 9.3.1.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-8	System Use Notification	Display approved system use notification/banner before granting access; FedRAMP requires specific language.

Section 9.3.1.9

1 controls

Controls in the Section 9.3.1.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AC-11	Device Lock	Prevent further access by initiating device lock after 15 minutes inactivity (FedRAMP) or upon user request.

Section 9.3.10.1

1 controls

Controls in the Section 9.3.10.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-1	Policy and Procedures	Develop and review media protection policy at least annually.

Section 9.3.10.2

1 controls

Controls in the Section 9.3.10.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-2	Media Access	Restrict access to FedRAMP-defined types of digital and non-digital media to authorized personnel.

Section 9.3.10.3

1 controls

Controls in the Section 9.3.10.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-3	Media Marking	Mark system media indicating distribution limitations, handling caveats, security markings.

Section 9.3.10.4

1 controls

Controls in the Section 9.3.10.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-4	Media Storage	Physically control and securely store FedRAMP-defined types of media within FedRAMP-defined controlled areas.

Section 9.3.10.5

1 controls

Controls in the Section 9.3.10.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-5	Media Transport	Protect and control media during transport outside controlled areas; maintain accountability; document activities; restr...

Section 9.3.10.6

1 controls

Controls in the Section 9.3.10.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-6	Media Sanitization	Sanitize media prior to disposal, release, or reuse using FedRAMP-defined methods (NIST SP 800-88).

Section 9.3.10.7

1 controls

Controls in the Section 9.3.10.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MP-7	Media Use	Restrict or prohibit use of FedRAMP-defined types of media on FedRAMP-defined systems using safeguards.

Section 9.3.11.1

1 controls

Controls in the Section 9.3.11.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-1	Policy and Procedures	Develop and review physical/environmental policy at least annually.

Section 9.3.11.10

1 controls

Controls in the Section 9.3.11.10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-11	Emergency Power	Provide short-term uninterruptible power supply for orderly shutdown or transition to long-term alternate power.

Section 9.3.11.11

1 controls

Controls in the Section 9.3.11.11 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-12	Emergency Lighting	Employ and maintain automatic emergency lighting activating on power outage covering emergency exits.

Section 9.3.11.12

1 controls

Controls in the Section 9.3.11.12 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-13	Fire Protection	Employ and maintain fire suppression and detection devices independent of energy source.

Section 9.3.11.13

1 controls

Controls in the Section 9.3.11.13 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-14	Environmental Controls	Maintain temperature and humidity within FedRAMP-defined acceptable levels; monitor at FedRAMP frequency.

Section 9.3.11.14

1 controls

Controls in the Section 9.3.11.14 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-15	Water Damage Protection	Protect system from damage from water leakage by providing master shutoff valves accessible to key personnel.

Section 9.3.11.15

1 controls

Controls in the Section 9.3.11.15 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-16	Delivery and Removal	Authorize and control system components entering/exiting facility; maintain records.

Section 9.3.11.16

1 controls

Controls in the Section 9.3.11.16 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-17	Alternate Work Site	Determine alternate work sites; employ FedRAMP-defined controls at alternate sites; assess effectiveness.

Section 9.3.11.17

1 controls

Controls in the Section 9.3.11.17 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-18	Location of System Components	Position system components to minimize damage from physical/environmental hazards and unauthorized access; HIGH only.

Section 9.3.11.2

1 controls

Controls in the Section 9.3.11.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-2	Physical Access Authorizations	Develop, approve, maintain list of individuals with authorized facility access; review at least quarterly (FedRAMP).

Section 9.3.11.3

1 controls

Controls in the Section 9.3.11.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-3	Physical Access Control	Enforce physical access at entry/exit points; verify authorizations; control ingress/egress; maintain audit logs.

Section 9.3.11.4

1 controls

Controls in the Section 9.3.11.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-4	Access Control for Transmission	Control physical access to system distribution and transmission lines.

Section 9.3.11.5

1 controls

Controls in the Section 9.3.11.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-5	Access Control for Output Devices	Control physical access to output from system devices to prevent unauthorized individuals from obtaining output.

Section 9.3.11.6

1 controls

Controls in the Section 9.3.11.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-6	Monitoring Physical Access	Monitor physical access to facility; review access logs at least weekly (FedRAMP); coordinate review with IR.

Section 9.3.11.7

1 controls

Controls in the Section 9.3.11.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-8	Visitor Access Records	Maintain visitor access records for FedRAMP-defined period (1 year); review records monthly (FedRAMP).

Section 9.3.11.8

1 controls

Controls in the Section 9.3.11.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-9	Power Equipment and Cabling	Protect power equipment and cabling from damage and destruction.

Section 9.3.11.9

1 controls

Controls in the Section 9.3.11.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PE-10	Emergency Shutoff	Provide capability for emergency shutoff of power; protect from accidental activation.

Section 9.3.12.1

1 controls

Controls in the Section 9.3.12.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PL-1	Policy and Procedures	Develop and review planning policy at least annually.

Section 9.3.12.2

1 controls

Controls in the Section 9.3.12.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PL-2	System Security and Privacy Plans	Develop SSP that aligns with FedRAMP template; review and update annually.

Section 9.3.12.3

1 controls

Controls in the Section 9.3.12.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PL-4	Rules of Behavior	Establish and provide rules describing user responsibilities; receive signed acknowledgement.

Section 9.3.13.1

1 controls

Controls in the Section 9.3.13.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-1	Policy and Procedures	Develop and review personnel security policy at least annually.

Section 9.3.13.2

1 controls

Controls in the Section 9.3.13.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-2	Position Risk Designation	Assign risk designation to positions; review and update at least every three years.

Section 9.3.13.3

1 controls

Controls in the Section 9.3.13.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-3	Personnel Screening	Screen individuals prior to authorizing access; rescreen at FedRAMP frequency per position risk; US citizenship may appl...

Section 9.3.13.4

1 controls

Controls in the Section 9.3.13.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-4	Personnel Termination	Disable access and revoke authenticators within FedRAMP-defined time (same day); conduct exit interview; retrieve proper...

Section 9.3.13.5

1 controls

Controls in the Section 9.3.13.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-5	Personnel Transfer	Review/confirm ongoing operational need for access when personnel transfer; modify access; notify within FedRAMP timefra...

Section 9.3.13.6

1 controls

Controls in the Section 9.3.13.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-6	Access Agreements	Develop access agreements; review and update annually; require signature before access.

Section 9.3.13.7

1 controls

Controls in the Section 9.3.13.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-7	External Personnel Security	Establish personnel security requirements for external providers; require providers to notify within FedRAMP timeframe o...

Section 9.3.13.8

1 controls

Controls in the Section 9.3.13.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PS-8	Personnel Sanctions	Employ formal sanctions for personnel failing to comply with security/privacy policies; notify defined personnel within...

Section 9.3.14.1

1 controls

Controls in the Section 9.3.14.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
RA-1	Policy and Procedures	Develop and review risk assessment policy at least annually.

Section 9.3.14.2

1 controls

Controls in the Section 9.3.14.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
RA-2	Security Categorization	Categorize system per FIPS 199; document; review and update annually.

Section 9.3.14.3

1 controls

Controls in the Section 9.3.14.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
RA-3	Risk Assessment	Conduct risk assessment annually (FedRAMP); document; review and update.

Section 9.3.14.4

1 controls

Controls in the Section 9.3.14.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
RA-5	Vulnerability Monitoring and Scanning	Scan for vulnerabilities monthly (FedRAMP); OS/network weekly, web app monthly, database monthly; remediate within FedRA...

Section 9.3.14.5

1 controls

Controls in the Section 9.3.14.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
RA-7	Identifies and Analyzes Risk	The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis f...

Section 9.3.15.1

1 controls

Controls in the Section 9.3.15.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SA-1	Logging and Monitoring	Collect, retain and monitor logs from IT and OT assets to detect anomalous activity.

Section 9.3.15.2

1 controls

Controls in the Section 9.3.15.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SA-4	Acquisition Process	Include security/privacy requirements in contracts; FedRAMP-defined assurance requirements.

Section 9.3.15.3

1 controls

Controls in the Section 9.3.15.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SA-5	System Documentation	Obtain administrator and user documentation; protect; distribute to FedRAMP-defined personnel.

Section 9.3.15.4

1 controls

Controls in the Section 9.3.15.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SA-8	Security and Privacy Engineering Principles	Apply FedRAMP-defined systems security and privacy engineering principles in development.

Section 9.3.15.5

1 controls

Controls in the Section 9.3.15.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SA-9	External System Services	Require providers of external system services to comply with security/privacy requirements; document oversight roles.

Section 9.3.15.6

1 controls

Controls in the Section 9.3.15.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SA-11	Developer Testing and Evaluation	Require developer to test at FedRAMP-defined depth and coverage; document; correct flaws.

Section 9.3.16.1

1 controls

Controls in the Section 9.3.16.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-1	Policy and Procedures	Develop and review system/comms protection policy at least annually.

Section 9.3.16.10

1 controls

Controls in the Section 9.3.16.10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-15	Collaborative Computing Devices and Applications	Prohibit remote activation of collaborative computing devices (cameras, mics) without explicit user indication; provide...

Section 9.3.16.11

1 controls

Controls in the Section 9.3.16.11 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-17	Public Key Infrastructure Certificates	Issue public key certificates under FedRAMP-defined policy or obtain from approved service providers.

Section 9.3.16.12

1 controls

Controls in the Section 9.3.16.12 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-18	Mobile Code	Define acceptable and unacceptable mobile code; authorize use; monitor.

Section 9.3.16.13

1 controls

Controls in the Section 9.3.16.13 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-20	Secure Name/Address Resolution Service (Authoritative)	Provide artifacts for additional data origin authentication and integrity verification (DNSSEC) for child zones; FedRAMP...

Section 9.3.16.14

1 controls

Controls in the Section 9.3.16.14 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-21	Secure Name/Address Resolution Service (Recursive or Caching Resolver)	Request and perform data origin authentication and data integrity verification on name/address resolution responses; DNS...

Section 9.3.16.15

1 controls

Controls in the Section 9.3.16.15 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-22	Architecture and Provisioning for Name/Address Resolution Service	Ensure DNS systems are fault-tolerant and implement role separation.

Section 9.3.16.16

1 controls

Controls in the Section 9.3.16.16 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-23	Session Authenticity	Protect authenticity of communications sessions.

Section 9.3.16.17

1 controls

Controls in the Section 9.3.16.17 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-28	Protection of Information at Rest	Protect confidentiality and integrity of FedRAMP-defined information at rest.

Section 9.3.16.18

1 controls

Controls in the Section 9.3.16.18 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-39	Process Isolation	Maintain separate execution domain for each executing system process.

Section 9.3.16.2

1 controls

Controls in the Section 9.3.16.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-2	Separation of System and User Functionality	Separate user functionality from system management functionality.

Section 9.3.16.3

1 controls

Controls in the Section 9.3.16.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-4	Information in Shared System Resources	Prevent unauthorized and unintended information transfer via shared system resources.

Section 9.3.16.4

1 controls

Controls in the Section 9.3.16.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-5	Denial-of-Service Protection	Protect against or limit effects of DoS attacks using FedRAMP-defined safeguards.

Section 9.3.16.5

1 controls

Controls in the Section 9.3.16.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-7	Boundary Protection	Monitor/control communications at external boundary and key internal boundaries; implement subnetworks for publicly acce...

Section 9.3.16.6

1 controls

Controls in the Section 9.3.16.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-8	Transmission Confidentiality and Integrity	Protect confidentiality and integrity of transmitted information using cryptographic mechanisms.

Section 9.3.16.7

1 controls

Controls in the Section 9.3.16.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-10	Network Disconnect	Terminate network connection at end of session or after FedRAMP-defined inactivity period (no longer than 30 minutes).

Section 9.3.16.8

1 controls

Controls in the Section 9.3.16.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-12	Cryptographic Key Establishment and Management	Establish and manage cryptographic keys per FedRAMP requirements (FIPS-validated, key escrow/recovery as appropriate).

Section 9.3.16.9

1 controls

Controls in the Section 9.3.16.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SC-13	Cryptographic Protection	Implement FedRAMP-defined cryptographic uses and approved cryptography (FIPS 140 validated).

Section 9.3.17.1

1 controls

Controls in the Section 9.3.17.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-1	Policy and Procedures	Develop and review system/information integrity policy at least annually.

Section 9.3.17.10

1 controls

Controls in the Section 9.3.17.10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-12	Information Management and Retention	Manage and retain information consistent with applicable laws, regulations, policies, standards.

Section 9.3.17.11

1 controls

Controls in the Section 9.3.17.11 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-16	Memory Protection	Implement FedRAMP-defined safeguards to protect memory from unauthorized code execution (DEP, ASLR).

Section 9.3.17.2

1 controls

Controls in the Section 9.3.17.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-2	Flaw Remediation	Identify, report, and correct system flaws; remediate within FedRAMP-defined timeframes (HIGH critical 15d, high 30d).

Section 9.3.17.3

1 controls

Controls in the Section 9.3.17.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-3	Malicious Code Protection	Implement signature-based and non-signature-based malicious code protection; configure to scan endpoints and entry/exit...

Section 9.3.17.4

1 controls

Controls in the Section 9.3.17.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-4	System Monitoring	Monitor system to detect attacks; identify unauthorized use; deploy monitoring devices at boundaries and key internal po...

Section 9.3.17.5

1 controls

Controls in the Section 9.3.17.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-5	Security Alerts, Advisories, and Directives	Receive alerts/advisories/directives from FedRAMP-defined external organizations (US-CERT, CISA); generate internal; dis...

Section 9.3.17.6

1 controls

Controls in the Section 9.3.17.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-7	Software, Firmware, and Information Integrity	Employ integrity verification tools to detect unauthorized changes to software, firmware, information; HIGH only.

Section 9.3.17.7

1 controls

Controls in the Section 9.3.17.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-8	Spam Protection	Employ spam protection at entry/exit points; update spam protection mechanisms when new releases available.

Section 9.3.17.8

1 controls

Controls in the Section 9.3.17.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-10	Information Input Validation	Check validity of FedRAMP-defined information inputs.

Section 9.3.17.9

1 controls

Controls in the Section 9.3.17.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
SI-11	Error Handling	Generate error messages providing necessary info without revealing sensitive info; reveal only to authorized.

Section 9.3.2.1

1 controls

Controls in the Section 9.3.2.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AT-1	Policy and Procedures	Develop, disseminate, and review awareness and training policy and procedures at least annually.

Section 9.3.2.2

1 controls

Controls in the Section 9.3.2.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AT-2	Literacy Training and Awareness	Provide security awareness training within FedRAMP-defined timeframe of onboarding, on system change, and at least annua...

Section 9.3.2.3

1 controls

Controls in the Section 9.3.2.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AT-3	Role-Based Training	Provide role-based security training to personnel with significant security responsibilities before authorizing access a...

Section 9.3.2.4

1 controls

Controls in the Section 9.3.2.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AT-4	Training Records	Document and monitor security training; retain records for FedRAMP-defined period (5 years).

Section 9.3.3.1

1 controls

Controls in the Section 9.3.3.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-1	Policy and Procedures	Develop and review audit/accountability policy annually.

Section 9.3.3.10

1 controls

Controls in the Section 9.3.3.10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-11	Audit Record Retention	Retain audit records for at least one year (FedRAMP minimum) with 90 days immediately accessible online.

Section 9.3.3.11

1 controls

Controls in the Section 9.3.3.11 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-12	Audit Record Generation	Provide audit record generation capability on all system components specified in AU-2.

Section 9.3.3.2

1 controls

Controls in the Section 9.3.3.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-2	Event Logging	Identify event types selected for logging including FedRAMP minimum list; review and update at least annually.

Section 9.3.3.3

1 controls

Controls in the Section 9.3.3.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-3	Content of Audit Records	Audit records must contain: type, when, where, source, outcome, identity associated.

Section 9.3.3.4

1 controls

Controls in the Section 9.3.3.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-4	Audit Log Storage Capacity	Allocate audit log storage capacity to accommodate FedRAMP-defined retention period.

Section 9.3.3.5

1 controls

Controls in the Section 9.3.3.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-5	Response to Audit Logging Process Failures	Alert defined personnel on audit failure within FedRAMP timeframe; take defined action (overwrite oldest, shutdown, stop...

Section 9.3.3.6

1 controls

Controls in the Section 9.3.3.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-6	Audit Record Review, Analysis, and Reporting	Review and analyze audit records at least weekly (FedRAMP); report findings to defined personnel.

Section 9.3.3.7

1 controls

Controls in the Section 9.3.3.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-7	Audit Record Reduction and Report Generation	Provide capability for audit record reduction and on-demand report generation.

Section 9.3.3.8

1 controls

Controls in the Section 9.3.3.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-8	Time Stamps	Use internal system clocks; record timestamps with FedRAMP-defined granularity (1 second), UTC or known offset.

Section 9.3.3.9

1 controls

Controls in the Section 9.3.3.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
AU-9	Protection of Audit Information	Protect audit information and tools from unauthorized access, modification, deletion.

Section 9.3.4.1

1 controls

Controls in the Section 9.3.4.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-1	Policy and Procedures	Develop and review assessment/authorization policy at least annually.

Section 9.3.4.2

1 controls

Controls in the Section 9.3.4.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-2	Control Assessments	Assess controls annually (FedRAMP); third-party assessor (3PAO) required; produce SAR.

Section 9.3.4.3

1 controls

Controls in the Section 9.3.4.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-3	Information Exchange	Approve and manage exchange of information with external systems using ISA, MOU, contract; review annually.

Section 9.3.4.4

1 controls

Controls in the Section 9.3.4.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-5	Plan of Action and Milestones	Develop POAM; update at least monthly (FedRAMP); track remediation timelines (HIGH 30 days, MOD 90).

Section 9.3.4.5

1 controls

Controls in the Section 9.3.4.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-6	Authorization	Senior official authorizes system; reauthorize every three years or upon significant change.

Section 9.3.4.6

1 controls

Controls in the Section 9.3.4.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-7	Continuous Monitoring	Establish continuous monitoring strategy with FedRAMP-defined metrics, monitoring frequencies, ongoing assessments.

Section 9.3.4.7

1 controls

Controls in the Section 9.3.4.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-8	Penetration Testing	Conduct penetration testing annually on FedRAMP-defined systems and components.

Section 9.3.4.8

1 controls

Controls in the Section 9.3.4.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CA-9	Internal System Connections	Authorize internal connections of components to system; document interface characteristics.

Section 9.3.5.1

1 controls

Controls in the Section 9.3.5.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-1	Policy and Procedures	Develop and review configuration management policy annually.

Section 9.3.5.10

1 controls

Controls in the Section 9.3.5.10 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-11	User-Installed Software	Establish policies governing installation of software by users; enforce; monitor compliance.

Section 9.3.5.2

1 controls

Controls in the Section 9.3.5.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-2	Baseline Configuration	Develop and maintain baseline configurations; review and update annually (FedRAMP) and when required.

Section 9.3.5.3

1 controls

Controls in the Section 9.3.5.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-3	Configuration Change Control	Determine, document, and approve changes; track, review, audit; CAB or equivalent; analyze security impact.

Section 9.3.5.4

1 controls

Controls in the Section 9.3.5.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-4	Impact Analyses	Analyze changes to determine potential security/privacy impacts.

Section 9.3.5.5

1 controls

Controls in the Section 9.3.5.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-5	Access Restrictions for Change	Define, document, approve, enforce physical and logical access restrictions for changes.

Section 9.3.5.6

1 controls

Controls in the Section 9.3.5.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-6	Configuration Settings	Establish/document configuration settings using checklists; CIS/USGCB/DISA STIG when available; HIGH baseline.

Section 9.3.5.7

1 controls

Controls in the Section 9.3.5.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-7	Least Functionality	Configure system to provide only essential capabilities; prohibit unnecessary functions, services, ports, protocols.

Section 9.3.5.8

1 controls

Controls in the Section 9.3.5.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-8	System Component Inventory	Develop and document inventory of system components; review and update at least monthly (FedRAMP).

Section 9.3.5.9

1 controls

Controls in the Section 9.3.5.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CM-10	Software Usage Restrictions	Use software in accordance with contracts and copyright laws; track licenses; document peer-to-peer file sharing control...

Section 9.3.6.1

1 controls

Controls in the Section 9.3.6.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-1	Policy and Procedures	Develop and review contingency planning policy at least annually.

Section 9.3.6.2

1 controls

Controls in the Section 9.3.6.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-2	Contingency Plan	Develop contingency plan; review and update annually (FedRAMP); coordinate with related plans.

Section 9.3.6.3

1 controls

Controls in the Section 9.3.6.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-3	Contingency Training	Provide contingency training to users assigned roles; within FedRAMP timeframe of role assignment and at least annually.

Section 9.3.6.4

1 controls

Controls in the Section 9.3.6.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-4	Contingency Plan Testing	Test contingency plan at least annually (FedRAMP) using FedRAMP-defined tests; review test results.

Section 9.3.6.5

1 controls

Controls in the Section 9.3.6.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-6	Alternate Storage Site	Establish alternate storage site with agreements to permit storage and retrieval of system backup information.

Section 9.3.6.6

1 controls

Controls in the Section 9.3.6.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-7	Alternate Processing Site	Establish alternate processing site with agreements for resumption of operations within FedRAMP-defined RTO.

Section 9.3.6.7

1 controls

Controls in the Section 9.3.6.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-8	Telecommunications Services	Establish alternate telecommunications services with agreements to permit resumption of system operations.

Section 9.3.6.8

1 controls

Controls in the Section 9.3.6.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-9	System Backup	Conduct backups of user-level, system-level, and security-related documentation; FedRAMP-defined frequency (daily increm...

Section 9.3.6.9

1 controls

Controls in the Section 9.3.6.9 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
CP-10	System Recovery and Reconstitution	Provide for recovery and reconstitution of system to known state within RTO.

Section 9.3.7.1

1 controls

Controls in the Section 9.3.7.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IA-1	Policy and Procedures	Develop and review identification and authentication policy at least annually.

Section 9.3.7.2

2 controls

Controls in the Section 9.3.7.2 domain of IRS Publication 1075 — 2 controls
Code	Title	Description
IA-2	Identification and Authentication (Organizational Users)	Uniquely identify and authenticate organizational users and associate identity with processes acting on behalf of users.
IA-2(12)	Acceptance of PIV Credentials	Accept and electronically verify Personal Identity Verification credentials.

Section 9.3.7.3

1 controls

Controls in the Section 9.3.7.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IA-3	Device Identification and Authentication	Uniquely identify and authenticate devices before establishing connection.

Section 9.3.7.4

1 controls

Controls in the Section 9.3.7.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IA-4	Identifier Management	Manage identifiers; uniquely identify; prevent reuse for FedRAMP-defined period.

Section 9.3.7.5

2 controls

Controls in the Section 9.3.7.5 domain of IRS Publication 1075 — 2 controls
Code	Title	Description
IA-5	Authenticator Management	Manage authenticators; verify identity prior to issuing; establish initial content; protect.
IA-5(1)	Password-Based Authentication	Enforce password complexity per NIST SP 800-63B; minimum 12 characters (FedRAMP); compare against breach lists.

Section 9.3.7.6

1 controls

Controls in the Section 9.3.7.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IA-6	Authentication Feedback	Obscure authentication feedback during authentication process.

Section 9.3.7.7

1 controls

Controls in the Section 9.3.7.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IA-7	Cryptographic Module Authentication	Implement authentication to cryptographic modules meeting FIPS 140 (FedRAMP requires FIPS-validated).

Section 9.3.7.8

1 controls

Controls in the Section 9.3.7.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IA-8	Identification and Authentication (Non-Organizational Users)	Uniquely identify and authenticate non-organizational users (e.g., federal customers).

Section 9.3.8.1

1 controls

Controls in the Section 9.3.8.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-1	Event Detection and Triage	Detect, triage and declare cyber events using documented criteria and severity levels.

Section 9.3.8.2

1 controls

Controls in the Section 9.3.8.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-2	Incident Response and Recovery	Respond to, contain and recover from cyber incidents affecting IT and OT functions.

Section 9.3.8.3

1 controls

Controls in the Section 9.3.8.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-3	Continuity of Operations	Plan, exercise and maintain continuity of the function during and after cyber incidents.

Section 9.3.8.4

1 controls

Controls in the Section 9.3.8.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-4	Incident Handling	Implement IR capability for preparation, detection/analysis, containment, eradication, recovery.

Section 9.3.8.5

1 controls

Controls in the Section 9.3.8.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-5	Incident Monitoring	Track and document incidents.

Section 9.3.8.6

1 controls

Controls in the Section 9.3.8.6 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-6	Incident Reporting	Require personnel to report incidents to organizational authorities within FedRAMP timeframe; report to FedRAMP PMO and...

Section 9.3.8.7

1 controls

Controls in the Section 9.3.8.7 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-7	Incident Response Assistance	Provide IR support resource (help desk, support group) for incident handling assistance.

Section 9.3.8.8

1 controls

Controls in the Section 9.3.8.8 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
IR-8	Incident Response Plan	Develop and implement IRP; review and update annually; distribute.

Section 9.3.9.1

1 controls

Controls in the Section 9.3.9.1 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MA-1	Policy and Procedures	Develop and review maintenance policy at least annually.

Section 9.3.9.2

1 controls

Controls in the Section 9.3.9.2 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MA-2	Controlled Maintenance	Schedule, document, review records of maintenance, repair, replacement of components.

Section 9.3.9.3

1 controls

Controls in the Section 9.3.9.3 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MA-3	Maintenance Tools	Approve, control, monitor use of maintenance tools.

Section 9.3.9.4

1 controls

Controls in the Section 9.3.9.4 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MA-4	Nonlocal Maintenance	Approve and monitor nonlocal maintenance activities; use strong authentication.

Section 9.3.9.5

1 controls

Controls in the Section 9.3.9.5 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
MA-5	Maintenance Personnel	Establish process for authorizing maintenance personnel; maintain list of authorized personnel; supervise unauthorized.

Section 9.4 / Exhibit 16

1 controls

Controls in the Section 9.4 / Exhibit 16 domain of IRS Publication 1075 — 1 controls
Code	Title	Description
PUB1075-CLOUD-FEDRAMP	Cloud Computing and FedRAMP	FTI may only be processed in cloud environments meeting FedRAMP Moderate (or higher) authorization; obtain CSP Pub 1075...

Your Compliance Coverage

If you comply with IRS Publication 1075, you already cover:

Australia eSafety Commissioner — Online Safety Expectations for Industry

7 controls mapped

Compare →

GLI-33 — Gaming Laboratories International Event Wagering Systems

7 controls mapped

Compare →

Singapore Government Instruction Manual on ICT&SS Management (IM8)

6 controls mapped

Compare →

+ 615 more: ASEAN Data Management Framework (3%), NIST SP 800-190 (3%)

See all 618 mapped frameworks ↓

Maps to 618 other frameworks

176 total controls

Australia eSafety Commissioner — Online Safety Expectations for Industry

7 source controls mapped|8 target controls covered

GLI-33 — Gaming Laboratories International Event Wagering Systems

7 source controls mapped|7 target controls covered

Singapore Government Instruction Manual on ICT&SS Management (IM8)

6 source controls mapped|5 target controls covered

ASEAN Data Management Framework

6 source controls mapped|7 target controls covered

NIST SP 800-190

6 source controls mapped|4 target controls covered

NIST SP 800-144

6 source controls mapped|4 target controls covered

New Zealand Information Security Manual (NZISM)

6 source controls mapped|6 target controls covered

NIST SP 800-146

6 source controls mapped|4 target controls covered

ISO 27017

6 source controls mapped|4 target controls covered

AWS Well-Architected Security Pillar

6 source controls mapped|4 target controls covered

C5 (Germany)

6 source controls mapped|4 target controls covered

Azure Security Benchmark

6 source controls mapped|5 target controls covered

Notifiable Data Breaches Scheme (Australia)

6 source controls mapped|8 target controls covered

EU Digital Markets Act

6 source controls mapped|7 target controls covered

FTC Health Breach Notification Rule

6 source controls mapped|9 target controls covered

UK Product Security and Telecommunications Infrastructure Act (PSTI)

6 source controls mapped|7 target controls covered

EAR — Export Administration Regulations

6 source controls mapped|7 target controls covered

European Accessibility Act (Directive (EU) 2019/882)

6 source controls mapped|8 target controls covered

Regulation (EU) 2023/1115 on deforestation-free supply chains

6 source controls mapped|7 target controls covered

Ontario Accessibility for Ontarians with Disabilities Act (AODA) — IASR Web Standard

6 source controls mapped|7 target controls covered

NIS2 Directive (Directive (EU) 2022/2555)

6 source controls mapped|7 target controls covered

US ITAR and EAR — Export Control and Data Security

6 source controls mapped|7 target controls covered

US SEC Digital Assets and Crypto Regulatory Framework

6 source controls mapped|10 target controls covered

Australia Consumer Data Right — Banking (CDR)

6 source controls mapped|7 target controls covered

NIST SP 800-145

6 source controls mapped|4 target controls covered

ISMAP (Japan)

6 source controls mapped|4 target controls covered

ISO 27018

6 source controls mapped|4 target controls covered

CAIQ (CSA)

6 source controls mapped|4 target controls covered

MTCS (Singapore)

6 source controls mapped|4 target controls covered

Oman National Cybersecurity Framework

5 source controls mapped|4 target controls covered

CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines

5 source controls mapped|4 target controls covered

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

5 source controls mapped|5 target controls covered

Canada ITSG-33 — IT Security Risk Management

5 source controls mapped|7 target controls covered

MARS-E — Minimum Acceptable Risk Standards for Exchanges

5 source controls mapped|5 target controls covered

South Korea Cloud Security Assurance Program (CSAP)

5 source controls mapped|5 target controls covered

NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity

5 source controls mapped|7 target controls covered

C2M2

5 source controls mapped|5 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

5 source controls mapped|3 target controls covered

NIS2 Directive

5 source controls mapped|7 target controls covered

FedRAMP Rev 5

5 source controls mapped|10 target controls covered

NIST Cybersecurity Framework 2.0

5 source controls mapped|5 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

5 source controls mapped|6 target controls covered

RBI Cybersecurity Framework for Banks

5 source controls mapped|6 target controls covered

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

5 source controls mapped|6 target controls covered

South Korea ISMS-P

5 source controls mapped|3 target controls covered

NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements

5 source controls mapped|5 target controls covered

CIS Controls v8

5 source controls mapped|9 target controls covered

US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule

5 source controls mapped|3 target controls covered

IAEA Nuclear Security Series — Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

5 source controls mapped|6 target controls covered

CSA CCM v4

5 source controls mapped|4 target controls covered

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)

5 source controls mapped|5 target controls covered

CSA STAR (Security, Trust, Assurance, and Risk)

5 source controls mapped|5 target controls covered

ILO Nursing Personnel Convention C149 (1977)

5 source controls mapped|5 target controls covered

6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673)

5 source controls mapped|7 target controls covered

ISO 8000 — Data Quality

5 source controls mapped|5 target controls covered

FATF Recommendation 16 — Virtual Asset Travel Rule

5 source controls mapped|5 target controls covered

Privacy by Design (PbD) — Seven Foundational Principles

5 source controls mapped|3 target controls covered

BS 65000:2014 — Guidance on Organizational Resilience

5 source controls mapped|3 target controls covered

UK Telecommunications (Security) Act 2021

5 source controls mapped|6 target controls covered

EIOPA Guidelines on ICT Security and Governance (2023)

5 source controls mapped|4 target controls covered

TISAX — Trusted Information Security Assessment Exchange

5 source controls mapped|4 target controls covered

Telecommunications Sector Security Reforms (TSSR)

5 source controls mapped|4 target controls covered

Defence Security Principles Framework (DSPF)

5 source controls mapped|7 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

5 source controls mapped|6 target controls covered

NIST SP 800-82 Rev 3 — Guide to OT Security

5 source controls mapped|6 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

5 source controls mapped|4 target controls covered

Modern Slavery Act 2018 (Australia)

4 source controls mapped|9 target controls covered

DFARS 252.204-7012 — Safeguarding Covered Defense Information

4 source controls mapped|6 target controls covered

Connecticut Data Privacy Act (CTDPA)

4 source controls mapped|7 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

4 source controls mapped|6 target controls covered

NAIC Insurance Data Security Model Law (MDL-668)

4 source controls mapped|10 target controls covered

TNFD Recommendations

4 source controls mapped|6 target controls covered

AASB S2 Climate-related Disclosures

4 source controls mapped|6 target controls covered

US OFAC Sanctions Compliance Framework

4 source controls mapped|5 target controls covered

Ghana Cybersecurity Act

4 source controls mapped|4 target controls covered

API 1164

4 source controls mapped|3 target controls covered

Spain ENS

4 source controls mapped|3 target controls covered

NIST SP 800-172

4 source controls mapped|3 target controls covered

DoD Zero Trust Reference Architecture

4 source controls mapped|3 target controls covered

ANSSI Cybersecurity Framework

4 source controls mapped|3 target controls covered

BSI IT-Grundschutz

4 source controls mapped|3 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

4 source controls mapped|6 target controls covered

NIST AI 600-1 Generative AI Profile

4 source controls mapped|6 target controls covered

NIST SP 1800-32

4 source controls mapped|3 target controls covered

Cyber Essentials Plus

4 source controls mapped|3 target controls covered

CISA Zero Trust Maturity Model

4 source controls mapped|3 target controls covered

C-TPAT — Customs-Trade Partnership Against Terrorism

4 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5

4 source controls mapped|4 target controls covered

FTC Safeguards Rule (16 CFR Part 314)

4 source controls mapped|5 target controls covered

EU AI Act

4 source controls mapped|5 target controls covered

DO-326A / ED-202A

4 source controls mapped|3 target controls covered

Australian Energy Sector Cyber Security Framework (AESCSF)

4 source controls mapped|5 target controls covered

ISO 27019

4 source controls mapped|3 target controls covered

IEC 62443

4 source controls mapped|3 target controls covered

Canada Artificial Intelligence and Data Act (AIDA)

4 source controls mapped|3 target controls covered

UK Defence Standard 05-138 — Cyber Security for Defence Suppliers

4 source controls mapped|3 target controls covered

NIST SP 800-171

4 source controls mapped|4 target controls covered

UAE Virtual Asset Regulatory Authority (VARA) Regulations

4 source controls mapped|3 target controls covered

IEEE 1686

4 source controls mapped|3 target controls covered

FISMA

4 source controls mapped|3 target controls covered

COPPA

4 source controls mapped|5 target controls covered

NIST SP 800-53A

4 source controls mapped|4 target controls covered

FedRAMP High

4 source controls mapped|4 target controls covered

NIST SP 800-53 Rev 5 HIGH

4 source controls mapped|4 target controls covered

FedRAMP Moderate

4 source controls mapped|4 target controls covered

South Korea PIPA

4 source controls mapped|3 target controls covered

WCO Authorised Economic Operator (AEO) Framework

4 source controls mapped|4 target controls covered

LGPD

4 source controls mapped|3 target controls covered

MTCS — Multi-Tier Cloud Security (Singapore)

4 source controls mapped|4 target controls covered

Belgium CyberFundamentals

4 source controls mapped|3 target controls covered

BIMCO Cyber Security

4 source controls mapped|3 target controls covered

NERC CIP

4 source controls mapped|2 target controls covered

Saudi NCA ECC

4 source controls mapped|3 target controls covered

TSA Pipeline Security

4 source controls mapped|4 target controls covered

UK Data Protection Act 2018

4 source controls mapped|3 target controls covered

TSA Pipeline Cybersecurity Directives

4 source controls mapped|3 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

4 source controls mapped|6 target controls covered

Florida Digital Bill of Rights (SB 262)

4 source controls mapped|3 target controls covered

German Supply Chain Due Diligence Act (LkSG)

3 source controls mapped|4 target controls covered

UK Modern Slavery Act 2015

3 source controls mapped|4 target controls covered

AML/CTF Act 2006 (Australia)

3 source controls mapped|4 target controls covered

UNESCO Recommendation on the Ethics of AI

3 source controls mapped|3 target controls covered

Voluntary Principles on Security and Human Rights (VPs)

3 source controls mapped|5 target controls covered

OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (2023 Update)

3 source controls mapped|4 target controls covered

ILO Tripartite Declaration of Principles concerning Multinational Enterprises (MNE Declaration)

3 source controls mapped|4 target controls covered

COSO Internal Control — Integrated Framework (2013)

3 source controls mapped|4 target controls covered

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

3 source controls mapped|6 target controls covered

Malaysia PDPA 2010

3 source controls mapped|2 target controls covered

China PIPL

3 source controls mapped|2 target controls covered

Bahrain PDPL

3 source controls mapped|2 target controls covered

IEEE 7000

3 source controls mapped|2 target controls covered

ASIS SPC.1-2009 — Organizational Resilience Standard

3 source controls mapped|2 target controls covered

EN 50126, EN 50128, and EN 50129 — Railway Applications - Reliability, Availability, Maintainability and Safety (RAMS)

3 source controls mapped|5 target controls covered

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)

3 source controls mapped|4 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

3 source controls mapped|2 target controls covered

AS9100D — Aerospace Quality Management System

3 source controls mapped|3 target controls covered

ISO/IEC 27003:2017

3 source controls mapped|3 target controls covered

China AI Regulations

3 source controls mapped|2 target controls covered

CTDPA (Connecticut Data Privacy Act)

3 source controls mapped|2 target controls covered

ISO/IEC 29147:2018

3 source controls mapped|4 target controls covered

Nigeria NDPR

3 source controls mapped|2 target controls covered

NIST SP 800-122

3 source controls mapped|2 target controls covered

ISO/IEC 23894:2023

3 source controls mapped|6 target controls covered

POPIA

3 source controls mapped|2 target controls covered

FERPA

3 source controls mapped|2 target controls covered

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

3 source controls mapped|2 target controls covered

Union Customs Code (UCC) - Regulation (EU) No 952/2013

3 source controls mapped|4 target controls covered

CCPA/CPRA

3 source controls mapped|2 target controls covered

PCAOB AS 2201 — Audit of Internal Control Over Financial Reporting (ICFR)

3 source controls mapped|5 target controls covered

Nebraska Data Privacy Act

3 source controls mapped|2 target controls covered

FBI CJIS Security Policy

3 source controls mapped|3 target controls covered

OECD AI Principles

3 source controls mapped|2 target controls covered

EU NIS2 Directive — Transport Sector Requirements

3 source controls mapped|3 target controls covered

AS9100D:2016 — Quality Management Systems for Aviation, Space, and Defence

3 source controls mapped|2 target controls covered

PDPA Singapore

3 source controls mapped|2 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|2 target controls covered

Kenya DPA

3 source controls mapped|2 target controls covered

Kenya Data Protection Act

3 source controls mapped|2 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

3 source controls mapped|5 target controls covered

New Zealand Privacy Act

3 source controls mapped|2 target controls covered

New Hampshire Privacy Act

3 source controls mapped|2 target controls covered

APPI

3 source controls mapped|2 target controls covered

BREEAM — Building Research Establishment Environmental Assessment Method

3 source controls mapped|2 target controls covered

AICPA Privacy Management Framework (PMF)

3 source controls mapped|3 target controls covered

ISO 42001

3 source controls mapped|2 target controls covered

Switzerland FADP

3 source controls mapped|2 target controls covered

GAMP 5 — Good Automated Manufacturing Practice

3 source controls mapped|5 target controls covered

FAA Cybersecurity Framework for Aviation

3 source controls mapped|8 target controls covered

Liechtenstein DPA

3 source controls mapped|2 target controls covered

IATF 16949:2016 — Quality Management System for Automotive Production

3 source controls mapped|4 target controls covered

Colorado Privacy Act

3 source controls mapped|2 target controls covered

South Korea Personal Information Protection Act (PIPA)

3 source controls mapped|6 target controls covered

ISO/IEC 27031:2011

3 source controls mapped|2 target controls covered

Privacy Act 1988 (Australia)

3 source controls mapped|2 target controls covered

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

3 source controls mapped|5 target controls covered

Kuwait National Cybersecurity Framework

3 source controls mapped|5 target controls covered

ISO 41001:2018 — Facility Management Systems

3 source controls mapped|4 target controls covered

ISO 39001:2012 — Road Traffic Safety Management

3 source controls mapped|4 target controls covered

ISO 50001:2018 — Energy Management Systems

3 source controls mapped|4 target controls covered

ISO 22313:2020 — Guidance on Business Continuity Management Systems

3 source controls mapped|4 target controls covered

India DPDP Act

3 source controls mapped|2 target controls covered

China Personal Information Protection Law (PIPL)

3 source controls mapped|4 target controls covered

Oregon Consumer Privacy Act

3 source controls mapped|2 target controls covered

Mauritius DPA

3 source controls mapped|2 target controls covered

Chile DPL

3 source controls mapped|2 target controls covered

Jamaica DPA

3 source controls mapped|2 target controls covered

ISO 27701

3 source controls mapped|2 target controls covered

Peru DPL

3 source controls mapped|2 target controls covered

ISO/IEC 29134:2023

3 source controls mapped|5 target controls covered

ISO/IEC 27014:2020

3 source controls mapped|4 target controls covered

NIST SP 800-53 Rev 5 MODERATE

3 source controls mapped|3 target controls covered

NIST SP 800-53 Rev 5 LOW

3 source controls mapped|3 target controls covered

Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data

3 source controls mapped|2 target controls covered

Delaware Online Privacy and Protection Act (proposed)

3 source controls mapped|2 target controls covered

Bermuda Personal Information Protection Act 2016 (PIPA)

3 source controls mapped|3 target controls covered

Barbados Data Protection Act 2019

3 source controls mapped|2 target controls covered

Iowa Consumer Data Protection Act

3 source controls mapped|2 target controls covered

NIS2 Directive Implementing Acts

3 source controls mapped|5 target controls covered

ISO 13485

3 source controls mapped|2 target controls covered

Qatar DPL

3 source controls mapped|2 target controls covered

PDPA Thailand

3 source controls mapped|2 target controls covered

Maryland Online Data Privacy Act

3 source controls mapped|2 target controls covered

Mexico LFPDPPP

3 source controls mapped|2 target controls covered

PIPEDA

3 source controls mapped|2 target controls covered

Norway PDPA

3 source controls mapped|2 target controls covered

ISO/IEC 27557:2022 — Organisational Privacy Risk Management

3 source controls mapped|6 target controls covered

Kentucky Consumer Data Protection Act

3 source controls mapped|2 target controls covered

ISO 45001

3 source controls mapped|2 target controls covered

3GPP Security Architecture (TS 33.501 — 5G Security)

3 source controls mapped|6 target controls covered

Australia AI Ethics Framework

3 source controls mapped|2 target controls covered

ISO 22000

3 source controls mapped|2 target controls covered

SQF Code Edition 9 — Safe Quality Food

3 source controls mapped|3 target controls covered

GDPR

3 source controls mapped|3 target controls covered

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

3 source controls mapped|6 target controls covered

UAE Federal Data Protection Law

3 source controls mapped|3 target controls covered

Saudi PDPL

3 source controls mapped|2 target controls covered

DORA

3 source controls mapped|5 target controls covered

Indiana Consumer Data Protection Act

3 source controls mapped|2 target controls covered

Turkey KVKK

3 source controls mapped|2 target controls covered

Montana Consumer Data Privacy Act

3 source controls mapped|2 target controls covered

Iceland DPA

3 source controls mapped|2 target controls covered

EU GMP Annex 11: Computerised Systems

3 source controls mapped|4 target controls covered

Florida Digital Bill of Rights (FDBR)

3 source controls mapped|4 target controls covered

Vietnam PDPD

3 source controls mapped|2 target controls covered

Japan AI Guidelines

3 source controls mapped|2 target controls covered

EMV 3-D Secure (3DS2) — Payment Authentication Protocol

3 source controls mapped|4 target controls covered

New Jersey Data Privacy Act

3 source controls mapped|2 target controls covered

Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct

3 source controls mapped|2 target controls covered

Law No. 172-13 on the Protection of Personal Data

3 source controls mapped|2 target controls covered

Brazil AI Framework

3 source controls mapped|2 target controls covered

Argentina PDPA

3 source controls mapped|2 target controls covered

NIST Privacy Framework 1.0

3 source controls mapped|2 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

3 source controls mapped|2 target controls covered

Philippines DPA

3 source controls mapped|2 target controls covered

Chile Personal Data Protection Law (Law No. 21.719)

3 source controls mapped|4 target controls covered

ISO 26262:2018 — Functional Safety for Road Vehicles

3 source controls mapped|2 target controls covered

Indonesia PDP Law

3 source controls mapped|2 target controls covered

Minnesota Consumer Data Privacy Act

3 source controls mapped|2 target controls covered

Utah Consumer Privacy Act

3 source controls mapped|2 target controls covered

Trinidad and Tobago Data Protection Act 2011

3 source controls mapped|5 target controls covered

Czech Republic Act on the Protection of Personal Data (Act No. 110/2019 Coll.)

3 source controls mapped|5 target controls covered

Botswana Data Protection Act (2024)

3 source controls mapped|6 target controls covered

UK GDPR (UK General Data Protection Regulation)

3 source controls mapped|2 target controls covered

UK Online Safety Act 2023

3 source controls mapped|6 target controls covered

SSAE 18 — Attestation Standards (SOC Reporting)

3 source controls mapped|5 target controls covered

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

3 source controls mapped|2 target controls covered

Tennessee IPA

3 source controls mapped|2 target controls covered

UAE PDPL

3 source controls mapped|2 target controls covered

Laos Law on Prevention and Combating Cybercrime (2015)

3 source controls mapped|6 target controls covered

French Sapin II Law (Law No. 2016-1691)

3 source controls mapped|3 target controls covered

Singapore Cybersecurity Act 2018

3 source controls mapped|2 target controls covered

Texas Data Privacy Act

3 source controls mapped|2 target controls covered

Rwanda DPL

3 source controls mapped|2 target controls covered

Taiwan PDPA

3 source controls mapped|2 target controls covered

CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)

3 source controls mapped|2 target controls covered

UK AI Regulation Framework

3 source controls mapped|2 target controls covered

Uruguay DPL

3 source controls mapped|2 target controls covered

Singapore AI Governance Framework

3 source controls mapped|2 target controls covered

Saudi Arabia PDPL

3 source controls mapped|2 target controls covered

UK Age Appropriate Design Code (Children's Code)

3 source controls mapped|2 target controls covered

UNICEF Policy Guidance on AI for Children (2021)

3 source controls mapped|1 target controls covered

Virginia CDPA

3 source controls mapped|2 target controls covered

IAIS Insurance Core Principles (ICPs)

3 source controls mapped|2 target controls covered

SWIFT Customer Security Programme (CSP)

3 source controls mapped|3 target controls covered

ASIC Cyber Resilience Good Practices

3 source controls mapped|3 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114)

3 source controls mapped|5 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA)

3 source controls mapped|6 target controls covered

Spain Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD)

3 source controls mapped|4 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

3 source controls mapped|3 target controls covered

ISO/IEC 27006:2024

3 source controls mapped|4 target controls covered

ISO/IEC 27400:2022

3 source controls mapped|4 target controls covered

UK Gambling Commission — Cyber Resilience Requirements

3 source controls mapped|5 target controls covered

EU Medical Devices Regulation (MDR 2017/745)

3 source controls mapped|6 target controls covered

ISO 28001:2007 Supply Chain Security Management

3 source controls mapped|3 target controls covered

ASD Information Security Manual (ISM)

3 source controls mapped|3 target controls covered

US NRC 10 CFR 73.54 — Cyber Security for Nuclear Power Plants

3 source controls mapped|4 target controls covered

EU Taxonomy Regulation

2 source controls mapped|6 target controls covered

South Africa Promotion of Access to Information Act (PAIA)

2 source controls mapped|2 target controls covered

Sweden Data Protection Act (Dataskyddslag, 2018:218)

2 source controls mapped|2 target controls covered

ISO 20400:2017 — Sustainable Procurement

2 source controls mapped|3 target controls covered

EU Better Internet for Kids (BIK+) Strategy

2 source controls mapped|3 target controls covered

SASB Standards (ISSB Integrated)

2 source controls mapped|2 target controls covered

SASB Standards

2 source controls mapped|2 target controls covered

Critical Infrastructure Risk Management Program (CIRMP) Rules 2023

2 source controls mapped|3 target controls covered

MARS-E

2 source controls mapped|1 target controls covered

ISO 27799

2 source controls mapped|1 target controls covered

EASA Part-IS — Information Security in Aviation

2 source controls mapped|2 target controls covered

NIST SP 800-37

2 source controls mapped|3 target controls covered

IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems

2 source controls mapped|1 target controls covered

ISO 31000

2 source controls mapped|3 target controls covered

China Data Security Law (DSL)

2 source controls mapped|3 target controls covered

India CERT-In Cyber Security Directions 2022

2 source controls mapped|1 target controls covered

GLOBALG.A.P. Integrated Farm Assurance (IFA) Standard v6

2 source controls mapped|2 target controls covered

COSO ERM

2 source controls mapped|3 target controls covered

MDS2 (Medical Device)

2 source controls mapped|1 target controls covered

ISO 27005

2 source controls mapped|3 target controls covered

Lloyd's of London Cyber Insurance Requirements and Underwriting Standards

2 source controls mapped|2 target controls covered

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

2 source controls mapped|3 target controls covered

FSSC 22000 — Food Safety System Certification

2 source controls mapped|2 target controls covered

Nevada Gaming Control Board Cybersecurity Requirements

2 source controls mapped|3 target controls covered

Lloyd's Minimum Standards — Cyber Security

2 source controls mapped|3 target controls covered

NFPA 1600 — Standard on Continuity, Emergency, and Crisis Management

2 source controls mapped|1 target controls covered

CDP (formerly Carbon Disclosure Project)

2 source controls mapped|3 target controls covered

NIST SP 800-30

2 source controls mapped|3 target controls covered

ASEAN Guide on AI Governance and Ethics

2 source controls mapped|1 target controls covered

APRA CPS 230 Operational Risk Management

2 source controls mapped|1 target controls covered

Authorised Economic Operator (AEO) Programmes — Global Standards

2 source controls mapped|1 target controls covered

FDA 21 CFR Part 11

2 source controls mapped|1 target controls covered

Colorado Privacy Act (CPA)

2 source controls mapped|1 target controls covered

IRM Enterprise Risk Management Framework (Institute of Risk Management)

2 source controls mapped|3 target controls covered

EU Digital Services Act

2 source controls mapped|2 target controls covered

NIST SP 800-39

2 source controls mapped|3 target controls covered

US Consumer Product Safety Commission (CPSC) — Connected Product Safety

2 source controls mapped|1 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

2 source controls mapped|2 target controls covered

NIST Privacy Framework Version 1.0

2 source controls mapped|1 target controls covered

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

2 source controls mapped|3 target controls covered

Customs-Trade Partnership Against Terrorism (C-TPAT)

2 source controls mapped|3 target controls covered

Critical Raw Materials Act (Proposed Regulation COM(2023) 192)

2 source controls mapped|3 target controls covered

EU Chips Act (Regulation (EU) 2023/1781) — potential incorrect regulation number

2 source controls mapped|3 target controls covered

Equator Principles (EP4, 2020)

2 source controls mapped|1 target controls covered

Australia IRAP — Information Security Registered Assessors Program

2 source controls mapped|1 target controls covered

NIST SP 800-66

2 source controls mapped|1 target controls covered

APRA CPS 220 Risk Management

2 source controls mapped|1 target controls covered

Colorado Artificial Intelligence Act (proposed SB 24-205)

2 source controls mapped|1 target controls covered

Nigeria Open Banking Regulatory Framework (CBN, 2023)

2 source controls mapped|1 target controls covered

Korea PIPA

2 source controls mapped|1 target controls covered

Japan APPI

2 source controls mapped|1 target controls covered

Own Risk and Solvency Assessment (ORSA) — NAIC Model Act

2 source controls mapped|3 target controls covered

Vermont Artificial Intelligence and Consumer Data Act (AICDA)

2 source controls mapped|1 target controls covered

BSI C5 — Cloud Computing Compliance Criteria Catalogue

2 source controls mapped|1 target controls covered

Responsible Minerals Initiative (RMI) — Responsible Minerals Assurance Process

2 source controls mapped|3 target controls covered

APRA SPS 220 Risk Management (Superannuation)

2 source controls mapped|1 target controls covered

UK Security and Emergency Measures Direction (SEMD) — Water Industry

2 source controls mapped|1 target controls covered

Zambia Data Protection Act (2021)

2 source controls mapped|1 target controls covered

SEC Climate Disclosure Rule

2 source controls mapped|1 target controls covered

UK FCA/PRA Operational Resilience Framework

2 source controls mapped|1 target controls covered

SOC for Cybersecurity — Cybersecurity Risk Management Examination

2 source controls mapped|1 target controls covered

Security of Critical Infrastructure Act 2018 (SOCI)

2 source controls mapped|1 target controls covered

TEFCA — Trusted Exchange Framework and Common Agreement

2 source controls mapped|2 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

2 source controls mapped|2 target controls covered

FFIEC Cybersecurity Assessment Tool (CAT)

2 source controls mapped|1 target controls covered

NATO AQAP 2110 — Quality Assurance Requirements for Design, Development, and Production

2 source controls mapped|1 target controls covered

NIST SP 800-171A — Assessing CUI Security Requirements

2 source controls mapped|1 target controls covered

DISA Security Technical Implementation Guides (STIGs)

2 source controls mapped|1 target controls covered

PropTech Security Standards — Smart Building Cybersecurity

2 source controls mapped|1 target controls covered

Australian Information Security Manual

2 source controls mapped|1 target controls covered

ISO 27001:2022

2 source controls mapped|1 target controls covered

ISO 14001

2 source controls mapped|2 target controls covered

EU Machinery Regulation (Regulation (EU) 2023/1230)

2 source controls mapped|5 target controls covered

EDM Council CDMC — Cloud Data Management Capability Framework

2 source controls mapped|4 target controls covered

Proposal for a Regulation on the European Health Data Space (EHDS)

2 source controls mapped|2 target controls covered

NIST SP 800-34 Rev 1 — Contingency Planning Guide

2 source controls mapped|3 target controls covered

EDM Council DCAM — Data Management Capability Assessment Model

2 source controls mapped|4 target controls covered

US Children's Online Privacy Protection Act (COPPA) and COPPA 2.0 Proposed Updates

2 source controls mapped|4 target controls covered

Online Safety Act 2021 (Australia)

2 source controls mapped|4 target controls covered

OECD AI Principles (2024 Update)

1 source controls mapped|2 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

1 source controls mapped|3 target controls covered

ISO 26000:2010

1 source controls mapped|3 target controls covered

ICMM Mining Principles (2024 Update)

1 source controls mapped|1 target controls covered

UN Guiding Principles on Business and Human Rights (UNGPs)

1 source controls mapped|3 target controls covered

ILO Declaration on Fundamental Principles and Rights at Work (Core Conventions)

1 source controls mapped|3 target controls covered

Ethical Trading Initiative (ETI) Base Code

1 source controls mapped|1 target controls covered

TCFD Recommendations

1 source controls mapped|1 target controls covered

Global Cross-Border Privacy Rules (Global CBPR) Forum

1 source controls mapped|1 target controls covered

Philippines Data Privacy Act (RA 10173)

1 source controls mapped|1 target controls covered

GRI Standards

1 source controls mapped|1 target controls covered

ISSB Standards

1 source controls mapped|1 target controls covered

CSRD

1 source controls mapped|1 target controls covered

FATF 40 Recommendations

1 source controls mapped|1 target controls covered

EU SFDR (Sustainable Finance Disclosure Regulation)

1 source controls mapped|1 target controls covered

APEC Cross-Border Privacy Rules (CBPR) System

1 source controls mapped|1 target controls covered

ISO/IEC 30111:2019

1 source controls mapped|3 target controls covered

ISO/IEC 27011:2024

1 source controls mapped|3 target controls covered

3GPP 5G Security Architecture (TS 33.501)

1 source controls mapped|2 target controls covered

ISO 19011

1 source controls mapped|3 target controls covered

ISO 15189:2022 — Medical Laboratories Requirements for Quality and Competence

1 source controls mapped|6 target controls covered

Belgium Data Protection Act (Wet van 30 juli 2018, Loi du 30 juillet 2018)

1 source controls mapped|2 target controls covered

3GPP Security

1 source controls mapped|1 target controls covered

21 CFR Part 58 — Good Laboratory Practice (GLP)

1 source controls mapped|2 target controls covered

BRCGS Global Standard for Food Safety Issue 9

1 source controls mapped|3 target controls covered

IEC 62351 — Power Systems Communication Security

1 source controls mapped|1 target controls covered

FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)

1 source controls mapped|3 target controls covered

EU ePrivacy Directive (2002/58/EC)

1 source controls mapped|4 target controls covered

IFRS 17 — Insurance Contracts

1 source controls mapped|2 target controls covered

EU Carbon Border Adjustment Mechanism (CBAM)

1 source controls mapped|4 target controls covered

EU Cyber Solidarity Act (Regulation (EU) 2025/38)

1 source controls mapped|4 target controls covered

EU Digital Services Act (Regulation (EU) 2022/2065)

1 source controls mapped|1 target controls covered

EU Energy Performance of Buildings Directive (EPBD Recast) – Draft Directive (2023/0317 COD)

1 source controls mapped|3 target controls covered

EU European Media Freedom Act (EMFA)

1 source controls mapped|5 target controls covered

EU Maritime Single Window Environment Regulation (EU) 2019/1239

1 source controls mapped|5 target controls covered

EU Pay Transparency Directive (Directive (EU) 2023/970)

1 source controls mapped|6 target controls covered

Proposal for a Directive on improving working conditions in platform work (COM(2023) 491)

1 source controls mapped|6 target controls covered

EU Product Liability Directive (Directive (EU) 2023/2845)

1 source controls mapped|6 target controls covered

EU Seveso III Directive (Directive 2012/18/EU)

1 source controls mapped|5 target controls covered

EU Taxonomy Regulation (Regulation 2020/852)

1 source controls mapped|4 target controls covered

EU Taxonomy for Sustainable Activities (Regulation 2020/852)

1 source controls mapped|2 target controls covered

eIDAS 2.0 — EU Digital Identity Regulation

1 source controls mapped|3 target controls covered

MiFID II / MiFIR

1 source controls mapped|1 target controls covered

Egypt Personal Data Protection Law (Law No. 151 of 2020)

1 source controls mapped|6 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

1 source controls mapped|4 target controls covered

Costa Rica Personal Data Protection Law (Law No. 8968) as amended by Executive Decree No. 42089-MGP

1 source controls mapped|4 target controls covered

Turkey Personal Data Protection Law (KVKK — Law No. 6698)

1 source controls mapped|4 target controls covered

Ethiopia Personal Data Protection Proclamation (No. 1321/2024)

1 source controls mapped|4 target controls covered

Côte d'Ivoire Law No. 2013-450 on the Protection of Personal Data

1 source controls mapped|3 target controls covered

Kazakhstan Law on Personal Data and Their Protection (No. 94-V)

1 source controls mapped|4 target controls covered

Uzbekistan Law on Personal Data (No. ZRU-547)

1 source controls mapped|4 target controls covered

Georgia Law on Personal Data Protection (2012)

1 source controls mapped|4 target controls covered

Colombia Data Protection Law (Law 1581 of 2012)

1 source controls mapped|4 target controls covered

Panama Law on Personal Data Protection (Law No. 81 of 2019)

1 source controls mapped|4 target controls covered

Portugal Law No. 58/2019 — Data Protection Implementation Act

1 source controls mapped|6 target controls covered

Montenegro Law on Personal Data Protection (2023)

1 source controls mapped|6 target controls covered

North Macedonia Law on Personal Data Protection (2020)

1 source controls mapped|5 target controls covered

Iceland Data Protection and Processing of Personal Data Act (Act No. 90/2018)

1 source controls mapped|6 target controls covered

Uruguay Personal Data Protection Act (Law No. 18.331)

1 source controls mapped|5 target controls covered

Serbia Law on Personal Data Protection (2018)

1 source controls mapped|4 target controls covered

Lithuania Law on Legal Protection of Personal Data (2018)

1 source controls mapped|2 target controls covered

Romania Law No. 190/2018 on Data Protection Measures (GDPR Implementation)

1 source controls mapped|6 target controls covered

Malta Data Protection Act (Cap. 586, 2018)

1 source controls mapped|6 target controls covered

Oman Personal Data Protection Law (Royal Decree 6/2022)

1 source controls mapped|4 target controls covered

Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)

1 source controls mapped|4 target controls covered

Cambodia Sub-Decree on Personal Data Protection (Sub-Decree No. 134)

1 source controls mapped|6 target controls covered

UNCITRAL Model Law on Electronic Commerce (1996, updated 2005)

1 source controls mapped|4 target controls covered

Brazil Open Finance (Resolução Conjunta No. 1/2020)

1 source controls mapped|5 target controls covered

South Korea Korea Internet Self-Governance Organisation (KISO) Code of Ethics

1 source controls mapped|5 target controls covered

Australia NHMRC National Statement on Ethical Conduct in Human Research

1 source controls mapped|2 target controls covered

SWIFT CSCF v2024

1 source controls mapped|3 target controls covered

EU AI Liability Directive

1 source controls mapped|4 target controls covered

EU Audiovisual Media Services Directive (AVMSD, Directive 2010/13/EU as amended by Directive 2018/1808 and Directive (EU) 2023/2586)

1 source controls mapped|2 target controls covered

Cook Islands Electronic Transactions Act 2003

1 source controls mapped|3 target controls covered

US Americans with Disabilities Act (ADA) — Title III Digital Accessibility

1 source controls mapped|3 target controls covered

EU Network Code on Cybersecurity for the Electricity Sector

1 source controls mapped|3 target controls covered

EU General Product Safety Regulation (GPSR, Regulation 2023/988)

1 source controls mapped|5 target controls covered

Digital Services Act (DSA) - Regulation (EU) 2022/2065

1 source controls mapped|3 target controls covered

Paraguay Law on Protection of Personal Data (Law No. 6534/2020)

1 source controls mapped|4 target controls covered

Jordan Draft Personal Data Protection Law (2022)

1 source controls mapped|4 target controls covered

EU In Vitro Diagnostic Medical Devices Regulation (IVDR)

1 source controls mapped|2 target controls covered

Luxembourg Law of 1 August 2018 on Data Protection (GDPR Implementation)

1 source controls mapped|5 target controls covered

Japan Act on Specified Commercial Transactions (ASCT) — Digital Services

1 source controls mapped|5 target controls covered

Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

1 source controls mapped|4 target controls covered

EU Web Accessibility Directive (Directive 2016/2102)

1 source controls mapped|3 target controls covered

African Union Malabo Convention

1 source controls mapped|3 target controls covered

Lebanon Electronic Transactions and Personal Data Protection Law (Law No. 81/2018)

1 source controls mapped|2 target controls covered

Tunisia Organic Law on Personal Data Protection (Law No. 2004-63)

1 source controls mapped|2 target controls covered

Senegal Law on Personal Data Protection (Law No. 2008-12)

1 source controls mapped|3 target controls covered

Morocco Data Protection Law (09-08)

1 source controls mapped|4 target controls covered

Peru Personal Data Protection Law (Law No. 29733)

1 source controls mapped|3 target controls covered

Ukraine Law on Personal Data Protection (Law No. 2297-VI)

1 source controls mapped|3 target controls covered

Netherlands GDPR Implementation Act (UAVG — Uitvoeringswet AVG, 2018)

1 source controls mapped|5 target controls covered

Poland Act on Personal Data Protection (Ustawa o ochronie danych osobowych, 2018)

1 source controls mapped|5 target controls covered

Latvia Personal Data Processing Law (Fizisko personu datu apstrades likums, 2018)

1 source controls mapped|7 target controls covered

Finland Data Protection Act (Tietosuojalaki, 1050/2018)

1 source controls mapped|5 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

1 source controls mapped|4 target controls covered

Russia Federal Law on Personal Data (152-FZ)

1 source controls mapped|4 target controls covered

Act on the Implementation of the General Data Protection Regulation (OG 42/2018)

1 source controls mapped|3 target controls covered

Greece Law 4624/2019 — Hellenic Data Protection Authority (HDPA) Implementation Act

1 source controls mapped|2 target controls covered

Fiji Data Protection Bill (2020)

1 source controls mapped|5 target controls covered

Zimbabwe Data Protection Act (2021)

1 source controls mapped|4 target controls covered

Uganda Data Protection and Privacy Act (2019)

1 source controls mapped|4 target controls covered

BSIMM

1 source controls mapped|1 target controls covered

USMCA Chapter 19 — Digital Trade (United States-Mexico-Canada Agreement)

1 source controls mapped|1 target controls covered

OWASP ASVS

1 source controls mapped|1 target controls covered

ISO 20000-1

1 source controls mapped|2 target controls covered

ISO 45001:2018

1 source controls mapped|1 target controls covered

ISO 9001:2015

1 source controls mapped|2 target controls covered

ISO/IEC 42001:2023

1 source controls mapped|2 target controls covered

ISO 22301:2019

1 source controls mapped|2 target controls covered

US Foreign Corrupt Practices Act (FCPA)

1 source controls mapped|1 target controls covered

ISO/IEC 23837 — Security Requirements for Quantum Key Distribution

1 source controls mapped|3 target controls covered

Angola Personal Data Protection Law (Law No. 22/11)

1 source controls mapped|4 target controls covered

ISO/IEC 29115:2023 — Entity Authentication Assurance Framework

1 source controls mapped|1 target controls covered

Armenia Law on Protection of Personal Data (2015)

1 source controls mapped|3 target controls covered

IEC 60601-1 — Medical Electrical Equipment Safety

1 source controls mapped|2 target controls covered

Science Based Targets initiative (SBTi) Corporate Standard

1 source controls mapped|2 target controls covered

ISO/IEC 27007:2020

1 source controls mapped|1 target controls covered

ISO/IEC 29100:2024

1 source controls mapped|3 target controls covered

Italy Personal Data Protection Code (Legislative Decree No. 196/2003, amended 2018)

1 source controls mapped|1 target controls covered

BCBS 239

1 source controls mapped|3 target controls covered

ISO 31000:2018

1 source controls mapped|1 target controls covered

India Account Aggregator Framework (RBI)

1 source controls mapped|1 target controls covered

Kuwait Data Privacy Protection Regulation (KDPPR, 2021 — CMA Directive)

1 source controls mapped|3 target controls covered

ICAO Annex 17 — Aviation Security (AVSEC)

1 source controls mapped|3 target controls covered

Azerbaijan Law on Personal Data (2010)

1 source controls mapped|1 target controls covered

ISO 27002:2022

1 source controls mapped|2 target controls covered

ISO 13485:2016

1 source controls mapped|1 target controls covered

ISO/IEC 27004:2016

1 source controls mapped|3 target controls covered

Bosnia and Herzegovina Law on Protection of Personal Data (2006, amended 2011)

1 source controls mapped|3 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

1 source controls mapped|3 target controls covered

ISO/IEC 27050 — Electronic Discovery (Parts 1-4)

1 source controls mapped|1 target controls covered

PCI DSS 4.0

1 source controls mapped|1 target controls covered

ISO/IEC 38500:2024 — Governance of IT

1 source controls mapped|3 target controls covered

Pakistan Personal Data Protection Bill 2023

1 source controls mapped|3 target controls covered

RICS Professional Standards — Data and Technology in Property

1 source controls mapped|1 target controls covered

South Korea Credit Information Act

1 source controls mapped|1 target controls covered

ISPE GAMP 5 — A Risk-Based Approach to Compliant GxP Computerised Systems

1 source controls mapped|3 target controls covered

Australia My Health Records Act 2012

1 source controls mapped|4 target controls covered

ISO 37000:2021 — Governance of Organizations

1 source controls mapped|3 target controls covered

Cyber Security Act 2024 (Australia)

1 source controls mapped|1 target controls covered

NIST SP 800-124 Rev 2 — Mobile Device Security

1 source controls mapped|3 target controls covered

ETSI ISG QKD - Quantum Key Distribution

1 source controls mapped|3 target controls covered

ICH E6(R2) Good Clinical Practice — Data Integrity and Electronic Systems

1 source controls mapped|1 target controls covered

NATO STANAG 4774/4778 — Confidentiality Metadata Labels

1 source controls mapped|3 target controls covered

ECB TIBER-EU Framework

1 source controls mapped|1 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

1 source controls mapped|2 target controls covered

UK Open Banking Standard

1 source controls mapped|1 target controls covered

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)

1 source controls mapped|1 target controls covered

ICH Q10 — Pharmaceutical Quality System

1 source controls mapped|3 target controls covered

MITRE ATT&CK

1 source controls mapped|1 target controls covered

Virginia Consumer Data Protection Act (VCDPA)

1 source controls mapped|1 target controls covered

COSO Enterprise Risk Management (ERM) Framework (2017)

1 source controls mapped|2 target controls covered

IRS Publication 1075 — Tax Information Security Guidelines

1 source controls mapped|1 target controls covered

Brunei Personal Data Protection Order 2024 (PDPO)

1 source controls mapped|6 target controls covered

Singapore Payment Services Act (PSA) — Digital Payment Token Regulation

1 source controls mapped|5 target controls covered

Singapore Protection from Online Falsehoods and Manipulation Act (POFMA, 2019)

1 source controls mapped|3 target controls covered

Australia Online Safety Act 2021

1 source controls mapped|4 target controls covered

Tanzania Personal Data Protection Act (Draft)

1 source controls mapped|4 target controls covered

Jamaica Data Protection Act 2020

1 source controls mapped|3 target controls covered

Mauritius Data Protection Act 2017

1 source controls mapped|2 target controls covered

Kenya Data Protection Act 2019

1 source controls mapped|3 target controls covered

Ghana Data Protection Act 2012 (Act 843)

1 source controls mapped|2 target controls covered

Cayman Islands Data Protection Act 2017 (DPA)

1 source controls mapped|4 target controls covered

UK Construction (Design and Management) Regulations 2015 (CDM 2015)

1 source controls mapped|3 target controls covered

Denmark Data Protection Act (Databeskyttelsesloven, 2018)

1 source controls mapped|4 target controls covered

MAS TRM

1 source controls mapped|1 target controls covered

SOC 2

1 source controls mapped|2 target controls covered

SSDF (NIST)

1 source controls mapped|1 target controls covered

PCI PIN Security

1 source controls mapped|1 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

1 source controls mapped|1 target controls covered

EU Data Act

1 source controls mapped|2 target controls covered

AICPA SOC 3

1 source controls mapped|1 target controls covered

O-RAN Alliance Security Specifications (O-RAN.WG11)

1 source controls mapped|3 target controls covered

SWIFT CSCF

1 source controls mapped|1 target controls covered

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

1 source controls mapped|3 target controls covered

ISO 56002

1 source controls mapped|4 target controls covered

ISO 37002:2021 — Whistleblowing Management Systems

1 source controls mapped|3 target controls covered

ECSS Software Engineering Standards

1 source controls mapped|3 target controls covered

SSAE 18 SOC 1 — Report on Controls at a Service Organisation (ICFR)

1 source controls mapped|1 target controls covered

Digital Economy Partnership Agreement (DEPA)

1 source controls mapped|2 target controls covered

ISO 22739:2024 — Blockchain and Distributed Ledger Technologies Vocabulary

1 source controls mapped|3 target controls covered

ECSS-E-ST-40C: Space Engineering — Software

1 source controls mapped|3 target controls covered

ISO/SAE 21434

1 source controls mapped|1 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

1 source controls mapped|3 target controls covered

HKMA SPM

1 source controls mapped|1 target controls covered

NIST SP 800-137

1 source controls mapped|1 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

1 source controls mapped|2 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

1 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

1 source controls mapped|3 target controls covered

Wisconsin Data Privacy Act (SB 670)

1 source controls mapped|3 target controls covered

21 CFR Part 211 — Current Good Manufacturing Practice

1 source controls mapped|1 target controls covered

PCI DSS v4.0

1 source controls mapped|3 target controls covered

NIST SP 800-183

1 source controls mapped|1 target controls covered

ISO/IEC 17025:2017 — General Requirements for Testing and Calibration Laboratories

1 source controls mapped|3 target controls covered

OWASP MASVS

1 source controls mapped|1 target controls covered

DO-178C / ED-12C — Software Considerations in Airborne Systems

1 source controls mapped|3 target controls covered

DAMA-DMBOK2 — Data Management Body of Knowledge (2nd Edition)

1 source controls mapped|3 target controls covered

ISO/IEC 25012:2008 — Data Quality Model

1 source controls mapped|2 target controls covered

ISO 22320:2018

1 source controls mapped|3 target controls covered

ITU Radio Regulations and Space Security Standards

1 source controls mapped|1 target controls covered

NIST SP 800-207

1 source controls mapped|1 target controls covered

UK Bribery Act 2010

1 source controls mapped|3 target controls covered

ISO 19650 — Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

1 source controls mapped|3 target controls covered

NIST SP 800-128

1 source controls mapped|1 target controls covered

Israel Protection of Privacy Law (5741-1981)

1 source controls mapped|3 target controls covered

NIST SP 800-160

1 source controls mapped|1 target controls covered

Automotive SPICE (ASPICE) v4.0 — Process Assessment Model

1 source controls mapped|2 target controls covered

Singapore Payment Services Act 2019 (PSA) — Digital Payment Token Provisions

1 source controls mapped|1 target controls covered

FDA Quality Management System Regulation (QMSR)

1 source controls mapped|1 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

1 source controls mapped|1 target controls covered

NIST SP 800-88

1 source controls mapped|1 target controls covered

California IoT Security Law

1 source controls mapped|1 target controls covered

OpenSSF Scorecard

1 source controls mapped|1 target controls covered

MITRE D3FEND

1 source controls mapped|1 target controls covered

APRA Prudential Standard CPS 234 — Information Security (Australia)

1 source controls mapped|1 target controls covered

Tennessee Information Protection Act (TIPA)

1 source controls mapped|1 target controls covered

NIST SP 800-187

1 source controls mapped|1 target controls covered

NIST SP 800-123

1 source controls mapped|1 target controls covered

NIST SP 800-181

1 source controls mapped|1 target controls covered

PSD2 SCA

1 source controls mapped|1 target controls covered

FFIEC IT Examination Handbook

1 source controls mapped|1 target controls covered

NIST SP 800-161

1 source controls mapped|1 target controls covered

OSFI B-13

1 source controls mapped|1 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

1 source controls mapped|1 target controls covered

PTES

1 source controls mapped|1 target controls covered

UNECE WP.29 R155

1 source controls mapped|1 target controls covered

Proposal for a Regulation on Cyber Resilience Act (CRA)

1 source controls mapped|1 target controls covered

Regional Comprehensive Economic Partnership (RCEP) — E-Commerce Chapter

1 source controls mapped|2 target controls covered

AICPA SOC 1

1 source controls mapped|1 target controls covered

Open Banking Security

1 source controls mapped|1 target controls covered

ISO 14064 — Greenhouse Gas Accounting and Verification (Parts 1-3)

1 source controls mapped|1 target controls covered

SIG (Shared Assessments)

1 source controls mapped|1 target controls covered

NIST SP 800-61

1 source controls mapped|1 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

1 source controls mapped|1 target controls covered

NIST SP 800-92

1 source controls mapped|1 target controls covered

HL7 FHIR Security Framework

1 source controls mapped|1 target controls covered

OWASP Top 10:2025

1 source controls mapped|1 target controls covered

UK Building Safety Act 2022

1 source controls mapped|2 target controls covered

UK PSTI Act

1 source controls mapped|1 target controls covered

WHO Global Strategy on Digital Health 2020-2025

1 source controls mapped|1 target controls covered

SLSA

1 source controls mapped|1 target controls covered

RFC 2350 — Expectations for Computer Security Incident Response (BCP 21)

1 source controls mapped|3 target controls covered

NIST SP 800-150

1 source controls mapped|1 target controls covered

NIST SP 800-218

1 source controls mapped|1 target controls covered

SWIFT CSP

1 source controls mapped|1 target controls covered

ITAR — International Traffic in Arms Regulations

1 source controls mapped|2 target controls covered

NIST SP 800-63

1 source controls mapped|1 target controls covered

GLBA

1 source controls mapped|1 target controls covered

EU Payment Services Directive (PSD2) – Under Review

1 source controls mapped|3 target controls covered

APRA CPS 234

1 source controls mapped|1 target controls covered

OWASP SAMM

1 source controls mapped|1 target controls covered

ISO 27043

1 source controls mapped|1 target controls covered

WCAG 2.2

1 source controls mapped|1 target controls covered

COBIT 2019

1 source controls mapped|1 target controls covered

ETSI EN 303 645

1 source controls mapped|1 target controls covered

PCI P2PE

1 source controls mapped|1 target controls covered

NIST SP 800-115

1 source controls mapped|1 target controls covered

EU Clinical Trials Regulation (CTR 536/2014)

1 source controls mapped|1 target controls covered

China Cybersecurity Law (CSL)

1 source controls mapped|1 target controls covered

PCI SSF

1 source controls mapped|1 target controls covered

UNECE WP.29 R156

1 source controls mapped|1 target controls covered

Compare IRS Publication 1075 with Australia eSafety Commissioner — Online Safety Expectations for Industry

Frequently Asked Questions

What is IRS Publication 1075?

IRS Publication 1075 is a compliance framework from United States with 169 domains and 176 controls. IRS Tax Information Security Guidelines. Required for federal/state/local agencies handling Federal Tax Information. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does IRS Publication 1075 have?

IRS Publication 1075 has 176 controls organised across 169 domains. The largest domains are Section 9.3.1.2 (4 controls), Section 9.3.1.12 (2 controls), Section 9.3.1.6 (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does IRS Publication 1075 map to?

IRS Publication 1075 maps to 618 other compliance frameworks. The top mapping partners are Australia eSafety Commissioner — Online Safety Expectations for Industry (4% coverage), GLI-33 — Gaming Laboratories International Event Wagering Systems (4% coverage), Singapore Government Instruction Manual on ICT&SS Management (IM8) (3% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with IRS Publication 1075 compliance?

Start your IRS Publication 1075 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about IRS Publication 1075 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 176 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required