NIST SP 800-172

United States

v2021

17 domains

69 controls

Enhanced Security Requirements for Protecting CUI

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (17)

AC

3 controls

Controls in the AC domain of NIST SP 800-172 — 3 controls
Code	Title	Description
3.1.1e	Dual Authorization for Sensitive System Operations	Employ dual authorization to execute critical or sensitive system and organizational operations affecting CUI.
3.1.2e	Restrict Access to Systems and System Components to Defined Security Domains	Restrict access to systems and components to only those information resources owned, provisioned, or issued by the organ...
3.1.3e	Employ Secure Information Transfer Solutions	Employ secure information transfer solutions to control information flows between security domains on connected systems.

AT

2 controls

Controls in the AT domain of NIST SP 800-172 — 2 controls
Code	Title	Description
3.2.1e	Provide Awareness Training on Advanced Persistent Threat	Provide awareness training upon initial hire, annually, and when system changes occur, focused on recognizing and respon...
3.2.2e	Practical Exercises in Awareness Training	Include practical exercises in awareness training for managers, senior executives, and selected personnel that reinforce...

CA

1 controls

Controls in the CA domain of NIST SP 800-172 — 1 controls
Code	Title	Description
3.12.1e	Penetration Testing by Independent Agents	Conduct penetration testing at least annually, leveraging automated scanning tools and ad hoc tests using subject matter...

CM

3 controls

Controls in the CM domain of NIST SP 800-172 — 3 controls
Code	Title	Description
3.4.1e	Authoritative Source for Software and Firmware	Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approve...
3.4.2e	Automated Detection and Remediation of Unauthorized Software	Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the compo...
3.4.3e	Automated Inventory of System Components	Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inv...

IA

3 controls

Controls in the IA domain of NIST SP 800-172 — 3 controls
Code	Title	Description
3.5.1e	Identification of Systems, Components, and Devices	Identify and authenticate systems and system components, where possible, before establishing a network connection using...
3.5.2e	Password Manager Use	Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and accoun...
3.5.3e	Multifactor Authentication for Local, Network, and Remote Access	Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and accoun...

IR

2 controls

Controls in the IR domain of NIST SP 800-172 — 2 controls
Code	Title	Description
3.6.1e	Establish Security Operations Center (SOC)	Establish and maintain a security operations center that operates 24/7, with allowance for remote/on-call staff.
3.6.2e	Establish and Maintain a Cyber Incident Response Team	Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours.

MA

1 controls

Controls in the MA domain of NIST SP 800-172 — 1 controls
Code	Title	Description
3.7.6e	Maintenance Operations Performed by Authorized Personnel	Verify the integrity and correctness of security critical or essential software as defined by the organization, ensuring...

NIST SP 800-172: Access Control & Identity

6 controls

Managing access to information systems (NIST SP 800-172)

Controls in the NIST SP 800-172: Access Control & Identity domain of NIST SP 800-172 — 6 controls
Code	Title	Description
NIST172-01	Account management and provisioning	Account management and provisioning. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Access Control & I...
NIST172-02	Access enforcement and least privilege	Access enforcement and least privilege. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Access Control...
NIST172-03	Multi-factor authentication requirements	Multi-factor authentication requirements. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Access Contro...
NIST172-04	Remote access controls	Remote access controls. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Access Control & Identity.
NIST172-05	Wireless access restrictions	Wireless access restrictions. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Access Control & Identity...
NIST172-06	Identity proofing and verification	Identity proofing and verification. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Access Control & Id...

NIST SP 800-172: Audit & Accountability

5 controls

Audit logging and accountability measures (NIST SP 800-172)

Controls in the NIST SP 800-172: Audit & Accountability domain of NIST SP 800-172 — 5 controls
Code	Title	Description
NIST172-28	Audit event logging and storage	Audit event logging and storage. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Audit & Accountability...
NIST172-29	Audit record review and analysis	Audit record review and analysis. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Audit & Accountabilit...
NIST172-30	Time synchronization	Time synchronization. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Audit & Accountability.
NIST172-31	Audit log protection and retention	Audit log protection and retention. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Audit & Accountabil...
NIST172-32	Accountability and non-repudiation	Accountability and non-repudiation. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Audit & Accountabil...

NIST SP 800-172: Configuration Management

5 controls

Managing system configurations securely (NIST SP 800-172)

Controls in the NIST SP 800-172: Configuration Management domain of NIST SP 800-172 — 5 controls
Code	Title	Description
NIST172-23	Baseline configuration establishment	Baseline configuration establishment. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Configuration Man...
NIST172-24	Configuration change control	Configuration change control. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Configuration Management.
NIST172-25	Security impact analysis	Security impact analysis. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Configuration Management.
NIST172-26	System component inventory	System component inventory. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Configuration Management.
NIST172-27	Software usage restrictions	Software usage restrictions. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Configuration Management.

NIST SP 800-172: Incident Response

5 controls

Detecting and responding to security incidents (NIST SP 800-172)

Controls in the NIST SP 800-172: Incident Response domain of NIST SP 800-172 — 5 controls
Code	Title	Description
NIST172-18	Incident response planning and testing	Incident response planning and testing. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Incident Respon...
NIST172-19	Incident handling and containment	Incident handling and containment. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Incident Response.
NIST172-20	Incident reporting and notification	Incident reporting and notification. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Incident Response.
NIST172-21	Forensic analysis capabilities	Forensic analysis capabilities. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Incident Response.
NIST172-22	Lessons learned and improvement	Lessons learned and improvement. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Incident Response.

NIST SP 800-172: Risk Assessment & Management

5 controls

Identifying and managing cybersecurity risks (NIST SP 800-172)

Controls in the NIST SP 800-172: Risk Assessment & Management domain of NIST SP 800-172 — 5 controls
Code	Title	Description
NIST172-13	Risk assessment procedures	Risk assessment procedures. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Risk Assessment & Managemen...
NIST172-14	Vulnerability scanning and management	Vulnerability scanning and management. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Risk Assessment...
NIST172-15	Security categorization	Security categorization. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Risk Assessment & Management.
NIST172-16	Threat intelligence integration	Threat intelligence integration. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Risk Assessment & Mana...
NIST172-17	Continuous monitoring strategy	Continuous monitoring strategy. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: Risk Assessment & Manag...

NIST SP 800-172: System & Communications Protection

6 controls

Protecting systems and communications (NIST SP 800-172)

Controls in the NIST SP 800-172: System & Communications Protection domain of NIST SP 800-172 — 6 controls
Code	Title	Description
NIST172-07	Boundary protection and segmentation	Boundary protection and segmentation. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: System & Communic...
NIST172-08	Cryptographic protection of data	Cryptographic protection of data. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: System & Communicatio...
NIST172-09	Denial-of-service protection	Denial-of-service protection. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: System & Communications P...
NIST172-10	Transmission confidentiality and integrity	Transmission confidentiality and integrity. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: System & Co...
NIST172-11	Session management controls	Session management controls. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: System & Communications Pr...
NIST172-12	Network monitoring and defense	Network monitoring and defense. Control from NIST SP 800-172 framework, domain: NIST SP 800-172: System & Communications...

PS

2 controls

Controls in the PS domain of NIST SP 800-172 — 2 controls
Code	Title	Description
3.9.1e	Enhanced Personnel Screening	Conduct enhanced personnel screening that reflects applicable laws, executive orders, directives, policies, regulations,...
3.9.2e	Insider Threat Program	Ensure organizational systems are protected if adverse information develops or is obtained about individuals with access...

RA

7 controls

Controls in the RA domain of NIST SP 800-172 — 7 controls
Code	Title	Description
3.11.1e	Threat-Aware Risk Assessment	Employ threat intelligence, at a minimum from open or commercial sources and any DoD-provided sources, as part of a risk...
3.11.2e	Threat Hunting	Conduct cyber threat hunting activities to search for indicators of compromise in organizational systems and detect, tra...
3.11.3e	Advanced Automation and Analytics Capabilities	Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizati...
3.11.4e	Security Solution Rationale Document	Document or reference in the system security plan the security solution selected, the rationale for the security solutio...
3.11.5e	Assess Effectiveness of Security Solutions	Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, o...
3.11.6e	Supply Chain Risk Management	Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
3.11.7e	Supply Chain Risk Management Plan	Develop a plan for managing supply chain risks; protect against supply chain risks; and update the plan at least annuall...

SC

6 controls

Controls in the SC domain of NIST SP 800-172 — 6 controls
Code	Title	Description
3.13.1e	Network Segmentation by Security Domain	Employ secure information transfer solutions to control information flows between security domains on connected systems,...
3.13.2e	Concept of Least Privilege in System Engineering	Apply the concept of least privilege when developing, designing, implementing, configuring, and operating systems, syste...
3.13.3e	Diversification of System Components	Employ diverse system components to reduce the extent of malicious code propagation and the dependence on common compone...
3.13.4e	Use Trusted Communications Paths for Privileged Access	Employ technical and procedural means to confuse and mislead adversaries through deception (decoys, mirages, dazzles, de...
3.13.5e	Randomness in System Operations	Employ technical and procedural means to confuse and mislead adversaries through change-management randomization or unpr...
3.13.6e	Verify Identity of Endpoint Hardware	Employ hardware-enforced trust mechanisms such as TPM-based attestation to verify the identity and integrity of endpoint...

SI

7 controls

Controls in the SI domain of NIST SP 800-172 — 7 controls
Code	Title	Description
3.14.1e	Verify Integrity of Security Critical Software and Firmware	Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic signatu...
3.14.2e	Monitor Organizational Systems with Specialized Capabilities	Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior using adva...
3.14.3e	Information Inputs Validation	Ensure that organizational systems are not reliant on commercial sources of supply that may be compromised by foreign ad...
3.14.4e	Refresh Systems and Components from a Trusted Baseline	Refresh organizational systems and system components from a known, trusted state at a defined frequency to reduce dwell...
3.14.5e	Verify Integrity After Reauthentication	Conduct reviews of persistent organizational storage locations at a defined frequency and remove CUI that is no longer n...
3.14.6e	Use Threat Indicator Information for Detection	Use threat indicator information relevant to the information and systems being protected and effective mitigations obtai...
3.14.7e	Verify Correctness of Security Functions	Verify the correctness of security critical or essential software, firmware, and hardware components through review, ana...

Your Compliance Coverage

If you comply with NIST SP 800-172, you already cover:

DoD Zero Trust Reference Architecture

30%

21 controls mapped

Compare →

Belgium CyberFundamentals

30%

21 controls mapped

Compare →

CISA Zero Trust Maturity Model

30%

21 controls mapped

Compare →

+ 534 more: ANSSI Cybersecurity Framework (30%), Spain ENS (30%)

See all 537 mapped frameworks ↓

Maps to 537 other frameworks

69 total controls

DoD Zero Trust Reference Architecture

21 source controls mapped|20 target controls covered

30%

Belgium CyberFundamentals

21 source controls mapped|20 target controls covered

30%

CISA Zero Trust Maturity Model

21 source controls mapped|20 target controls covered

30%

ANSSI Cybersecurity Framework

21 source controls mapped|21 target controls covered

30%

Spain ENS

21 source controls mapped|20 target controls covered

30%

BSI IT-Grundschutz

21 source controls mapped|20 target controls covered

30%

Cyber Essentials Plus

21 source controls mapped|18 target controls covered

30%

Ghana Cybersecurity Act

21 source controls mapped|20 target controls covered

30%

NIST SP 800-171

21 source controls mapped|21 target controls covered

30%

FISMA

21 source controls mapped|20 target controls covered

30%

NIST SP 800-53A

21 source controls mapped|18 target controls covered

30%

Saudi NCA ECC

21 source controls mapped|20 target controls covered

30%

CSA CCM v4

20 source controls mapped|28 target controls covered

29%

NIST SP 800-53 Rev 5

20 source controls mapped|28 target controls covered

29%

ISO 27001:2022

19 source controls mapped|18 target controls covered

28%

FedRAMP Rev 5

19 source controls mapped|28 target controls covered

28%

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

19 source controls mapped|13 target controls covered

28%

South Korea ISMS-P

19 source controls mapped|10 target controls covered

28%

DISA Security Technical Implementation Guides (STIGs)

19 source controls mapped|18 target controls covered

28%

Australian Energy Sector Cyber Security Framework (AESCSF)

19 source controls mapped|17 target controls covered

28%

ASD Information Security Manual (ISM)

18 source controls mapped|29 target controls covered

26%

NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements

18 source controls mapped|13 target controls covered

26%

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

18 source controls mapped|12 target controls covered

26%

TISAX — Trusted Information Security Assessment Exchange

18 source controls mapped|15 target controls covered

26%

NIST SP 800-82 Rev 3 — Guide to OT Security

18 source controls mapped|11 target controls covered

26%

FAA Cybersecurity Framework for Aviation

18 source controls mapped|11 target controls covered

26%

NIST SP 800-146

17 source controls mapped|12 target controls covered

25%

CAIQ (CSA)

17 source controls mapped|12 target controls covered

25%

NIST SP 800-171A — Assessing CUI Security Requirements

17 source controls mapped|19 target controls covered

25%

ISMAP (Japan)

17 source controls mapped|12 target controls covered

25%

Azure Security Benchmark

17 source controls mapped|13 target controls covered

25%

ISO 27017

17 source controls mapped|12 target controls covered

25%

ISO 27018

17 source controls mapped|12 target controls covered

25%

Canada ITSG-33 — IT Security Risk Management

17 source controls mapped|12 target controls covered

25%

New Zealand Information Security Manual (NZISM)

17 source controls mapped|10 target controls covered

25%

MARS-E — Minimum Acceptable Risk Standards for Exchanges

17 source controls mapped|10 target controls covered

25%

South Korea Cloud Security Assurance Program (CSAP)

17 source controls mapped|11 target controls covered

25%

NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity

17 source controls mapped|10 target controls covered

25%

CSA STAR (Security, Trust, Assurance, and Risk)

17 source controls mapped|10 target controls covered

25%

IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems

17 source controls mapped|8 target controls covered

25%

NIST SP 800-144

17 source controls mapped|12 target controls covered

25%

MTCS (Singapore)

17 source controls mapped|12 target controls covered

25%

C5 (Germany)

17 source controls mapped|12 target controls covered

25%

NIST SP 800-145

17 source controls mapped|12 target controls covered

25%

AWS Well-Architected Security Pillar

17 source controls mapped|12 target controls covered

25%

NIST SP 800-190

17 source controls mapped|12 target controls covered

25%

Oman National Cybersecurity Framework

17 source controls mapped|8 target controls covered

25%

OWASP DevSecOps Maturity Model (DSOMM)

17 source controls mapped|11 target controls covered

25%

CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines

16 source controls mapped|16 target controls covered

23%

US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule

16 source controls mapped|17 target controls covered

23%

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

16 source controls mapped|18 target controls covered

23%

OWASP Top 10:2025

16 source controls mapped|8 target controls covered

23%

UK Defence Standard 05-138 — Cyber Security for Defence Suppliers

16 source controls mapped|10 target controls covered

23%

NIST Privacy Framework 1.0

16 source controls mapped|10 target controls covered

23%

PCI DSS v4.0

16 source controls mapped|16 target controls covered

23%

FFIEC Cybersecurity Assessment Tool (CAT)

16 source controls mapped|9 target controls covered

23%

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

15 source controls mapped|14 target controls covered

22%

Defence Security Principles Framework (DSPF)

15 source controls mapped|20 target controls covered

22%

Protective Security Policy Framework (PSPF) Release 2024

15 source controls mapped|18 target controls covered

22%

FTC Safeguards Rule (16 CFR Part 314)

15 source controls mapped|15 target controls covered

22%

FTC GLBA Safeguards Rule (16 CFR Part 314)

15 source controls mapped|14 target controls covered

22%

ASIC Cyber Resilience Good Practices

15 source controls mapped|8 target controls covered

22%

EU GMP Annex 11: Computerised Systems

15 source controls mapped|5 target controls covered

22%

SWIFT Customer Security Programme (CSP)

15 source controls mapped|8 target controls covered

22%

CNCF Cloud Native Security (Cloud Native Computing Foundation)

14 source controls mapped|7 target controls covered

20%

Telecommunications Sector Security Reforms (TSSR)

14 source controls mapped|11 target controls covered

20%

HKMA Cyber Resilience Assessment Framework (C-RAF)

14 source controls mapped|10 target controls covered

20%

UK Gambling Commission — Cyber Resilience Requirements

14 source controls mapped|8 target controls covered

20%

TSA Pipeline Security

14 source controls mapped|13 target controls covered

20%

TSA Pipeline Cybersecurity Directives

14 source controls mapped|8 target controls covered

20%

FBI CJIS Security Policy

13 source controls mapped|12 target controls covered

19%

HIPAA Security Rule

13 source controls mapped|14 target controls covered

19%

NIS2 Directive Implementing Acts

13 source controls mapped|17 target controls covered

19%

NAIC Insurance Data Security Model Law (MDL-668)

13 source controls mapped|10 target controls covered

19%

API 1164

13 source controls mapped|12 target controls covered

19%

DO-326A / ED-202A

13 source controls mapped|12 target controls covered

19%

C2M2

13 source controls mapped|13 target controls covered

19%

IEC 62443

13 source controls mapped|12 target controls covered

19%

BIMCO Cyber Security

13 source controls mapped|12 target controls covered

19%

IEEE 1686

13 source controls mapped|12 target controls covered

19%

NIS2 Directive

13 source controls mapped|15 target controls covered

19%

ISO 27019

13 source controls mapped|12 target controls covered

19%

NIST SP 1800-32

13 source controls mapped|12 target controls covered

19%

IAEA Nuclear Security Series — Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

13 source controls mapped|7 target controls covered

19%

ISO/SAE 21434

12 source controls mapped|11 target controls covered

17%

NIST SP 800-161

12 source controls mapped|10 target controls covered

17%

ISO 27043

12 source controls mapped|12 target controls covered

17%

NIST SP 800-115

12 source controls mapped|11 target controls covered

17%

NIST SP 800-123

12 source controls mapped|11 target controls covered

17%

California IoT Security Law

12 source controls mapped|11 target controls covered

17%

ISO 27002:2022

12 source controls mapped|12 target controls covered

17%

NIST SP 800-128

12 source controls mapped|11 target controls covered

17%

MITRE D3FEND

12 source controls mapped|12 target controls covered

17%

MITRE ATT&CK

12 source controls mapped|11 target controls covered

17%

NIST SP 800-160

12 source controls mapped|11 target controls covered

17%

OWASP ASVS

12 source controls mapped|11 target controls covered

17%

FDA 21 CFR Part 11

12 source controls mapped|8 target controls covered

17%

ETSI EN 303 645

12 source controls mapped|12 target controls covered

17%

Singapore Government Instruction Manual on ICT&SS Management (IM8)

12 source controls mapped|6 target controls covered

17%

NIST SP 800-137

12 source controls mapped|12 target controls covered

17%

MDS2 (Medical Device)

12 source controls mapped|8 target controls covered

17%

Proposal for a Regulation on Cyber Resilience Act (CRA)

12 source controls mapped|11 target controls covered

17%

BSIMM

12 source controls mapped|11 target controls covered

17%

HL7 FHIR Security Framework

12 source controls mapped|11 target controls covered

17%

OWASP MASVS

12 source controls mapped|9 target controls covered

17%

NIST SP 800-150

12 source controls mapped|10 target controls covered

17%

MARS-E

12 source controls mapped|8 target controls covered

17%

ISO 27799

12 source controls mapped|8 target controls covered

17%

UK Telecommunications (Security) Act 2021

12 source controls mapped|15 target controls covered

17%

ISO 13485

12 source controls mapped|9 target controls covered

17%

3GPP Security

12 source controls mapped|11 target controls covered

17%

GLI-33 — Gaming Laboratories International Event Wagering Systems

12 source controls mapped|11 target controls covered

17%

EIOPA Guidelines on ICT Security and Governance (2023)

12 source controls mapped|11 target controls covered

17%

CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)

12 source controls mapped|10 target controls covered

17%

NIST SP 800-63

12 source controls mapped|10 target controls covered

17%

SLSA

12 source controls mapped|11 target controls covered

17%

NIST SP 800-207

12 source controls mapped|10 target controls covered

17%

OpenSSF Scorecard

12 source controls mapped|13 target controls covered

17%

PTES

12 source controls mapped|11 target controls covered

17%

NIST SP 800-66

12 source controls mapped|8 target controls covered

17%

UNECE WP.29 R156

12 source controls mapped|11 target controls covered

17%

NIST SP 800-187

12 source controls mapped|12 target controls covered

17%

SIG (Shared Assessments)

12 source controls mapped|11 target controls covered

17%

NIST SP 800-183

12 source controls mapped|11 target controls covered

17%

NIST SP 800-92

12 source controls mapped|11 target controls covered

17%

NIST SP 800-88

12 source controls mapped|11 target controls covered

17%

UK PSTI Act

12 source controls mapped|11 target controls covered

17%

NIST SP 800-61

12 source controls mapped|10 target controls covered

17%

SSDF (NIST)

12 source controls mapped|11 target controls covered

17%

NIST SP 800-218

12 source controls mapped|11 target controls covered

17%

OWASP SAMM

12 source controls mapped|10 target controls covered

17%

UNECE WP.29 R155

12 source controls mapped|10 target controls covered

17%

NIST SP 800-181

12 source controls mapped|12 target controls covered

17%

O-RAN Alliance Security Specifications (O-RAN.WG11)

12 source controls mapped|6 target controls covered

17%

NIST Cybersecurity Framework 2.0

12 source controls mapped|12 target controls covered

17%

CIS Controls v8

11 source controls mapped|10 target controls covered

16%

Australian Information Security Manual

11 source controls mapped|6 target controls covered

16%

HITECH Act

11 source controls mapped|3 target controls covered

16%

ISO/IEC 27400:2022

11 source controls mapped|5 target controls covered

16%

CISA Secure by Design Principles

11 source controls mapped|9 target controls covered

16%

SOC for Cybersecurity — Cybersecurity Risk Management Examination

11 source controls mapped|5 target controls covered

16%

US ITAR and EAR — Export Control and Data Security

11 source controls mapped|10 target controls covered

16%

RBI Cybersecurity Framework for Banks

11 source controls mapped|7 target controls covered

16%

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

11 source controls mapped|11 target controls covered

16%

COPPA

10 source controls mapped|5 target controls covered

14%

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

10 source controls mapped|11 target controls covered

14%

Kenya DPA

10 source controls mapped|5 target controls covered

14%

Kenya Data Protection Act

10 source controls mapped|5 target controls covered

14%

India DPDP Act

10 source controls mapped|5 target controls covered

14%

Law No. 172-13 on the Protection of Personal Data

10 source controls mapped|5 target controls covered

14%

Ley Orgánica de Protección de Datos Personales (LOPDP)

10 source controls mapped|5 target controls covered

14%

Bahrain PDPL

10 source controls mapped|5 target controls covered

14%

Indonesia PDP Law

10 source controls mapped|5 target controls covered

14%

CCPA/CPRA

10 source controls mapped|5 target controls covered

14%

Turkey KVKK

10 source controls mapped|5 target controls covered

14%

Mexico LFPDPPP

10 source controls mapped|5 target controls covered

14%

Indiana Consumer Data Protection Act

10 source controls mapped|5 target controls covered

14%

Delaware Online Privacy and Protection Act (proposed)

10 source controls mapped|5 target controls covered

14%

Nebraska Data Privacy Act

10 source controls mapped|5 target controls covered

14%

Nigeria NDPR

10 source controls mapped|5 target controls covered

14%

Privacy Act 1988 (Australia)

10 source controls mapped|5 target controls covered

14%

ISO 27701

10 source controls mapped|5 target controls covered

14%

CTDPA (Connecticut Data Privacy Act)

10 source controls mapped|5 target controls covered

14%

APPI

10 source controls mapped|5 target controls covered

14%

Argentina PDPA

10 source controls mapped|5 target controls covered

14%

Montana Consumer Data Privacy Act

10 source controls mapped|5 target controls covered

14%

Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data

10 source controls mapped|7 target controls covered

14%

DORA

10 source controls mapped|7 target controls covered

14%

Chile DPL

10 source controls mapped|5 target controls covered

14%

New Hampshire Privacy Act

10 source controls mapped|5 target controls covered

14%

Mauritius DPA

10 source controls mapped|5 target controls covered

14%

Jamaica DPA

10 source controls mapped|5 target controls covered

14%

FERPA

10 source controls mapped|5 target controls covered

14%

Malaysia PDPA 2010

10 source controls mapped|5 target controls covered

14%

ASD Strategies to Mitigate Cyber Security Incidents

10 source controls mapped|11 target controls covered

14%

Colorado Privacy Act

10 source controls mapped|5 target controls covered

14%

Kentucky Consumer Data Protection Act

10 source controls mapped|5 target controls covered

14%

Maryland Online Data Privacy Act

10 source controls mapped|5 target controls covered

14%

Iowa Consumer Data Protection Act

10 source controls mapped|5 target controls covered

14%

ISO/IEC 27011:2024

10 source controls mapped|6 target controls covered

14%

Switzerland FADP

10 source controls mapped|5 target controls covered

14%

LGPD

10 source controls mapped|6 target controls covered

14%

Iceland DPA

10 source controls mapped|5 target controls covered

14%

Liechtenstein DPA

10 source controls mapped|5 target controls covered

14%

ISO 20000-1

10 source controls mapped|5 target controls covered

14%

Minnesota Consumer Data Privacy Act

10 source controls mapped|5 target controls covered

14%

NIST SP 800-122

10 source controls mapped|5 target controls covered

14%

Peru DPL

10 source controls mapped|5 target controls covered

14%

New Jersey Data Privacy Act

10 source controls mapped|5 target controls covered

14%

Sigstore — Software Artifact Signing and Verification

10 source controls mapped|8 target controls covered

14%

PDPA Thailand

10 source controls mapped|5 target controls covered

14%

Tennessee IPA

10 source controls mapped|5 target controls covered

14%

Taiwan PDPA

10 source controls mapped|5 target controls covered

14%

Philippines DPA

10 source controls mapped|5 target controls covered

14%

Oregon Consumer Privacy Act

10 source controls mapped|5 target controls covered

14%

Rwanda DPL

10 source controls mapped|5 target controls covered

14%

UK Data Protection Act 2018

10 source controls mapped|5 target controls covered

14%

PIPEDA

10 source controls mapped|5 target controls covered

14%

New Zealand Privacy Act

10 source controls mapped|5 target controls covered

14%

UAE PDPL

10 source controls mapped|5 target controls covered

14%

Vietnam PDPD

10 source controls mapped|5 target controls covered

14%

PDPA Singapore

10 source controls mapped|5 target controls covered

14%

Qatar DPL

10 source controls mapped|5 target controls covered

14%

Norway PDPA

10 source controls mapped|5 target controls covered

14%

China PIPL

10 source controls mapped|5 target controls covered

14%

Utah Consumer Privacy Act

10 source controls mapped|5 target controls covered

14%

Saudi Arabia PDPL

10 source controls mapped|5 target controls covered

14%

POPIA

10 source controls mapped|5 target controls covered

14%

Texas Data Privacy Act

10 source controls mapped|5 target controls covered

14%

Uruguay DPL

10 source controls mapped|5 target controls covered

14%

Virginia CDPA

10 source controls mapped|5 target controls covered

14%

C-TPAT — Customs-Trade Partnership Against Terrorism

10 source controls mapped|9 target controls covered

14%

Customs-Trade Partnership Against Terrorism (C-TPAT)

10 source controls mapped|7 target controls covered

14%

ISO/IEC 27010:2015

9 source controls mapped|5 target controls covered

13%

OWASP API Security Top 10:2023

9 source controls mapped|5 target controls covered

13%

ITIL 4

9 source controls mapped|4 target controls covered

13%

NERC CIP

9 source controls mapped|8 target controls covered

13%

PropTech Security Standards — Smart Building Cybersecurity

9 source controls mapped|6 target controls covered

13%

US NRC 10 CFR 73.54 — Cyber Security for Nuclear Power Plants

9 source controls mapped|5 target controls covered

13%

SSAE 18 — Attestation Standards (SOC Reporting)

9 source controls mapped|9 target controls covered

13%

BSI C5 — Cloud Computing Compliance Criteria Catalogue

9 source controls mapped|3 target controls covered

13%

South Korea PIPA

9 source controls mapped|4 target controls covered

13%

Bermuda Personal Information Protection Act 2016 (PIPA)

9 source controls mapped|4 target controls covered

13%

EAR — Export Administration Regulations

8 source controls mapped|11 target controls covered

12%

Chile Personal Data Protection Law (Law No. 21.719)

8 source controls mapped|4 target controls covered

12%

DFARS 252.204-7012 — Safeguarding Covered Defense Information

8 source controls mapped|4 target controls covered

12%

IEC 62351 — Power Systems Communication Security

8 source controls mapped|3 target controls covered

12%

EU Digital Markets Act

8 source controls mapped|8 target controls covered

12%

IRS Publication 1075 — Tax Information Security Guidelines

8 source controls mapped|3 target controls covered

12%

Philippines Data Privacy Act (RA 10173)

8 source controls mapped|7 target controls covered

12%

SSAE 18 SOC 1 — Report on Controls at a Service Organisation (ICFR)

8 source controls mapped|5 target controls covered

12%

SWIFT CSCF

8 source controls mapped|6 target controls covered

12%

US Executive Order 14028 — Improving the Nation's Cybersecurity

8 source controls mapped|3 target controls covered

12%

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)

8 source controls mapped|6 target controls covered

12%

SOC 2

8 source controls mapped|5 target controls covered

12%

TEFCA — Trusted Exchange Framework and Common Agreement

8 source controls mapped|5 target controls covered

12%

PCI DSS 4.0

8 source controls mapped|3 target controls covered

12%

WCO Authorised Economic Operator (AEO) Framework

8 source controls mapped|11 target controls covered

12%

NIST Privacy Framework Version 1.0

8 source controls mapped|2 target controls covered

12%

FFIEC IT Examination Handbook

7 source controls mapped|5 target controls covered

10%

Turkey Personal Data Protection Law (KVKK — Law No. 6698)

7 source controls mapped|4 target controls covered

10%

APRA CPS 234

7 source controls mapped|5 target controls covered

10%

MAS TRM

7 source controls mapped|5 target controls covered

10%

BCBS 239

7 source controls mapped|5 target controls covered

10%

NIST AI Risk Management Framework (AI RMF 1.0)

7 source controls mapped|6 target controls covered

10%

NIST AI 600-1 Generative AI Profile

7 source controls mapped|6 target controls covered

10%

HKMA SPM

7 source controls mapped|5 target controls covered

10%

GLBA

7 source controls mapped|5 target controls covered

10%

AS9100D:2016 — Quality Management Systems for Aviation, Space, and Defence

7 source controls mapped|3 target controls covered

10%

OSFI B-13

7 source controls mapped|5 target controls covered

10%

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)

7 source controls mapped|5 target controls covered

10%

Nigeria Open Banking Regulatory Framework (CBN, 2023)

7 source controls mapped|3 target controls covered

10%

PCI P2PE

7 source controls mapped|5 target controls covered

10%

Open Banking Security

7 source controls mapped|5 target controls covered

10%

PCI PIN Security

7 source controls mapped|5 target controls covered

10%

PSD2 SCA

7 source controls mapped|5 target controls covered

10%

AICPA SOC 3

7 source controls mapped|5 target controls covered

10%

SWIFT CSP

7 source controls mapped|5 target controls covered

10%

AICPA SOC 1

7 source controls mapped|5 target controls covered

10%

PCI SSF

7 source controls mapped|5 target controls covered

10%

China Data Security Law (DSL)

7 source controls mapped|5 target controls covered

10%

US EPA Safe Drinking Water Act (SDWA) — Cybersecurity Requirements

7 source controls mapped|4 target controls covered

10%

NIS2 Directive (Directive (EU) 2022/2555)

7 source controls mapped|8 target controls covered

10%

ISO 28001:2007 Supply Chain Security Management

7 source controls mapped|4 target controls covered

10%

Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct

7 source controls mapped|5 target controls covered

10%

EU Maritime Single Window Environment Regulation (EU) 2019/1239

7 source controls mapped|2 target controls covered

10%

ASEAN Data Management Framework

7 source controls mapped|6 target controls covered

10%

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)

7 source controls mapped|3 target controls covered

10%

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

7 source controls mapped|6 target controls covered

10%

COSO Internal Control — Integrated Framework (2013)

7 source controls mapped|5 target controls covered

10%

Australia Consumer Data Right — Banking (CDR)

7 source controls mapped|10 target controls covered

10%

Voluntary Principles on Security and Human Rights (VPs)

7 source controls mapped|5 target controls covered

10%

Japan FSA Cybersecurity Guidelines for Financial Institutions

7 source controls mapped|7 target controls covered

10%

Notifiable Data Breaches Scheme (Australia)

7 source controls mapped|7 target controls covered

10%

FTC Health Breach Notification Rule

7 source controls mapped|7 target controls covered

10%

UK Product Security and Telecommunications Infrastructure Act (PSTI)

7 source controls mapped|7 target controls covered

10%

European Accessibility Act (Directive (EU) 2019/882)

7 source controls mapped|8 target controls covered

10%

Regulation (EU) 2023/1115 on deforestation-free supply chains

7 source controls mapped|7 target controls covered

10%

Ontario Accessibility for Ontarians with Disabilities Act (AODA) — IASR Web Standard

7 source controls mapped|7 target controls covered

10%

US SEC Digital Assets and Crypto Regulatory Framework

7 source controls mapped|8 target controls covered

10%

Australia eSafety Commissioner — Online Safety Expectations for Industry

7 source controls mapped|7 target controls covered

10%

Security of Critical Infrastructure Act 2018 (SOCI)

7 source controls mapped|5 target controls covered

10%

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

7 source controls mapped|4 target controls covered

10%

Kuwait National Cybersecurity Framework

7 source controls mapped|4 target controls covered

10%

US Consumer Product Safety Commission (CPSC) — Connected Product Safety

7 source controls mapped|2 target controls covered

10%

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

7 source controls mapped|6 target controls covered

10%

Critical Raw Materials Act (Proposed Regulation COM(2023) 192)

7 source controls mapped|6 target controls covered

10%

EU Chips Act (Regulation (EU) 2023/1781) — potential incorrect regulation number

7 source controls mapped|6 target controls covered

10%

NIST SP 800-124 Rev 2 — Mobile Device Security

6 source controls mapped|5 target controls covered

Digital Economy Partnership Agreement (DEPA)

6 source controls mapped|5 target controls covered

EDM Council CDMC — Cloud Data Management Capability Framework

6 source controls mapped|3 target controls covered

ISO 26262:2018 — Functional Safety for Road Vehicles

6 source controls mapped|3 target controls covered

GAMP 5 — Good Automated Manufacturing Practice

6 source controls mapped|4 target controls covered

AS9100D — Aerospace Quality Management System

6 source controls mapped|3 target controls covered

ISO/IEC 27003:2017

6 source controls mapped|3 target controls covered

EASA Part-IS — Information Security in Aviation

6 source controls mapped|5 target controls covered

Defence Industry Security Program (DISP)

6 source controls mapped|3 target controls covered

ASIS SPC.1-2009 — Organizational Resilience Standard

6 source controls mapped|2 target controls covered

APRA CPS 230 Operational Risk Management

6 source controls mapped|3 target controls covered

Nevada Gaming Control Board Cybersecurity Requirements

6 source controls mapped|8 target controls covered

Lloyd's Minimum Standards — Cyber Security

6 source controls mapped|8 target controls covered

MTCS — Multi-Tier Cloud Security (Singapore)

6 source controls mapped|2 target controls covered

Singapore Cybersecurity Act 2018

6 source controls mapped|3 target controls covered

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

6 source controls mapped|2 target controls covered

NFPA 1600 — Standard on Continuity, Emergency, and Crisis Management

6 source controls mapped|2 target controls covered

UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities

6 source controls mapped|2 target controls covered

India CERT-In Cyber Security Directions 2022

6 source controls mapped|2 target controls covered

Laos Law on Prevention and Combating Cybercrime (2015)

6 source controls mapped|5 target controls covered

French Sapin II Law (Law No. 2016-1691)

6 source controls mapped|3 target controls covered

ASEAN Guide on AI Governance and Ethics

6 source controls mapped|2 target controls covered

UAE Federal Data Protection Law

6 source controls mapped|2 target controls covered

GDPR

6 source controls mapped|3 target controls covered

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

6 source controls mapped|2 target controls covered

Barbados Data Protection Act 2019

6 source controls mapped|1 target controls covered

ISO/IEC 29147:2018

6 source controls mapped|5 target controls covered

BREEAM — Building Research Establishment Environmental Assessment Method

6 source controls mapped|2 target controls covered

AICPA Privacy Management Framework (PMF)

6 source controls mapped|3 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

6 source controls mapped|4 target controls covered

UK Modern Slavery Act 2015

6 source controls mapped|2 target controls covered

Zambia Data Protection Act (2021)

6 source controls mapped|3 target controls covered

Trinidad and Tobago Data Protection Act 2011

6 source controls mapped|2 target controls covered

UK GDPR (UK General Data Protection Regulation)

6 source controls mapped|2 target controls covered

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

6 source controls mapped|2 target controls covered

Czech Republic Act on the Protection of Personal Data (Act No. 110/2019 Coll.)

6 source controls mapped|2 target controls covered

Botswana Data Protection Act (2024)

6 source controls mapped|2 target controls covered

Canada Artificial Intelligence and Data Act (AIDA)

6 source controls mapped|3 target controls covered

GLOBALG.A.P. Integrated Farm Assurance (IFA) Standard v6

6 source controls mapped|3 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

6 source controls mapped|3 target controls covered

UK Security and Emergency Measures Direction (SEMD) — Water Industry

6 source controls mapped|4 target controls covered

3GPP Security Architecture (TS 33.501 — 5G Security)

5 source controls mapped|7 target controls covered

Connecticut Data Privacy Act (CTDPA)

5 source controls mapped|6 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

5 source controls mapped|3 target controls covered

Modern Slavery Act 2018 (Australia)

5 source controls mapped|4 target controls covered

EMV 3-D Secure (3DS2) — Payment Authentication Protocol

5 source controls mapped|5 target controls covered

ILO Nursing Personnel Convention C149 (1977)

5 source controls mapped|3 target controls covered

6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673)

5 source controls mapped|3 target controls covered

ISO 8000 — Data Quality

5 source controls mapped|3 target controls covered

FATF Recommendation 16 — Virtual Asset Travel Rule

5 source controls mapped|4 target controls covered

Privacy by Design (PbD) — Seven Foundational Principles

5 source controls mapped|3 target controls covered

BS 65000:2014 — Guidance on Organizational Resilience

5 source controls mapped|3 target controls covered

UK Open Banking Standard

5 source controls mapped|5 target controls covered

RFC 2350 — Expectations for Computer Security Incident Response (BCP 21)

5 source controls mapped|5 target controls covered

Zimbabwe Data Protection Act (2021)

5 source controls mapped|3 target controls covered

DAMA-DMBOK2 — Data Management Body of Knowledge (2nd Edition)

5 source controls mapped|2 target controls covered

EU Cyber Solidarity Act (Regulation (EU) 2025/38)

5 source controls mapped|1 target controls covered

ISO 27005

4 source controls mapped|4 target controls covered

ISO/IEC 27557:2022 — Organisational Privacy Risk Management

4 source controls mapped|3 target controls covered

NATO AQAP 2110 — Quality Assurance Requirements for Design, Development, and Production

4 source controls mapped|2 target controls covered

ISO/IEC 30111:2019

4 source controls mapped|4 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114)

4 source controls mapped|2 target controls covered

APRA Prudential Standard CPS 234 — Information Security (Australia)

4 source controls mapped|4 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

4 source controls mapped|2 target controls covered

ICAO Annex 17 — Aviation Security (AVSEC)

4 source controls mapped|2 target controls covered

ITU-T X.805 — Security Architecture for End-to-End Communications

4 source controls mapped|2 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

4 source controls mapped|3 target controls covered

Colorado Privacy Act (CPA)

4 source controls mapped|5 target controls covered

Vermont Artificial Intelligence and Consumer Data Act (AICDA)

4 source controls mapped|3 target controls covered

ASD Essential Eight Maturity Model

4 source controls mapped|8 target controls covered

AML/CTF Act 2006 (Australia)

4 source controls mapped|2 target controls covered

ILO Tripartite Declaration of Principles concerning Multinational Enterprises (MNE Declaration)

4 source controls mapped|3 target controls covered

Authorised Economic Operator (AEO) Programmes — Global Standards

4 source controls mapped|2 target controls covered

ISO 42001

4 source controls mapped|2 target controls covered

Australia AI Ethics Framework

4 source controls mapped|2 target controls covered

UAE Virtual Asset Regulatory Authority (VARA) Regulations

4 source controls mapped|4 target controls covered

US OFAC Sanctions Compliance Framework

4 source controls mapped|5 target controls covered

Japan AI Guidelines

4 source controls mapped|2 target controls covered

Brazil AI Framework

4 source controls mapped|2 target controls covered

IEEE 7000

4 source controls mapped|2 target controls covered

China AI Regulations

4 source controls mapped|2 target controls covered

EU AI Act

4 source controls mapped|2 target controls covered

Singapore AI Governance Framework

4 source controls mapped|2 target controls covered

UK AI Regulation Framework

4 source controls mapped|2 target controls covered

OECD AI Principles

4 source controls mapped|2 target controls covered

ISO 19011

3 source controls mapped|5 target controls covered

ISO 15189:2022 — Medical Laboratories Requirements for Quality and Competence

3 source controls mapped|5 target controls covered

3GPP 5G Security Architecture (TS 33.501)

3 source controls mapped|7 target controls covered

ECSS-E-ST-40C: Space Engineering — Software

3 source controls mapped|2 target controls covered

ECSS Software Engineering Standards

3 source controls mapped|2 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

3 source controls mapped|4 target controls covered

DO-178C / ED-12C — Software Considerations in Airborne Systems

3 source controls mapped|2 target controls covered

Automotive SPICE (ASPICE) v4.0 — Process Assessment Model

3 source controls mapped|1 target controls covered

Cyber Security Act 2024 (Australia)

3 source controls mapped|3 target controls covered

FIRST CSIRT Services Framework and Standards

3 source controls mapped|3 target controls covered

Pakistan Personal Data Protection Bill 2023

3 source controls mapped|1 target controls covered

China Cybersecurity Law (CSL)

3 source controls mapped|2 target controls covered

ISO 22320:2018

3 source controls mapped|3 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

3 source controls mapped|1 target controls covered

EU In Vitro Diagnostic Medical Devices Regulation (IVDR)

3 source controls mapped|1 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

3 source controls mapped|1 target controls covered

Serbia Law on Personal Data Protection (2018)

3 source controls mapped|1 target controls covered

Kuwait Data Privacy Protection Regulation (KDPPR, 2021 — CMA Directive)

3 source controls mapped|1 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

3 source controls mapped|1 target controls covered

EU Better Internet for Kids (BIK+) Strategy

3 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

3 source controls mapped|1 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

3 source controls mapped|1 target controls covered

Canada's Anti-Spam Legislation (CASL)

3 source controls mapped|1 target controls covered

Singapore Payment Services Act (PSA) — Digital Payment Token Regulation

3 source controls mapped|2 target controls covered

Tanzania Personal Data Protection Act (Draft)

3 source controls mapped|1 target controls covered

Cayman Islands Data Protection Act 2017 (DPA)

3 source controls mapped|1 target controls covered

Latvia Personal Data Processing Law (Fizisko personu datu apstrades likums, 2018)

3 source controls mapped|1 target controls covered

Brunei Personal Data Protection Order 2024 (PDPO)

3 source controls mapped|1 target controls covered

Ghana Data Protection Act 2012 (Act 843)

3 source controls mapped|1 target controls covered

GHG Protocol

3 source controls mapped|1 target controls covered

ISO/IEC 25012:2008 — Data Quality Model

3 source controls mapped|1 target controls covered

FATF 40 Recommendations

3 source controls mapped|1 target controls covered

ICH E6(R3) — Good Clinical Practice

3 source controls mapped|1 target controls covered

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

3 source controls mapped|1 target controls covered

Australia My Health Records Act 2012

3 source controls mapped|1 target controls covered

EU Data Act

3 source controls mapped|1 target controls covered

OWASP Top 10 for LLM Applications 2025

3 source controls mapped|4 target controls covered

CDP (formerly Carbon Disclosure Project)

3 source controls mapped|3 target controls covered

AASB S2 Climate-related Disclosures

3 source controls mapped|3 target controls covered

Union Customs Code (UCC) - Regulation (EU) No 952/2013

3 source controls mapped|2 target controls covered

EN 50126, EN 50128, and EN 50129 — Railway Applications - Reliability, Availability, Maintainability and Safety (RAMS)

3 source controls mapped|2 target controls covered

ISO 45001

3 source controls mapped|1 target controls covered

Australia IRAP — Information Security Registered Assessors Program

3 source controls mapped|1 target controls covered

ISO 22000

3 source controls mapped|1 target controls covered

ISO 41001:2018 — Facility Management Systems

3 source controls mapped|1 target controls covered

ISO 39001:2012 — Road Traffic Safety Management

3 source controls mapped|1 target controls covered

ISO 50001:2018 — Energy Management Systems

3 source controls mapped|1 target controls covered

ISO 22313:2020 — Guidance on Business Continuity Management Systems

3 source controls mapped|1 target controls covered

ISO 31000

3 source controls mapped|3 target controls covered

Saudi PDPL

3 source controls mapped|1 target controls covered

Korea PIPA

3 source controls mapped|1 target controls covered

Japan APPI

3 source controls mapped|1 target controls covered

China Personal Information Protection Law (PIPL)

3 source controls mapped|1 target controls covered

COSO ERM

3 source controls mapped|3 target controls covered

IRM Enterprise Risk Management Framework (Institute of Risk Management)

3 source controls mapped|3 target controls covered

TNFD Recommendations

3 source controls mapped|1 target controls covered

EU Digital Services Act

3 source controls mapped|2 target controls covered

PCAOB AS 2201 — Audit of Internal Control Over Financial Reporting (ICFR)

3 source controls mapped|2 target controls covered

ISO/IEC 29134:2023

3 source controls mapped|4 target controls covered

ISO/IEC 27014:2020

3 source controls mapped|2 target controls covered

ISO/IEC 23894:2023

3 source controls mapped|3 target controls covered

FedRAMP High

3 source controls mapped|4 target controls covered

NIST SP 800-53 Rev 5 HIGH

3 source controls mapped|4 target controls covered

IRS Publication 1075

3 source controls mapped|4 target controls covered

FedRAMP Moderate

3 source controls mapped|4 target controls covered

NIST SP 800-53 Rev 5 MODERATE

3 source controls mapped|3 target controls covered

NIST SP 800-53 Rev 5 LOW

3 source controls mapped|3 target controls covered

Critical Infrastructure Risk Management Program (CIRMP) Rules 2023

3 source controls mapped|3 target controls covered

German Supply Chain Due Diligence Act (LkSG)

3 source controls mapped|2 target controls covered

Equator Principles (EP4, 2020)

3 source controls mapped|1 target controls covered

APRA CPS 220 Risk Management

3 source controls mapped|1 target controls covered

Colorado Artificial Intelligence Act (proposed SB 24-205)

3 source controls mapped|1 target controls covered

SQF Code Edition 9 — Safe Quality Food

3 source controls mapped|2 target controls covered

FSSC 22000 — Food Safety System Certification

3 source controls mapped|2 target controls covered

Florida Digital Bill of Rights (FDBR)

3 source controls mapped|1 target controls covered

Lloyd's of London Cyber Insurance Requirements and Underwriting Standards

3 source controls mapped|2 target controls covered

IATF 16949:2016 — Quality Management System for Automotive Production

3 source controls mapped|2 target controls covered

South Korea Personal Information Protection Act (PIPA)

3 source controls mapped|1 target controls covered

ISO/IEC 27031:2011

3 source controls mapped|1 target controls covered

EU NIS2 Directive — Transport Sector Requirements

3 source controls mapped|1 target controls covered

OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (2023 Update)

3 source controls mapped|1 target controls covered

Responsible Minerals Initiative (RMI) — Responsible Minerals Assurance Process

3 source controls mapped|4 target controls covered

UK Online Safety Act 2023

3 source controls mapped|3 target controls covered

NIST SP 800-30

3 source controls mapped|3 target controls covered

UK Age Appropriate Design Code (Children's Code)

3 source controls mapped|1 target controls covered

UNICEF Policy Guidance on AI for Children (2021)

3 source controls mapped|1 target controls covered

UNESCO Recommendation on the Ethics of AI

3 source controls mapped|2 target controls covered

Own Risk and Solvency Assessment (ORSA) — NAIC Model Act

3 source controls mapped|3 target controls covered

UK FCA/PRA Operational Resilience Framework

3 source controls mapped|2 target controls covered

APRA SPS 220 Risk Management (Superannuation)

3 source controls mapped|1 target controls covered

NIST SP 800-39

3 source controls mapped|3 target controls covered

NIST SP 800-37

3 source controls mapped|3 target controls covered

SEC Climate Disclosure Rule

3 source controls mapped|1 target controls covered

ISO/IEC 23837 — Security Requirements for Quantum Key Distribution

2 source controls mapped|4 target controls covered

ISO 22739:2024 — Blockchain and Distributed Ledger Technologies Vocabulary

2 source controls mapped|4 target controls covered

ISO/IEC 29115:2023 — Entity Authentication Assurance Framework

2 source controls mapped|4 target controls covered

NSA Quantum-Resistant (QR) Cryptography Migration Guidance

2 source controls mapped|4 target controls covered

FIDO2 and W3C WebAuthn Standard

2 source controls mapped|3 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

2 source controls mapped|3 target controls covered

EDM Council DCAM — Data Management Capability Assessment Model

2 source controls mapped|2 target controls covered

SASB Standards (ISSB Integrated)

2 source controls mapped|2 target controls covered

SASB Standards

2 source controls mapped|2 target controls covered

CWE Top 25 Most Dangerous Software Weaknesses (2024)

2 source controls mapped|6 target controls covered

eIDAS 2.0 — EU Digital Identity Regulation

2 source controls mapped|2 target controls covered

FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)

2 source controls mapped|4 target controls covered

Florida Digital Bill of Rights (SB 262)

2 source controls mapped|3 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA)

2 source controls mapped|4 target controls covered

ISO/IEC 27006:2024

2 source controls mapped|2 target controls covered

ECB TIBER-EU Framework

2 source controls mapped|4 target controls covered

ESRB Privacy Certified

1 source controls mapped|2 target controls covered

Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

1 source controls mapped|2 target controls covered

ISO 31000:2018

1 source controls mapped|2 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

1 source controls mapped|5 target controls covered

NIST SP 800-34 Rev 1 — Contingency Planning Guide

1 source controls mapped|1 target controls covered

NSA CNSA Suite 2.0 — Commercial National Security Algorithm Suite

1 source controls mapped|3 target controls covered

ISO/IEC 42001:2023

1 source controls mapped|1 target controls covered

ENISA Privacy-Enhancing Technologies Reports and Recommendations

1 source controls mapped|2 target controls covered

NATO STANAG 4774/4778 — Confidentiality Metadata Labels

1 source controls mapped|2 target controls covered

ISO 55001

1 source controls mapped|1 target controls covered

ISO 37301

1 source controls mapped|1 target controls covered

ISPE GAMP 5 — A Risk-Based Approach to Compliant GxP Computerised Systems

1 source controls mapped|1 target controls covered

ISO 30401

1 source controls mapped|1 target controls covered

ISO 9001

1 source controls mapped|1 target controls covered

ISO 37001

1 source controls mapped|1 target controls covered

ICH Q10 — Pharmaceutical Quality System

1 source controls mapped|1 target controls covered

Armenia Law on Protection of Personal Data (2015)

1 source controls mapped|2 target controls covered

Russia Federal Law on Personal Data (152-FZ)

1 source controls mapped|1 target controls covered

FIDO2 / WebAuthn — Passwordless Authentication Standard

1 source controls mapped|3 target controls covered

Lebanon Electronic Transactions and Personal Data Protection Law (Law No. 81/2018)

1 source controls mapped|2 target controls covered

Wisconsin Data Privacy Act (SB 670)

1 source controls mapped|3 target controls covered

Tennessee Information Protection Act (TIPA)

1 source controls mapped|2 target controls covered

SWIFT CSCF v2024

1 source controls mapped|1 target controls covered

Proposal for a Regulation on the European Health Data Space (EHDS)

1 source controls mapped|1 target controls covered

USMCA Chapter 19 — Digital Trade (United States-Mexico-Canada Agreement)

1 source controls mapped|1 target controls covered

EN 301 549 — ICT Accessibility Requirements

1 source controls mapped|1 target controls covered

Regional Comprehensive Economic Partnership (RCEP) — E-Commerce Chapter

1 source controls mapped|1 target controls covered

EU Payment Services Directive (PSD2) – Under Review

1 source controls mapped|3 target controls covered

WCAG 2.2

1 source controls mapped|2 target controls covered

ITAR — International Traffic in Arms Regulations

1 source controls mapped|2 target controls covered

US Automated Commercial Environment (ACE) — CBP Trade Data Requirements

1 source controls mapped|1 target controls covered

ISO 19650 — Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

1 source controls mapped|1 target controls covered

EU Clinical Trials Regulation (CTR 536/2014)

1 source controls mapped|1 target controls covered

ILO Declaration on Fundamental Principles and Rights at Work (Core Conventions)

1 source controls mapped|1 target controls covered

Angola Personal Data Protection Law (Law No. 22/11)

1 source controls mapped|1 target controls covered

ISO/IEC 17025:2017 — General Requirements for Testing and Calibration Laboratories

1 source controls mapped|1 target controls covered

MiFID II / MiFIR

1 source controls mapped|1 target controls covered

Samoa Telecommunications Act (2005) — Privacy & Data Protection

1 source controls mapped|2 target controls covered

Uganda Data Protection and Privacy Act (2019)

1 source controls mapped|1 target controls covered

APEC Cross-Border Privacy Rules (CBPR) System

1 source controls mapped|1 target controls covered

UN Guiding Principles on Business and Human Rights (UNGPs)

1 source controls mapped|1 target controls covered

EU Taxonomy Regulation

1 source controls mapped|1 target controls covered

UK Building Safety Act 2022

1 source controls mapped|1 target controls covered

SA8000:2014 — Social Accountability Standard

1 source controls mapped|1 target controls covered

SEC Cybersecurity Disclosure Rules

1 source controls mapped|1 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

1 source controls mapped|1 target controls covered

EU Medical Devices Regulation (MDR 2017/745)

1 source controls mapped|3 target controls covered

Spain Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD)

1 source controls mapped|1 target controls covered

IAIS Insurance Core Principles (ICPs)

1 source controls mapped|1 target controls covered

IEC 60601-1 — Medical Electrical Equipment Safety

1 source controls mapped|1 target controls covered

21 CFR Part 211 — Current Good Manufacturing Practice

1 source controls mapped|3 target controls covered

ISO 14064 — Greenhouse Gas Accounting and Verification (Parts 1-3)

1 source controls mapped|1 target controls covered

FDA Quality Management System Regulation (QMSR)

1 source controls mapped|1 target controls covered

NATO Cyber Defence Standards and NCIRC (NATO Computer Incident Response Capability)

1 source controls mapped|1 target controls covered

Space ISAC (Information Sharing and Analysis Center) — Threat Framework

1 source controls mapped|1 target controls covered

Compare NIST SP 800-172 with DoD Zero Trust Reference Architecture

Frequently Asked Questions

What is NIST SP 800-172?

NIST SP 800-172 is a compliance framework from United States with 17 domains and 69 controls. Enhanced Security Requirements for Protecting CUI It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-172 have?

NIST SP 800-172 has 69 controls organised across 17 domains. The largest domains are RA (7 controls), SI (7 controls), NIST SP 800-172: Access Control & Identity (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-172 map to?

NIST SP 800-172 maps to 537 other compliance frameworks. The top mapping partners are DoD Zero Trust Reference Architecture (30% coverage), Belgium CyberFundamentals (30% coverage), CISA Zero Trust Maturity Model (30% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST SP 800-172 compliance?

Start your NIST SP 800-172 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-172 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 69 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 701 frameworks.

Get Started Free →

Free forever — no credit card required