Secure Controls Framework
GRC Fundamentals

Common Cybersecurity Regulations

Regulatory obligations carry the force of law, but they are rules issued by a regulating body (e.g., a government agency) rather than statutes enacted by a legislature. Regulatory requirements tend to change more often than statutory requirements, because amending a law is comparatively difficult. This page provides a concise reference for the most impactful US cybersecurity regulations: their scope, who they apply to, how they are enforced, and how the SCF CCF™ maps to each.

Common Controls Framework™ (CCF™)

The SCF is the Common Controls Framework™ (CCF™) — a free metaframework with 1,400+ controls across 33 domains, mapped to 200+ laws, regulations and frameworks — including CMMC, DFARS and NY DFS 23 NYCRR 500. Available under Creative Commons licensing.

Importable into GRC platforms · .csv and NIST OSCAL JSON formats · Validated using NIST IR 8477 STRM set theory

US Regulatory Requirements

Key Cybersecurity Regulations

The three most broadly impactful US cybersecurity regulations — covering defense contractors, financial institutions, and the broader federal supply chain.

CMMC
Cybersecurity Maturity Model Certification

Jurisdiction: US Federal
Sector: DoD / Defense
Applies to: DoD contractors and subcontractors who handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
Codified in: Title 32, Part 170 of the Code of Federal Regulations
Key requirements: Three-level maturity model (L1–L3); NIST SP 800-171 implementation; third-party C3PAO assessment for Level 2; annual self-attestation
Enforcement: Loss of contract eligibility; False Claims Act liability (treble damages); potential debarment
Certification: Yes, DoD CMMC certification via C3PAO or DIBCAC
SCF domains: GOV, IAC, MNT, CFG, NET, SA, SCF, RA, IRO

DFARS 252.204-70XX
Defense Federal Acquisition Regulation Supplement

Jurisdiction: US Federal
Sector: DoD / Defense
Applies to: Defense contractors and subcontractors storing, processing or transmitting Controlled Unclassified Information (CUI)
Key clauses: 252.204-7008 (pre-award); 252.204-7012 (safeguarding + 72-hour incident reporting); 252.204-7019 (SPRS); 252.204-7020 (DoD audit); 252.204-7021 (CMMC)
Key requirements: Full implementation of NIST SP 800-171 (110 controls); SSP and POA&M documentation; SPRS score submission; 72-hour cyber incident reporting
Enforcement: Breach of contract; False Claims Act liability ($9M+ settlements); contract termination; suspension/debarment
Certification: Yes, via CMMC (clause -7021)
SCF domains: GOV, IAC, MNT, CFG, NET, SA, SCF, RA, IRO, TPM

NY DFS 23 NYCRR 500
New York Department of Financial Services Cybersecurity Regulation

Jurisdiction: US (New York)
Sector: Financial Services
Applies to: NY-licensed financial institutions, including banks, insurers, mortgage companies, money transmitters, virtual currency businesses, and health/life insurers operating in New York
Key requirements: Written cybersecurity program; designated CISO; annual penetration testing; MFA for external/privileged access; 72-hour incident notification; annual compliance certification by April 15
Enforcement: Civil monetary penalties up to tens of millions; consent orders; license revocation; public enforcement disclosure (Robinhood $30M; EyeMed $4.5M)
Certification: No official certification; the SCF CAP can issue SCF Certified – NY DFS 23 NYCRR 500
SCF domains: GOV, IAC, RA, MON, IRO, TPM, BCD, TRN

Enforcement Reference

Cybersecurity Regulation Enforcement Comparison

Enforcement mechanisms and exposure vary significantly across regulations. This reference covers the primary enforcement levers — actual consequences depend on severity, intent, and remediation efforts.

| Regulation | Jurisdiction | Primary Enforcement | Criminal Exposure? | Certification Required? |
|---|---|---|---|---|
| CMMC | US Federal (DoD) | Loss of contract eligibility; False Claims Act (treble damages) | Yes, via FCA qui tam provisions | Yes, C3PAO or DIBCAC (Level 2+) |
| DFARS 252.204-7012 | US Federal (DoD) | Breach of contract; FCA liability; $9M+ settlements on record | Yes, via False Claims Act | Yes, via CMMC clause -7021 |
| DFARS 252.204-7019 | US Federal (DoD) | Ineligibility to bid; SPRS score scrutiny during source selection | Yes, score inflation is FCA fraud | No, self-assessed SPRS score |
| NY DFS 23 NYCRR 500 | New York State | Civil monetary penalties; consent orders; license suspension/revocation | No (civil regulatory) | No, annual self-certification to DFS |
| FAR 52.204-21 | US Federal | Contract termination; suspension/debarment | Yes, via FCA if misrepresented | No, self-attestation |
| FINRA Cybersecurity Rules | US (Self-Regulatory) | Fines, suspensions, and expulsion from FINRA membership | No (regulatory) | No |

Enforcement mechanisms shown are indicative. Actual consequences vary based on severity, cooperation, and remediation. This is not legal advice.

Get Started

See Every Regulation Mapped in the SCF

Every regulation on this page — and 80+ more — is mapped to specific SCF controls in the free SCF download. One unified control set. Every applicable regulation satisfied.