Secure Controls Framework


Laws vs Regulations vs Frameworks

The three categories of cybersecurity compliance obligations are routinely confused — even by experienced practitioners. Getting this wrong has real consequences: under-investment in legally required controls, or wasted effort on voluntary frameworks mistaken for mandates.


The SCF is the exclusive, trademarked Common Controls Framework™ (CCF™) — a Living Control Set that maps to 200+ laws, regulations, and frameworks using NIST IR 8477 STRM methodology. Understanding the difference between them is the foundation of effective GRC program design.


The Three Categories

Laws, Regulations & Frameworks — Three Fundamentally Different Things

Each category creates different types of obligations, enforced by different authorities, with different consequences for non-compliance. The SCF categorizes all 200+ mapped compliance sources into exactly these three buckets.

Law

A statute enacted by a legislative body — Congress, a state legislature, or a foreign parliament — that creates legally binding obligations for organizations within its jurisdiction. Non-compliance is a violation of the law itself.

Created by: Legislative body (Congress, Parliament, state legislature)
Enforced by: Courts, regulatory agencies, law enforcement
Penalties: Civil fines, criminal prosecution, private right of action
Mandatory? Yes — for entities within jurisdiction
Examples: HIPAA, GLBA, SOX, GDPR, CCPA, TX SB 2610

Regulation

A rule issued by a regulatory agency under authority granted by a law. Regulations fill in the operational specifics that laws leave to agencies — defining exactly what organizations must do to comply with the law’s intent.

Created by: Regulatory agency (DoD, HHS, NYDFS, SEC) under statutory authority
Enforced by: The issuing regulatory agency
Penalties: Regulatory fines, license revocation, contract termination, debarment
Mandatory? Yes — for regulated entities in the agency’s scope
Examples: CMMC, DFARS 252.204-70XX, NY DFS Part 500, FedRAMP

Framework

A voluntary set of best-practice guidance developed by a standards body, industry group, or government agency — without statutory authority. Adoption is optional unless a contract or law specifically requires it.

Created by: NIST, ISO, CIS, ISACA, PCI SSC, AICPA, HITRUST
Enforced by: Not enforced — voluntary adoption unless contractually required
Penalties: None from the framework itself; contract or customer penalties may apply
Mandatory? No — but may be required by contract or used as a “reasonable” standard
Examples: NIST CSF, ISO 27001, CIS Controls, SOC 2, HITRUST

Why the Distinction Matters

Misclassifying Compliance Obligations Has Real Consequences

Organizations that treat voluntary frameworks as mandatory obligations waste resources. Organizations that treat mandatory laws as optional frameworks face regulatory fines, litigation, and criminal exposure. The SCF addresses this by classifying all 1,400+ controls using the MCR / DSR distinction — Minimum Compliance Requirements (legally mandated) vs Discretionary Security Requirements (voluntary best practice).


MCR gaps are legal liability. A gap in a Minimum Compliance Requirement is not a security recommendation — it is a violation of a binding legal obligation with associated penalties.


DSR gaps are risk decisions. A gap in a Discretionary Security Requirement is a business risk decision, not a legal violation. Organizations can accept DSR risk with appropriate documentation.

Frameworks can become MCRs. A voluntary framework becomes mandatory when a law, regulation, or contract specifically requires it — e.g., NIST SP 800-171 is a framework, but DFARS and CMMC make it mandatory for DoD contractors.

The SCF maps both. Every SCF control is tagged MCR or DSR, enabling organizations to instantly identify which gaps are legal mandates vs. risk management decisions.

Side-by-Side Comparison

Laws, Regulations & Frameworks — Key Attributes

| Attribute | ⚖ Law | 📝 Regulation | 📚 Framework |
|---|---|---|---|
| Source of Authority | Legislature | Regulatory Agency | Standards Body / Industry |
| Legal Basis | Statutory — enacted by vote | Administrative — agency rulemaking | None — voluntary adoption |
| Mandatory? | Yes — within jurisdiction | Yes — for regulated entities | No — unless contract requires |
| Enforcement | Courts, DOJ, state AGs | Regulatory agency audits & exams | Customer/contractual pressure |
| Penalty | Civil fines, criminal prosecution | Regulatory fines, debarment | Contract penalties; reputational |
| Private Right of Action? | Often yes (HIPAA, CCPA) | Rarely | No |
| How Specific? | Principles-based | Prescriptive; specific | Varies; often control-based |
| SCF MCR Tag? | Yes — MCR | Yes — MCR | DSR (unless law/reg requires) |
| Examples | HIPAA, GDPR, SOX, GLBA, CCPA | CMMC, DFARS, NY DFS, FedRAMP | NIST CSF, ISO 27001, CIS, SOC 2 |

The Crossover

How Voluntary Frameworks Become Mandatory Obligations

The most important nuance in this topic: voluntary frameworks do not stay voluntary. They become de-facto or de-jure mandatory through three distinct mechanisms.

Mechanism 1 — Regulatory Incorporation

A regulation explicitly requires adoption of a framework. The framework itself has no legal authority — but the regulation does. Non-compliance with the regulation (which requires the framework) carries regulatory penalties.

Example: NIST SP 800-171 is a voluntary NIST publication. But DFARS 252.204-7012 makes it mandatory for all DoD contractors handling CUI. CMMC Level 2 further mandates third-party assessment against it.

Mechanism 2 — Contractual Requirement

A customer, partner, or counterparty requires framework compliance as a condition of doing business. The framework remains voluntary under law — but the contractual obligation makes it mandatory for that relationship.

Example: SOC 2 is a voluntary AICPA framework. But enterprise customers routinely require SOC 2 Type II reports as a condition of vendor onboarding — making it a de-facto requirement for B2B SaaS companies.

Mechanism 3 — "Reasonable" Standard

Courts and regulators treat widely-adopted frameworks as the definition of "reasonable" cybersecurity. Organizations that ignore well-established frameworks face liability exposure — not for violating the framework, but for failing to meet the "reasonable" security standard it defines.

Example: The FTC Act requires "reasonable" data security. The NIST CSF is widely treated as evidence of reasonableness by regulators — deviation from it without justification is a litigation risk even without a specific legal mandate.

How the SCF Handles All Three

One Framework. Laws, Regulations, and Frameworks — All Mapped.

The SCF CCF™ maps to 200+ laws, regulations, and frameworks using the NIST IR 8477 Set Theory Relationship Mapping (STRM) methodology. Every mapped source is classified as a law, regulation, or framework — and every SCF control is tagged with its MCR/DSR status based on which mandatory sources require it.

This means organizations using the SCF know — for every control — whether implementing it satisfies a legally mandatory obligation or represents voluntary best-practice investment. There is no ambiguity about what is required vs. what is recommended.

✓ All 200+ sources classified as law, regulation, or framework in the SCF LRF catalog
✓ Every control tagged MCR (mandatory) or DSR (discretionary) based on the organization's applicable LRF profile
✓ STRM crosswalks show exactly which specific provisions of each law/regulation/framework map to each SCF control
✓ GRC platforms can import the SCF via CSV or NIST OSCAL JSON to automate MCR tracking
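The MCR/DSR tagging described in "Why the Distinction Matters" and "How the SCF Handles All Three", reduced to a small worked example. This is added illustrative code, not the SCF's own crosswalk, data or tooling: the control IDs (EX-…), the crosswalk rows and the two organization profiles are constructed, while the source names and the DFARS 252.204-7012 incorporation of NIST SP 800-171 come from the page. It applies the page's rules: a control is MCR when a law or regulation in the organization's LRF profile maps to it, or when a framework that maps to it is incorporated by an applicable regulation (Mechanism 1) or required by contract (Mechanism 2); otherwise it is DSR. Mechanism 3 is not modelled, since the page presents it as liability exposure rather than a tagged mandate.

```python
"""Added example (not SCF code or data): derive each control's MCR/DSR tag
from an organization's applicable laws, regulations and frameworks (its LRF
profile). Control IDs, crosswalk rows and profiles are constructed."""
from dataclasses import dataclass, field

LAW, REGULATION, FRAMEWORK = "law", "regulation", "framework"


@dataclass(frozen=True)
class Source:
    name: str
    category: str                            # law | regulation | framework
    incorporates: frozenset = frozenset()    # frameworks this source makes mandatory (Mechanism 1)


# Source catalog. The names are publications named on the page; the
# "incorporates" link encodes the page's own example (DFARS -> NIST SP 800-171).
SOURCES = {
    "HIPAA": Source("HIPAA", LAW),
    "DFARS 252.204-7012": Source("DFARS 252.204-7012", REGULATION,
                                 frozenset({"NIST SP 800-171"})),
    "NIST SP 800-171": Source("NIST SP 800-171", FRAMEWORK),
    "NIST CSF": Source("NIST CSF", FRAMEWORK),
    "SOC 2": Source("SOC 2", FRAMEWORK),
}

# Constructed crosswalk: hypothetical control id -> sources that map to it.
# (Not SCF control IDs; a real crosswalk would also carry the provision references.)
CROSSWALK = {
    "EX-MFA-01": {"DFARS 252.204-7012", "NIST SP 800-171", "NIST CSF", "SOC 2"},
    "EX-PHI-01": {"HIPAA"},
    "EX-LOG-01": {"NIST CSF", "SOC 2"},
}


@dataclass
class LrfProfile:
    """What applies to one organization: sources in scope plus contractual obligations."""
    applicable: set                                              # laws, regulations, frameworks in scope
    contractually_required: set = field(default_factory=set)    # frameworks a contract demands (Mechanism 2)


def mandatory_sources(profile: LrfProfile) -> set:
    """Sources that create binding obligations for this organization."""
    mandatory = set()
    for name in profile.applicable:
        src = SOURCES[name]
        if src.category in (LAW, REGULATION):
            mandatory.add(name)
            mandatory |= src.incorporates        # framework pulled in by a regulation (Mechanism 1)
    mandatory |= profile.contractually_required  # framework required by contract (Mechanism 2)
    return mandatory


def classify(profile: LrfProfile) -> dict:
    """Tag every control MCR or DSR; an MCR tag carries the mandatory sources that justify it."""
    mandatory = mandatory_sources(profile)
    result = {}
    for control, mapped in CROSSWALK.items():
        justification = sorted(mapped & mandatory)
        result[control] = ("MCR", justification) if justification else ("DSR", [])
    return result


if __name__ == "__main__":
    # Constructed profiles: a DoD contractor handling CUI, and a B2B SaaS vendor
    # whose customers demand SOC 2 by contract. Same controls, different tags.
    profiles = {
        "DoD contractor": LrfProfile({"DFARS 252.204-7012", "NIST SP 800-171", "NIST CSF"}),
        "B2B SaaS vendor": LrfProfile({"NIST CSF", "SOC 2"}, contractually_required={"SOC 2"}),
    }
    for org, profile in profiles.items():
        print(org)
        for control, (tag, why) in classify(profile).items():
            print(f"  {control}: {tag}" + (f"  (required by {', '.join(why)})" if why else ""))
```

The point the two profiles make is the one the page makes: NIST SP 800-171 and SOC 2 are frameworks in the catalog, yet EX-MFA-01 is MCR for both organizations, for different reasons, while the HIPAA-only control stays DSR for both because neither profile includes that law. A GRC platform importing the SCF via CSV or OSCAL would run the same derivation over the real crosswalk and the organization's real LRF profile.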

See Every Law, Regulation & Framework the SCF Maps


Download the free SCF to access all 1,400+ controls with MCR/DSR classifications, full LRF crosswalk mappings, and STRM-documented justifications for every mapping — for all 200+ laws, regulations, and frameworks.

Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0)
