Laws, regulations, compliance mandates, and enforcement guidance
34 total articles
HIPAA requirement limiting PHI access to the minimum amount necessary for the intended purpose, enforced through role-based access controls and disclosure review procedures.
California consumer privacy rights including rights to know, delete, opt out of sale, and non-discrimination, with CPRA amendments expanding to correction and sensitive data limits.
Virginia comprehensive privacy law establishing consumer data rights, controller obligations, and data protection assessment requirements for organizations targeting Virginia residents.
CCPA expansion introducing new consumer rights, the California Privacy Protection Agency, sensitive data restrictions, and data minimization principles effective January 2023.
Legally binding contracts required under GDPR Article 28 defining processing scope, security obligations, and rights between data controllers and processors.
FTC-enforced requirements for protecting children's online privacy, mandating verifiable parental consent and data minimization for services collecting data from users under 13.
Pre-approved EU contractual terms providing data protection safeguards for international personal data transfers, with four modules covering different party relationships.
Legal instruments and technical safeguards enabling lawful international personal data transfers while maintaining equivalent protection levels across jurisdictions.
Laws mandating that data be stored or processed within specific geographic boundaries, requiring organizations to implement region-specific infrastructure and data routing controls.
EU-approved internal corporate data protection policies enabling multinational groups to transfer personal data freely between entities worldwide with GDPR-equivalent protections.
The EU-US Data Privacy Framework replacing the invalidated Privacy Shield, providing legal basis for transatlantic data transfers with new intelligence oversight safeguards.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques used for threat modeling, detection engineering, and security gap analysis.
CIS Controls v8 provides 18 prioritized controls (153 safeguards) in three implementation groups, widely used as a practical security baseline.
The CJIS Security Policy sets minimum security requirements for accessing FBI criminal justice databases, applying to all entities handling criminal justice information.
TX-RAMP is a Texas state mandate requiring cloud service providers to meet defined security standards before serving state agencies.
StateRAMP provides standardized cloud security authorization for state and local governments, modeled after the federal FedRAMP program.
DFARS clause 252.204-7012 requires defense contractors to implement NIST SP 800-171 controls and report cyber incidents within 72 hours.
EAR governs the export of commercial and dual-use items from the U.S., including encryption and cybersecurity tools, administered by the Bureau of Industry and Security.
ITAR controls the export of defense articles and technical data, requiring U.S. government authorization before sharing with foreign persons.
NIST SP 800-171 (Rev. 2) defines 110 security requirements for protecting Controlled Unclassified Information in nonfederal systems and organizations.
NIST SP 800-53 is the comprehensive catalog of over 1,000 security and privacy controls used as the baseline for FISMA, FedRAMP, and federal cybersecurity.
FERPA protects the privacy of student education records at institutions receiving federal funding, with consequences including loss of federal funding.
FISMA requires federal agencies to implement comprehensive information security programs following NIST guidelines, with annual reporting to OMB.
SOX IT controls are the technical safeguards publicly traded companies must implement to ensure integrity of financial reporting systems.
CMMC is a DoD certification framework requiring defense contractors to meet tiered cybersecurity maturity levels to handle Controlled Unclassified Information.
GDPR Article 17 grants data subjects in the EU the right to request erasure of their personal data, with significant penalties for non-compliance.
PCI DSS v4.0 is the global standard for securing payment card data, requiring organizations to implement controls across networks, access, and monitoring.
The CCPA is California's landmark privacy law granting consumers rights over their personal data and imposing obligations on businesses that collect it.
GLBA requires financial institutions to protect customer data through comprehensive information security programs and transparent privacy practices.
SOC 2 Type II evaluates the design and operating effectiveness of a service organization's controls over a review period, and is commonly required by enterprise buyers.
The EU's DORA regulation sets ICT risk management, incident reporting, and third-party oversight requirements for the financial sector.
Technical requirements for complying with California's privacy laws, including data mapping, consumer rights, and security obligations.
GDPR mandates security measures for personal data including encryption, resilience, and 72-hour breach notification.
SEC rules require public companies to disclose material cyber incidents within 4 business days and report risk management annually.