All Frameworks Supported by Ignyte Platform

SOC 2
Finance | Universal

Service Organization Control (SOC) 2 is a voluntary standard; however, prospects or clients may require their vendors to formally demonstrate compliance with organizational controls covering the effectiveness of security, availability, processing integrity, and privacy or confidentiality. It is a means of identifying third-party technology risks in the processes and systems that handle user data.

SOC 3
Finance | Universal

Service Organization Control (SOC) 3 is a freely distributable, general-use report that provides assurance about an organization's controls for prospects and clients who do not need, or lack the expertise to use, a SOC 2 report effectively.

CCPA
Privacy | USA

The California Consumer Privacy Act (CCPA) is a state statute created to strengthen the privacy protections and rights of California residents as consumers. While it is specific to California, its reach extends to any organization that does business in California and processes or stores its residents' data.

CSC by CIS
Privacy | Universal

The Critical Security Controls (CSC) from the Center for Internet Security (CIS) are actionable, activity-based recommendations that help organizations stop the dangerous cyber attacks seen today and improve their cyber defenses.

CJIS
Privacy | USA

Criminal Justice Information Services (CJIS) applies to law enforcement and provides controls for protecting criminal justice information, at rest or in transit. It applies to every person who accesses or supports this information, from creating, viewing, editing, transmitting, sharing, and storing it through to its destruction. It integrates guidance from multiple sources, including NIST, federal law, presidential and FBI directives, and decisions of the criminal justice system.

CMMC
Government | USA

The Cybersecurity Maturity Model Certification (CMMC) is a DoD program for the Defense Industrial Base (DIB) to protect sensitive information with national security ramifications. The program is a three-tiered model in which each level builds on the requirements of the lower levels. CMMC is designed to enhance an organization's cybersecurity posture, and the level a contractor or subcontractor must reach depends on the sensitivity of the data it handles.

CNSS Instruction No. 1253
Privacy | USA

Committee on National Security Systems (CNSS) Instruction No. 1253 is written for information systems security engineers, authorizing officials, senior information security officers, and related roles. It covers the first two steps of the NIST Risk Management Framework (RMF) and is companion guidance to NIST SP 800-53.

COSO
Privacy | Universal

The Committee of Sponsoring Organizations (COSO) has developed several frameworks for Enterprise Risk Management (ERM) and for internal control, as well as a report on fraudulent financial reporting. COSO is considered an authority on internal control and a thought leader in the governance of risk management and fraud deterrence.

DAAPM
Government | USA

The Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM) adopts the NIST RMF standards as the guide for the assessment and authorization of information systems (IS), helping to build reciprocity and streamline efforts across federal agencies. It is directed explicitly at cleared National Industrial Security Program (NISP) contractors processing classified information and provides structured, repeatable risk management processes for the use and operation of information systems.

DFARS 252.204-7008
Government | USA

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 covers acquisition and contracts and specifically addresses compliance with the safeguarding of "covered defense information" controls. It is closely tied to 252.204-7012, which provides the definitions and guidance.

DFARS 252.204-7012
Government | USA

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 covers acquisition and contracts and provides the definitions and guidance for safeguarding "Covered Defense Information" through adequate security and enhanced security measures such as FedRAMP requirements. The clause also requires cyber incidents to be reported within 72 hours.

FedRAMP
Government | USA

The Federal Risk and Authorization Management Program (FedRAMP) is a risk-based framework that ensures the security of cloud services used by the federal government. Accredited Third-Party Assessment Organizations (3PAOs) evaluate cloud service providers (CSPs) to determine whether their services meet the security requirements to become an authorized provider.

FERPA
Government | USA

The Family Educational Rights and Privacy Act (FERPA) was developed to protect the education records of students of all ages and at all levels of the education system, including applicable programs. It covers the rights of parents and students to control their records and to block the disclosure of personally identifiable information (PII) in those records without written consent.

FFIEC
Finance | USA

The Federal Financial Institutions Examination Council (FFIEC) ensures that uniform principles, reporting forms, and standards are in place for federally regulated financial institutions, holding companies, and their non-financial subsidiaries. It consists of multiple agencies, including the FDIC, the NCUA, the Office of the Comptroller of the Currency, the Federal Reserve System, and the Consumer Financial Protection Bureau.

FISCAM
Government | USA

The Federal Information System Controls Audit Manual (FISCAM) provides auditors with guidance for evaluating the confidentiality, integrity, and availability of information systems in a manner consistent with government auditing standards. FISCAM aligns with NIST guidelines with regard to FISMA compliance.

FISMA
Government | USA

The Federal Information Security Modernization Act (FISMA) is specific to federal agencies, contractors, and any other sources that operationally support agency assets. It requires the implementation of agency-wide programs to develop and document information security for information and systems, along with continuous monitoring, compliance, and reporting.

GDPR
Privacy | EU

The General Data Protection Regulation (GDPR), while an EU regulation, affects any entity doing business with the EU. The regulation protects personal data relating to identified or identifiable persons. Examples of personal data include, but are not limited to, a name, an ID number, an online identifier, or one or more factors relating to the person's social identity.

GLBA
Finance | USA

The Gramm-Leach-Bliley Act (GLBA) requires the safeguarding of confidential customer personally identifiable information (PII) gathered from customer records (paper, electronic, or other forms) by a financial institution and its affiliates.

HITRUST
Healthcare | USA

Health Information Trust Alliance (HITRUST) programs and services center on its certifiable framework, the HITRUST CSF, which provides structure, guidance, transparency, and cross-references to authoritative sources to ensure data protection compliance. The authoritative sources of its security and privacy controls include NIST, HIPAA, GDPR, and others.

HIPAA
Healthcare | USA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal mandate that addressed the need for standards protecting the flow of sensitive health information, known as protected health information (PHI), and the need for patient privacy and for patient consent and knowledge when "covered entities" disclose PHI.

IRS 1075
Government | USA

Internal Revenue Service (IRS) 1075 is specific to federal tax information (FTI) and the protection of this data from disclosure, illegal use, and review without specific permission from the IRS.

COBIT
Finance | Universal

The Control Objectives for Information Technologies (COBIT) framework by ISACA focuses on IT management and governance. Its main components are a domain-based framework, process descriptions, control objectives (high-level requirements), management guidelines covering responsibilities, agreed goals, and performance measurement, and a maturity model to help identify and address gaps. It can be used for designing an organization's IT system or as an audit tool. COBIT ties in with other frameworks such as COSO, ITIL, ISO 27000, and others.

ISO 17020
Government | USA

ISO/IEC 17020:2012, "Conformity assessment – Requirements for the operation of various types of bodies performing inspection", provides the set of requirements (clauses) used in a conformity assessment to become an accredited inspection body. An organization needs to demonstrate competence in impartiality, identifying conflicts of interest, resource and quality management (control of documents and records), and consistency in its inspection processes and services. It also requires internal oversight, such as regular management review meetings, impartial internal audits, and continuous improvement through corrective and preventive actions.

ISO 27001
Government | USA

ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS), whose primary purpose is to make information assets more secure. It requires the examination of information security risks (potential threats, vulnerabilities, and associated impacts) and the selection of risk treatments that address the identified risks directly, ensuring that the appropriate information security controls are scoped, in place, and monitored on an ongoing basis for opportunities to improve.

NISPOM
Government | USA

The National Industrial Security Program Operating Manual (NISPOM) is designed to prevent the unauthorized disclosure of classified information and requires the reporting of certain activities, such as foreign travel or foreign contacts, by cleared individuals with classified access. It is meant to protect against potential national security threats and to maintain the integrity of security clearance eligibility.

NIST SP 800-37
Government | USA

National Institute of Standards and Technology (NIST) SP 800-37 is designed to help organizations manage risk and satisfy federal laws, policies, and regulations such as FISMA. It defines and guides the use of the Risk Management Framework (RMF) for federal information systems that collect, process, maintain, use, share, or dispose of digital or hardcopy information. SP 800-37 can also be adopted voluntarily by the private sector as guidance for handling security and privacy risks.

NIST 800-171
Government | USA

National Institute of Standards and Technology (NIST) SP 800-171 focuses on protecting Controlled Unclassified Information (CUI) and provides the baseline requirements for CMMC 2.0. It is essential for non-government systems and entities that handle CUI in the fulfillment of a government contract, as it outlines the recommended security controls for protecting the confidentiality of CUI when processing, storing, or transmitting it.

PCI DSS
Privacy | USA

The Payment Card Industry Data Security Standard (PCI DSS) is specific to the handling of credit card related data and the need to secure and protect it end to end. The standard requires annual compliance validation for any business or provider that processes credit or debit transactions. It has 12 technical and operational requirements for protecting this type of data, covering firewalls, encryption, anti-virus software, system access monitoring, and information security policies, among others.

PHI
Healthcare | USA

Protected Health Information (PHI) is the healthcare data, associated with individual records (past, present, or future), that is created, sent, received, or stored by the covered entities and business associates subject to HIPAA. Any data element, or combination of elements, that could be used to identify a person is considered PHI, such as name, address, email, SSN, and so on, for a total of 18 identifiers.

SOX
Finance | USA

The Sarbanes-Oxley Act (SOX) helps protect investors against corporate financial fraud through tough penalties and stricter record-keeping requirements, and it applies to accountants, auditors, and corporate officers. Its key provisions include requiring an officer's written confirmation that financial reports comply with SEC requirements; the establishment of internal controls and reporting methods by management and auditors to ensure accuracy; and protection against the destruction or falsification of records, together with rules on record retention and on which hardcopy or electronic records must be stored.