{
  "$comment": "Locked at Phase 1.2. Hand-curated multi-version catalogue of frameworks the Splunk Monitoring Use Cases catalogue maps against. Each framework has 1..n versions. Each version carries its own clauseGrammar, clauseExamples, clauseUrlTemplate, commonClauses[] (each entry with a priorityWeight), and pendingChanges[]. derives_from graph propagates parent mappings to derivative frameworks with per-clause divergences. Authoritative sources are ingested separately under data/crosswalks/olir and data/crosswalks/oscal; this file is the project-level index. See LEGAL.md for the disclaimer and per-source licence attributions. Replaces data/regulations.draft.json, which remains only for Phase 0.2 reproducibility. v1.1.0 (2026-04-20, Regulation-to-UC Story Redesign Phase 1): each commonClauses[] entry MAY additionally carry optional 'obligationText' (string, 40-600 chars, the regulator's own requirement in plain-but-faithful language) and 'obligationSource' (URL, deep link to the regulator-published paragraph the obligationText was extracted from). Backfilled tier-by-tier; consumed by api/v1/compliance/clauses/*.json, api/v1/compliance/story/*.json, and the clause-navigator / compliance-story HTML surfaces.",
  "schemaVersion": "1.1.0",
  "lastUpdated": "2026-04-20",
  "priorityWeightRubric": {
    "$comment": "Weights derived from regulator-published priority language. Rubric: 1.0 = the regulator uses 'must' / mandatory / baseline-required; 0.7 = the regulator uses 'should' or includes this as a moderate-baseline control; 0.4 = 'may' / enhancement / addressable / recommended; 0.2 = informative / example / appendix.",
    "must": 1.0,
    "should": 0.7,
    "may": 0.4,
    "informative": 0.2
  },
  "frameworks": [
    {
      "id": "gdpr",
      "name": "General Data Protection Regulation",
      "shortName": "GDPR",
      "tier": 1,
      "jurisdiction": [
        "EU",
        "EEA"
      ],
      "tags": [
        "privacy",
        "data-protection"
      ],
      "aliases": [
        "GDPR",
        "Regulation (EU) 2016/679"
      ],
      "versions": [
        {
          "version": "2016/679",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
          "effectiveFrom": "2018-05-25",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?(\\([a-z]\\))?(\\([a-z]\\))?$",
          "clauseExamples": [
            "Art.5",
            "Art.32(1)(b)",
            "Art.32(1)(b)(c)",
            "Art.15",
            "Art.33"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/reg/2016/679/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.5",
              "topic": "Principles of processing",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.6",
              "topic": "Lawful basis",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.7",
              "topic": "Conditions for consent",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.15",
              "topic": "Right of access",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.16",
              "topic": "Right to rectification",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.17",
              "topic": "Right to erasure",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.18",
              "topic": "Right to restrict processing",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.20",
              "topic": "Right to data portability",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.21",
              "topic": "Right to object",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.22",
              "topic": "Automated decision making",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.25",
              "topic": "Data protection by design and by default",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.28",
              "topic": "Processor obligations",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.30",
              "topic": "Records of processing",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.32",
              "topic": "Security of processing",
              "priorityWeight": 1.0,
              "obligationText": "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.",
              "obligationSource": "https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e2930-1-1"
            },
            {
              "clause": "Art.33",
              "topic": "Breach notification to supervisory authority",
              "priorityWeight": 1.0,
              "obligationText": "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.",
              "obligationSource": "https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3002-1-1"
            },
            {
              "clause": "Art.34",
              "topic": "Breach communication to data subjects",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.35",
              "topic": "DPIA",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.44",
              "topic": "International transfers — general principle",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.45",
              "topic": "Transfers via adequacy decision",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.46",
              "topic": "Transfers subject to safeguards",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "hipaa-security",
      "name": "HIPAA Security Rule",
      "shortName": "HIPAA Security",
      "tier": 1,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "healthcare",
        "phi"
      ],
      "aliases": [
        "HIPAA",
        "HIPAA Security Rule",
        "45 CFR 164 Subpart C"
      ],
      "versions": [
        {
          "version": "2013-final",
          "authoritativeUrl": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C",
          "effectiveFrom": "2013-09-23",
          "sunsetOn": null,
          "clauseGrammar": "^§164\\.(30[0-9]|31[0-9]|40[0-9]|41[0-9]|50[0-9]|51[0-9]|52[0-9]|53[0-9])(\\([a-z]\\))?(\\(\\d+\\))?(\\([ivx]+\\))?(\\([A-Z]\\))?$",
          "clauseExamples": [
            "§164.308(a)(1)",
            "§164.312(b)",
            "§164.312(e)(1)",
            "§164.308(a)(7)(ii)(D)",
            "§164.402",
            "§164.404(b)",
            "§164.502(a)",
            "§164.514(d)"
          ],
          "grammarNotes": "Accepts Security Rule (§164.3xx), Breach Notification Rule (§164.4xx), and Privacy Rule (§164.5xx) sections because the 'HIPAA Security' shortName historically tagged Privacy and Breach Notification references too; Phase 3.1 splits those into dedicated HIPAA Privacy and HIPAA Breach Notification entries.",
          "clauseUrlTemplate": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-{section}#p-{clause}",
          "commonClauses": [
            {
              "clause": "§164.308(a)(1)",
              "topic": "Security management process",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.308(a)(3)",
              "topic": "Workforce security",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.308(a)(4)",
              "topic": "Information access management",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.308(a)(5)",
              "topic": "Security awareness and training",
              "priorityWeight": 0.7
            },
            {
              "clause": "§164.308(a)(6)",
              "topic": "Security incident procedures",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.308(a)(7)",
              "topic": "Contingency plan",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.308(a)(8)",
              "topic": "Evaluation",
              "priorityWeight": 0.7
            },
            {
              "clause": "§164.310(a)(1)",
              "topic": "Facility access controls",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.310(d)(1)",
              "topic": "Device and media controls",
              "priorityWeight": 0.7
            },
            {
              "clause": "§164.312(a)(1)",
              "topic": "Access control",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.312(a)(2)(iv)",
              "topic": "Encryption and decryption",
              "priorityWeight": 0.7
            },
            {
              "clause": "§164.312(b)",
              "topic": "Audit controls",
              "priorityWeight": 1.0,
              "obligationText": "A covered entity or business associate must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.",
              "obligationSource": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(b)"
            },
            {
              "clause": "§164.312(c)(1)",
              "topic": "Integrity",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.312(d)",
              "topic": "Person or entity authentication",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.312(e)(1)",
              "topic": "Transmission security",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "date": "2026-01-06",
              "note": "HHS NPRM proposing Security Rule updates (cybersecurity requirements, MFA, encryption). Monitor federalregister.gov/d/2024-30983."
            }
          ]
        }
      ]
    },
    {
      "id": "pci-dss",
      "name": "Payment Card Industry Data Security Standard",
      "shortName": "PCI DSS",
      "tier": 1,
      "jurisdiction": [
        "GLOBAL"
      ],
      "tags": [
        "payments",
        "cardholder-data"
      ],
      "aliases": [
        "PCI DSS",
        "PCI-DSS"
      ],
      "versions": [
        {
          "version": "v3.2.1",
          "authoritativeUrl": "https://www.pcisecuritystandards.org/document_library/",
          "effectiveFrom": "2018-05-01",
          "sunsetOn": "2024-03-31",
          "clauseGrammar": "^\\d+(\\.\\d+){1,3}(\\.[a-z])?$",
          "clauseExamples": [
            "10.2.1",
            "8.2.3",
            "11.3.1"
          ],
          "clauseUrlTemplate": "https://listings.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf#clause={clause}",
          "commonClauses": [
            {
              "clause": "3.4",
              "topic": "PAN rendering unreadable",
              "priorityWeight": 1.0
            },
            {
              "clause": "8.2.3",
              "topic": "Strong password parameters",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.1",
              "topic": "Audit trail linking access to user",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.2",
              "topic": "Audit events required to be logged",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.5",
              "topic": "Log integrity",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.6",
              "topic": "Log review",
              "priorityWeight": 1.0
            },
            {
              "clause": "11.4",
              "topic": "Intrusion detection",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": [
            {
              "date": "2024-03-31",
              "note": "v3.2.1 retired; v4.0.x is the sole valid version from 1 April 2024."
            }
          ]
        },
        {
          "version": "v4.0",
          "authoritativeUrl": "https://www.pcisecuritystandards.org/document_library/",
          "effectiveFrom": "2022-03-31",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+(\\.\\d+){1,3}(\\.[a-z])?$",
          "clauseExamples": [
            "1.2.1",
            "10.2.1.1",
            "11.4.1",
            "12.3.1"
          ],
          "clauseUrlTemplate": "https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf#clause={clause}",
          "commonClauses": [
            {
              "clause": "1.2",
              "topic": "Network security controls configuration",
              "priorityWeight": 1.0
            },
            {
              "clause": "1.3",
              "topic": "CDE network boundary",
              "priorityWeight": 1.0
            },
            {
              "clause": "2.2",
              "topic": "Secure system component configuration",
              "priorityWeight": 1.0
            },
            {
              "clause": "3.3",
              "topic": "Sensitive authentication data not stored",
              "priorityWeight": 1.0
            },
            {
              "clause": "3.5",
              "topic": "PAN protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "4.2",
              "topic": "Strong cryptography for CHD in transit",
              "priorityWeight": 1.0
            },
            {
              "clause": "5.2",
              "topic": "Anti-malware mechanisms",
              "priorityWeight": 1.0
            },
            {
              "clause": "6.2",
              "topic": "Bespoke software developed securely",
              "priorityWeight": 1.0
            },
            {
              "clause": "6.3",
              "topic": "Vulnerabilities identified and addressed",
              "priorityWeight": 1.0
            },
            {
              "clause": "7.2",
              "topic": "Access granted on least privilege",
              "priorityWeight": 1.0
            },
            {
              "clause": "8.3",
              "topic": "Strong authentication",
              "priorityWeight": 1.0
            },
            {
              "clause": "8.4",
              "topic": "MFA",
              "priorityWeight": 1.0
            },
            {
              "clause": "8.6",
              "topic": "Application and system accounts",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.2",
              "topic": "Audit logs captured for all system components",
              "priorityWeight": 1.0,
              "obligationText": "Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. Audit logs capture all individual user access to cardholder data; all actions taken by any individual with administrative access, including any interactive use of application or system accounts; all access to audit logs; all invalid logical access attempts; all changes to identification and authentication credentials; the initialization, stopping or pausing of the existing audit logs; and the creation and deletion of system-level objects.",
              "obligationSource": "https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf#page=170"
            },
            {
              "clause": "10.3",
              "topic": "Audit logs protected from modification",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.4",
              "topic": "Time synchronised",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.6",
              "topic": "Logs reviewed",
              "priorityWeight": 1.0
            },
            {
              "clause": "10.7",
              "topic": "Log retention",
              "priorityWeight": 1.0
            },
            {
              "clause": "11.3",
              "topic": "External and internal vulnerabilities identified",
              "priorityWeight": 1.0
            },
            {
              "clause": "11.4",
              "topic": "Intrusion detection / prevention",
              "priorityWeight": 1.0
            },
            {
              "clause": "12.3",
              "topic": "Targeted risk analysis",
              "priorityWeight": 0.7
            },
            {
              "clause": "12.10",
              "topic": "Security incident response",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "date": "2025-03-31",
              "note": "Future-dated v4.0 requirements (including 3.5.1.2, 8.4.2 MFA, 11.3.1.2) become effective."
            }
          ]
        }
      ]
    },
    {
      "id": "soc-2",
      "name": "SOC 2 Trust Services Criteria",
      "shortName": "SOC 2",
      "tier": 1,
      "jurisdiction": [
        "US",
        "GLOBAL"
      ],
      "tags": [
        "assurance",
        "service-providers"
      ],
      "aliases": [
        "SOC 2",
        "SOC2",
        "Trust Services Criteria"
      ],
      "versions": [
        {
          "version": "2017 TSC",
          "versionNotes": "2017 Trust Services Criteria with the 2022 Points of Focus (POF) supplement; the POF supplement is advisory, not a new version.",
          "authoritativeUrl": "https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services",
          "effectiveFrom": "2018-12-15",
          "sunsetOn": null,
          "clauseGrammar": "^(CC|A|C|P|PI)\\d+(\\.\\d+)?$",
          "clauseExamples": [
            "CC6.1",
            "CC7.2",
            "A1.2",
            "C1.1",
            "P1.1"
          ],
          "clauseUrlTemplate": "https://www.aicpa-cima.com/tsc2017#{clause}",
          "commonClauses": [
            {
              "clause": "CC1.1",
              "topic": "Integrity and ethical values",
              "priorityWeight": 0.7
            },
            {
              "clause": "CC2.1",
              "topic": "Internal communication",
              "priorityWeight": 0.7
            },
            {
              "clause": "CC3.1",
              "topic": "Risk assessment",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC5.1",
              "topic": "Control activities",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC6.1",
              "topic": "Logical access controls",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC6.6",
              "topic": "Encryption in transit",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC6.7",
              "topic": "System boundaries and data transmission",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC7.1",
              "topic": "System operations monitoring",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC7.2",
              "topic": "System monitoring for anomalies",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC7.3",
              "topic": "Evaluated events and incidents",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC7.4",
              "topic": "Incident response",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC8.1",
              "topic": "Change management",
              "priorityWeight": 1.0
            },
            {
              "clause": "CC9.1",
              "topic": "Risk mitigation activities",
              "priorityWeight": 0.7
            },
            {
              "clause": "A1.2",
              "topic": "Availability commitments",
              "priorityWeight": 0.7
            },
            {
              "clause": "C1.1",
              "topic": "Confidentiality",
              "priorityWeight": 0.7
            },
            {
              "clause": "P1.1",
              "topic": "Privacy notice",
              "priorityWeight": 0.4
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "sox-itgc",
      "name": "SOX — PCAOB AS 2201 ITGCs",
      "shortName": "SOX ITGC",
      "tier": 1,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "financial-reporting",
        "itgc"
      ],
      "aliases": [
        "SOX",
        "SOX ITGC",
        "PCAOB AS 2201",
        "Sarbanes-Oxley"
      ],
      "versions": [
        {
          "version": "PCAOB AS 2201",
          "authoritativeUrl": "https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201",
          "effectiveFrom": "2007-11-15",
          "sunsetOn": null,
          "clauseGrammar": "^ITGC\\.[A-Za-z]+\\.[A-Za-z]+$",
          "clauseExamples": [
            "ITGC.AccessMgmt.Provisioning",
            "ITGC.ChangeMgmt.Approval",
            "ITGC.Logging.Continuity"
          ],
          "clauseUrlTemplate": "https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201#{clause}",
          "commonClauses": [
            {
              "clause": "ITGC.AccessMgmt.Provisioning",
              "topic": "User provisioning",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.AccessMgmt.Termination",
              "topic": "Timely deprovisioning",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.AccessMgmt.Privileged",
              "topic": "Privileged access",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.AccessMgmt.SOD",
              "topic": "Segregation of duties",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.AccessMgmt.Review",
              "topic": "Periodic access review",
              "priorityWeight": 0.7
            },
            {
              "clause": "ITGC.ChangeMgmt.Authorization",
              "topic": "Change authorised",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.ChangeMgmt.Testing",
              "topic": "Change tested",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.ChangeMgmt.Approval",
              "topic": "Change approved",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.Operations.JobSchedule",
              "topic": "Batch scheduling and monitoring",
              "priorityWeight": 0.7
            },
            {
              "clause": "ITGC.Operations.Backup",
              "topic": "Backup and restore",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.Logging.Continuity",
              "topic": "Audit trail completeness",
              "priorityWeight": 1.0
            },
            {
              "clause": "ITGC.Logging.Review",
              "topic": "Log review",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "iso-27001",
      "name": "ISO/IEC 27001 — ISMS",
      "shortName": "ISO 27001",
      "tier": 1,
      "jurisdiction": [
        "GLOBAL"
      ],
      "tags": [
        "isms",
        "certification"
      ],
      "aliases": [
        "ISO 27001",
        "ISO/IEC 27001"
      ],
      "versions": [
        {
          "version": "2013",
          "authoritativeUrl": "https://www.iso.org/standard/54534.html",
          "effectiveFrom": "2013-10-01",
          "sunsetOn": "2025-10-31",
          "clauseGrammar": "^(A\\.)?\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "A.12.4.1",
            "A.9.2.5",
            "6.1"
          ],
          "clauseUrlTemplate": "https://www.iso.org/standard/54534.html#{clause}",
          "commonClauses": [
            {
              "clause": "A.9.2.5",
              "topic": "Review of user access rights (2013)",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.12.4.1",
              "topic": "Event logging (2013)",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.12.4.2",
              "topic": "Protection of log information (2013)",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.12.4.3",
              "topic": "Administrator and operator logs (2013)",
              "priorityWeight": 0.7
            },
            {
              "clause": "A.16.1.2",
              "topic": "Reporting information security events (2013)",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "date": "2025-10-31",
              "note": "2013 edition retired; organisations must transition to 2022."
            }
          ]
        },
        {
          "version": "2022",
          "authoritativeUrl": "https://www.iso.org/standard/27001",
          "effectiveFrom": "2022-10-25",
          "sunsetOn": null,
          "clauseGrammar": "^(A\\.)?\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "A.8.15",
            "A.8.16",
            "A.5.23",
            "6.1"
          ],
          "clauseUrlTemplate": "https://www.iso.org/standard/27001#{clause}",
          "commonClauses": [
            {
              "clause": "6.1",
              "topic": "Risk assessment",
              "priorityWeight": 1.0
            },
            {
              "clause": "6.2",
              "topic": "Information-security objectives",
              "priorityWeight": 1.0
            },
            {
              "clause": "7.2",
              "topic": "Competence",
              "priorityWeight": 0.7
            },
            {
              "clause": "7.5",
              "topic": "Documented information",
              "priorityWeight": 0.7
            },
            {
              "clause": "8.1",
              "topic": "Operational planning",
              "priorityWeight": 0.7
            },
            {
              "clause": "8.2",
              "topic": "Information-security risk assessment",
              "priorityWeight": 1.0
            },
            {
              "clause": "9.1",
              "topic": "Monitoring, measurement, analysis, evaluation",
              "priorityWeight": 1.0
            },
            {
              "clause": "9.2",
              "topic": "Internal audit",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.5.7",
              "topic": "Threat intelligence (2022 new)",
              "priorityWeight": 0.7
            },
            {
              "clause": "A.5.15",
              "topic": "Access control",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.5.18",
              "topic": "Access rights review",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.5.23",
              "topic": "Information security in cloud services (2022 new)",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.5.24",
              "topic": "Incident management planning",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.5.25",
              "topic": "Assessment and decision on events",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.2",
              "topic": "Privileged access rights",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.9",
              "topic": "Configuration management (2022 new)",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.12",
              "topic": "Data leakage prevention",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.15",
              "topic": "Logging",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.16",
              "topic": "Monitoring activities",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.17",
              "topic": "Clock synchronisation",
              "priorityWeight": 0.7
            },
            {
              "clause": "A.8.23",
              "topic": "Web filtering (2022 new)",
              "priorityWeight": 0.7
            },
            {
              "clause": "A.8.25",
              "topic": "Secure development life cycle",
              "priorityWeight": 1.0
            },
            {
              "clause": "A.8.28",
              "topic": "Secure coding (2022 new)",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "nist-csf",
      "name": "NIST Cybersecurity Framework",
      "shortName": "NIST CSF",
      "tier": 1,
      "jurisdiction": [
        "US",
        "GLOBAL"
      ],
      "tags": [
        "framework",
        "outcomes"
      ],
      "aliases": [
        "NIST CSF",
        "Cybersecurity Framework"
      ],
      "versions": [
        {
          "version": "1.1",
          "authoritativeUrl": "https://www.nist.gov/cyberframework/framework",
          "effectiveFrom": "2018-04-16",
          "sunsetOn": null,
          "clauseGrammar": "^(ID|PR|DE|RS|RC)\\.[A-Z]{2}(-[0-9]+)?$",
          "clauseExamples": [
            "ID.AM-1",
            "PR.AC-1",
            "DE.AE-3"
          ],
          "clauseUrlTemplate": "https://www.nist.gov/cyberframework/framework#{clause}",
          "commonClauses": [
            {
              "clause": "ID.AM-1",
              "topic": "Physical devices inventory",
              "priorityWeight": 1.0
            },
            {
              "clause": "PR.AC-1",
              "topic": "Identities and credentials managed",
              "priorityWeight": 1.0
            },
            {
              "clause": "DE.AE-3",
              "topic": "Event data collection and correlation",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "date": "2024-02-26",
              "note": "CSF 2.0 released; 1.1 remains referenced by legacy contracts."
            }
          ]
        },
        {
          "version": "2.0",
          "authoritativeUrl": "https://www.nist.gov/cyberframework",
          "effectiveFrom": "2024-02-26",
          "sunsetOn": null,
          "clauseGrammar": "^(GV|ID|PR|DE|RS|RC)\\.[A-Z]{2}(-[0-9]+)?$",
          "clauseExamples": [
            "GV.OC-01",
            "ID.AM-01",
            "PR.AA-01",
            "DE.CM-01"
          ],
          "clauseUrlTemplate": "https://csrc.nist.gov/pubs/cswp/29/final#{clause}",
          "commonClauses": [
            {
              "clause": "GV.OC-01",
              "topic": "Organisational context",
              "priorityWeight": 0.7
            },
            {
              "clause": "GV.RM-01",
              "topic": "Risk management strategy",
              "priorityWeight": 1.0
            },
            {
              "clause": "GV.RR-01",
              "topic": "Organisational leadership",
              "priorityWeight": 0.7
            },
            {
              "clause": "ID.AM-01",
              "topic": "Asset inventory",
              "priorityWeight": 1.0
            },
            {
              "clause": "ID.RA-01",
              "topic": "Risk assessment",
              "priorityWeight": 1.0
            },
            {
              "clause": "PR.AA-01",
              "topic": "Authentication",
              "priorityWeight": 1.0
            },
            {
              "clause": "PR.AA-05",
              "topic": "Access permissions",
              "priorityWeight": 1.0
            },
            {
              "clause": "PR.DS-01",
              "topic": "Data-at-rest protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "PR.DS-02",
              "topic": "Data-in-transit protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "PR.PS-04",
              "topic": "Log generation",
              "priorityWeight": 1.0
            },
            {
              "clause": "DE.AE-02",
              "topic": "Anomalies and events analysis",
              "priorityWeight": 1.0
            },
            {
              "clause": "DE.CM-01",
              "topic": "Network monitoring",
              "priorityWeight": 1.0
            },
            {
              "clause": "DE.CM-03",
              "topic": "Personnel activity monitoring",
              "priorityWeight": 1.0
            },
            {
              "clause": "DE.CM-09",
              "topic": "Environment monitoring",
              "priorityWeight": 0.7
            },
            {
              "clause": "RS.MA-01",
              "topic": "Incident management",
              "priorityWeight": 1.0
            },
            {
              "clause": "RS.AN-03",
              "topic": "Incident analysis",
              "priorityWeight": 1.0
            },
            {
              "clause": "RC.RP-01",
              "topic": "Recovery plan execution",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "nist-800-53",
      "name": "NIST SP 800-53 Rev. 5",
      "shortName": "NIST 800-53",
      "tier": 1,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "controls",
        "federal"
      ],
      "aliases": [
        "NIST 800-53",
        "NIST SP 800-53",
        "800-53 Rev 5",
        "NIST SP 800-53 Rev. 5"
      ],
      "versions": [
        {
          "version": "Rev. 5",
          "authoritativeUrl": "https://csrc.nist.gov/pubs/sp/800/53/r5/final",
          "effectiveFrom": "2020-09-23",
          "sunsetOn": null,
          "clauseGrammar": "^[A-Z]{2}-[0-9]+(\\([0-9]+\\))?$",
          "clauseExamples": [
            "AC-2",
            "AU-6",
            "AU-9(3)",
            "SI-4(4)"
          ],
          "clauseUrlTemplate": "https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number={clause}",
          "commonClauses": [
            {
              "clause": "AC-2",
              "topic": "Account management",
              "priorityWeight": 1.0
            },
            {
              "clause": "AC-3",
              "topic": "Access enforcement",
              "priorityWeight": 1.0
            },
            {
              "clause": "AC-6",
              "topic": "Least privilege",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-2",
              "topic": "Event logging",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-3",
              "topic": "Content of audit records",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-6",
              "topic": "Audit review, analysis, and reporting",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-8",
              "topic": "Time stamps",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-9",
              "topic": "Protection of audit information",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-12",
              "topic": "Audit record generation",
              "priorityWeight": 1.0
            },
            {
              "clause": "CM-2",
              "topic": "Baseline configuration",
              "priorityWeight": 1.0
            },
            {
              "clause": "CM-6",
              "topic": "Configuration settings",
              "priorityWeight": 1.0
            },
            {
              "clause": "CP-9",
              "topic": "System backup",
              "priorityWeight": 1.0
            },
            {
              "clause": "IA-2",
              "topic": "Identification and authentication (users)",
              "priorityWeight": 1.0
            },
            {
              "clause": "IA-5",
              "topic": "Authenticator management",
              "priorityWeight": 1.0
            },
            {
              "clause": "IR-4",
              "topic": "Incident handling",
              "priorityWeight": 1.0
            },
            {
              "clause": "PM-1",
              "topic": "Information security program plan",
              "priorityWeight": 0.7
            },
            {
              "clause": "PS-4",
              "topic": "Personnel termination",
              "priorityWeight": 1.0
            },
            {
              "clause": "RA-5",
              "topic": "Vulnerability scanning",
              "priorityWeight": 1.0
            },
            {
              "clause": "SC-7",
              "topic": "Boundary protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "SC-8",
              "topic": "Transmission confidentiality and integrity",
              "priorityWeight": 1.0
            },
            {
              "clause": "SC-13",
              "topic": "Cryptographic protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "SI-4",
              "topic": "System monitoring",
              "priorityWeight": 1.0
            },
            {
              "clause": "SR-3",
              "topic": "Supply chain controls and processes",
              "priorityWeight": 0.7
            },
            {
              "clause": "PT-3",
              "topic": "Personally identifiable information processing purposes",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "nis2",
      "name": "EU NIS2 Directive",
      "shortName": "NIS2",
      "tier": 1,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "critical-infrastructure",
        "supply-chain"
      ],
      "aliases": [
        "NIS2",
        "EU NIS2",
        "Directive (EU) 2022/2555"
      ],
      "versions": [
        {
          "version": "Directive (EU) 2022/2555",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
          "effectiveFrom": "2024-10-17",
          "sunsetOn": null,
          "clauseGrammar": "^(Art\\.\\d+(\\(\\d+\\)(\\([a-z]\\))?)?|Annex\\s+(I|II))$",
          "clauseExamples": [
            "Art.20(1)",
            "Art.21(2)(h)",
            "Art.23(4)(a)",
            "Annex I"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.2",
              "topic": "Art.2",
              "priorityWeight": 0.6,
              "obligationText": "Art.2(1) — Legacy NIS2 mapping already present in the catalogue; retained so generated UC evidence remains traceable.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.3",
              "topic": "Art.3",
              "priorityWeight": 0.6,
              "obligationText": "Art.3 essential and important entities — create or uplift UCs for essential vs important classification, sector/subsector, entity list update cadence, contact details, IP ranges, and two-year review evidence.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.12",
              "topic": "Art.12",
              "priorityWeight": 0.6,
              "obligationText": "Art.12 coordinated vulnerability disclosure and European vulnerability database — create UCs for vulnerability disclosure intake, ENISA/CVE feed monitoring, coordinated disclosure deadlines, and remediation linkage.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.20",
              "topic": "Governance",
              "priorityWeight": 1.0,
              "obligationText": "Legacy NIS2 mapping already present in the catalogue; retained so generated UC evidence remains traceable.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.20(1)",
              "topic": "Art.20(1)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.20(2)",
              "topic": "Art.20(2)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(1)",
              "topic": "Art.21(1)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)",
              "topic": "Legacy NIS2 mapping already present in the catalogue",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(a)",
              "topic": "Risk analysis and information-system security policies",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(b)",
              "topic": "Incident handling",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(c)",
              "topic": "Business continuity and crisis management",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(d)",
              "topic": "Supply-chain security",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(e)",
              "topic": "Security in acquisition, development and maintenance",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(f)",
              "topic": "Policies and procedures effectiveness",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(g)",
              "topic": "Cyber-hygiene and training",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(h)",
              "topic": "Cryptography and encryption",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(i)",
              "topic": "Human resources and access control",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(2)(j)",
              "topic": "MFA and secure communications",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(3)",
              "topic": "Art.21(3)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(4)",
              "topic": "Art.21(4)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.21(5)",
              "topic": "Art.21(5)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.22",
              "topic": "Art.22",
              "priorityWeight": 0.6,
              "obligationText": "Art.22 coordinated security risk assessments of critical supply chains — track affected ICT products/services, supplier exposure, action items, and board reporting.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "contributing"
            },
            {
              "clause": "Art.23",
              "topic": "Reporting obligations",
              "priorityWeight": 1.0,
              "obligationText": "Art.23(4) — Legacy NIS2 mapping already present in the catalogue; retained so generated UC evidence remains traceable.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(1)",
              "topic": "Legacy NIS2 mapping already present in the catalogue",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(2)",
              "topic": "Legacy NIS2 mapping already present in the catalogue",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(3)(a)",
              "topic": "Art.23(3)(a)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(3)(b)",
              "topic": "Art.23(3)(b)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(4)",
              "topic": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(4)(a)",
              "topic": "Art.23(4)(a)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(4)(b)",
              "topic": "Art.23(4)(b)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(4)(c)",
              "topic": "Art.23(4)(c)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(4)(d)",
              "topic": "Art.23(4)(d)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(4)(e)",
              "topic": "Art.23(4)(e)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(5)",
              "topic": "Art.23(5)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(6)",
              "topic": "Art.23(6)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(7)",
              "topic": "Art.23(7)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(10)",
              "topic": "Art.23(10)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.23(11)",
              "topic": "Art.23(11)",
              "priorityWeight": 1.0,
              "obligationText": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.24",
              "topic": "Art.24",
              "priorityWeight": 0.6,
              "obligationText": "Art.24 cybersecurity certification schemes — UCs for certified ICT products/services register, certificate expiry, certification gap, certification exception, and procurement control.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.25",
              "topic": "Art.25",
              "priorityWeight": 0.6,
              "obligationText": "Art.25 standardisation — UCs for standard adoption evidence, policy-to-standard mapping, and framework crosswalk dashboard.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "contributing"
            },
            {
              "clause": "Art.26",
              "topic": "Art.26",
              "priorityWeight": 0.6,
              "obligationText": "Art.26 jurisdiction and territoriality — UCs for main establishment, member-state service footprint, EU representative, establishment with highest EU employees, and representative contact recency.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.27",
              "topic": "Art.27",
              "priorityWeight": 0.6,
              "obligationText": "Art.27 registry of entities — UCs for registry submission status, DNS/TLD/cloud/data-centre/CDN/MSP/MSSP/online marketplace/search/social provider fields, IP ranges, and three-month change deadline.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.28",
              "topic": "Art.28",
              "priorityWeight": 0.6,
              "obligationText": "Art.28 domain name registration data — UCs for WHOIS/RDAP/domain-contact completeness, domain registration data accuracy, registrar access logs, DNSSEC state, unauthorised DNS changes, and privacy-safe access logging.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.29",
              "topic": "Art.29",
              "priorityWeight": 0.6,
              "obligationText": "Art.29 cybersecurity information-sharing arrangements — UCs for participation register, sharing agreement, shared indicator ingestion, indicator use in detections, confidentiality approval, and feed health.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.30",
              "topic": "Art.30",
              "priorityWeight": 0.6,
              "obligationText": "Art.30 voluntary notification of relevant information — UCs for voluntary notification workflow, near-miss reporting, cyber-threat report submission, and post-submission action tracking.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.31",
              "topic": "Art.31",
              "priorityWeight": 0.6,
              "obligationText": "Art.31 general aspects concerning supervision and enforcement — UCs for compliance posture, evidence readiness, and audit trail continuity.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "contributing"
            },
            {
              "clause": "Art.32",
              "topic": "Legacy NIS2 mapping already present in the catalogue",
              "priorityWeight": 0.6,
              "obligationText": "Legacy NIS2 mapping already present in the catalogue; retained so generated UC evidence remains traceable.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.33",
              "topic": "Legacy NIS2 mapping already present in the catalogue",
              "priorityWeight": 0.6,
              "obligationText": "Legacy NIS2 mapping already present in the catalogue; retained so generated UC evidence remains traceable.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Art.34",
              "topic": "Art.34",
              "priorityWeight": 0.6,
              "obligationText": "Art.34 administrative fines — UCs for fine exposure dashboard tied to Art.21/23 non-compliance, seriousness, duration, repeated violations, failure to notify/remedy, obstruction of audits, false/grossly inaccurate information, damage, negligence, mitigation actions, certification/code adherence, and cooperation level.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "contributing"
            },
            {
              "clause": "Art.35",
              "topic": "Art.35",
              "priorityWeight": 0.6,
              "obligationText": "Art.35 personal-data-breach overlap with GDPR — UCs for NIS2/GDPR incident correlation, supervisory authority notification linkage, duplicate-fine prevention evidence, and breach-notification consistency.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Annex I",
              "topic": "Annex I",
              "priorityWeight": 0.7,
              "obligationText": "Annex I sectors of high criticality — create sector overlays and data-source bundles for energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            },
            {
              "clause": "Annex II",
              "topic": "Annex II",
              "priorityWeight": 0.7,
              "obligationText": "Annex II other critical sectors — create sector overlays and data-source bundles for postal/courier, waste, chemicals, food, manufacturing, digital providers, and research.",
              "obligationSource": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
              "coverageDecision": "partial"
            }
          ],
          "pendingChanges": [
            {
              "date": "2024-10-17",
              "note": "Member-state transposition deadline; some national laws still in draft."
            },
            {
              "date": "2024-10-17",
              "note": "Member-state transposition deadline; national requirements, forms, contacts, and penalties vary and must be tracked locally."
            },
            {
              "date": "2024-10-17",
              "note": "Commission Implementing Regulation (EU) 2024/2690 adds technical and methodological requirements for specified digital entity types; mapped in data/per-regulation/nis2-coverage-expansion.json."
            }
          ],
          "obligationModel": {
            "sourceMap": "data/nis2-source-map.json",
            "coverageMatrix": "data/per-regulation/nis2-coverage-expansion.json",
            "methodology": "docs/nis2-monitoring-methodology.md",
            "externalReviewPack": "docs/nis2-external-review-pack.md",
            "coverageTaxonomy": [
              "direct",
              "partial",
              "contributing",
              "not-monitorable"
            ],
            "reviewConfidence": [
              "official-text-clear",
              "guidance-supported",
              "engineering-judgement",
              "requires-legal-review"
            ],
            "noOverclaimingPolicy": "Splunk produces monitoring and evidence; it does not guarantee NIS2 legal compliance."
          }
        }
      ]
    },
    {
      "id": "dora",
      "name": "EU Digital Operational Resilience Act",
      "shortName": "DORA",
      "tier": 1,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "financial-services",
        "operational-resilience"
      ],
      "aliases": [
        "DORA",
        "EU DORA",
        "Regulation (EU) 2022/2554"
      ],
      "versions": [
        {
          "version": "Regulation (EU) 2022/2554",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj",
          "effectiveFrom": "2025-01-17",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?(\\([a-z]\\))?$",
          "clauseExamples": [
            "Art.5",
            "Art.9",
            "Art.9(4)(c)",
            "Art.10",
            "Art.28",
            "Art.28(3)"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.5",
              "topic": "ICT risk-management governance",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.6",
              "topic": "ICT risk-management framework",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.7",
              "topic": "ICT systems, protocols and tools",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.8",
              "topic": "Identification",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.9",
              "topic": "Protection and prevention",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.10",
              "topic": "Detection",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.11",
              "topic": "Response and recovery",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.12",
              "topic": "Backup policies and recovery methods",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.17",
              "topic": "ICT-related incident management process",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.18",
              "topic": "Classification of ICT-related incidents",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.19",
              "topic": "Reporting of major ICT-related incidents",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.24",
              "topic": "Digital operational-resilience testing",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.26",
              "topic": "Threat-led penetration testing",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.28",
              "topic": "ICT third-party risk",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "cmmc",
      "name": "Cybersecurity Maturity Model Certification",
      "shortName": "CMMC",
      "tier": 1,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "defense",
        "federal"
      ],
      "aliases": [
        "CMMC",
        "CMMC 2.0"
      ],
      "versions": [
        {
          "version": "2.0",
          "authoritativeUrl": "https://dodcio.defense.gov/CMMC/",
          "effectiveFrom": "2024-12-16",
          "sunsetOn": null,
          "clauseGrammar": "^[A-Z]{2}\\.L[1-3]-\\d+\\.\\d+\\.\\d+$",
          "clauseExamples": [
            "AC.L2-3.1.1",
            "AU.L2-3.3.1",
            "SC.L2-3.13.8"
          ],
          "clauseUrlTemplate": "https://dodcio.defense.gov/CMMC/#{clause}",
          "commonClauses": [
            {
              "clause": "AC.L2-3.1.1",
              "topic": "Authorized access to systems",
              "priorityWeight": 1.0
            },
            {
              "clause": "AC.L2-3.1.5",
              "topic": "Least privilege",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU.L2-3.3.1",
              "topic": "Create audit records",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU.L2-3.3.2",
              "topic": "Ensure unique user traceability",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU.L2-3.3.5",
              "topic": "Audit reporting and correlation",
              "priorityWeight": 1.0
            },
            {
              "clause": "CM.L2-3.4.1",
              "topic": "Baseline configurations",
              "priorityWeight": 1.0
            },
            {
              "clause": "IR.L2-3.6.1",
              "topic": "Incident handling capability",
              "priorityWeight": 1.0
            },
            {
              "clause": "SC.L2-3.13.8",
              "topic": "Cryptographic mechanisms for CUI in transit",
              "priorityWeight": 1.0
            },
            {
              "clause": "SI.L2-3.14.6",
              "topic": "Monitor for attacks",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "nerc-cip",
      "name": "NERC Critical Infrastructure Protection",
      "shortName": "NERC CIP",
      "tier": 2,
      "jurisdiction": [
        "US",
        "CA"
      ],
      "tags": [
        "energy",
        "ics",
        "ot"
      ],
      "aliases": [
        "NERC CIP"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx",
          "effectiveFrom": "2016-07-01",
          "sunsetOn": null,
          "clauseGrammar": "^CIP-\\d{3}(-\\d+(\\.\\d+[a-z]?)?)?(\\s+R\\d+(\\.\\d+)?)?(\\s+Part\\s+\\d+(\\.\\d+)?)?$",
          "clauseExamples": [
            "CIP-005-7 R1",
            "CIP-007-6 R4.1",
            "CIP-002-5.1a R1",
            "CIP-005-6 R1 Part 1.3"
          ],
          "clauseUrlTemplate": "https://www.nerc.com/pa/Stand/Reliability%20Standards/{clause}.pdf",
          "commonClauses": [
            {
              "clause": "CIP-002-5.1a R1",
              "topic": "BES cyber system identification",
              "priorityWeight": 1.0
            },
            {
              "clause": "CIP-005-7 R1",
              "topic": "Electronic security perimeter",
              "priorityWeight": 1.0
            },
            {
              "clause": "CIP-007-6 R4",
              "topic": "Security event monitoring",
              "priorityWeight": 1.0
            },
            {
              "clause": "CIP-008-6 R1",
              "topic": "Incident response",
              "priorityWeight": 1.0
            },
            {
              "clause": "CIP-010-4 R1",
              "topic": "Configuration change management",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "iec-62443",
      "name": "IEC 62443 Industrial Automation and Control Systems Security",
      "shortName": "IEC 62443",
      "tier": 2,
      "jurisdiction": [
        "GLOBAL"
      ],
      "tags": [
        "ics",
        "ot"
      ],
      "aliases": [
        "IEC 62443",
        "ISA/IEC 62443"
      ],
      "versions": [
        {
          "version": "2013-ongoing",
          "authoritativeUrl": "https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards",
          "effectiveFrom": "2013-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^((SR|FR|CR|NDR)\\s\\d+(\\.\\d+)*|\\d+(\\.\\d+){1,3})$",
          "clauseExamples": [
            "SR 2.8",
            "FR 6.2",
            "4.2.2",
            "4.3.4.5"
          ],
          "grammarNotes": "Accepts both the '-3-3' System / Foundational Requirement notation (SR/FR/CR/NDR N.N) and the '-2-1' numeric section paths (N.N, N.N.N, N.N.N.N).",
          "clauseUrlTemplate": "https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards#{clause}",
          "commonClauses": [
            {
              "clause": "SR 1.1",
              "topic": "Human user identification and authentication",
              "priorityWeight": 1.0
            },
            {
              "clause": "SR 2.8",
              "topic": "Auditable events",
              "priorityWeight": 1.0
            },
            {
              "clause": "SR 2.9",
              "topic": "Audit storage capacity",
              "priorityWeight": 0.7
            },
            {
              "clause": "FR 6.2",
              "topic": "Continuous monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "api-rp-1164",
      "name": "API Recommended Practice 1164 — Pipeline Control Systems Cybersecurity",
      "shortName": "API RP 1164",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "energy",
        "pipeline",
        "ics"
      ],
      "aliases": [
        "API RP 1164"
      ],
      "versions": [
        {
          "version": "3rd edition",
          "authoritativeUrl": "https://www.api.org/products-and-services/standards/important-standards-announcements/standard-1164",
          "effectiveFrom": "2021-08-01",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+(\\.\\d+)*$",
          "clauseExamples": [
            "5.3",
            "6.2.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "5.3",
              "topic": "Access control",
              "priorityWeight": 1.0
            },
            {
              "clause": "6.2.1",
              "topic": "Logging and monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "tsa-sd",
      "name": "TSA Pipeline Security Directive",
      "shortName": "TSA SD",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "pipeline",
        "transportation"
      ],
      "aliases": [
        "TSA Pipeline Security Directive",
        "SD Pipeline-2021"
      ],
      "versions": [
        {
          "version": "SD02C",
          "authoritativeUrl": "https://www.tsa.gov/sd02c",
          "effectiveFrom": "2022-07-27",
          "sunsetOn": null,
          "clauseGrammar": "^[IVX]+(\\.[A-Z])?$",
          "clauseExamples": [
            "III.B",
            "IV.A"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "III.A",
              "topic": "Cybersecurity plan",
              "priorityWeight": 1.0
            },
            {
              "clause": "III.D",
              "topic": "Cybersecurity assessment",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "fedramp",
      "name": "Federal Risk and Authorization Management Program",
      "shortName": "FedRAMP",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "cloud",
        "federal"
      ],
      "aliases": [
        "FedRAMP"
      ],
      "versions": [
        {
          "version": "Rev.5 Baselines",
          "authoritativeUrl": "https://www.fedramp.gov/baselines/",
          "effectiveFrom": "2023-05-30",
          "sunsetOn": null,
          "clauseGrammar": "^[A-Z]{2}-[0-9]+(\\([0-9]+\\))?$",
          "clauseExamples": [
            "AC-2",
            "AU-6"
          ],
          "clauseUrlTemplate": "https://www.fedramp.gov/baselines/#{clause}",
          "commonClauses": [
            {
              "clause": "AC-2",
              "topic": "Account management",
              "priorityWeight": 1.0
            },
            {
              "clause": "AU-6",
              "topic": "Audit review, analysis, reporting",
              "priorityWeight": 1.0
            },
            {
              "clause": "SI-4",
              "topic": "System monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "fisma",
      "name": "Federal Information Security Modernization Act",
      "shortName": "FISMA",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "federal"
      ],
      "aliases": [
        "FISMA"
      ],
      "versions": [
        {
          "version": "2014",
          "authoritativeUrl": "https://www.congress.gov/bill/113th-congress/senate-bill/2521",
          "effectiveFrom": "2014-12-18",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+[a-z]?(\\([a-z0-9]+\\))?(\\([a-z0-9]+\\))?$",
          "clauseExamples": [
            "§3554(b)(1)",
            "§3553",
            "§3554(b)(5)"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§3554(b)(1)",
              "topic": "Information security program",
              "priorityWeight": 1.0
            },
            {
              "clause": "§3554(b)(5)",
              "topic": "Security controls and monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "eu-ai-act",
      "name": "EU AI Act",
      "shortName": "EU AI Act",
      "tier": 2,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "ai",
        "risk-management"
      ],
      "aliases": [
        "EU AI Act",
        "Regulation (EU) 2024/1689"
      ],
      "versions": [
        {
          "version": "Regulation (EU) 2024/1689",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",
          "effectiveFrom": "2026-08-02",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Art.12",
            "Art.19",
            "Art.26"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.12",
              "topic": "Record-keeping (logging)",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.13",
              "topic": "Transparency and information",
              "priorityWeight": 0.7
            },
            {
              "clause": "Art.14",
              "topic": "Human oversight",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.15",
              "topic": "Accuracy, robustness, cybersecurity",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.19",
              "topic": "Automatically generated logs",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.26",
              "topic": "High-risk AI obligations for deployers",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "date": "2026-08-02",
              "note": "High-risk AI obligations enter into force."
            }
          ]
        }
      ]
    },
    {
      "id": "eu-cra",
      "name": "EU Cyber Resilience Act",
      "shortName": "EU CRA",
      "tier": 2,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "product-security",
        "supply-chain"
      ],
      "aliases": [
        "EU CRA",
        "Cyber Resilience Act"
      ],
      "versions": [
        {
          "version": "Regulation (EU) 2024/2847",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/reg/2024/2847/oj",
          "effectiveFrom": "2027-12-11",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Art.13",
            "Art.14"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/reg/2024/2847/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.13",
              "topic": "Obligations of manufacturers",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.14",
              "topic": "Reporting of actively exploited vulnerabilities",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "psd2",
      "name": "Revised Payment Services Directive",
      "shortName": "PSD2",
      "tier": 2,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "payments"
      ],
      "aliases": [
        "PSD2",
        "EU PSD2"
      ],
      "versions": [
        {
          "version": "Directive (EU) 2015/2366",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/dir/2015/2366/oj",
          "effectiveFrom": "2018-01-13",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Art.95",
            "Art.96",
            "Art.97"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/dir/2015/2366/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.95",
              "topic": "Management of operational and security risks",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.96",
              "topic": "Incident reporting",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.97",
              "topic": "Strong customer authentication",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "mifid-ii",
      "name": "Markets in Financial Instruments Directive II",
      "shortName": "MiFID II",
      "tier": 2,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "financial-services"
      ],
      "aliases": [
        "MiFID II"
      ],
      "versions": [
        {
          "version": "Directive 2014/65/EU",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/dir/2014/65/oj",
          "effectiveFrom": "2018-01-03",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Art.16",
            "Art.17"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/dir/2014/65/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.16(7)",
              "topic": "Record keeping of communications",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.17",
              "topic": "Algorithmic trading controls",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "fda-part-11",
      "name": "FDA 21 CFR Part 11",
      "shortName": "FDA Part 11",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "lifesciences",
        "gxp"
      ],
      "aliases": [
        "FDA 21 CFR Part 11",
        "Part 11"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11",
          "effectiveFrom": "1997-08-20",
          "sunsetOn": null,
          "clauseGrammar": "^§11\\.\\d+(\\([a-z]\\))?(\\(\\d+\\))?$",
          "clauseExamples": [
            "§11.10(e)",
            "§11.200"
          ],
          "clauseUrlTemplate": "https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11/section-11.{section}#{clause}",
          "commonClauses": [
            {
              "clause": "§11.10(e)",
              "topic": "Audit trails",
              "priorityWeight": 1.0
            },
            {
              "clause": "§11.10(d)",
              "topic": "System access limited to authorized individuals",
              "priorityWeight": 1.0
            },
            {
              "clause": "§11.200",
              "topic": "Electronic signatures",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "swift-csp",
      "name": "SWIFT Customer Security Programme",
      "shortName": "SWIFT CSP",
      "tier": 2,
      "jurisdiction": [
        "GLOBAL"
      ],
      "tags": [
        "financial-services",
        "payments"
      ],
      "aliases": [
        "SWIFT CSP"
      ],
      "versions": [
        {
          "version": "CSCF v2025",
          "authoritativeUrl": "https://www.swift.com/myswift/customer-security-programme-csp/security-controls",
          "effectiveFrom": "2025-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+\\.\\d+[A-Z]?$",
          "clauseExamples": [
            "1.1",
            "6.1",
            "6.4"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "1.1",
              "topic": "SWIFT environment protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "6.1",
              "topic": "Malware protection",
              "priorityWeight": 1.0
            },
            {
              "clause": "6.4",
              "topic": "Logging and monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "apra-cps-234",
      "name": "APRA CPS 234 Information Security",
      "shortName": "APRA CPS 234",
      "tier": 2,
      "jurisdiction": [
        "AU"
      ],
      "tags": [
        "financial-services"
      ],
      "aliases": [
        "APRA CPS 234",
        "CPS 234"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.apra.gov.au/information-security",
          "effectiveFrom": "2019-07-01",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+$",
          "clauseExamples": [
            "23",
            "36"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "15",
              "topic": "Policy framework",
              "priorityWeight": 0.7
            },
            {
              "clause": "23",
              "topic": "Incident management",
              "priorityWeight": 1.0
            },
            {
              "clause": "36",
              "topic": "Notification of incidents",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "ccpa",
      "name": "California Consumer Privacy Act / CPRA",
      "shortName": "CCPA/CPRA",
      "tier": 2,
      "jurisdiction": [
        "US-CA"
      ],
      "tags": [
        "privacy",
        "consumer-rights"
      ],
      "aliases": [
        "CCPA",
        "CPRA"
      ],
      "versions": [
        {
          "version": "CPRA (as amended)",
          "authoritativeUrl": "https://cppa.ca.gov/regulations/",
          "effectiveFrom": "2023-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+\\.\\d+(\\.\\d+)?(\\([a-z]\\))?$",
          "clauseExamples": [
            "§1798.100",
            "§1798.105"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§1798.100",
              "topic": "Consumer right to know",
              "priorityWeight": 1.0
            },
            {
              "clause": "§1798.105",
              "topic": "Consumer right to delete",
              "priorityWeight": 1.0
            },
            {
              "clause": "§1798.150",
              "topic": "Private right of action for data breaches",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "pipl",
      "name": "China Personal Information Protection Law",
      "shortName": "PIPL",
      "tier": 2,
      "jurisdiction": [
        "CN"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "PIPL"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "http://www.npc.gov.cn/npc/c2/c30834/202108/t20210820_313088.html",
          "effectiveFrom": "2021-11-01",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+$",
          "clauseExamples": [
            "Art.38",
            "Art.51"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Art.38",
              "topic": "Cross-border transfer conditions",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.51",
              "topic": "Information security measures",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "uk-gdpr",
      "name": "UK General Data Protection Regulation",
      "shortName": "UK GDPR",
      "tier": 2,
      "jurisdiction": [
        "UK"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "UK GDPR"
      ],
      "versions": [
        {
          "version": "post-Brexit",
          "authoritativeUrl": "https://www.legislation.gov.uk/eur/2016/679/contents",
          "effectiveFrom": "2021-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?(\\([a-z]\\))?$",
          "clauseExamples": [
            "Art.5",
            "Art.32"
          ],
          "clauseUrlTemplate": "https://www.legislation.gov.uk/eur/2016/679/article/{clause}",
          "commonClauses": [
            {
              "clause": "Art.32",
              "topic": "Security of processing",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "swiss-nfadp",
      "name": "Swiss Federal Act on Data Protection (nFADP)",
      "shortName": "Swiss nFADP",
      "tier": 2,
      "jurisdiction": [
        "CH"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "nFADP",
        "Swiss FADP"
      ],
      "versions": [
        {
          "version": "2020 revision",
          "authoritativeUrl": "https://www.fedlex.admin.ch/eli/cc/2022/491/en",
          "effectiveFrom": "2023-09-01",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\([a-z]\\))?$",
          "clauseExamples": [
            "Art.7",
            "Art.24"
          ],
          "clauseUrlTemplate": "https://www.fedlex.admin.ch/eli/cc/2022/491/en#{clause}",
          "commonClauses": [
            {
              "clause": "Art.7",
              "topic": "Privacy by design",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.24",
              "topic": "Data breach notification",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "lgpd",
      "name": "Lei Geral de Proteção de Dados Pessoais",
      "shortName": "LGPD",
      "tier": 2,
      "jurisdiction": [
        "BR"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "LGPD"
      ],
      "versions": [
        {
          "version": "Lei nº 13.709/2018",
          "authoritativeUrl": "http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm",
          "effectiveFrom": "2020-09-18",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\([a-z]\\))?$",
          "clauseExamples": [
            "Art.46",
            "Art.48"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Art.46",
              "topic": "Security measures",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.48",
              "topic": "Breach notification",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "appi",
      "name": "Japan Act on the Protection of Personal Information",
      "shortName": "APPI",
      "tier": 2,
      "jurisdiction": [
        "JP"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "APPI"
      ],
      "versions": [
        {
          "version": "2022 amendments",
          "authoritativeUrl": "https://www.ppc.go.jp/en/legal/",
          "effectiveFrom": "2022-04-01",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+$",
          "clauseExamples": [
            "Art.23",
            "Art.26"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Art.23",
              "topic": "Security control action",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.26",
              "topic": "Leakage reporting",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "hitrust",
      "name": "HITRUST CSF",
      "shortName": "HITRUST",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "healthcare",
        "certification"
      ],
      "aliases": [
        "HITRUST",
        "HITRUST CSF"
      ],
      "versions": [
        {
          "version": "v11",
          "authoritativeUrl": "https://hitrustalliance.net/csf-overview/",
          "effectiveFrom": "2023-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^\\d{2}\\.[a-z]+$",
          "clauseExamples": [
            "01.a",
            "01.b",
            "09.aa"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "09.aa",
              "topic": "Audit logging",
              "priorityWeight": 1.0
            },
            {
              "clause": "01.b",
              "topic": "User access management",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "eidas",
      "name": "EU eIDAS Regulation",
      "shortName": "eIDAS",
      "tier": 2,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "identity",
        "trust-services"
      ],
      "aliases": [
        "eIDAS 2.0"
      ],
      "versions": [
        {
          "version": "Regulation (EU) 2024/1183",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/reg/2024/1183/oj",
          "effectiveFrom": "2024-05-20",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Art.19",
            "Art.24"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/reg/2024/1183/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.24",
              "topic": "Requirements for qualified trust service providers",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "hipaa-privacy",
      "name": "HIPAA Privacy Rule",
      "shortName": "HIPAA Privacy",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "healthcare",
        "phi"
      ],
      "aliases": [
        "HIPAA Privacy Rule",
        "45 CFR 164 Subpart E"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E",
          "effectiveFrom": "2003-04-14",
          "sunsetOn": null,
          "clauseGrammar": "^§164\\.5(0[0-9]|1[0-9]|2[0-9])(\\([a-z]\\))?(\\(\\d+\\))?$",
          "clauseExamples": [
            "§164.502(a)",
            "§164.504(e)",
            "§164.514(a)",
            "§164.528"
          ],
          "clauseUrlTemplate": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-{section}#{clause}",
          "commonClauses": [
            {
              "clause": "§164.502(a)",
              "topic": "Uses and disclosures of PHI — general rules",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.504(e)",
              "topic": "Business Associate contracts",
              "priorityWeight": 1.0
            },
            {
              "clause": "§164.514(a)",
              "topic": "De-identification of PHI",
              "priorityWeight": 0.7
            },
            {
              "clause": "§164.528",
              "topic": "Accounting of disclosures",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "sg-pdpa",
      "name": "Singapore Personal Data Protection Act",
      "shortName": "SG PDPA",
      "tier": 2,
      "jurisdiction": [
        "SG"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "PDPA",
        "SG PDPA",
        "Singapore PDPA"
      ],
      "versions": [
        {
          "version": "2020 amended",
          "authoritativeUrl": "https://sso.agc.gov.sg/Act/PDPA2012",
          "effectiveFrom": "2021-02-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+[A-Z]?(\\(\\d+\\))?$",
          "clauseExamples": [
            "§24",
            "§26A",
            "§26B"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§24",
              "topic": "Protection of personal data obligation",
              "priorityWeight": 1.0
            },
            {
              "clause": "§26A",
              "topic": "Data breach notification",
              "priorityWeight": 1.0
            },
            {
              "clause": "§26B",
              "topic": "Criteria for notifiability",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "uk-nis",
      "name": "UK Network and Information Systems Regulations 2018",
      "shortName": "UK NIS",
      "tier": 2,
      "jurisdiction": [
        "UK"
      ],
      "tags": [
        "critical-infrastructure"
      ],
      "aliases": [
        "UK NIS",
        "NIS Regulations (UK)"
      ],
      "versions": [
        {
          "version": "2018",
          "authoritativeUrl": "https://www.legislation.gov.uk/uksi/2018/506/contents",
          "effectiveFrom": "2018-05-10",
          "sunsetOn": null,
          "clauseGrammar": "^(Reg\\.|Schedule )\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Reg.8",
            "Reg.11(1)",
            "Schedule 2"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Reg.10",
              "topic": "OES security duties",
              "priorityWeight": 1.0
            },
            {
              "clause": "Reg.11",
              "topic": "Incident reporting",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "status": "replacement-proposed",
              "note": "Cyber Security and Resilience Bill to supersede NIS 2018 by 2026-2027."
            }
          ]
        }
      ]
    },
    {
      "id": "asd-e8",
      "name": "ASD Essential Eight Maturity Model",
      "shortName": "ASD E8",
      "tier": 2,
      "jurisdiction": [
        "AU"
      ],
      "tags": [
        "baseline",
        "government"
      ],
      "aliases": [
        "Essential Eight",
        "ASD E8",
        "ASD Essential Eight"
      ],
      "versions": [
        {
          "version": "Nov 2023",
          "authoritativeUrl": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model",
          "effectiveFrom": "2023-11-30",
          "sunsetOn": null,
          "clauseGrammar": "^E8\\.(0[1-8])(\\.ML[1-3])?$",
          "clauseExamples": [
            "E8.01",
            "E8.01.ML2",
            "E8.08.ML3"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "E8.01",
              "topic": "Application control",
              "priorityWeight": 1.0
            },
            {
              "clause": "E8.03",
              "topic": "Configure Microsoft Office macro settings",
              "priorityWeight": 1.0
            },
            {
              "clause": "E8.05",
              "topic": "Restrict administrative privileges",
              "priorityWeight": 1.0
            },
            {
              "clause": "E8.06",
              "topic": "Patch operating systems",
              "priorityWeight": 1.0
            },
            {
              "clause": "E8.08",
              "topic": "Regular backups",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "fca-ss1-21",
      "name": "FCA SS1/21 Operational Resilience",
      "shortName": "FCA SS1/21",
      "tier": 2,
      "jurisdiction": [
        "UK"
      ],
      "tags": [
        "financial",
        "operational-resilience"
      ],
      "aliases": [
        "FCA SS1/21",
        "SS1/21"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "https://www.fca.org.uk/publication/policy/ps21-3.pdf",
          "effectiveFrom": "2022-03-31",
          "sunsetOn": null,
          "clauseGrammar": "^(§|Para\\.|Section )\\d+(\\.\\d+)?$",
          "clauseExamples": [
            "§1.1",
            "Para.3.4",
            "Section 5"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§1.1",
              "topic": "Identify important business services",
              "priorityWeight": 1.0
            },
            {
              "clause": "§2.1",
              "topic": "Set impact tolerances",
              "priorityWeight": 1.0
            },
            {
              "clause": "§3.1",
              "topic": "Scenario testing",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "mas-trm",
      "name": "MAS Technology Risk Management Guidelines",
      "shortName": "MAS TRM",
      "tier": 2,
      "jurisdiction": [
        "SG"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "MAS TRM"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/trm-guidelines-18-january-2021.pdf",
          "effectiveFrom": "2021-01-18",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(\\.\\d+){0,3}$",
          "clauseExamples": [
            "§4.1.1",
            "§8.2.3",
            "§11.1.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§4.1.1",
              "topic": "Technology risk governance",
              "priorityWeight": 1.0
            },
            {
              "clause": "§8.1.1",
              "topic": "IT operations — incident management",
              "priorityWeight": 1.0
            },
            {
              "clause": "§11.1.1",
              "topic": "System resilience",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "rbi-cyber",
      "name": "RBI Cyber Security Framework for Banks",
      "shortName": "RBI Cyber",
      "tier": 2,
      "jurisdiction": [
        "IN"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "RBI Cyber",
        "RBI Cyber Security Framework"
      ],
      "versions": [
        {
          "version": "2016 (as amended)",
          "authoritativeUrl": "https://rbi.org.in/Scripts/NotificationUser.aspx?Id=10435",
          "effectiveFrom": "2016-06-02",
          "sunsetOn": null,
          "clauseGrammar": "^Annex[- ]?[A-Z](\\-\\d+)?$|^§\\d+$",
          "clauseExamples": [
            "Annex-A",
            "Annex-B-2",
            "§4"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Annex-A",
              "topic": "Baseline cyber-security controls",
              "priorityWeight": 1.0
            },
            {
              "clause": "Annex-B",
              "topic": "Cyber-crisis management plan",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "bait-kait",
      "name": "BaFin Banking/Insurance Supervisory Requirements for IT (BAIT/KAIT)",
      "shortName": "BAIT/KAIT",
      "tier": 2,
      "jurisdiction": [
        "DE"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "BAIT",
        "KAIT"
      ],
      "versions": [
        {
          "version": "Aug 2021",
          "authoritativeUrl": "https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Rundschreiben/2021/rs_1021_BAIT_en.html",
          "effectiveFrom": "2021-08-16",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(\\.\\d+)?$",
          "clauseExamples": [
            "§3",
            "§5.1",
            "§9.4"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§5",
              "topic": "Identity & access management",
              "priorityWeight": 1.0
            },
            {
              "clause": "§9",
              "topic": "ICT operations management",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "status": "dora-overlap",
              "note": "DORA supersedes portions for EU financial entities from 2025-01-17."
            }
          ]
        }
      ]
    },
    {
      "id": "bsi-kritisv",
      "name": "BSI KRITIS-Verordnung",
      "shortName": "BSI-KritisV",
      "tier": 2,
      "jurisdiction": [
        "DE"
      ],
      "tags": [
        "critical-infrastructure"
      ],
      "aliases": [
        "BSI-KritisV",
        "KRITIS-V"
      ],
      "versions": [
        {
          "version": "2021 (as amended)",
          "authoritativeUrl": "https://www.gesetze-im-internet.de/bsi-kritisv/",
          "effectiveFrom": "2021-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+[a-z]?$",
          "clauseExamples": [
            "§2",
            "§8",
            "§8a"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§8a",
              "topic": "Security in IT systems",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "hkma-tm-g-2",
      "name": "HKMA TM-G-2 General Principles for Technology Risk Management",
      "shortName": "HKMA TM-G-2",
      "tier": 2,
      "jurisdiction": [
        "HK"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "HKMA TM-G-2",
        "TM-G-2"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.hkma.gov.hk/eng/regulatory-resources/regulatory-guides/supervisory-policy-manual/",
          "effectiveFrom": "2003-06-18",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "§3.1",
            "§5.2.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§3",
              "topic": "Governance of technology risk",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "it-grundschutz",
      "name": "BSI IT-Grundschutz Compendium",
      "shortName": "IT-Grundschutz",
      "tier": 2,
      "jurisdiction": [
        "DE"
      ],
      "tags": [
        "baseline"
      ],
      "aliases": [
        "IT-Grundschutz",
        "Grundschutz"
      ],
      "versions": [
        {
          "version": "2023 Edition",
          "authoritativeUrl": "https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node.html",
          "effectiveFrom": "2023-02-01",
          "sunsetOn": null,
          "clauseGrammar": "^[A-Z]{2,4}(\\.\\d+)*(\\.[AMS]\\d+)?$",
          "clauseExamples": [
            "ORP.1",
            "CON.1",
            "OPS.1.1.2",
            "OPS.1.1.2.A1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "OPS.1.1.2",
              "topic": "Ordered ICT operation",
              "priorityWeight": 1.0
            },
            {
              "clause": "ORP.4",
              "topic": "Identity & access",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "it-sig-2",
      "name": "German IT-Sicherheitsgesetz 2.0",
      "shortName": "IT-SiG 2.0",
      "tier": 2,
      "jurisdiction": [
        "DE"
      ],
      "tags": [
        "critical-infrastructure",
        "supply-chain"
      ],
      "aliases": [
        "IT-SiG 2.0"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*[@attr_id=%27bgbl121s1122.pdf%27]",
          "effectiveFrom": "2021-05-28",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+[a-z]?(\\(\\d+\\))?$",
          "clauseExamples": [
            "§8a",
            "§8b(4)"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§8a",
              "topic": "Security measures for KRITIS operators",
              "priorityWeight": 1.0
            },
            {
              "clause": "§8b",
              "topic": "National IT situation centre notification",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "status": "nis2-transposition",
              "note": "NIS2UmsuCG will transpose NIS2 into German law and supersede portions of IT-SiG 2.0."
            }
          ]
        }
      ]
    },
    {
      "id": "no-kbf-nve",
      "name": "Norwegian Kraftberedskapsforskriften (NVE Power-sector emergency preparedness regulation)",
      "shortName": "NO KBF",
      "tier": 2,
      "jurisdiction": [
        "NO"
      ],
      "tags": [
        "critical-infrastructure",
        "utilities"
      ],
      "aliases": [
        "Kraftberedskapsforskriften",
        "KBF"
      ],
      "versions": [
        {
          "version": "2012 as amended",
          "authoritativeUrl": "https://lovdata.no/dokument/SF/forskrift/2012-12-07-1157",
          "effectiveFrom": "2013-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(-\\d+)?$",
          "clauseExamples": [
            "§6-1",
            "§6-2"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§6-1",
              "topic": "Information security (Informasjonssikkerhet)",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "nesa-uae-ias",
      "name": "UAE NESA Information Assurance Standards",
      "shortName": "NESA IAS",
      "tier": 2,
      "jurisdiction": [
        "AE"
      ],
      "tags": [
        "baseline",
        "government"
      ],
      "aliases": [
        "NESA IAS",
        "NESA UAE IAS"
      ],
      "versions": [
        {
          "version": "v2 (2020)",
          "authoritativeUrl": "https://www.nesa.gov.ae/",
          "effectiveFrom": "2020-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^T\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "T1.1",
            "T2.3.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "T3.2",
              "topic": "Access control management",
              "priorityWeight": 1.0
            },
            {
              "clause": "T4.3",
              "topic": "Audit trails, logging and information-system monitoring",
              "priorityWeight": 1.0
            },
            {
              "clause": "T6.3",
              "topic": "Information security incident management",
              "priorityWeight": 1.0
            },
            {
              "clause": "T3.5",
              "topic": "Cryptographic controls and key management",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "pra-ss2-21",
      "name": "PRA SS2/21 Outsourcing and third-party risk management",
      "shortName": "PRA SS2/21",
      "tier": 2,
      "jurisdiction": [
        "UK"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "SS2/21"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss",
          "effectiveFrom": "2022-03-31",
          "sunsetOn": null,
          "clauseGrammar": "^(§|Para\\.)\\d+(\\.\\d+)?$",
          "clauseExamples": [
            "§3.2",
            "Para.4.15"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§3.2",
              "topic": "Proportionality",
              "priorityWeight": 1.0
            },
            {
              "clause": "§9",
              "topic": "Business continuity & exit plans",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "no-personopplysningsloven",
      "name": "Norwegian Personopplysningsloven (Personal Data Act)",
      "shortName": "NO Personopplysningsloven",
      "tier": 2,
      "jurisdiction": [
        "NO"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "Personopplysningsloven"
      ],
      "versions": [
        {
          "version": "2018",
          "authoritativeUrl": "https://lovdata.no/dokument/NL/lov/2018-06-15-38",
          "effectiveFrom": "2018-07-20",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+$",
          "clauseExamples": [
            "§1",
            "§8"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§8",
              "topic": "Processing of special categories of personal data",
              "priorityWeight": 1.0
            },
            {
              "clause": "§2",
              "topic": "Territorial and material scope",
              "priorityWeight": 0.7
            },
            {
              "clause": "§14",
              "topic": "Automated individual decision-making restrictions",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "no-petroleumsforskriften",
      "name": "Norwegian Petroleumsforskriften (Petroleum Safety regulation)",
      "shortName": "NO Petroleumsforskriften",
      "tier": 2,
      "jurisdiction": [
        "NO"
      ],
      "tags": [
        "critical-infrastructure",
        "oil-gas"
      ],
      "aliases": [
        "Petroleumsforskriften"
      ],
      "versions": [
        {
          "version": "1997 as amended",
          "authoritativeUrl": "https://lovdata.no/dokument/SF/forskrift/1997-06-27-653",
          "effectiveFrom": "1997-07-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(-\\d+)?$",
          "clauseExamples": [
            "§3",
            "§15"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§15",
              "topic": "Health, safety and environmental (HSE) management requirements",
              "priorityWeight": 1.0
            },
            {
              "clause": "§11",
              "topic": "Emergency preparedness and response",
              "priorityWeight": 1.0
            },
            {
              "clause": "§3",
              "topic": "General operator obligations for safety and security",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "au-privacy-act",
      "name": "Australian Privacy Act 1988 and Notifiable Data Breaches scheme",
      "shortName": "AU Privacy Act",
      "tier": 2,
      "jurisdiction": [
        "AU"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "Privacy Act 1988",
        "APP",
        "NDB"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.legislation.gov.au/C2004A03712/latest/text",
          "effectiveFrom": "1988-12-14",
          "sunsetOn": null,
          "clauseGrammar": "^(APP\\s?\\d+(\\.\\d+)?|§\\d+[A-Z]{0,2}[A-Z]?)$",
          "clauseExamples": [
            "APP 1",
            "APP 11.1",
            "§26WK"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "APP 1",
              "topic": "Open and transparent management of personal information",
              "priorityWeight": 1.0
            },
            {
              "clause": "APP 11",
              "topic": "Security of personal information",
              "priorityWeight": 1.0
            },
            {
              "clause": "§26WK",
              "topic": "NDB — notifiable data breach",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": [
            {
              "status": "reform-in-progress",
              "note": "Privacy Act Review Report (2023) reforms progressing through Parliament."
            }
          ]
        }
      ]
    },
    {
      "id": "qcb-cyber",
      "name": "Qatar Central Bank Cybersecurity Framework",
      "shortName": "QCB Cyber",
      "tier": 2,
      "jurisdiction": [
        "QA"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "QCB Cyber"
      ],
      "versions": [
        {
          "version": "2018",
          "authoritativeUrl": "https://www.qcb.gov.qa/",
          "effectiveFrom": "2018-06-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "§3.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§3.1",
              "topic": "Cybersecurity governance and strategy",
              "priorityWeight": 1.0
            },
            {
              "clause": "§4.1",
              "topic": "Cyber risk identification and management",
              "priorityWeight": 1.0
            },
            {
              "clause": "§6.2",
              "topic": "Cyber incident management and response",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "sama-csf",
      "name": "SAMA Cyber Security Framework",
      "shortName": "SAMA CSF",
      "tier": 2,
      "jurisdiction": [
        "SA"
      ],
      "tags": [
        "financial"
      ],
      "aliases": [
        "SAMA CSF"
      ],
      "versions": [
        {
          "version": "v1.0 (2017)",
          "authoritativeUrl": "https://www.sama.gov.sa/en-US/Laws/BankingRules/SAMA%20Cyber%20Security%20Framework.pdf",
          "effectiveFrom": "2017-05-01",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+(\\.\\d+){0,3}$",
          "clauseExamples": [
            "3.1.1",
            "4.2.1.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "3.1.1",
              "topic": "Cyber security governance",
              "priorityWeight": 1.0
            },
            {
              "clause": "3.3.5",
              "topic": "Security monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "sa-pdpl",
      "name": "Saudi Personal Data Protection Law",
      "shortName": "SA PDPL",
      "tier": 2,
      "jurisdiction": [
        "SA"
      ],
      "tags": [
        "privacy"
      ],
      "aliases": [
        "SA PDPL",
        "Saudi PDPL"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://sdaia.gov.sa/en/SDAIA/about/Files/PersonalDataEnglish.pdf",
          "effectiveFrom": "2023-09-14",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\s*\\d+$",
          "clauseExamples": [
            "Art. 6",
            "Art. 20"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Art. 19",
              "topic": "Data security and protection obligations",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art. 20",
              "topic": "Personal data breach notification",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art. 6",
              "topic": "Lawful grounds and consent for processing",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art. 29",
              "topic": "Cross-border personal data transfers",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "no-sikkerhetsloven",
      "name": "Norwegian Sikkerhetsloven (National Security Act)",
      "shortName": "NO Sikkerhetsloven",
      "tier": 2,
      "jurisdiction": [
        "NO"
      ],
      "tags": [
        "critical-infrastructure",
        "government"
      ],
      "aliases": [
        "Sikkerhetsloven"
      ],
      "versions": [
        {
          "version": "2018",
          "authoritativeUrl": "https://lovdata.no/dokument/NL/lov/2018-06-01-24",
          "effectiveFrom": "2019-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+-\\d+$",
          "clauseExamples": [
            "§5-2",
            "§6-1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§5-3",
              "topic": "Risk assessment and documentation of security level",
              "priorityWeight": 1.0
            },
            {
              "clause": "§6-2",
              "topic": "Protection of classified / security-graded information",
              "priorityWeight": 1.0
            },
            {
              "clause": "§6-1",
              "topic": "General preventive security measures",
              "priorityWeight": 1.0
            },
            {
              "clause": "§5-2",
              "topic": "Internal control and annual security review",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "cjis",
      "name": "FBI CJIS Security Policy",
      "shortName": "CJIS",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "law-enforcement",
        "government"
      ],
      "aliases": [
        "CJIS",
        "CJIS Security Policy"
      ],
      "versions": [
        {
          "version": "v5.9.4",
          "authoritativeUrl": "https://le.fbi.gov/cjis-division/cjis-security-policy-resource-center",
          "effectiveFrom": "2023-12-14",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+(\\.\\d+){1,3}$",
          "clauseExamples": [
            "5.5.1",
            "5.13.3.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "5.5.1",
              "topic": "Access control — identification",
              "priorityWeight": 1.0
            },
            {
              "clause": "5.13.3",
              "topic": "Incident response",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "fca-smcr",
      "name": "FCA Senior Managers and Certification Regime",
      "shortName": "FCA SM&CR",
      "tier": 2,
      "jurisdiction": [
        "UK"
      ],
      "tags": [
        "financial",
        "governance"
      ],
      "aliases": [
        "SM&CR",
        "FCA SM&CR"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.fca.org.uk/firms/senior-managers-certification-regime",
          "effectiveFrom": "2016-03-07",
          "sunsetOn": null,
          "clauseGrammar": "^(SMR|SYSC|COCON)\\s?\\d+(\\.\\d+)?$",
          "clauseExamples": [
            "SMR 1",
            "SYSC 3.2",
            "COCON 2"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "SMR 1",
              "topic": "Senior Management Functions, Statements of Responsibilities",
              "priorityWeight": 1.0
            },
            {
              "clause": "SYSC 3.2",
              "topic": "Internal controls, systems and audit arrangements",
              "priorityWeight": 1.0
            },
            {
              "clause": "COCON 2",
              "topic": "Individual Conduct Rules (including acting with integrity/due care)",
              "priorityWeight": 1.0
            },
            {
              "clause": "SYSC 4.1",
              "topic": "General organisational requirements",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "uk-cyber-essentials",
      "name": "UK NCSC Cyber Essentials",
      "shortName": "Cyber Essentials",
      "tier": 2,
      "jurisdiction": [
        "UK"
      ],
      "tags": [
        "baseline",
        "supply-chain"
      ],
      "aliases": [
        "Cyber Essentials",
        "Cyber Essentials Plus"
      ],
      "versions": [
        {
          "version": "Montpellier (2025)",
          "authoritativeUrl": "https://www.ncsc.gov.uk/cyberessentials/overview",
          "effectiveFrom": "2025-04-28",
          "sunsetOn": null,
          "clauseGrammar": "^CE\\.[A-Z]{2,3}\\.\\d+$",
          "clauseExamples": [
            "CE.BF.1",
            "CE.SAU.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "CE.BF.1",
              "topic": "Boundary firewalls",
              "priorityWeight": 1.0
            },
            {
              "clause": "CE.SAU.1",
              "topic": "Secure authentication & access",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "nzism",
      "name": "New Zealand Information Security Manual",
      "shortName": "NZISM",
      "tier": 2,
      "jurisdiction": [
        "NZ"
      ],
      "tags": [
        "government",
        "baseline"
      ],
      "aliases": [
        "NZISM"
      ],
      "versions": [
        {
          "version": "3.7",
          "authoritativeUrl": "https://www.nzism.gcsb.govt.nz/",
          "effectiveFrom": "2024-10-01",
          "sunsetOn": null,
          "clauseGrammar": "^§\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "§12.4",
            "§16.6.1"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§16.6.9",
              "topic": "Event logging requirements",
              "priorityWeight": 1.0
            },
            {
              "clause": "§16.1.32",
              "topic": "User identification, authentication and access management",
              "priorityWeight": 1.0
            },
            {
              "clause": "§17.2.17",
              "topic": "Information security incident management and response",
              "priorityWeight": 1.0
            },
            {
              "clause": "§12.4",
              "topic": "Information security documentation and policy",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "meta-multi",
      "name": "Placeholder: multi-regulation or jurisdiction-generic",
      "shortName": "Multiple",
      "tier": 3,
      "jurisdiction": [
        "GLOBAL"
      ],
      "tags": [
        "meta"
      ],
      "aliases": [
        "Multiple",
        "APAC breach laws"
      ],
      "$comment": "Placeholder entry used when the UC legitimately spans multiple regulations and the source markdown did not enumerate them. UCs mapped to meta-multi must be re-tagged during SME review in Phase 5.",
      "versions": [
        {
          "version": "n/a",
          "authoritativeUrl": null,
          "effectiveFrom": null,
          "sunsetOn": null,
          "clauseGrammar": "^.+$",
          "clauseExamples": [
            "see-uc-description"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "eu-aml",
      "name": "EU Anti-Money-Laundering Framework",
      "shortName": "EU AML",
      "tier": 2,
      "jurisdiction": [
        "EU"
      ],
      "tags": [
        "financial-services"
      ],
      "aliases": [
        "EU AML",
        "AMLD6"
      ],
      "versions": [
        {
          "version": "6AMLD / AMLR 2024",
          "authoritativeUrl": "https://eur-lex.europa.eu/eli/reg/2024/1624/oj",
          "effectiveFrom": "2024-07-09",
          "sunsetOn": null,
          "clauseGrammar": "^Art\\.\\d+(\\(\\d+\\))?$",
          "clauseExamples": [
            "Art.9",
            "Art.18"
          ],
          "clauseUrlTemplate": "https://eur-lex.europa.eu/eli/reg/2024/1624/oj#{clause}",
          "commonClauses": [
            {
              "clause": "Art.9",
              "topic": "Internal policies and controls",
              "priorityWeight": 1.0
            },
            {
              "clause": "Art.18",
              "topic": "Customer due diligence",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "coso",
      "name": "Committee of Sponsoring Organizations — Internal Control / ERM Framework",
      "shortName": "COSO",
      "tier": 2,
      "jurisdiction": [
        "US",
        "Global"
      ],
      "tags": [
        "governance",
        "internal-controls",
        "financial-reporting"
      ],
      "aliases": [
        "COSO ICFR",
        "COSO ERM",
        "COSO 2013"
      ],
      "versions": [
        {
          "version": "2013 ICFR",
          "authoritativeUrl": "https://www.coso.org/guidance-on-ic",
          "effectiveFrom": "2013-05-14",
          "sunsetOn": null,
          "clauseGrammar": "^Principle\\d+$",
          "clauseExamples": [
            "Principle1",
            "Principle5",
            "Principle11"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Principle1",
              "topic": "Commitment to integrity and ethical values",
              "priorityWeight": 1.0
            },
            {
              "clause": "Principle5",
              "topic": "Enforces accountability",
              "priorityWeight": 1.0
            },
            {
              "clause": "Principle11",
              "topic": "Selects and develops general controls over technology",
              "priorityWeight": 1.0
            },
            {
              "clause": "Principle16",
              "topic": "Ongoing and/or separate evaluations",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "cobit",
      "name": "COBIT — Control Objectives for Information and Related Technologies",
      "shortName": "COBIT",
      "tier": 2,
      "jurisdiction": [
        "Global"
      ],
      "tags": [
        "governance",
        "it-governance"
      ],
      "aliases": [
        "COBIT 2019",
        "COBIT 5"
      ],
      "versions": [
        {
          "version": "2019",
          "authoritativeUrl": "https://www.isaca.org/resources/cobit",
          "effectiveFrom": "2018-11-01",
          "sunsetOn": null,
          "clauseGrammar": "^[A-Z]{3}\\d{2}(\\.\\d{2})?$",
          "clauseExamples": [
            "APO13.01",
            "DSS05.03",
            "MEA02.01"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "APO13.01",
              "topic": "Manage security — establish and maintain an ISMS",
              "priorityWeight": 1.0
            },
            {
              "clause": "DSS05.03",
              "topic": "Manage security services — manage endpoint security",
              "priorityWeight": 1.0
            },
            {
              "clause": "MEA02.01",
              "topic": "Monitor internal controls",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "basel-iii",
      "name": "Basel III — BCBS Operational Risk and Resilience",
      "shortName": "Basel III",
      "tier": 2,
      "jurisdiction": [
        "Global"
      ],
      "tags": [
        "financial-services",
        "banking",
        "operational-risk"
      ],
      "aliases": [
        "BCBS",
        "Basel Framework"
      ],
      "versions": [
        {
          "version": "BCBS 2021",
          "authoritativeUrl": "https://www.bis.org/bcbs/publ/d516.htm",
          "effectiveFrom": "2022-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^OPR\\d+\\.\\d+$",
          "clauseExamples": [
            "OPR25.1",
            "OPR25.8"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "OPR25.1",
              "topic": "Operational risk management",
              "priorityWeight": 1.0
            },
            {
              "clause": "OPR25.8",
              "topic": "Business continuity and resilience",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "glba",
      "name": "Gramm-Leach-Bliley Act — Safeguards Rule",
      "shortName": "GLBA",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "privacy",
        "financial-services"
      ],
      "aliases": [
        "GLBA",
        "FTC Safeguards Rule"
      ],
      "versions": [
        {
          "version": "16 CFR 314 (2023 amendments)",
          "authoritativeUrl": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314",
          "effectiveFrom": "2023-06-09",
          "sunsetOn": null,
          "clauseGrammar": "^§314\\.\\d+\\([a-z]\\)(\\(\\d+\\))?$",
          "clauseExamples": [
            "§314.4(b)",
            "§314.4(c)(1)"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§314.4(b)",
              "topic": "Risk assessment",
              "priorityWeight": 1.0
            },
            {
              "clause": "§314.4(c)(1)",
              "topic": "Access controls",
              "priorityWeight": 1.0
            },
            {
              "clause": "§314.4(d)(2)",
              "topic": "Continuous monitoring",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "ferpa",
      "name": "Family Educational Rights and Privacy Act",
      "shortName": "FERPA",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "privacy",
        "education"
      ],
      "aliases": [
        "FERPA"
      ],
      "versions": [
        {
          "version": "20 USC §1232g",
          "authoritativeUrl": "https://www.ecfr.gov/current/title-34/subtitle-A/part-99",
          "effectiveFrom": "1974-08-21",
          "sunsetOn": null,
          "clauseGrammar": "^§99\\.\\d+$",
          "clauseExamples": [
            "§99.31",
            "§99.33"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§99.31",
              "topic": "Conditions for disclosure without consent",
              "priorityWeight": 1.0
            },
            {
              "clause": "§99.33",
              "topic": "Redisclosure and record-keeping",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "coppa",
      "name": "Children's Online Privacy Protection Act",
      "shortName": "COPPA",
      "tier": 2,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "privacy",
        "children"
      ],
      "aliases": [
        "COPPA",
        "COPPA Rule"
      ],
      "versions": [
        {
          "version": "16 CFR 312",
          "authoritativeUrl": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312",
          "effectiveFrom": "2013-07-01",
          "sunsetOn": null,
          "clauseGrammar": "^§312\\.\\d+$",
          "clauseExamples": [
            "§312.3",
            "§312.8"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "§312.3",
              "topic": "Verifiable parental consent obligations",
              "priorityWeight": 1.0
            },
            {
              "clause": "§312.8",
              "topic": "Data security and confidentiality",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "unece-r155",
      "name": "UN Regulation No. 155 — Cyber Security Management Systems (CSMS)",
      "shortName": "UN R155",
      "tier": 2,
      "jurisdiction": [
        "Global"
      ],
      "tags": [
        "automotive",
        "cybersecurity",
        "ot-iot"
      ],
      "aliases": [
        "WP.29 R155",
        "UNECE R155",
        "UN R155"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security",
          "effectiveFrom": "2021-01-22",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+\\.\\d+(\\.\\d+){0,2}$",
          "clauseExamples": [
            "7.2.2.2",
            "7.2.2.5"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "7.2.2.2",
              "topic": "Risk assessment and mitigation for vehicle cybersecurity",
              "priorityWeight": 1.0
            },
            {
              "clause": "7.2.2.5",
              "topic": "Monitoring, detecting, and responding to cyber attacks",
              "priorityWeight": 1.0
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "unece-r156",
      "name": "UN Regulation No. 156 — Software Update Management Systems (SUMS)",
      "shortName": "UN R156",
      "tier": 2,
      "jurisdiction": [
        "Global"
      ],
      "tags": [
        "automotive",
        "software-update",
        "ot-iot"
      ],
      "aliases": [
        "WP.29 R156",
        "UNECE R156",
        "UN R156"
      ],
      "versions": [
        {
          "version": "2021",
          "authoritativeUrl": "https://unece.org/transport/documents/2021/03/standards/un-regulation-no-156-software-update-and-software-update",
          "effectiveFrom": "2021-01-22",
          "sunsetOn": null,
          "clauseGrammar": "^\\d+\\.\\d+(\\.\\d+)?$",
          "clauseExamples": [
            "7.1.1",
            "7.1.4"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "7.1.1",
              "topic": "Software update management system processes",
              "priorityWeight": 1.0
            },
            {
              "clause": "7.1.4",
              "topic": "Recording and reporting of software updates",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    },
    {
      "id": "ferc-cip",
      "name": "FERC Critical Infrastructure Protection (beyond NERC CIP)",
      "shortName": "FERC CIP",
      "tier": 3,
      "jurisdiction": [
        "US"
      ],
      "tags": [
        "energy",
        "critical-infrastructure",
        "ot-iot"
      ],
      "aliases": [
        "FERC"
      ],
      "versions": [
        {
          "version": "current",
          "authoritativeUrl": "https://www.ferc.gov/industries-data/electric/industry-activities/critical-infrastructure-protection",
          "effectiveFrom": "2023-01-01",
          "sunsetOn": null,
          "clauseGrammar": "^Order\\d+$",
          "clauseExamples": [
            "Order887",
            "Order893"
          ],
          "clauseUrlTemplate": null,
          "commonClauses": [
            {
              "clause": "Order887",
              "topic": "Internal network security monitoring for bulk electric systems",
              "priorityWeight": 1.0
            },
            {
              "clause": "Order893",
              "topic": "Supply chain risk management for BES systems",
              "priorityWeight": 0.7
            }
          ],
          "pendingChanges": []
        }
      ]
    }
  ],
  "derivesFrom": {
    "$comment": "Derivative-regulation graph: each key is a framework id, value is the parent framework it inherits mappings from plus per-clause divergences and an explicit clauseMapping when the derivative renumbers clauses. inheritanceMode controls propagation: 'identity' (derivative preserves parent clause numbers — any parent clause propagates 1:1 unless listed in divergences) or 'mapped' (derivative renumbers — only clauses listed in clauseMapping propagate). scripts/generate_phase3_3_derivatives.py reads this graph to materialise inherited compliance[] entries on UC sidecars, with assurance degraded one step (full → partial → contributing; contributing does not propagate further). Divergences carry an informational note that is attached to the inherited entry via derivationSource.divergenceNote for auditor review.",
    "uk-gdpr": {
      "parent": "gdpr",
      "parentVersion": "2016/679",
      "inheritanceMode": "identity",
      "$identityComment": "UK GDPR was formed by onshoring Regulation (EU) 2016/679 into UK law under the European Union (Withdrawal) Act 2018. Clause numbering is preserved 1:1 with EU GDPR; any parent Art.N propagates to UK-GDPR@Art.N unless listed in divergences.",
      "divergences": [
        {
          "clause": "Art.45",
          "note": "UK adequacy decisions managed by ICO/UK government, not EU Commission."
        },
        {
          "clause": "Art.50",
          "note": "UK's own international cooperation mechanisms apply."
        }
      ]
    },
    "swiss-nfadp": {
      "parent": "gdpr",
      "parentVersion": "2016/679",
      "inheritanceMode": "mapped",
      "clauseMapping": {
        "$comment": "parent-clause → derivative-clause. Swiss nFADP uses its own article numbering but covers substantially the same topics as GDPR. Mapping is hand-curated against the FDPIC's 2023 nFADP commentary.",
        "Art.25": "Art.7",
        "Art.33": "Art.24"
      },
      "divergences": [
        {
          "clause": "Art.5",
          "note": "nFADP applies 'good faith' principle; GDPR uses 'lawfulness, fairness, transparency'."
        },
        {
          "clause": "Art.33",
          "note": "Swiss FDPIC replaces EU supervisory authority for breach notification."
        }
      ]
    },
    "lgpd": {
      "parent": "gdpr",
      "parentVersion": "2016/679",
      "inheritanceMode": "mapped",
      "clauseMapping": {
        "$comment": "parent-clause → derivative-clause. LGPD (Lei nº 13.709/2018) closely mirrors GDPR but renumbers security and breach articles. Mapping verified against ANPD's 2022 guidance.",
        "Art.32": "Art.46",
        "Art.33": "Art.48",
        "Art.34": "Art.48"
      },
      "divergences": [
        {
          "clause": "Art.6",
          "note": "LGPD Art.7 enumerates 10 legal bases, which differ slightly from GDPR's 6."
        },
        {
          "clause": "Art.33",
          "note": "ANPD is the competent authority; notification timelines differ."
        }
      ]
    },
    "appi": {
      "parent": "gdpr",
      "parentVersion": "2016/679",
      "inheritanceMode": "mapped",
      "clauseMapping": {
        "$comment": "parent-clause → derivative-clause. APPI (2022 amendments) uses its own article numbering. Mapping verified against PPC's APPI implementation guidelines.",
        "Art.32": "Art.23",
        "Art.33": "Art.26",
        "Art.34": "Art.26"
      },
      "divergences": [
        {
          "clause": "Art.6",
          "note": "APPI uses 'purpose of utilisation' rather than GDPR's lawful bases."
        },
        {
          "clause": "Art.15",
          "note": "APPI data-subject rights are narrower than GDPR Art.15-22."
        }
      ]
    },
    "ccpa": {
      "parent": "gdpr",
      "parentVersion": "2016/679",
      "inheritanceMode": "mapped",
      "clauseMapping": {
        "$comment": "parent-clause → derivative-clause. CCPA/CPRA uses §-based Civil Code numbering and is a consumer-privacy statute rather than a comprehensive data-protection regime; only the three commonClauses are mapped. The divergences list still applies: inherited entries gain a divergenceNote so SMEs can flag scope mismatches (e.g. employee data, sale/share definitions).",
        "Art.15": "§1798.100",
        "Art.17": "§1798.105",
        "Art.34": "§1798.150"
      },
      "divergences": [
        {
          "clause": "Art.15",
          "note": "Right to know is scoped to California residents in a consumer context and, in most cases, does not extend to employees."
        },
        {
          "clause": "Art.17",
          "note": "Right to delete includes service-provider obligations explicit in CCPA §1798.105."
        },
        {
          "clause": "Art.7",
          "note": "CCPA is opt-out, not opt-in; consent is not required to collect in most cases."
        }
      ]
    }
  },
  "aliasIndex": {
    "$comment": "Flat alias → framework-id map used by scripts/gap-analysis and scripts/audit_compliance_mappings to normalise free-text 'Regulations:' strings in legacy markdown. Unknown aliases appear in docs/content-gap-analysis.md.",
    "gdpr": "gdpr",
    "uk gdpr": "uk-gdpr",
    "uk-gdpr": "uk-gdpr",
    "regulation (eu) 2016/679": "gdpr",
    "hipaa": "hipaa-security",
    "hipaa security rule": "hipaa-security",
    "45 cfr 164": "hipaa-security",
    "pci dss": "pci-dss",
    "pci-dss": "pci-dss",
    "pci dss v4.0": "pci-dss",
    "pci dss v4": "pci-dss",
    "pci dss v3.2.1": "pci-dss",
    "soc 2": "soc-2",
    "soc2": "soc-2",
    "soc-2": "soc-2",
    "trust services criteria": "soc-2",
    "sox": "sox-itgc",
    "sox itgc": "sox-itgc",
    "itgc": "sox-itgc",
    "sarbanes-oxley": "sox-itgc",
    "pcaob as 2201": "sox-itgc",
    "iso 27001": "iso-27001",
    "iso/iec 27001": "iso-27001",
    "iso 27001:2022": "iso-27001",
    "iso 27001:2013": "iso-27001",
    "nist csf": "nist-csf",
    "nist csf 2.0": "nist-csf",
    "cybersecurity framework": "nist-csf",
    "nist 800-53": "nist-800-53",
    "nist sp 800-53": "nist-800-53",
    "800-53 rev 5": "nist-800-53",
    "nist sp 800-53 rev. 5": "nist-800-53",
    "nis2": "nis2",
    "eu nis2": "nis2",
    "directive (eu) 2022/2555": "nis2",
    "dora": "dora",
    "eu dora": "dora",
    "regulation (eu) 2022/2554": "dora",
    "cmmc": "cmmc",
    "cmmc 2.0": "cmmc",
    "nerc cip": "nerc-cip",
    "iec 62443": "iec-62443",
    "api rp 1164": "api-rp-1164",
    "tsa pipeline security directive": "tsa-sd",
    "sd02c": "tsa-sd",
    "fedramp": "fedramp",
    "fisma": "fisma",
    "eu ai act": "eu-ai-act",
    "eu cra": "eu-cra",
    "eu cyber resilience act": "eu-cra",
    "cyber resilience act": "eu-cra",
    "psd2": "psd2",
    "mifid ii": "mifid-ii",
    "fda 21 cfr part 11": "fda-part-11",
    "part 11": "fda-part-11",
    "swift csp": "swift-csp",
    "apra cps 234": "apra-cps-234",
    "cps 234": "apra-cps-234",
    "ccpa": "ccpa",
    "cpra": "ccpa",
    "pipl": "pipl",
    "swiss nfadp": "swiss-nfadp",
    "nfadp": "swiss-nfadp",
    "lgpd": "lgpd",
    "appi": "appi",
    "hitrust": "hitrust",
    "hitrust csf": "hitrust",
    "eidas": "eidas",
    "eidas 2.0": "eidas",
    "eu trust services": "eidas",
    "eu aml": "eu-aml",
    "amld6": "eu-aml",
    "cft framework": "eu-aml",
    "eu aml/cft framework": "eu-aml",
    "sox / itgc": "sox-itgc",
    "fisma / fedramp": "fisma",
    "eu cyber resilience act (cra)": "eu-cra",
    "eidas 2.0 / eu trust services": "eidas",
    "lei geral de proteção de dados (lgpd)": "lgpd",
    "pdpa sg": "sg-pdpa",
    "singapore personal data protection act": "sg-pdpa",
    "pipl art.38": "pipl",
    "iso/iec 27001:2022": "iso-27001",
    "nis regulations (uk)": "uk-nis",
    "asd essential eight": "asd-e8",
    "essential eight": "asd-e8",
    "fca ss1/21 operational resilience": "fca-ss1-21",
    "mas trm": "mas-trm",
    "rbi cyber security framework": "rbi-cyber",
    "bait/kait": "bait-kait",
    "bsi-kritisv": "bsi-kritisv",
    "hkma tm-g-2": "hkma-tm-g-2",
    "it-grundschutz": "it-grundschutz",
    "it-sig 2.0": "it-sig-2",
    "kraftberedskapsforskriften; nve": "no-kbf-nve",
    "nesa uae ias": "nesa-uae-ias",
    "pra ss2/21 outsourcing": "pra-ss2-21",
    "personopplysningsloven; datatilsynet": "no-personopplysningsloven",
    "petroleumsforskriften; psa": "no-petroleumsforskriften",
    "privacy act 1988 (cth); ndb": "au-privacy-act",
    "qatar central bank cybersecurity": "qcb-cyber",
    "sama cyber security framework": "sama-csf",
    "saudi pdpl": "sa-pdpl",
    "sikkerhetsloven; nsm veiledning": "no-sikkerhetsloven",
    "cjis security policy": "cjis",
    "fca sm&cr": "fca-smcr",
    "cyber essentials": "uk-cyber-essentials",
    "nzism": "nzism",
    "coso": "coso",
    "coso icfr": "coso",
    "coso erm": "coso",
    "cobit": "cobit",
    "cobit 2019": "cobit",
    "cobit 5": "cobit",
    "basel iii": "basel-iii",
    "bcbs": "basel-iii",
    "basel framework": "basel-iii",
    "glba": "glba",
    "gramm-leach-bliley": "glba",
    "ftc safeguards": "glba",
    "ferpa": "ferpa",
    "coppa": "coppa",
    "coppa rule": "coppa",
    "apac breach laws": "meta-multi",
    "multiple": "meta-multi"
  }
}
