Your framework, your way

Frameworks

Security & Privacy

CIS Controls V8

A prioritized set of cybersecurity best practices developed by the Center for Internet Security (CIS) to help organizations strengthen their cyber defenses by focusing on the most effective actions against known threats.

FAR 52.204-21

Federal Acquisition Regulation clause that mandates basic safeguarding requirements for contractor information systems handling Federal Contract Information (FCI). Required for CMMC 2.0 Level 1 compliance.

ISO/IEC 17020:2012

Specifies requirements for the competence of bodies performing inspection and for the impartiality and consistency of their inspection activities.

ISO/IEC 17021-1:2025

Defines the requirements for bodies providing audit and certification of management systems, ensuring their competence, consistency, and impartiality.

ISO 27001:2022

Global benchmark for demonstrating an effective Information Security Management System (ISMS). Relevant for businesses selling to customers outside of the US.

ISO/IEC 27006:2015 with Amendment 1:2020

Sets specific requirements for bodies auditing and certifying ISMSs to ensure impartial and competent certification under ISO/IEC 27001.

ISO/IEC 27006-2:2021

Provides additional requirements for certification bodies that perform ISO/IEC 27701 audits, focusing on privacy information management systems.

ISO/IEC 27701:2019

An extension to ISO/IEC 27001 and 27002, specifying requirements and guidance for establishing a privacy information management system (PIMS).

NIST CSF 2.0

A voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity risks, updated to improve usability and coverage across sectors.

NIST SP 800-53 Rev 5

A comprehensive catalog of security and privacy controls developed by the National Institute of Standards and Technology (NIST) for federal information systems and organizations. Required for FISMA compliance and FedRAMP.

NIST SP 800-171 Rev 2

Prescribes security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Required for CMMC 2.0 Level 2 compliance.

SOC 2

AICPA standardized framework to prove a company’s security posture to prospective customers.

Government & Regulatory

CCPA

A landmark California privacy law that gives residents rights over their personal data, including the ability to know, access, delete, and opt out of the sale of personal information collected by businesses.

CMMC 2.0

A U.S. Department of Defense (DoD) framework that ensures defense contractors implement appropriate cybersecurity practices to protect Controlled Unclassified Information (CUI). It has three levels of maturity, aligned primarily with NIST SP 800-171.

DFARS clause 252.204-7012

DFARS is a supplement to the Federal Acquisition Regulation (FAR) that outlines specific cybersecurity requirements for DoD contractors, including the obligation to implement NIST SP 800-171 controls for protecting CUI.

DPF (Data Privacy Framework)

A set of agreements between the U.S., EU, UK, and Switzerland that enables the legal transfer of personal data from those regions to certified U.S. companies, ensuring compliance with European-style data protection standards.

FedRAMP

Ensures that cloud service providers (CSPs) meet strict federal security requirements, primarily based on NIST SP 800-53, before they can be used by U.S. government agencies.

FISMA

Establishes a framework for managing information security risk and mandates the use of standards like NIST SP 800-53 to ensure the confidentiality, integrity, and availability of federal data and systems.

GDPR (General Data Protection Regulation)

European Union law that governs how organizations collect, use, store, and protect personal data of individuals in the EU, emphasizing transparency, consent, data rights, and strong penalties for non-compliance.

Gramm-Leach-Bliley Act (GLBA)

Requires financial institutions to protect the privacy and security of consumers’ personal financial information through safeguards, privacy notices, and limits on data sharing.

HIPAA

U.S. federal law that sets national standards to protect the privacy and security of individuals’ health information, ensuring that healthcare providers, insurers, and their business associates safeguard Protected Health Information (PHI) both electronically and physically.

MA 201 CMR 17.00

A Massachusetts regulation that requires businesses to implement a comprehensive written information security program (WISP) to protect personal information of Massachusetts residents.

NYDFS Section 500

A cybersecurity regulation issued by the New York State Department of Financial Services (NYDFS). It mandates that financial institutions implement robust cybersecurity programs to protect sensitive consumer data.

Sarbanes-Oxley (SOX)

Imposes strict requirements on public companies, including internal controls over financial reporting, executive certification of financial statements, and independent auditor oversight, with the goal of preventing fraud and restoring trust in financial markets.

Aberrant is presently working on TX-RAMP and GovRAMP.

Need something else? Aberrant can also support custom controls; contact us for more information.

Ready to systematize compliance?

Pick your framework and we'll show you how Aberrant makes compliance systematic and scalable.
