Framework Library
Every framework mapped into USR/UCB, in one searchable library.
248 authoritative sources — standards, certifications, and regulatory mandates — that 3HUE's USR framework and the AiVRIC UCB control baseline map into a single governed program. Search by name, or filter by region.
27001:2013 - Information Security Management Systems (ISMS) - Requirements
27001:2022 - Information Security Management Systems (ISMS) - Requirements
27002:2013 - Code of Practice for Information Security Controls
27002:2022 - Information security, cybersecurity and privacy protection - Information security controls
27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
27018:2014 - Code of Practice for PI in Public Clouds Acting as PI Processors
27701:2019 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
2900-1 - Software Cybersecurity for Network-Connectable Products
29100:2011 - Privacy Framework
31000:2009 - Risk Management
31010:2009 - Risk Assessment Techniques
Act 19628 - Protection of Personal Data
Act of 29 August 1997 on the Protection of Personal Data
Act of 8 December 1992
Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18)
Act on the Protection of Personal Information (June 2020)
AK - Alaska Personal Information Protection Act (PIPA)
Australia - Code of Practice - Securing the Internet of Things for Consumers
Australia Essential Eight
Australia Privacy Principles
Australian Government Information Security Manual (ISM) (June 2024)
B-13
Banking Supervisory Requirements for IT (BAIT)
Bermuda Monetary Authority Cyber Code of Conduct
BOE-A-2022-7191
CA - SB1386
CA - SB327
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) - November 2022 version
CERT Resilience Management Model v1.2
Children's Online Privacy Protection Act (COPPA)
China Cybersecurity Law of the People's Republic of China (China Cybersecurity Law) 2017
China Data Security Law of the People's Republic of China
CISA Cross-Sector Cybersecurity Performance Goals (CPG)
CISA Secure Software Development Attestation Form (SSDAF)
Cloud Computing Compliance Controls Catalogue (C5) 2020
Cloud Controls Matrix (CCM) v4
CO - Colorado Privacy Act
Committee of Sponsoring Organizations (COSO) 2017 Framework
Control Objectives for Information and Related Technologies (COBIT) 2019
Critical Security Controls (CSC) version 8.1
Critical Security Controls (CSC) version 8.1 - IG1
Critical Security Controls (CSC) version 8.1 - IG2
Critical Security Controls (CSC) version 8.1 - IG3
Critical Systems Cybersecurity Controls (CSCC – 1: 2019)
CSA IoT Security Controls Framework v2
Cyber Assessment Framework (CAF) for Aviation Guidance (CAP1850)
Cyber Assessment Framework (CAF) v3.1
Cyber Essentials
Cyber Hygiene Practice
Cybersecurity Capability Maturity Model v2.1
Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249
Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1
Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 2
Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 3
Cybersecurity Methodology for an Organization v1.0
Data Privacy Act of 2012
Data Privacy Framework (DPF)
Data Protection Act
Data Protection Act
Data Protection Act (2003)
Decision on Strengthening Network Information Protection
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - 7012
Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections 3.0 Security Capabilities Catalog
Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF)
DoD Zero Trust Reference Architecture v2
ENISA NIS2 (Directive (EU) 2022/2555)
Essential Cybersecurity Controls (ECC – 1 : 2018)
EU Digital Operational Resilience Act (DORA) (2023)
EU-US Data Privacy Framework
European Banking Authority (EBA) Guidelines on ICT and security risk management
European Union Agency for Network and Information Security (ENISA)
Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA)
Family Educational Rights and Privacy Act (FERPA)
Federal Acquisition Regulation (FAR) 52.204-21
Federal Acquisition Regulation (FAR) 52.204-27 Prohibition on a ByteDance Covered Application
Federal Acquisition Regulation (FAR) 889
Federal Act concerning the Protection of Personal Data (DSG 2000)
Federal Act on Data Protection (FADP)
Federal Data Protection Act
Federal Financial Institutions Examination Council (FFIEC)
Federal Law of 27 July 2006 N 152-FZ
Federal Law on Protection of Personal Data held by Private Parties
Federal Risk and Authorization Management Program R4 (FedRAMP R4)
Federal Risk and Authorization Management Program R4 (FedRAMP R4) (high baseline)
Federal Risk and Authorization Management Program R4 (FedRAMP R4) (Li-SAAS) baseline)
Federal Risk and Authorization Management Program R4 (FedRAMP R4) (low baseline)
Federal Risk and Authorization Management Program R4 (FedRAMP R4) (moderate baseline)
Federal Risk and Authorization Management Program R5 (FedRAMP R5) (high baseline)
Federal Risk and Authorization Management Program R5 (FedRAMP R5) (Li-SAAS) baseline)
Federal Risk and Authorization Management Program R5 (FedRAMP R5) (low baseline)
Federal Risk and Authorization Management Program R5 (FedRAMP R5) (moderate baseline)
Federal Risk and Authorization Management Program R5 (FedRAMP)
Federal Trade Commission (FTC) Act
Financial Industry Regulatory Authority (FINRA)
Food & Drug Administration (FDA) 21 CFR Part 11
General Data Protection Law (LGPD)
General Data Protection Regulation (GDPR)
Generally Accepted Privacy Principles (GAPP)
Gramm Leach Bliley Act (GLBA) - CFR 314 (Dec 2023)
Health Industry Cybersecurity Practices (HICP) - Large Practice
Health Industry Cybersecurity Practices (HICP) - Medium Practice
Health Industry Cybersecurity Practices (HICP) - Small Practice
HIPAA Administrative Simplification (2013)
HIPAA Security Rule (includes mapping to NIST SP 800-66 R2)
HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers
ICT Security Guide CCN-STIC 825
IEC 62443-4-2:2019 - Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components
IEC ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering
IEC TR 60601-4-5:2021
IL - Illinois Biometric Information Privacy Act (PIPA)
IL - Illinois Identity Protection Act (IPA)
IL - Illinois Personal Information Protection Act (PIPA)
India Digital Personal Data Protection Act 2023
Information Technology Rules (Privacy Rules)
Informational Self-Determination and Freedom of Information (Act CXII of 2011)
Insurance Data Security Model Law (MDL-668)
Internal Revenue Service (IRS) 1075
International Traffic in Arms Regulation (ITAR) [limited to Part 120]
ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system
Japan Information System Security Management and Assessment Program (ISMAP)
Kenya Data Protection Act (2019)
Law 1581 of 2012
Law No. 18,331 - Protection of Personal Data and Action "Habeas Data"
MA - 201 CMR 17.00
Ministry of Defence Standard 05-138 (14 May 2024)
MITRE ATT&CK - NIST 800-53 mappings
Monitory Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (2021)
MPA Content Security Best Practices Common Guidelines v5.1
National Industrial Security Program Operating Manual (NISPOM)
National Science & Technology Council (NSTC) NSPM-33
Naval Nuclear Propulsion Information (NNPI)
New Zealand Information Security Manual (NZISM) v3.6
Nigeria Data Protection Regulation (2019)
NIST 800-171A R3
NIST Artificial Intelligence Risk Management Framework (AI RMF) v1.0
NIST Cybersecurity Framework (CSF) v1.1
NIST Cybersecurity Framework (CSF) v2.0
NIST Privacy Framework v1.0
NIST SP 800-160 - Systems Security Engineering
NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM Baseline)
NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Flow Down)
NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 1)
NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 2)
NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 3)
NIST SP 800-171 R2 - Protecting CUI in Nonfederal Systems and Organizations
NIST SP 800-171 R3
NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information
NIST SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
NIST SP 800-207 - Zero Trust Architecture
NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1:
NIST SP 800-37 - Guide for Applying the RMF to Federal Information Systems rev2
NIST SP 800-39 - Managing Information Security Risk
NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (high baseline)
NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (low baseline)
NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)
NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations High Baseline
NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Low Baseline
NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Moderate Baseline
NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Privacy Baseline
NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Select Not Otherwise Categorized (NOC) controls
NIST SP 800-63B - Digital Identity Guidelines (partial mapping)
NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security
NIST SP 800-82 R3 - Guide to Industrial Control Systems (ICS) Security
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
NV - SB220
NY - Cybersecurity Requirements for Financial Services Companies (DFS 23 NYCRR500) - 2023 Amendment 2
NY - SHIELD Act (SB S5575B)
NZ Health Information Security Framework (2022)
Office of the Superintendent of Financial Institutions Canada (OSFI) - Cyber Security Self-Assessment Guidance
Operational Technology Cybersecurity Controls (OTCC -1: 2022)
OR - Consumer Privacy Act (SB 619)
OR - ORS 646A
OWASP Top 10 Most Critical Web Application Security Risks
Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A-EP
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B-IP
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C-VT
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Merchant
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Service Provider
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ P2PE
Payment Card Industry Data Security Standard (PCI DSS) v4.01
Personal Data Act
Personal Data Act
Personal Data Ordinance
Personal Data Privacy Protection Law (PDPPL)
Personal Data Protection Act
Personal Data Protection Act
Personal Data Protection Act of 2010
Personal Data Protection Act of 2012
Personal Data Protection Code
Personal Data Protection Law
Personal Information Protection Act
Personal Information Protection and Electronic Documents Act (PIPEDA)
Personal Information Protection Law of the People's Republic of China
Privacy Act of 1998
Privacy Act of 2020
Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171)
Protection of Individuals with Regard to the Processing of Personal Data (2472/1997)
Protection of Personal Data - MEN-2018-147-APN-PTE
Protection of Personal Information Act (POPIA)
Protection of Personal Law No. 25,326
Protection of Privacy Law, 5741 – 1981
Protection of the Person in the Processing of His Personal Data
Prudential Standard CPS 230 - Operational Risk Management
Prudential Standard CPS 234 Information Security
Regulation on Protection of Personal Data in Electronic Communications Sector
Royal Decree 1720/2007 (protection of personal data)
SACS-002 - Third Party Cybersecurity Standard
Sarbanes Oxley Act (SOX)
Saudi Arabia IoT CGIoT-1:2024
Saudi Arabia Personal Data Protection Law (PDPL)
Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) Version 1.0 (May 2017)
SC - South Carolina Insurance Data Security Act
Second Payment Services Directive (PSD2)
Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)
Service Organization Control - Trust Services Criteria (TSC) - SOC2 (2022 points of focus)
Shared Assessments Standard Information Gathering Questionnaire (SIG) 2024
Social Security Administration (SSA) Electronic Information Exchange Security Requirements
Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
Spain Royal Decree 311/2022
Standard 200-1
StateRAMP Low (Category 1)
StateRAMP Low+ (Category 2)
StateRAMP Moderate (Category 3)
SWIFT Customer Security Controls Framework 2021
TISAX ISA 6.0.3
TN - Information Protection Act
TX - 2019 - SB820
TX - BC521
TX - Consumer Data Protection Act (CDPA)
TX - Cybersecurity Act
TX - DIR Security Control Standards Catalog v2.0
TX - Texas Risk & Authorization Management Program (TX-RAMP)
UAE National Information Assurance Framework (NIAF)
UK General Data Protection Regulation
UN Regulation No. 155 - Cyber security and cyber security management system
UNECE WP.29
US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0
US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy v5.9.3
Virginia Consumer Data Protection Act (2023)
VT - Act 171 of 2018 (Data Broker Registration Act)
Don't see a framework you need?
This library represents a subset of what 3HUE's USR/UCB control mapping supports — ask your account team about additional frameworks relevant to your industry and region.