Framework Library

Every framework mapped into USR/UCB, in one searchable library.

248 authoritative sources — standards, certifications, and regulatory mandates — that 3HUE's USR framework and the AiVRIC UCB control baseline map into a single governed program. Search by name, or filter by region.

248 frameworks
Universal ISO

22301:2019 - Security and resilience — Business continuity management systems — Requirements

Universal ISO

27001:2013 - Information Security Management Systems (ISMS) - Requirements

Universal ISO

27001:2022 - Information Security Management Systems (ISMS) - Requirements

Universal ISO

27002:2013 - Code of Practice for Information Security Controls

Universal ISO

27002:2022 - Information security, cybersecurity and privacy protection - Information security controls

Universal ISO

27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

Universal ISO

27018:2014 - Code of Practice for PI in Public Clouds Acting as PI Processors

Universal ISO

27701:2019 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

Universal UL

2900-1 - Software Cybersecurity for Network-Connectable Products

Universal ISO

29100:2011 - Privacy Framework

Universal ISO

31000:2009 - Risk Management

Universal ISO

31010:2009 - Risk Assessment Techniques

Americas Chile

Act 19628 - Protection of Personal Data

EMEA Poland

Act of 29 August 1997 on the Protection of Personal Data

EMEA Belgium

Act of 8 December 1992

EMEA Serbia

Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18)

APAC Japan

Act on the Protection of Personal Information (June 2020)

US State

AK - Alaska Personal Information Protection Act (PIPA)

APAC Australia

Australia - Code of Practice - Securing the Internet of Things for Consumers

APAC Australia

Australia Essential Eight

APAC Australia

Australia Privacy Principles

APAC Australia

Australian Government Information Security Manual (ISM) (June 2024)

Americas Canada

B-13

EMEA Germany

Banking Supervisory Requirements for IT (BAIT)

Americas Bermuda

Bermuda Monetary Authority Cyber Code of Conduct

EMEA Spain

BOE-A-2022-7191

US State

CA - SB1386

US State

CA - SB327

US State

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) - November 2022 version

US Federal

CERT Resilience Management Model v1.2

US Federal

Children's Online Privacy Protection Act (COPPA)

APAC China

China Cybersecurity Law of the People's Republic of China (China Cybersecurity Law) 2017

APAC China

China Data Security Law of the People's Republic of China

US Federal

CISA Cross-Sector Cybersecurity Performance Goals (CPG)

US Federal

CISA Secure Software Development Attestation Form (SSDAF)

EMEA Germany

Cloud Computing Compliance Controls Catalogue (C5) 2020

Universal CSA

Cloud Controls Matrix (CCM) v4

US State

CO - Colorado Privacy Act

Universal COSO

Committee of Sponsoring Organizations (COSO) 2017 Framework

Universal ISACA

Control Objectives for Information and Related Technologies (COBIT) 2019

Universal CIS

Critical Security Controls (CSC) version 8.1

Universal CIS

Critical Security Controls (CSC) version 8.1 - IG1

Universal CIS

Critical Security Controls (CSC) version 8.1 - IG2

Universal CIS

Critical Security Controls (CSC) version 8.1 - IG3

EMEA Saudi Arabia

Critical Systems Cybersecurity Controls (CSCC – 1: 2019)

Universal CSA

CSA IoT Security Controls Framework v2

EMEA United Kingdom

Cyber Assessment Framework (CAF) for Aviation Guidance (CAP1850)

EMEA United Kingdom

Cyber Assessment Framework (CAF) v3.1

EMEA United Kingdom

Cyber Essentials

APAC Singapore

Cyber Hygiene Practice

US Federal

Cybersecurity Capability Maturity Model v2.1

US Federal

Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249

US Federal

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1

US Federal

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 2

US Federal

Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 3

EMEA Israel

Cybersecurity Methodology for an Organization v1.0

APAC Philippines

Data Privacy Act of 2012

US Federal

Data Privacy Framework (DPF)

EMEA United Kingdom

Data Protection Act

Americas Bahamas

Data Protection Act

EMEA Ireland

Data Protection Act (2003)

APAC China

Decision on Strengthening Network Information Protection

US Federal

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - 7012

US Federal

Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections 3.0 Security Capabilities Catalog

US Federal

Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF)

US Federal

DoD Zero Trust Reference Architecture v2

EMEA EU

ENISA NIS2 (Directive (EU) 2022/2555)

EMEA Saudi Arabia

Essential Cybersecurity Controls (ECC – 1 : 2018)

EMEA EU

EU Digital Operational Resilience Act (DORA) (2023)

EMEA EU

EU-US Data Privacy Framework

EMEA EU

European Banking Authority (EBA) Guidelines on ICT and security risk management

Universal EU

European Union Agency for Network and Information Security (ENISA)

US Federal

Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA)

US Federal

Family Educational Rights and Privacy Act (FERPA)

US Federal

Federal Acquisition Regulation (FAR) 52.204-21

US Federal

Federal Acquisition Regulation (FAR) 52.204-27 Prohibition on a ByteDance Covered Application

US Federal

Federal Acquisition Regulation (FAR) 889

EMEA Austria

Federal Act concerning the Protection of Personal Data (DSG 2000)

EMEA Switzerland

Federal Act on Data Protection (FADP)

EMEA Germany

Federal Data Protection Act

US Federal

Federal Financial Institutions Examination Council (FFIEC)

EMEA Russia

Federal Law of 27 July 2006 N 152-FZ

Americas Mexico

Federal Law on Protection of Personal Data held by Private Parties

US Federal

Federal Risk and Authorization Management Program R4 (FedRAMP R4)

US Federal

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (high baseline)

US Federal

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (Li-SAAS) baseline)

US Federal

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (low baseline)

US Federal

Federal Risk and Authorization Management Program R4 (FedRAMP R4) (moderate baseline)

US Federal

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (high baseline)

US Federal

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (Li-SAAS) baseline)

US Federal

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (low baseline)

US Federal

Federal Risk and Authorization Management Program R5 (FedRAMP R5) (moderate baseline)

US Federal

Federal Risk and Authorization Management Program R5 (FedRAMP)

US Federal

Federal Trade Commission (FTC) Act

US Federal

Financial Industry Regulatory Authority (FINRA)

US Federal

Food & Drug Administration (FDA) 21 CFR Part 11

Americas Brazil

General Data Protection Law (LGPD)

EMEA EU

General Data Protection Regulation (GDPR)

Universal AICPA

Generally Accepted Privacy Principles (GAPP)

US Federal

Gramm Leach Bliley Act (GLBA) - CFR 314 (Dec 2023)

US Federal

Health Industry Cybersecurity Practices (HICP) - Large Practice

US Federal

Health Industry Cybersecurity Practices (HICP) - Medium Practice

US Federal

Health Industry Cybersecurity Practices (HICP) - Small Practice

US Federal

HIPAA Administrative Simplification (2013)

US Federal

HIPAA Security Rule (includes mapping to NIST SP 800-66 R2)

APAC New Zealand

HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

EMEA Spain

ICT Security Guide CCN-STIC 825

Universal IEC

IEC 62443-4-2:2019 - Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components

Universal IEC

IEC ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering

Universal IEC

IEC TR 60601-4-5:2021

US State

IL - Illinois Biometric Information Privacy Act (PIPA)

US State

IL - Illinois Identity Protection Act (IPA)

US State

IL - Illinois Personal Information Protection Act (PIPA)

APAC India

India Digital Personal Data Protection Act 2023

APAC India

Information Technology Rules (Privacy Rules)

EMEA Hungary

Informational Self-Determination and Freedom of Information (Act CXII of 2011)

Universal NAIC

Insurance Data Security Model Law (MDL-668)

US Federal

Internal Revenue Service (IRS) 1075

US Federal

International Traffic in Arms Regulation (ITAR) [limited to Part 120]

Universal ISO

ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system

APAC Japan

Japan Information System Security Management and Assessment Program (ISMAP)

EMEA Kenya

Kenya Data Protection Act (2019)

Americas Colombia

Law 1581 of 2012

Americas Uruguay

Law No. 18,331 - Protection of Personal Data and Action "Habeas Data"

US State

MA - 201 CMR 17.00

EMEA United Kingdom

Ministry of Defence Standard 05-138 (14 May 2024)

Universal MITRE

MITRE ATT&CK - NIST 800-53 mappings

APAC Singapore

Monitory Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (2021)

Universal MPA

MPA Content Security Best Practices Common Guidelines v5.1

US Federal

National Industrial Security Program Operating Manual (NISPOM)

US Federal

National Science & Technology Council (NSTC) NSPM-33

US Federal

Naval Nuclear Propulsion Information (NNPI)

APAC New Zealand

New Zealand Information Security Manual (NZISM) v3.6

EMEA Nigeria

Nigeria Data Protection Regulation (2019)

Universal NIST

NIST 800-171A R3

Universal NIST

NIST Artificial Intelligence Risk Management Framework (AI RMF) v1.0

Universal NIST

NIST Cybersecurity Framework (CSF) v1.1

Universal NIST

NIST Cybersecurity Framework (CSF) v2.0

Universal NIST

NIST Privacy Framework v1.0

Universal NIST

NIST SP 800-160 - Systems Security Engineering

Universal NIST

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

Universal NIST

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM Baseline)

Universal NIST

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Flow Down)

Universal NIST

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 1)

Universal NIST

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 2)

Universal NIST

NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 3)

Universal NIST

NIST SP 800-171 R2 - Protecting CUI in Nonfederal Systems and Organizations

Universal NIST

NIST SP 800-171 R3

Universal NIST

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information

Universal NIST

NIST SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

Universal NIST

NIST SP 800-207 - Zero Trust Architecture

Universal NIST

NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1:

Universal NIST

NIST SP 800-37 - Guide for Applying the RMF to Federal Information Systems rev2

Universal NIST

NIST SP 800-39 - Managing Information Security Risk

Universal NIST

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations

Universal NIST

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (high baseline)

Universal NIST

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (low baseline)

Universal NIST

NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)

Universal NIST

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations

Universal NIST

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations High Baseline

Universal NIST

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Low Baseline

Universal NIST

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Moderate Baseline

Universal NIST

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Privacy Baseline

Universal NIST

NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations Select Not Otherwise Categorized (NOC) controls

Universal NIST

NIST SP 800-63B - Digital Identity Guidelines (partial mapping)

Universal NIST

NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security

Universal NIST

NIST SP 800-82 R3 - Guide to Industrial Control Systems (ICS) Security

US Federal

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

US State

NV - SB220

US State

NY - Cybersecurity Requirements for Financial Services Companies (DFS 23 NYCRR500) - 2023 Amendment 2

US State

NY - SHIELD Act (SB S5575B)

APAC New Zealand

NZ Health Information Security Framework (2022)

Americas Canada

Office of the Superintendent of Financial Institutions Canada (OSFI) - Cyber Security Self-Assessment Guidance

EMEA Saudi Arabia

Operational Technology Cybersecurity Controls (OTCC -1: 2022)

US State

OR - Consumer Privacy Act (SB 619)

US State

OR - ORS 646A

Universal OWASP

OWASP Top 10 Most Critical Web Application Security Risks

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS)

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A-EP

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B-IP

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C-VT

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Merchant

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Service Provider

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ P2PE

Universal PCI SSC

Payment Card Industry Data Security Standard (PCI DSS) v4.01

EMEA Norway

Personal Data Act

EMEA Sweden

Personal Data Act

APAC Hong Kong

Personal Data Ordinance

EMEA Qatar

Personal Data Privacy Protection Law (PDPPL)

EMEA Netherlands

Personal Data Protection Act

APAC Taiwan

Personal Data Protection Act

APAC Malaysia

Personal Data Protection Act of 2010

APAC Singapore

Personal Data Protection Act of 2012

EMEA Italy

Personal Data Protection Code

Americas Peru

Personal Data Protection Law

APAC South Korea

Personal Information Protection Act

Americas Canada

Personal Information Protection and Electronic Documents Act (PIPEDA)

APAC China

Personal Information Protection Law of the People's Republic of China

APAC Australia

Privacy Act of 1998

APAC New Zealand

Privacy Act of 2020

Americas Canada

Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171)

EMEA Greece

Protection of Individuals with Regard to the Processing of Personal Data (2472/1997)

Americas Argentina

Protection of Personal Data - MEN-2018-147-APN-PTE

EMEA South Africa

Protection of Personal Information Act (POPIA)

Americas Argentina

Protection of Personal Law No. 25,326

EMEA Israel

Protection of Privacy Law, 5741 – 1981

Americas Costa Rica

Protection of the Person in the Processing of His Personal Data

APAC Australia

Prudential Standard CPS 230 - Operational Risk Management

APAC Australia

Prudential Standard CPS 234 Information Security

EMEA Turkey

Regulation on Protection of Personal Data in Electronic Communications Sector

EMEA Spain

Royal Decree 1720/2007 (protection of personal data)

EMEA Saudi Arabia

SACS-002 - Third Party Cybersecurity Standard

US Federal

Sarbanes Oxley Act (SOX)

EMEA Saudi Arabia

Saudi Arabia IoT CGIoT-1:2024

EMEA Saudi Arabia

Saudi Arabia Personal Data Protection Law (PDPL)

EMEA Saudi Arabia

Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) Version 1.0 (May 2017)

US State

SC - South Carolina Insurance Data Security Act

EMEA EU

Second Payment Services Directive (PSD2)

US Federal

Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)

Universal AICPA

Service Organization Control - Trust Services Criteria (TSC) - SOC2 (2022 points of focus)

Universal Shared Assessments

Shared Assessments Standard Information Gathering Questionnaire (SIG) 2024

US Federal

Social Security Administration (SSA) Electronic Information Exchange Security Requirements

Universal SPARTA

Space Attack Research & Tactic Analysis (SPARTA) Countermeasures

EMEA Spain

Spain Royal Decree 311/2022

Universal BSI

Standard 200-1

US State

StateRAMP Low (Category 1)

US State

StateRAMP Low+ (Category 2)

US State

StateRAMP Moderate (Category 3)

Universal SWIFT

SWIFT Customer Security Controls Framework 2021

Universal TISAX

TISAX ISA 6.0.3

US State

TN - Information Protection Act

US State

TX - 2019 - SB820

US State

TX - BC521

US State

TX - Consumer Data Protection Act (CDPA)

US State

TX - Cybersecurity Act

US State

TX - DIR Security Control Standards Catalog v2.0

US State

TX - Texas Risk & Authorization Management Program (TX-RAMP)

EMEA UAE

UAE National Information Assurance Framework (NIAF)

EMEA United Kingdom

UK General Data Protection Regulation

Universal United Nations

UN Regulation No. 155 - Cyber security and cyber security management system

Universal United Nations

UNECE WP.29

US Federal

US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0

US Federal

US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy v5.9.3

US State

Virginia Consumer Data Protection Act (2023)

US State

VT - Act 171 of 2018 (Data Broker Registration Act)

Don't see a framework you need?

This library represents a subset of what 3HUE's USR/UCB control mapping supports — ask your account team about additional frameworks relevant to your industry and region.