Explained: Cyber and Privacy Industry Frameworks

by CyberGRX

In support of today's release of Framework Mapper, we put together brief explanations of a few of the different industry standard frameworks and models that Framework Mapper supports. 

Framework Mapper allows you to map our standardized assessment to your organization’s custom controls framework or other industry standard frameworks and models. 

Want to learn more? Join us for an on-demand webinar on how Framework Mapper drives risk and cost reduction in managing third-party cyber and privacy risk.

23 NYCRR 500

In February 2017, the New York State Department of Financial Services put into effect 23 NYCRR 500, a set of GDPR-like regulations. They were put in place to address the threats posed to financial systems by cyber criminals.

CPS 234

CPS 234 is a set of regulations put in place by the Australian Prudential Regulation Authority in response to the increase in data breaches in Australia between April 2018 and April 2019.

GDPR

GDPR stands for “General Data Protection Regulation”; it was enacted by the European Union in May 2018. The regulation put into place thousands of new requirements regarding data security and data protection that organizations around the world must abide by.

NIST Cybersecurity Framework 1.0

The National Institute of Standards and Technology (NIST) released version 1.0 of its Cybersecurity Framework in February 2014. The framework was created in response to Presidential Executive Order 13636, issued in February 2013, which set a policy that the United States would enhance security measures to protect the national infrastructure critical to its economy, public health and safety, or security.

NIST Cybersecurity Framework 1.1

NIST later updated the Cybersecurity Framework with the version 1.1 release. Compared with the 1.0 release, this update focused on revamping areas such as authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.

NIST 800-171

NIST 800-171 is “…a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems.” The standard was released under the authority of the Federal Information Security Management Act of 2002.

NIST 800-53 r5

In 2020, NIST released revision 5 of NIST 800-53, a set of security and privacy controls for information systems and organizations. The controls are meant to protect organizational operations, assets, individuals, and others from attacks, errors, and failures, and they draw on a combination of business and legal needs, regulations, policies, and guidelines.

NERC CIP

The North American Electric Reliability Corporation (NERC) released its Critical Infrastructure Protection (CIP) standards in 2008. They apply to energy and utility companies and aim to reduce the risk of attacks on the Bulk Electric System.

CMMC

The Cybersecurity Maturity Model Certification (CMMC) was designed by the Department of Defense to ensure that cybersecurity controls and processes are in place to protect Controlled Unclassified Information (CUI) residing on its networks.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for organizations that handle the cardholder data of the major credit card companies.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to put standards in place that protect sensitive patient information from being disclosed without the patient’s consent.

CCPA

The California Consumer Privacy Act (CCPA) was signed into California law in June 2018 and is a civil code meant to protect the privacy and consumer rights of California residents.

Watch the webinar to learn more