Computer Fraud and Abuse Act (CFAA): Federal law that protects against unauthorized access to computers and networks, making it illegal to intentionally access a computer without authorization or exceeding authorized access
Federal Information Security Management Act (FISMA): Federal law that requires federal agencies to implement information security programs to protect government information, systems, and assets
Health Insurance Portability and Accountability Act (HIPAA): Federal law that provides data privacy and security provisions for safeguarding medical information and protected health information (PHI)
Gramm-Leach-Bliley Act (GLBA): Federal law requiring financial institutions to explain their information-sharing practices and protect sensitive customer data
Sarbanes-Oxley Act (SOX): Federal law that sets requirements for all U.S. public company boards, management, and public accounting firms, including IT controls and data security
Family Educational Rights and Privacy Act (FERPA): Federal law that protects the privacy of student education records and applies to all schools that receive federal funding
NIST Special Publication 800-53: Security and privacy controls framework providing guidelines for securing information systems and organizations
NIST Cybersecurity Framework: Voluntary guidance for private sector organizations to better manage and reduce cybersecurity risk
ISO 27001: International standard providing requirements for information security management systems (ISMS)
CIS Controls: Set of prioritized actions to protect organizations and data from known cyber attack vectors
State Data Breach Notification Laws: State-specific requirements for organizations to notify individuals when their personal information has been compromised in a data breach
California Consumer Privacy Act (CCPA): California state law providing consumers with rights regarding the collection and use of their personal information
NY SHIELD Act: New York state law requiring businesses to implement safeguards for private information and expanding breach notification requirements
Payment Card Industry Data Security Standard (PCI DSS): Security standard for organizations that handle branded credit cards from major card schemes, ensuring protection of cardholder data
Defense Federal Acquisition Regulation Supplement (DFARS): Cybersecurity requirements for contractors working with the Department of Defense
FedRAMP: Government-wide program providing standardized security assessment and authorization for cloud products and services used by federal agencies
Privacy Shield Framework: Framework for transatlantic exchanges of personal data between European countries and the United States
General Data Protection Regulation (GDPR): EU regulation on data protection and privacy that affects organizations handling data of EU residents, even if based in the US
