A consolidation of different cybersecurity and data privacy frameworks in one table, and whether or not they have an official, bona fide certification.
As you will see in the table below, many of them do not have or require a specific certification, though the requirements are often mandatory via legislation.
Sometimes it’s just nice to see them all in one place with handy links to the official sites.
Enjoy!
| Framework | Description | Certification/Authorization? |
|---|---|---|
| NIST Cybersecurity Framework (CSF) | Enterprise-level cybersecurity management | No |
| NIST SP 800-53 Rev. 5 | Security and Privacy Controls for Information Systems and Organizations | No |
| NIST SP 800-53A Rev. 5 | Assessing Security and Privacy Controls in Information Systems and Organizations | n/a |
| NIST SP 800-53B | Control Baselines for Information Systems and Organizations | n/a |
| NIST SP 800-171 | Protecting Controlled Unclassified Information in Non-federal Systems and Organizations | Indirect via CMMC |
| FedRAMP | US Federal Risk and Authorization Management Program | Authorization |
| FedRAMP 20x | Modernized FedRAMP requirements. Note: the actual pipeline for accepting FedRAMP 20x submissions will open in FY26 Q4 (July – September 2026) | Authorization |
| CMMC | Cybersecurity Maturity Model Certification | Yes |
| SOC 2 | Service Organizational Control 2 (resources) | Attestation |
| PCI DSS | Payment Card Industry Data Security Standard | Compliance validation |
| CIS Critical Security Controls | Center for Internet Security (CIS) Critical Security Controls | No |
| CSA Cloud Controls Matrix (CCM) | Cloud Security Alliance | CSA STAR available for audit and assessment consultancies |
| ISO/IEC 27001 | Information security, cybersecurity and privacy protection — Information security management systems — Requirements (International Standards Organization / International Electrotechnical Commission) | Yes |
| Protected B PBMM Cloud Security Profile | Government of Canada security requirements for cloud services processing sensitive government information and workloads | Authorization |
| EU Cybersecurity Certification (EUCC) Framework | “…provides a unified cybersecurity certification process for Information and Communication Technology (ICT) products” | Yes |
| EUCS Cloud Certification Scheme | European Cybersecurity Certification Scheme for Cloud Services | Emerging |
| NCSC Cyber Assessment Framework (CAF) | Excerpt from site: “…aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions performed by that organisation.” | No |
| NCSC Cyber Essentials / Cyber Essentials Plus | The United Kingdom’s Cyber Essentials is the minimum standard of cyber security recommended by the Government for organisations of all sizes. | Yes |
| US HHS HIPAA | United States Dept. of Health and Human Services – Health Insurance Portability and Accountability Act of 1996 | No, compliance required |
| HITRUST | Health Information Trust Alliance | Yes |
| FFIEC | Federal Financial Institutions Examination Council | No |
| NERC CIP | North American Electric Reliability Corporation – Critical Infrastructure Protection | No |