Self-Serve tier

AI governance triple stack — NIST AI RMF 1.0 (Jan 2023) + Generative AI Profile (July 2024) + ISO/IEC 42001:2023 AI Management System + EU AI Act Regulation 2024/1689 (effective Aug 2024 with phased application through Aug 2026) — risk classification, prohibited practices, founda

CISA Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 6 USC 681 et seq.) — 72-hour covered incident reporting + 24-hour ransom payment reporting, sector-by-sector covered-entity definitions, NPRM rule status, and overlap with SEC 33-11216 / NERC CIP / TSA / FERC.

CMMC 2.0 (32 CFR Part 170 Final Rule Oct 2024) vs ISO/IEC 27001:2022 vs FedRAMP control crosswalk — Levels 1/2/3 alignment with NIST SP 800-171 Rev. 2 + 800-172, FedRAMP High/Moderate/Low baselines from NIST SP 800-53 Rev. 5, ISO Annex A 93 controls, and overlap exploitation for

Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554 — effective 17 January 2025 — five pillars (ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk, information sharing), critical ICT third-party provider desig

EU NIS2 Directive (Directive (EU) 2022/2555) — Essential vs Important entity classification by sector + size, transposition deadline 17 Oct 2024, 24-hour early warning + 72-hour incident notification + 1-month final report cadence, supply chain security, governance liability, and

NIST Cybersecurity Framework 2.0 (Feb 2024) implementation — six functions Govern / Identify / Protect / Detect / Respond / Recover, four-tier maturity model, profile development, cybersecurity supply-chain risk management (C-SCRM) integration, and crosswalk to NIST SP 800-53 Rev

New York DFS Cybersecurity Regulation (23 NYCRR Part 500) — including 2023 Second Amendment — vs New York SHIELD Act (NY Gen Bus Law Section 899-bb) — applicability scope, CISO-level controls, MFA, third-party security, 72-hour incident reporting, ransomware-payment notification,

Ransomware payment OFAC sanctions advisory — Treasury OFAC Updated Advisory (Sept 2021) + ongoing SDN list updates — IEEPA strict liability for sanctioned-entity payments, OFAC reporting, CISA + FBI engagement, and 50-state breach notification matrix coordination.

SEC Cybersecurity Disclosure Final Rule — Release No. 33-11216 (Aug 2023) — material cyber incident 8-K Item 1.05 four-business-day disclosure, Reg S-K Item 106 annual 10-K cyber risk management + governance, attorney-general national-security delay, and materiality determination

SOC 2 Type II vs ISO/IEC 27001:2022 vs PCI DSS v4.0 — Trust Services Criteria (CC, A, C, P, PI), ISMS scope, cardholder data environment (CDE) — vendor due diligence kit, evidence reuse strategy, and overlap exploitation for SaaS / payment-handling vendor assurance.

Cybersecurity Supply Chain Risk Management (C-SCRM) per NIST SP 800-161 Rev. 1 (May 2022) — supplier risk tiering, contractual flow-down, SBOM ingestion (NTIA + CISA), supply-chain incident handling, and overlay with EO 14028 + OMB M-22-18 + CSF 2.0 GOVERN function.

Zero Trust Architecture per NIST SP 800-207 (Aug 2020) and DoD ZT Reference Architecture v2.0 (2022) and CISA ZT Maturity Model v2.0 (April 2023) — seven tenets, policy decision/enforcement points (PDP/PEP), micro-segmentation, identity-centric access, and EO 14028 federal mandat