Compliance & Frameworks
2026 Industry Compliance & Regulatory Frameworks
AdVran maintains compliance expertise across every major regulatory framework. We don't just help you pass audits—we operationalize compliance as a continuous part of your IT and security management.
Aerospace & Defense
CMMC 2.0 (Level 2/3)
Cybersecurity Maturity Model Certification
Mandatory for DoD contractors handling CUI. Level 2 requires implementation of all 110 NIST SP 800-171 controls; Level 3 adds a subset of the enhanced controls from NIST SP 800-172 and is assessed by the government.
DFARS 252.204-7012
Defense Federal Acquisition Regulation Supplement
DoD contract clause requiring adequate security (NIST SP 800-171) for covered defense information and reporting of cyber incidents to DoD within 72 hours of discovery.
ITAR / EAR Export Controls
International Traffic in Arms Regulations / Export Administration Regulations
Export controls requiring strict data residency and US-person access restrictions for defense articles and services.
NIST SP 800-171
Protecting Controlled Unclassified Information in Nonfederal Systems
The underlying technical requirement for protecting non-federal systems handling CUI—110 security controls across 14 families.
Financial Services
EU DORA
Digital Operational Resilience Act
EU regulation establishing digital resilience standards for financial entities and their ICT service providers.
FFIEC IT Examination Handbook
Federal Financial Institutions Examination Council
Interagency guidance for IT examination of financial institutions covering information security, business continuity, and outsourcing.
GLBA (Gramm-Leach-Bliley Act)
Gramm-Leach-Bliley Act
Requires financial institutions to safeguard consumer data, provide transparency, and implement comprehensive information security programs.
PCI DSS 4.0.1
Payment Card Industry Data Security Standard
Global standard for protecting cardholder data; version 4.0.1 requires MFA for all access into the cardholder data environment and automated log review mechanisms, and relies on network segmentation to limit the scope of the assessed environment.
SEC / FINRA Regulations
Securities and Exchange Commission / FINRA Rules
Focus on data retention, electronic communication archiving, and SEC Rule 17a-4 storage requirements for broker-dealers, historically WORM (Write Once, Read Many) and, since the 2022 amendments, alternatively an audit-trail system that preserves the complete record history.
SOX (Sarbanes-Oxley Act)
Sarbanes-Oxley Act
Requires public companies to maintain internal controls over financial reporting, with IT controls playing a critical role in audit compliance.
Healthcare & Life Sciences
21 CFR Part 11
FDA Electronic Records and Electronic Signatures
FDA requirement for electronic records and signatures in clinical trials, R&D, and pharmaceutical manufacturing environments.
HIPAA Security & Privacy Rules
Health Insurance Portability and Accountability Act
The baseline for Protected Health Information (PHI) privacy and security in healthcare organizations.
HITECH Act
Health Information Technology for Economic and Clinical Health Act
Mandates strict breach notifications, increases penalties for HIPAA non-compliance, and extends requirements to business associates.
Public Sector
CJIS Security Policy
Criminal Justice Information Services Security Policy
Strict data security standards for organizations handling law enforcement and criminal justice information.
FedRAMP
Federal Risk and Authorization Management Program
Security authorization framework, based on NIST SP 800-53 baselines, for cloud service providers selling to federal agencies; StateRAMP is covered separately below.
FIPS 140-2/3
Federal Information Processing Standard 140-2 / 140-3
NIST standard specifying security requirements for cryptographic modules used to protect sensitive information. FIPS 140-3 is the current standard; 140-2 validations are being retired, so new procurements should look for 140-3 certificates.
FISMA
Federal Information Security Modernization Act
Federal law requiring agencies, and contractors operating systems on their behalf, to develop, document, and implement agency-wide information security programs.
NIST SP 800-53
Security and Privacy Controls for Information Systems and Organizations
Comprehensive catalog of security and privacy controls for federal systems and organizations, the foundation for FedRAMP and FISMA.
StateRAMP
State Risk and Authorization Management Program
Security authorization framework for cloud service providers serving state and local government agencies.
Manufacturing & Automotive
ISA/IEC 62443
Industrial Automation and Control Systems Security
The primary standard for securing Industrial Control Systems (ICS) and operational technology environments.
NIST Cybersecurity Framework 2.0
NIST Cybersecurity Framework
Widely adopted, voluntary risk management framework organized around six functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, and Recover.
TISAX
Trusted Information Security Assessment Exchange
Automotive industry information security assessment based on the VDA ISA catalog (itself derived from ISO/IEC 27001), required by major OEMs for supply chain partners.
UNECE WP.29
UN Regulations No. 155 (Cybersecurity) and No. 156 (Software Updates)
International regulations requiring vehicle manufacturers to operate a certified Cybersecurity Management System and Software Update Management System as a condition of vehicle type approval.
Education
CIPA
Children's Internet Protection Act
Requires schools and libraries receiving E-Rate funding to implement internet safety policies and content filtering.
COPPA
Children's Online Privacy Protection Act
Restricts data collection on minors under 13, critical for K-12 EdTech providers and school districts.
FERPA
Family Educational Rights and Privacy Act
Protects the privacy of student educational records at institutions receiving federal funding.
State Education Standards
State Education Data Privacy Standards
State-specific data privacy regulations for educational institutions, varying by jurisdiction but generally extending FERPA protections.
Energy & Utilities
API Cybersecurity Standards
American Petroleum Institute Cybersecurity Standards
Industry standards for cybersecurity in petroleum and natural gas operations, including API 1164 for pipeline SCADA security.
NERC CIP Standards
North American Electric Reliability Corporation Critical Infrastructure Protection
Mandatory security standards for the North American bulk power system, enforced with significant financial penalties.
TSA Pipeline Security Directives
Transportation Security Administration Pipeline Security Directives
Required cyber incident reporting and audit readiness for oil and gas pipeline operators.
Legal & Professional Services
ABA Cybersecurity Guidelines
American Bar Association Cybersecurity Guidelines
ABA formal opinions and guidelines on lawyers' ethical obligations regarding technology and data security.
State Bar Ethics Rules
State Bar Association Ethics and Technology Rules
State-specific ethical obligations for attorneys regarding technology use, data security, and client information protection.
Cross-Industry
CPNI Protection Rules
Customer Proprietary Network Information Rules
FCC rules protecting customer calling records, service usage data, and billing information held by telecommunications carriers.
FCC Cybersecurity Regulations
Federal Communications Commission Cybersecurity Requirements
FCC regulations requiring telecommunications providers to protect network infrastructure and customer data.
GDPR / CCPA / CPRA
General Data Protection Regulation / California Consumer Privacy Act / California Privacy Rights Act
Comprehensive data privacy laws for consumer protection, requiring data minimization, consent management, and breach notification.
ISO/IEC 27001:2022
Information Security Management Systems
Global standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
SOC 2 Type II
System and Organization Controls 2
Independent AICPA attestation that controls were suitably designed and operated effectively over a review period, measured against the trust services criteria: security (mandatory), plus availability, processing integrity, confidentiality, and privacy as selected.
State Charity Regulations
State Charitable Organization Data Protection Regulations
State-level regulations governing data protection and security requirements for charitable organizations and nonprofits.