Framework registry

128+ frameworks built in, mapped to your work.

Surety ships with a registry of every compliance, security, privacy, AI-governance, and supply-chain framework your team is likely to be audited against — from NIST and ISO down to OWASP LLM Top 10 and the EU AI Act. Every change record can be mapped to the controls that apply.

  • NIST SP 800-218 (SSDF)
    Feb 2022

    Secure Software Development Framework

    US Federal · 19 controls
  • NIST Cybersecurity Framework
    2.0 (2024)

    Identify/Protect/Detect/Respond/Recover/Govern

    US Federal · 106 controls
  • NIST SP 800-53
    Rev 5

    Federal security & privacy control catalog

    US Federal · 1,006 controls
  • NIST SP 800-171
    Rev 3

    Protecting CUI in nonfederal systems

    US Federal · 110 controls
  • NIST AI RMF
    1.0

    AI Risk Management Framework

    US Federal · 72 controls
  • NIST SP 800-207
    2020

    Zero Trust Architecture

    US Federal · 28 controls
  • NIST SP 800-160 Vol 1
    Rev 1

    Systems security engineering

    US Federal · 32 controls
  • NIST SP 800-161
    Rev 1

    Supply chain risk management

    US Federal · 183 controls
  • FedRAMP Low
    Rev 5

    Federal cloud baseline (low impact)

    US Federal · 156 controls
  • FedRAMP Moderate
    Rev 5

    Federal cloud baseline (moderate impact)

    US Federal · 323 controls
  • FedRAMP High
    Rev 5

    Federal cloud baseline (high impact)

    US Federal · 410 controls
  • FISMA
    2014 (FISMA Modernization Act)

    Federal Information Security Modernization Act

    US Federal · 17 controls
  • CMMC Level 1
    2.0

    Foundational cyber hygiene (DoD contractors)

    US Federal · 17 controls
  • CMMC Level 2
    2.0

    Advanced cybersecurity (DoD CUI)

    US Federal · 110 controls
  • CMMC Level 3
    2.0

    Expert cybersecurity (DoD critical)

    US Federal · 134 controls
  • FIPS 140-3
    2019

    Cryptographic module validation

    US Federal · 11 controls
  • NIST SP 800-66
    Rev 2

    HIPAA Security Rule implementation

    US Federal · 67 controls
  • HIPAA Security Rule
    45 CFR §164

    Health information privacy & security

    US Sectoral · 78 controls
  • HITECH Act
    2009

    Health Information Technology for Economic and Clinical Health

    US Sectoral · 15 controls
  • Sarbanes-Oxley
    2002

    Public-company financial reporting controls

    US Sectoral · 11 controls
  • Gramm-Leach-Bliley Act
    1999

    Financial-institution data protection

    US Sectoral · 9 controls
  • FERPA
    20 USC §1232g

    Educational records privacy

    US Sectoral · 6 controls
  • FDA SaMD Cybersecurity
    2023 Guidance

    Premarket cybersecurity for medical devices

    US Sectoral · 21 controls
  • 21 CFR Part 11
    1997 (current)

    FDA electronic records & signatures

    US Sectoral · 9 controls
  • PCI DSS
    4.0

    Payment card industry data security

    US Sectoral · 264 controls
  • StateRAMP Moderate
    Rev 5

    State-government cloud baseline

    US State · 323 controls
  • TX-RAMP Level 2
    2024

    Texas state cloud authorization

    US State · 280 controls
  • AZ-RAMP
    Rev 5 aligned

    Arizona state cloud authorization

    US State · 156 controls
  • California CCPA
    2018 (effective 2020)

    California Consumer Privacy Act

    US State · 13 controls
  • California CPRA
    2020 (effective 2023)

    California Privacy Rights Act

    US State · 18 controls
  • NY SHIELD Act
    2019

    NY data security & breach notification

    US State · 7 controls
  • NY DFS Part 500
    Nov 2023 amendment

    NY financial-services cybersecurity

    US State · 23 controls
  • GDPR
    Regulation (EU) 2016/679

    EU General Data Protection Regulation

    European Union · 99 controls
  • EU AI Act
    Regulation 2024/1689

    Risk-based AI system regulation

    European Union · 113 controls
  • EU Cyber Resilience Act
    Regulation 2024/2847

    Mandatory cybersecurity for digital products

    European Union · 47 controls
  • EU DORA
    Regulation 2022/2554

    Digital Operational Resilience Act (financial)

    European Union · 64 controls
  • EU NIS2
    Directive 2022/2555

    Network and information systems security

    European Union · 35 controls
  • ENISA EUCC
    2024

    EU common cybersecurity certification

    European Union · 30 controls
  • ETSI EN 303 645
    2.1.1 (2020)

    Consumer IoT cybersecurity

    European Union · 13 controls
  • eIDAS 2.0
    Regulation 2024/1183

    EU digital identity & trust services

    European Union · 22 controls
  • ENISA AI Cybersecurity
    2023 Framework

    EU AI cybersecurity guidance

    European Union · 27 controls
  • EU Cybersecurity Act
    Regulation 2019/881

    EU cyber certification framework

    European Union · 18 controls
  • ENS (Spain)
    Real Decreto 311/2022

    Spanish National Security Scheme

    European Union · 73 controls
  • UK Cyber Essentials
    Montpellier (Apr 2025)

    UK gov-baseline cyber hygiene

    United Kingdom · 5 controls
  • UK Cyber Essentials Plus
    Montpellier

    Audited variant of UK CE

    United Kingdom · 5 controls
  • UK DPA 2018
    post-Brexit

    UK Data Protection Act

    United Kingdom · 14 controls
  • AU IRAP
    2024

    Information Security Registered Assessors Program

    APAC · 92 controls
  • AU ISM
    Sep 2024

    Australian Information Security Manual

    APAC · 800 controls
  • AU Essential Eight
    Nov 2023

    ACSC priority mitigation strategies

    APAC · 8 controls
  • NZ NZISM
    v3.7 (2024)

    NZ Information Security Manual

    APAC · 200 controls
  • SG IMDA AI Verify
    2.0 (2024)

    Singapore AI governance testing

    APAC · 11 controls
  • SG Model AI Governance
    Gen AI 2024

    Singapore PDPC AI principles

    APAC · 9 controls
  • JP AI Governance Guidelines
    Apr 2024

    Japan METI AI business guidelines

    APAC · 10 controls
  • KR PIPA
    Sep 2023 amendment

    Korea Personal Information Protection Act

    APAC · 17 controls
  • IN DPDP Act
    2023

    India Digital Personal Data Protection Act

    APAC · 12 controls
  • CA ITSG-33
    Annex 3A (Dec 2014)

    Canadian IT security risk management

    Canada · 327 controls
  • CA PIPEDA
    2000 (amended 2018)

    Personal Information Protection (Canada)

    Canada · 10 controls
  • C2M2
    v2.1 (2022)

    Cybersecurity Capability Maturity Model

    Canada · 356 controls
  • BR LGPD
    Aug 2020

    Brazil Lei Geral de Proteção de Dados

    Latin America · 18 controls
  • ZA POPIA
    Jul 2021

    South Africa Protection of Personal Information Act

    Africa · 8 controls
  • ISO/IEC 27001
    2022

    Information security management

    ISO · 93 controls
  • ISO/IEC 27002
    2022

    ISMS controls (companion to 27001)

    ISO · 93 controls
  • ISO/IEC 27017
    2015

    Cloud-services security controls

    ISO · 37 controls
  • ISO/IEC 27018
    2019

    PII in public-cloud processors

    ISO · 25 controls
  • ISO/IEC 27701
    2019

    Privacy information management

    ISO · 49 controls
  • ISO/IEC 42001
    2023

    AI management system standard

    ISO · 38 controls
  • ISO 31000
    2018

    Risk management principles

    ISO · 8 controls
  • ISO 22301
    2019

    Business continuity management

    ISO · 25 controls
  • ISO/IEC TR 24028
    2020

    AI trustworthiness overview

    ISO · 14 controls
  • ISO/IEC 24029-2
    2023

    AI robustness assessment

    ISO · 11 controls
  • ISO/IEC 23894
    2023

    AI risk management

    ISO · 16 controls
  • ISO/IEC 5338
    2023

    AI system lifecycle processes

    ISO · 29 controls
  • ISO/IEC 25010
    2023

    Software product quality model

    ISO · 9 controls
  • ISO 9001
    2015

    Quality management systems

    ISO · 10 controls
  • IEC 62443-3-3
    2013

    Industrial automation security (system level)

    IEC · 100 controls
  • IEC 62443-4-1
    2018

    Industrial secure-product lifecycle

    IEC · 47 controls
  • IEC 81001-5-1
    2021

    Health-software security lifecycle

    IEC · 38 controls
  • IEC 82304-1
    2016

    Health-software product safety

    IEC · 14 controls
  • IEEE 7000 series
    2021

    Ethically aligned systems design

    IEEE · 12 controls
  • SOC 1
    SSAE 18

    Service-org controls over financial reporting

    Audit / SOC · 5 controls
  • SOC 2
    2017 TSC (rev 2022)

    Audit framework for service-org controls

    Audit / SOC · 64 controls
  • SOC 3
    SSAE 18

    Public SOC 2 summary report

    Audit / SOC · 64 controls
  • CSA CCM
    v4.0.12 (2024)

    Cloud Controls Matrix

    Cloud · 197 controls
  • CSA STAR
    2024

    Security Trust Assurance & Risk registry

    Cloud · 261 controls
  • AWS Well-Architected
    2024

    AWS 6-pillar review framework

    Cloud · 84 controls
  • Azure Well-Architected
    2024

    Microsoft Azure architecture framework

    Cloud · 87 controls
  • GCP Architecture Framework
    2024

    Google Cloud architecture pillars

    Cloud · 78 controls
  • HITRUST CSF
    v11.4.0 (2024)

    Healthcare integrated certification

    Healthcare · 156 controls
  • HL7 FHIR
    R5 (2023)

    Fast Healthcare Interoperability Resources

    Healthcare · 18 controls
  • IEC 62304
    2006 + Amd 2015

    Medical-device software lifecycle

    Healthcare · 32 controls
  • BSIMM
    v15 (2024)

    Building Security In Maturity Model

    Industry / consortia · 125 controls
  • SAFECode Fundamentals
    3rd ed.

    Industry secure-development practices

    Industry / consortia · 19 controls
  • OWASP SAMM
    v2.1 (2024)

    Software Assurance Maturity Model

    Industry / consortia · 90 controls
  • OWASP ASVS
    v4.0.3

    Application Security Verification Standard

    Industry / consortia · 286 controls
  • OWASP MASVS
    v2.0

    Mobile Application Security Verification

    Industry / consortia · 86 controls
  • OWASP Top 10
    2021

    Web application risks

    Industry / consortia · 10 controls
  • OWASP API Top 10
    2023

    API security risks

    Industry / consortia · 10 controls
  • OWASP LLM Top 10
    v1.1 (2024)

    Large-Language-Model application risks

    Industry / consortia · 10 controls
  • CIS Controls
    v8.1 (2024)

    Critical security controls

    Industry / consortia · 153 controls
  • CIS Benchmarks
    Current

    Hardening guidance for OS/services

    Industry / consortia · 100 controls
  • MITRE ATT&CK
    v15.1 (2024)

    Adversary tactics & techniques

    Industry / consortia · 622 controls
  • MITRE D3FEND
    v0.16 (2024)

    Cyber countermeasures knowledge graph

    Industry / consortia · 187 controls
  • MITRE CWE Top 25
    2024

    Most dangerous software weaknesses

    Industry / consortia · 25 controls
  • SANS Top 25
    2024

    Most dangerous programming errors

    Industry / consortia · 25 controls
  • MITRE EMB3D
    2024

    Embedded-device threat model

    Industry / consortia · 71 controls
  • COBIT 2019
    Framework + Design

    IT governance & management

    Industry / consortia · 40 controls
  • ITIL 4
    2019

    IT service management practices

    Industry / consortia · 34 controls
  • ISACA Risk IT
    2nd ed. (2020)

    IT risk management framework

    Industry / consortia · 36 controls
  • ISACA ITAF
    4th ed. (2020)

    IT audit framework

    Industry / consortia · 24 controls
  • SLSA L1
    v1.0

    Build script + provenance

    Supply chain · 5 controls
  • SLSA L2
    v1.0

    Hosted build platform + signed provenance

    Supply chain · 8 controls
  • SLSA L3
    v1.0

    Hardened, isolated, unforgeable builds

    Supply chain · 12 controls
  • SLSA Build Provenance
    v1.2

    Supply-chain integrity levels

    Supply chain · 7 controls
  • in-toto
    v1.0 (2023)

    Supply-chain attestation framework

    Supply chain · 9 controls
  • CycloneDX SBOM
    v1.6 (2024)

    Software Bill of Materials standard

    Supply chain · 12 controls
  • SPDX SBOM
    v2.3 (ISO/IEC 5962:2021)

    Linux Foundation SBOM standard

    Supply chain · 11 controls
  • Sigstore
    GA (2022+)

    Keyless signing for artifacts

    Supply chain · 6 controls
  • RFC 9116 security.txt
    Apr 2022

    Standardized vuln-reporting endpoint

    Supply chain · 5 controls
  • STRIDE
    Microsoft 1999+

    Spoofing/Tampering/Repudiation/Info/DoS/EoP

    Threat modeling · 6 controls
  • PASTA
    2015 (Tony UcedaVélez)

    Process for Attack Simulation & Threat Analysis

    Threat modeling · 7 controls
  • LINDDUN
    GO (2023)

    Privacy threat modeling

    Threat modeling · 7 controls
  • DREAD
    Microsoft

    Damage/Reproducibility/Exploitability/Affected/Discoverability

    Threat modeling · 5 controls
  • OCTAVE Allegro
    CMU SEI 2007

    Operationally Critical Threat & Vuln Assessment

    Threat modeling · 8 controls
  • OECD AI Principles
    Updated May 2024

    Intergovernmental AI principles

    AI ethics · 5 controls
  • UNESCO AI Ethics
    Nov 2021 Recommendation

    Global ethical AI standard

    AI ethics · 11 controls
  • NIST AI 100-2
    2024

    Adversarial ML taxonomy & mitigations

    AI ethics · 12 controls
  • ISO/IEC 29100
    2024

    Privacy framework

    Privacy · 11 controls
  • TCG TPM 2.0
    Rev 1.59

    Trusted Platform Module spec

    Telecom / hardware · 39 controls