Security and Compliance Frameworks

Plain-English controls with step-by-step implementation guidance, tool recommendations, and evidence checklists. Free to browse.

CISA Cybersecurity Performance Goals

v2023

The CISA Cybersecurity Performance Goals (CPGs) are a prioritized subset of cybersecurity practices designed to meaningfully reduce risk for organizations of any size. Published by the US Cybersecurity and Infrastructure Security Agency, the CPGs cover the most impactful controls across account security, device security, data protection, vulnerability management, and incident response. They are designed as a starting point, not a ceiling.

Account Security, Device Security, Data Security, Governance and Training, Vulnerability Management, Supply Chain, Response and Recovery
37 controls | 8 critical | 125h est.

CMMC Level 1

v2.0

The Cybersecurity Maturity Model Certification Level 1 defines 17 foundational cybersecurity practices required for any organization handling Federal Contract Information under Department of Defense contracts. The practices derive from FAR 52.204-21 and cover basic safeguarding of contractor information systems. Level 1 is the entry point for DoD contractors and must be self-assessed annually.

Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Comms Protection, System & Info Integrity
17 controls | 6 critical | 92h est.

HIPAA Security Rule

v2003

The HIPAA Security Rule (45 CFR Part 164) establishes national standards for protecting electronic Protected Health Information (ePHI). It requires covered entities and their business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI. Any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically must comply.

Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, Policies & Procedures
21 controls | 7 critical | 160h est.

NIST Cybersecurity Framework

v2.0

The NIST Cybersecurity Framework 2.0 provides guidance for organizations to manage and reduce cybersecurity risk. It is organized around six core functions (Govern, Identify, Protect, Detect, Respond, and Recover) that apply to any organization regardless of size, sector, or maturity.

Govern, Identify, Protect, Detect, Respond, Recover
113 controls | 29 critical | 514h est.

SOC 2

v2017

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA based on the Trust Services Criteria. It evaluates controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. Security (Common Criteria) is required for all SOC 2 reports.

Security, Availability, Confidentiality
38 controls | 8 critical | 342h est.