CPL-01: Statutory, Regulatory & Contractual Compliance

CPL 10 — Critical Govern

Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

Control Question: Does the organization facilitate the identification and implementation of relevant statutory, regulatory and contractual controls?

General (56)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC1.5 CC2.2 CC2.3 CC2.3-POF5 CC3.1-POF14 CC3.1-POF5 CC3.1-POF8 CC3.1-POF9
BSI Standard 200-1	7.1 9
COBIT 2019	MEA02.01 MEA02.02 MEA03.01 MEA03.02 MEA03.03 MEA03.04
COSO 2017	Principle 14 Principle 15
CSA CCM 4	A&A-01 A&A-04 GRC-07 STA-06 STA-09 UEM-14
CSA IoT SCF 2	CLS-04 GVN-02 LGL-03 LGL-04 LGL-05 LGL-06 LGL-07 LGL-08 OPA-05
ENISA 2.0	SO25
GovRAMP Low	PL-01
GovRAMP Low+	PL-01
GovRAMP Moderate	PL-01
GovRAMP High	PL-01
IMO Maritime Cyber Risk Management	3.5.3.9
ISO 22301 2019	4.2.2
ISO 27001 2022 (source)	4.1 9.1 9.2 9.2.1 9.2.2
ISO 27002 2022	5.31 8.34
ISO 27017 2015	18.1.1
ISO 27701 2025	4.1 4.2(a) 4.2(b) 4.2(c)
ISO 29100 2024	6.12
ISO 42001 2023	4.1
NIST AI 100-1 (AI RMF) 1.0	GOVERN 1.1
NIST AI 600-1	GOVERN 1.1 GV-1.1-001 MG-4.3-003
NIST Privacy Framework 1.0	GV.PO-P5 GV.MT-P3
NIST 800-53 R4	PL-1 PM-8
NIST 800-53 R4 (low)	PL-1
NIST 800-53 R4 (moderate)	PL-1
NIST 800-53 R4 (high)	PL-1
NIST 800-53 R5 (source)	PL-1 PM-8
NIST 800-53B R5 (privacy) (source)	PL-1
NIST 800-53B R5 (low) (source)	PL-1
NIST 800-53B R5 (moderate) (source)	PL-1
NIST 800-53B R5 (high) (source)	PL-1
NIST 800-53 R5 (NOC) (source)	PM-8
NIST 800-82 R3 LOW OT Overlay	PL-1
NIST 800-82 R3 MODERATE OT Overlay	PL-1
NIST 800-82 R3 HIGH OT Overlay	PL-1
NIST 800-160	3.3 3.3.3 3.3.4 3.4 3.4.1 3.4.2 3.4.3
NIST 800-161 R1	PL-1 PM-8
NIST 800-161 R1 C-SCRM Baseline	PL-1
NIST 800-161 R1 Level 1	PM-8
NIST 800-161 R1 Level 2	PL-1
NIST 800-171 R2 (source)	NFO-PL-1
NIST 800-171 R3 (source)	03.04.11.a 03.12.01
NIST 800-218	PO.1 PO.1.2
NIST CSF 2.0 (source)	GV.OC GV.OC-03 GV.SC-05 PR
PCI DSS 4.0.1 (source)	12.4 12.4.2 A3.1 A3.1.1
PCI DSS 4.0.1 SAQ D Service Provider (source)	12.4.2
Shared Assessments SIG 2025	L.1
TISAX ISA 6	1.1.1 1.2.1 7.1.1 7.1.2
UN R155	7.1.1
UN ECE WP.29	7.1.1
SCF CORE Fundamentals	CPL-01
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	CPL-01
SCF CORE ESP Level 1 Foundational	CPL-01
SCF CORE ESP Level 2 Critical Infrastructure	CPL-01
SCF CORE ESP Level 3 Advanced Threats	CPL-01
SCF CORE AI Model Deployment	CPL-01

US (45)

Framework	Mapping Values
US C2M2 2.1	PROGRAM-1.G.MIL2 PROGRAM-2.I.MIL3
US CERT RMM 1.2	COMP:SG4.SP1 EF:SG3.SP3 EF:SG4.SP1 RRD:SG1.SP1
US CJIS Security Policy 5.9.3 (source)	4.1.1 4.2.1 4.2.2 4.3
US CMS MARS-E 2.0	PL-1 PM-8
US COPPA	6502
US Data Privacy Framework (DPF)	II.7.c III.5.a III.5.b.i
US DoD Zero Trust Execution Roadmap	6.6.1
US DFARS Cybersecurity 252.204-70xx	252.204-7008(b) 252.204-7008(c)(1) 252.204-7008(c)(1)(i) 252.204-7008(c)(1)(i)(A) 252.204-7008(c)(1)(i)(B) 252.204-7008(c)(1)(ii) 252.204-7012(b)(1)(i) 252.204-7012(b)(1)(ii) 252.204-7012(b)(2)(i) 252.204-7012(b)(2)(ii)(A) 252.204-7012(b)(2)(ii)(B) 252.204-7012(b)(2)(ii)(C) 252.204-7012(b)(2)(ii)(D) 252.204-7012(b)(3) 252.204-7012(k) 252.204-7012(l) 252.204-7019(b) 252.204-7019(c)(1) 252.204-7019(c)(2) 252.204-7020(c) 252.204-7021(b) 252.204-7021(c)(1) 252.204-7021(c)(2)
US DHS CISA TIC 3.0	3.UNL.GPAUD
US FCA CRM	609.930(c)(1)(ii) 609.930(d)
US FDA 21 CFR Part 11	11.10 11.10(a) 11.10(b) 11.10(c) 11.10(d) 11.10(e) 11.10(f) 11.10(g) 11.10(h) 11.10(i) 11.10(j) 11.10(k) 11.10(k)(1) 11.10(k)(2) 11.100 11.100(c) 11.100(c)(1) 11.100(c)(2)
US FedRAMP R4	PL-1
US FedRAMP R4 (low)	PL-1
US FedRAMP R4 (moderate)	PL-1
US FedRAMP R4 (high)	PL-1
US FedRAMP R4 (LI-SaaS)	PL-1
US FedRAMP R5 (source)	PL-1
US FedRAMP R5 (low) (source)	PL-1
US FedRAMP R5 (moderate) (source)	PL-1
US FedRAMP R5 (high) (source)	PL-1
US FedRAMP R5 (LI-SaaS) (source)	PL-1
US FFIEC	D1.G.Ov.E.2 D3.PC.Am.B.11
US GLBA CFR 314 2023 (source)	314.4(c)
US HHS 45 CFR 155.260	155.260(a)(4) 155.260(b)(3)(i) 155.260(b)(3)(ii) 155.260(b)(3)(iii) 155.260(b)(3)(iii)(A) 155.260(b)(3)(iii)(B) 155.260(b)(3)(iii)(C) 155.260(e)(1) 155.260(e)(2) 155.260(e)(3) 155.260(e)(4)
US HIPAA Administrative Simplification 2013 (source)	164.306(c) 164.306(d)(1) 164.306(d)(2) 164.314(a)(1) 164.314(a)(2)(ii) 164.504(g)(1)
US HIPAA Security Rule / NIST SP 800-66 R2 (source)	164.306(c) 164.306(d)(1) 164.306(d)(2) 164.314(a)(1) 164.314(a)(2)(ii)
US IRS 1075	1.1 1.6 1.7.1 1.7.1.1 1.7.1.2 1.7.2 1.10.1 1.10.2 1.10.3 2.A.1 2.C.9 2.E.1 2.E.2 2.E.4 2.E.4.1 2.E.4.2 2.E.4.3 2.E.4.4 2.E.5.1 2.E.5.2 2.E.6 2.E.6.3 2.F.2 2.F.4 PL-1
US NERC CIP 2024 (source)	CIP-003-8 1.1.9 CIP-003-8 1.2.6
US NISPOM 2020	8-104
US SSA EIESR 8.0	5.11
US TSA / DHS 1580/82-2022-01	IV.A IV.B IV.B.1 IV.B.2 IV.C.1 IV.C.2 IV.C.2.a IV.C.2.b IV.C.2.c IV.C.2.d IV.C.2.e IV.C.2.e.i IV.C.2.e.ii IV.C.2.e.iii IV.C.2.e.iv IV.C.2.f
US - CA SB327	1798.91.06(a) 1798.91.06(b) 1798.91.06(c) 1798.91.06(d) 1798.91.06(e) 1798.91.06(f) 1798.91.06(g) 1798.91.06(h) 1798.91.06(i)
US - CA CCPA 2025	7013(h) 7022(d) 7023(e) 7050(b) 7072(b) 7123(b)(3) 7200(a) 7200(b)
US - CO Colorado Privacy Act	6-1-1305(1) 6-1-1305(6) 6-1-1307(2) 6-1-1307(3) 6-1-1308(6)
US - IL PIPA	45(a) 45(b) 45(c) 45(d) 50
US - NY DFS 23 NYCRR500 2023 Amd 2	500.17(a)(2) 500.17(b)(1) 500.17(b)(1)(i) 500.17(b)(1)(i)(a) 500.17(b)(1)(i)(b) 500.17(b)(1)(ii) 500.17(b)(1)(ii)(a) 500.17(b)(1)(ii)(b) 500.17(b)(1)(ii)(c) 500.17(b)(2) 500.17(b)(3) 500.17(c) 500.2(b)(6) 500.2(d) 500.2(e)
US - NY SHIELD Act S5575B	4(2)(a) 4(2)(b)(i) 4(2)(b)(ii) 4(2)(b)(ii)(A) 4(2)(b)(ii)(A)(1) 4(2)(b)(ii)(A)(2) 4(2)(b)(ii)(A)(3) 4(2)(b)(ii)(A)(4) 4(2)(b)(ii)(A)(5) 4(2)(b)(ii)(A)(6) 4(2)(b)(ii)(B)(1) 4(2)(b)(ii)(B)(2) 4(2)(b)(ii)(B)(3) 4(2)(b)(ii)(B)(4) 4(2)(b)(ii)(C)(1) 4(2)(b)(ii)(C)(2) 4(2)(b)(ii)(C)(3) 4(2)(b)(ii)(C)(4) 4(2)(c)
US - OR CPA	7(1)(b)
US - TX CDPA	541.101(b)(2)
US - TX DIR Control Standards 2.0	PL-1
US - TX SB 820	11.175(c)
US - TX SB 2610	542.004(a)(4)(A) 542.004(a)(4)(B) 542.004(a)(4)(C) 542.004(b) 542.004(b)(2) 542.004(b)(2)(A) 542.004(b)(2)(B) 542.004(b)(2)(C) 542.004(b)(2)(D) 542.004(b)(3) 542.004(c)
US - TX TX-RAMP Level 1	PL-1
US - TX TX-RAMP Level 2	PL-1
US - VA CDPA 2025	59.1-581.E

EMEA (38)

Framework	Mapping Values
EMEA EU AI Act	16(l) 17.1(a) 21.3 40.1
EMEA EU EBA GL/2019/04	3.1(1) 3.8(92) 3.8(93) 3.8(94) 3.8(95) 3.8(96) 3.8(97) 3.8(98)
EMEA EU DORA	4.1 4.2 4.3 5.4
EMEA EU NIS2	21.1
EMEA EU PSD2	3 29
EMEA Austria	Sec 14 Sec 15
EMEA Belgium	16
EMEA Germany	Sec 9 Sec 9a Annex
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	12.5
EMEA Germany C5 2020	SP-01 PI-02 COM-01
EMEA Greece	10
EMEA Hungary	7
EMEA Ireland	2
EMEA Israel CDMO 1.0	1.3
EMEA Israel	16 17
EMEA Italy	26 31 33 34 35
EMEA Kenya DPA 2019	4(a) 4(b)(i) 4(b)(ii) 51(1) 51(2)(a) 51(2)(b) 51(2)(c) 52(1)(a) 52(1)(b) 52(1)(c) 52(2) 52(3) 54 55(1)(a) 55(1)(b) 55(2)
EMEA Netherlands	12 13 14
EMEA Nigeria DPR 2019	2.1(2) 2.1(3) 3.1(16) 4.1(1) 4.1(6) 4.1(7)
EMEA Norway	13 14
EMEA Poland	1 36
EMEA Qatar PDPPL	2
EMEA Russia	7 19
EMEA Saudi Arabia CSCC-1 2019	1-4
EMEA Saudi Arabia IoT CGIoT-1 2024	1-2-3 1-6-1 2-6-1 2-7-1
EMEA Saudi Arabia ECC-1 2018	1-7-1 1-7-2
EMEA Saudi Arabia PDPL	2.1 30.3
EMEA Saudi Arabia SACS-002	TPC-20 TPC-21 TPC-43
EMEA Saudi Arabia SAMA CSF 1.0	3.2.2 3.2.3 3.3.13
EMEA Serbia 87/2018	5.1 13 49 59
EMEA South Africa	2 3 9 19 21
EMEA Spain BOE-A-2022-7191	3.1 39
EMEA Spain 311/2022	3.1 39
EMEA Spain CCN-STIC 825	7.1.5 [OP.PL.5]
EMEA Sweden	31
EMEA Switzerland	7
EMEA Turkey	12
EMEA UK DEFSTAN 05-138	0001 0002 2314

APAC (24)

Framework	Mapping Values
APAC Australia Privacy Act	APP Part 11
APAC Australia ISM June 2024	ISM-0078 ISM-0854
APAC Australia Prudential Standard CPS230	28
APAC Australia Prudential Standard CPS234	31 35 35(a) 35(b) 36
APAC China Cybersecurity Law	10 21 23 26 27 34 34(5) 41 47 9
APAC China Data Security Law	46
APAC China DNSIP	4
APAC China Privacy Law	32 37 38(4) 42
APAC Hong Kong	Principle 4
APAC India DPDPA 2023	7(c) 7(d) 7(e) 8(1) 8(4)
APAC India ITR	8
APAC India SEBI CSCRF	GV.OC.S2 PR.IP.S13 RS.MA.S5
APAC Japan APPI	20 21 22 26(1) 26(1)(i) 26(1)(ii) 26(2) 26(3) 26(4) 26-2(1) 26-2(1)(i) 26-2(1)(ii) 26-2(2) 26-2(3) 36 37 38 39 51(1) 51(2) 52(1) 53(2) 53(3) 53(1) 53(2) 53(3) 53(4) 54 55
APAC Japan ISMAP	18.1.1
APAC Malaysia	9
APAC New Zealand HISF 2022	HHSP29 HML29 HSUP25
APAC New Zealand HISF Suppliers 2023	HSUP25
APAC New Zealand NZISM 3.6	1.1.64.C.01 1.1.65.C.01 1.1.66.C.01 1.1.66.C.02 1.1.67.C.01
APAC Philippines	25
APAC Singapore	24
APAC Singapore Cyber Hygiene Practice	3.1(a) 3.1(b) 3.1(c)
APAC Singapore MAS TRM 2021	3.2.3
APAC South Korea	3 29
APAC Taiwan	27

Americas (13)

Framework	Mapping Values
Americas Argentina PPL	9
Americas Argentina Reg 132-2018	10.1 10.2
Americas Bahamas	6
Americas Brazil LGPD	7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10
Americas Canada OSFI B-13	1.3.1
Americas Canada ITSP-10-171	03.04.11.A 03.12.01
Americas Canada PIPEDA	Principle 7
Americas Chile	7
Americas Colombia	4
Americas Costa Rica	10
Americas Mexico	19
Americas Peru	9 16 17
Americas Uruguay	23

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

Level 1 — Performed Informally

Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
IT personnel self-identify a set of controls that are used to conduct cybersecurity and data privacy control assessments.
IT personnel perform internal assessments of cybersecurity and data protection controls to determine compliance status.

Level 2 — Planned & Tracked

Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Compliance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
Legal representation is consulted on an as-needed basis.
Cybersecurity personnel perform an informal annual review of existing compliance requirements and researches evolving or new requirements.

Level 3 — Well Defined

Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance. o Provides applicable stakeholders with status reports on control execution to enable security controls oversight. o Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/ or contractual compliance obligations are met. o Conducts cybersecurity and data privacy control assessments, on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.

The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for statutory, regulatory and contractual obligations.
The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization to manage compliance efforts.
A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program with regards to GRC operations.
A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
The GRC function, or similar function:
Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
Legal representation is consulted on an as-needed basis.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

Assessment Objectives

CPL-01_A01 the organization analyzes its business practices to determine applicable statutory, regulatory and/or contractual obligations.
CPL-01_A02 compliance management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
CPL-01_A03 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support compliance management operations.
CPL-01_A04 responsibility and authority for the performance of compliance management-related activities are assigned to designated personnel.
CPL-01_A05 personnel performing compliance management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-CPL-01 Statutory, Regulatory & Contractual Obligations: Documented evidence of applicable statutory, regulatory and/or contractual obligations for cybersecurity & data privacy controls.
Compliance
E-GOV-10 Cybersecurity & Data Protection Controls: Documented evidence of an appropriately-scoped cybersecurity & data protection controls. Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks through preventing, detecting or lessening the ability of a particular threat from negatively impacting business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented.
Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Small

SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Medium

SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Steering committee

Large

SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Steering committee

Enterprise

SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Steering committee