GOV-17: Cybersecurity & Data Protection Status Reporting

GOV 8 — High Govern

Mechanisms exist to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.

Control Question: Does the organization submit status reporting of its cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required?

General (1)

  Framework: AICPA TSC 2017:2022 (used for SOC 2)
  Mapping values: CC3.1-POF10, CC3.2-POF3

US (4)

  Framework: US SEC Cybersecurity Rule
  Mapping values: 17 CFR 229.105(b), 17 CFR 229.106(d)

  Framework: US - CA CCPA 2025
  Mapping values: 7124(a), 7124(b), 7124(c), 7124(c)(1), 7124(c)(2), 7124(c)(3), 7124(d), 7124(d)(1), 7124(d)(2), 7124(d)(3), 7124(d)(4), 7124(d)(5), 7157(a), 7157(a)(1), 7157(a)(2), 7157(b), 7157(b)(1), 7157(b)(2), 7157(b)(3), 7157(b)(4), 7157(b)(5), 7157(b)(6), 7157(c), 7157(c)(1), 7157(c)(2), 7157(c)(3), 7157(d), 7157(e)

  Framework: US - NY DFS 23 NYCRR500 2023 Amd 2
  Mapping values: 500.17(a)(1), 500.17(a)(2)

  Framework: US - VA CDPA 2025
  Mapping values: 59.1-580.C

EMEA (1)

  Framework: EMEA EU NIS2
  Mapping values: Annex 1.2.3

APAC (2)

  Framework: APAC Australia ISM June 2024
  Mapping values: ISM-1587

  Framework: APAC China Cybersecurity Law
  Mapping values: 38, 54(1)

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to submit status reporting of its cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to submit status reporting of its cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to submit status reporting of its cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they are accountable.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to submit status reporting of its cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to submit status reporting of its cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.

Assessment Objectives

  1. GOV-17_A01: Applicable statutory and/or regulatory authorities that require submissions of the organization's cybersecurity and/or data privacy program status are identified.
  2. GOV-17_A02: Contact information and report formatting requirements for applicable statutory and/or regulatory authorities are identified.
  3. GOV-17_A03: A documented process exists to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.
  4. GOV-17_A04: Evidence of historical submissions of the organization's cybersecurity and/or data privacy program status to applicable statutory and/or regulatory authorities is retained.

Evidence Requirements

E-GOV-17 Cybersecurity & Data Privacy Status Reports

Documented evidence of status reports of the organization's cybersecurity and/or data privacy program that were submitted to applicable statutory and/or regulatory authorities.

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.