{
  "total": 258,
  "privacy_principles": [
    {
      "principle_name": "Data Privacy by Design",
      "description": "Establish and maintain a comprehensive data privacy program that ensures data privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.",
      "scf_control": "Cybersecurity & Data Protection Governance Program",
      "scf_control_id": "GOV-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1",
          "CC1.1-POF1",
          "CC1.2",
          "CC2.3-POF5"
        ],
        "GAPP": [
          "8.2.1"
        ],
        "ISO 27701  2025": [
          "5.1",
          "6.1.3(c)",
          "7.5.1"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1",
          "GV.PO-P6"
        ],
        "NIST 800-53 R5": [
          "PM-1"
        ],
        "NIST CSF 2.0": [
          "GV",
          "GV.RM-01",
          "GV.RM-03",
          "GV.RR-01",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-09",
          "ID.RA",
          "PR",
          "PR.IR"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)",
          "164.306(a)(2)",
          "164.306(a)(3)",
          "164.316(a)",
          "164.530(c)(1)"
        ],
        "US - AK PIPA": [
          "45.48.530"
        ],
        "US - CA CCPA 2025": [
          "7123(b)(1)"
        ],
        "US - TX BC521": [
          "521.052"
        ],
        "US - VT Act 171 of 2018": [
          "2447(a)",
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(a)(2)",
          "2447(b)",
          "2447(c)",
          "2447(c)(1)",
          "2447(c)(1)(A)",
          "2447(c)(1)(A)(i)",
          "2447(c)(1)(A)(ii)",
          "2447(c)(1)(A)(iii)",
          "2447(c)(1)(A)(iv)",
          "2447(c)(1)(A)(v)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 1",
          "APP Part 11"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Data Privacy by Design",
      "description": "Establish and maintain a comprehensive data privacy program that ensures data privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.",
      "scf_control": "Data Privacy Program",
      "scf_control_id": "PRI-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.3-POF6",
          "CC2.3-POF7",
          "CC8.1-POF17",
          "CC8.1-POF18",
          "P1.0"
        ],
        "APEC Privacy Framework 2015": [
          "1",
          "9"
        ],
        "ISO 27701  2025": [
          "4.4",
          "5.1",
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.3(h)",
          "6.2",
          "6.2(a)",
          "6.2(b)",
          "6.2(c)",
          "6.2(d)",
          "6.2(e)",
          "6.2(f)",
          "6.2(g)",
          "6.3",
          "7.1",
          "7.4",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1",
          "GV.PO-P5",
          "GV.PO-P6",
          "CT.PO-P2",
          "CM.PO-P1",
          "CM.AW-P2",
          "PR.PO-P9"
        ],
        "NIST 800-53 R5": [
          "PM-18",
          "PT-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-18",
          "PT-1"
        ],
        "NIST CSF 2.0": [
          "GV.OC-03"
        ],
        "OECD Privacy Principles": [
          "8"
        ],
        "US Data Privacy Framework (DPF)": [
          "III.15.a"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(a)",
          "164.530(a)(1)(i)",
          "164.530(i)(1)"
        ],
        "US - CA CCPA 2025": [
          "7002(a)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)",
          "6-1-1305(7)",
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)",
          "6-1-1308(6)",
          "6-1-105(1)(nnn)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.3"
        ],
        "EMEA EU GDPR": [
          "12.2",
          "5.1(a)",
          "9.1"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.2"
        ],
        "APAC Australia Privacy Act": [
          "Inferred",
          "Expectation"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1"
        ],
        "Americas Canada PIPEDA": [
          "Principle 1",
          "Principle 8"
        ]
      }
    },
    {
      "principle_name": "Data Privacy by Design",
      "description": "Establish and maintain a comprehensive data privacy program that ensures data privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.",
      "scf_control": "Dissemination of Data Privacy Program Information",
      "scf_control_id": "PRI-01.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P1.1",
          "P1.1-POF6"
        ],
        "GAPP": [
          "2.1.1",
          "2.2.1",
          "2.2.2",
          "2.2.3",
          "3.1.0",
          "3.1.1",
          "3.1.2",
          "4.1.0",
          "4.1.1",
          "4.2.4",
          "5.1.0",
          "5.1.1",
          "6.1.0",
          "7.1.0",
          "7.1.1",
          "8.1.0",
          "8.1.1",
          "9.1.0",
          "9.1.1",
          "10.1.0",
          "10.1.1"
        ],
        "ISO 27701  2025": [
          "6.2(e)",
          "7.4",
          "7.5.3(a)"
        ],
        "ISO 29100 2024": [
          "6.8"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1",
          "CM.PO-P1",
          "CM.AW-P1"
        ],
        "NIST 800-53 R5": [
          "PM-20"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-20"
        ],
        "OECD Privacy Principles": [
          "6"
        ],
        "US FIPPS": [
          "8"
        ],
        "US - OR CPA": [
          "7(1)(a)(B)"
        ],
        "US - VA CDPA 2025": [
          "59.1-581.A.2"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1"
        ]
      }
    },
    {
      "principle_name": "Data Privacy by Design",
      "description": "Establish and maintain a comprehensive data privacy program that ensures data privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.",
      "scf_control": "Reasonable Data Privacy Practices",
      "scf_control_id": "PRI-01.11",
      "crosswalks": {
        "APEC Privacy Framework 2015": [
          "2-1",
          "2-2"
        ],
        "ISO 29100 2024": [
          "6.5",
          "6.8",
          "6.10"
        ],
        "US FIPPS": [
          "2",
          "4"
        ],
        "US - CA CCPA 2025": [
          "7002(b)",
          "7002(b)(1)",
          "7002(b)(2)",
          "7002(b)(3)",
          "7002(d)",
          "7002(d)(1)",
          "7002(d)(2)",
          "7027(m)",
          "7027(m)(1)",
          "7027(m)(2)",
          "7027(m)(3)",
          "7027(m)(4)",
          "7027(m)(5)",
          "7027(m)(6)",
          "7027(m)(7)",
          "7027(m)(8)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.1.B",
          "59.1-577.1.C",
          "59.1-577.1.E",
          "59.1-578.A.4",
          "59.1-578.F.1.d",
          "59.1-578.F.2",
          "59.1-579.A.1",
          "59.1-579.A.2",
          "59.1-579.A.3"
        ]
      }
    },
    {
      "principle_name": "Assigned Responsibilities",
      "description": "Assign accountability through documented roles and responsibilities to qualified data subjects, including key internal and external stakeholders, for maintaining compliance with all applicable data privacy requirements, which involves appropriately monitoring and documenting the data privacy program.",
      "scf_control": "Data Privacy Program",
      "scf_control_id": "PRI-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.3-POF6",
          "CC2.3-POF7",
          "CC8.1-POF17",
          "CC8.1-POF18",
          "P1.0"
        ],
        "APEC Privacy Framework 2015": [
          "1",
          "9"
        ],
        "ISO 27701  2025": [
          "4.4",
          "5.1",
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.3(h)",
          "6.2",
          "6.2(a)",
          "6.2(b)",
          "6.2(c)",
          "6.2(d)",
          "6.2(e)",
          "6.2(f)",
          "6.2(g)",
          "6.3",
          "7.1",
          "7.4",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1",
          "GV.PO-P5",
          "GV.PO-P6",
          "CT.PO-P2",
          "CM.PO-P1",
          "CM.AW-P2",
          "PR.PO-P9"
        ],
        "NIST 800-53 R5": [
          "PM-18",
          "PT-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-18",
          "PT-1"
        ],
        "NIST CSF 2.0": [
          "GV.OC-03"
        ],
        "OECD Privacy Principles": [
          "8"
        ],
        "US Data Privacy Framework (DPF)": [
          "III.15.a"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(a)",
          "164.530(a)(1)(i)",
          "164.530(i)(1)"
        ],
        "US - CA CCPA 2025": [
          "7002(a)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)",
          "6-1-1305(7)",
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)",
          "6-1-1308(6)",
          "6-1-105(1)(nnn)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.3"
        ],
        "EMEA EU GDPR": [
          "12.2",
          "5.1(a)",
          "9.1"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.2"
        ],
        "APAC Australia Privacy Act": [
          "Inferred",
          "Expectation"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1"
        ],
        "Americas Canada PIPEDA": [
          "Principle 1",
          "Principle 8"
        ]
      }
    },
    {
      "principle_name": "Assigned Responsibilities",
      "description": "Assign accountability through documented roles and responsibilities to qualified data subjects, including key internal and external stakeholders, for maintaining compliance with all applicable data privacy requirements, which involves appropriately monitoring and documenting the data privacy program.",
      "scf_control": "Chief Privacy Officer (CPO)",
      "scf_control_id": "PRI-01.1",
      "crosswalks": {
        "APEC Privacy Framework 2015": [
          "9"
        ],
        "GAPP": [
          "1.1.0",
          "1.1.2",
          "1.2.1",
          "1.2.2",
          "1.2.8",
          "1.2.9",
          "2.1.0",
          "4.2.3",
          "8.2.1"
        ],
        "ISO 27701  2025": [
          "5.1",
          "5.3"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P5"
        ],
        "NIST 800-53 R5": [
          "PM-19"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-19"
        ],
        "OECD Privacy Principles": [
          "8"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.530(a)(1)(i)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)",
          "6-1-1308(6)"
        ]
      }
    },
    {
      "principle_name": "Assigned Responsibilities",
      "description": "Assign accountability through documented roles and responsibilities to qualified data subjects, including key internal and external stakeholders, for maintaining compliance with all applicable data privacy requirements, which involves appropriately monitoring and documenting the data privacy program.",
      "scf_control": "Data Protection Officer (DPO)",
      "scf_control_id": "PRI-01.4",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P5",
          "CT.PO-P2",
          "CM.PO-P2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.530(a)(1)(ii)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)",
          "6-1-1308(6)"
        ],
        "EMEA EU GDPR": [
          "27.1",
          "27.3",
          "27.4",
          "27.5",
          "35.2",
          "37.1",
          "37.1(a)",
          "37.1(b)",
          "37.1(c)",
          "37.2",
          "37.3",
          "37.4",
          "37.5",
          "37.6",
          "37.7",
          "38.1",
          "38.2",
          "38.3",
          "38.4",
          "38.5",
          "38.6",
          "39.1",
          "39.1(a)",
          "39.1(b)",
          "39.1(c)",
          "39.1(d)",
          "39.1(e)",
          "39.2"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "30.2"
        ],
        "APAC India DPDPA 2023": [
          "10(2)(a)",
          "10(2)(a)(iv)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 6"
        ]
      }
    },
    {
      "principle_name": "Data Classification",
      "description": "Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, regulatory and contractual contexts.",
      "scf_control": "Data & Asset Classification",
      "scf_control_id": "DCH-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "C1.1",
          "CC2.1",
          "CC2.1-POF7",
          "CC6.1-POF1"
        ],
        "NIST CSF 2.0": [
          "ID.AM-05",
          "PR.DS"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(A)"
        ]
      }
    },
    {
      "principle_name": "Data Classification",
      "description": "Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, regulatory and contractual contexts.",
      "scf_control": "Personal Data (PD) Categories",
      "scf_control_id": "PRI-05.7",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-7",
          "PT-7(1)",
          "PT-7(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-7",
          "PT-7(1)",
          "PT-7(2)"
        ],
        "US - CA CCPA 2025": [
          "7024(j)",
          "7024(l)"
        ],
        "US - OR CPA": [
          "5(4)(a)",
          "5(4)(e)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.C.4"
        ],
        "EMEA EU GDPR": [
          "13.1(e)",
          "14.1(d)"
        ],
        "APAC Australian Privacy Principles": [
          "APP 9"
        ]
      }
    },
    {
      "principle_name": "Registering Databases",
      "description": "Register applicable databases containing personal data with the appropriate Data Authority, when required.",
      "scf_control": "Register As A Data Controller and/or Data Processor",
      "scf_control_id": "PRI-15",
      "crosswalks": {
        "US - VT Act 171 of 2018": [
          "2446(a)",
          "2446(a)(1)",
          "2446(a)(2)",
          "2446(a)(3)",
          "2446(a)(3)(A)",
          "2446(a)(3)(B)",
          "2446(a)(3)(B)(i)",
          "2446(a)(3)(B)(ii)",
          "2446(a)(3)(B)(iii)",
          "2446(a)(3)(C)",
          "2446(a)(3)(D)",
          "2446(a)(3)(E)",
          "2446(a)(3)(F)",
          "2446(a)(3)(G)"
        ]
      }
    },
    {
      "principle_name": "Resource Planning",
      "description": "Identify and plan for resources needed to operate a data privacy program and include data privacy requirements in solicitations for Technology Assets, Applications and/or Services (TAAS).",
      "scf_control": "Cybersecurity & Data Protection Portfolio Management",
      "scf_control_id": "PRM-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2",
          "CC3.1",
          "CC3.1-POF4",
          "CC3.4",
          "CC5.2"
        ],
        "ISO 27701  2025": [
          "7.1"
        ],
        "NIST 800-53 R5": [
          "PL-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-1"
        ],
        "NIST CSF 2.0": [
          "GV.RM",
          "GV.RR-03"
        ]
      }
    },
    {
      "principle_name": "Inventory of Personal Data",
      "description": "Maintain an inventory of both the type of personal data and specific data element, as well as the Technology Assets, Applications and/or Services (TAAS) that collect, create, use, disseminate, maintain, and/or disclose that personal data.",
      "scf_control": "Inventory of Personal Data (PD)",
      "scf_control_id": "PRI-05.5",
      "crosswalks": {
        "GAPP": [
          "7.2.2"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P1",
          "ID.IM-P3",
          "ID.IM-P6"
        ],
        "NIST 800-53 R5": [
          "PM-5(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-5(1)"
        ],
        "NIST CSF 2.0": [
          "ID.AM-07"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(A)"
        ]
      }
    },
    {
      "principle_name": "Inventory of Personal Data",
      "description": "Maintain an inventory of both the type of personal data and specific data element, as well as the Technology Assets, Applications and/or Services (TAAS) that collect, create, use, disseminate, maintain, and/or disclose that personal data.",
      "scf_control": "Personal Data (PD) Inventory Automation Support",
      "scf_control_id": "PRI-05.6",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "ID.IM-P1",
          "ID.IM-P3",
          "ID.IM-P6"
        ],
        "NIST 800-53 R5": [
          "PM-5(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-5(1)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Cybersecurity & Data Protection-Minded Workforce",
      "scf_control_id": "SAT-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4",
          "CC1.4-POF3",
          "CC2.2-POF12",
          "CC2.2-POF8"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3",
          "GV.AT-P4"
        ],
        "NIST 800-53 R5": [
          "AT-1",
          "PM-13"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AT-1"
        ],
        "NIST CSF 2.0": [
          "PR.AT"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(5)(i)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(12)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(A)",
          "2447(c)(8)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Cybersecurity & Data Protection Awareness Training",
      "scf_control_id": "SAT-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4-POF7",
          "CC2.2-POF12",
          "CC2.2-POF8"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3"
        ],
        "NIST 800-53 R5": [
          "AT-2"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AT-2"
        ],
        "NIST CSF 2.0": [
          "PR.AT",
          "PR.AT-01"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(5)(i)",
          "164.530(b)(2)(i)",
          "164.530(b)(2)(i)(A)",
          "164.530(b)(2)(i)(B)",
          "164.530(b)(2)(i)(C)",
          "164.530(b)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7100(a)",
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(A)",
          "2447(c)(8)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Simulated Cyber Attack Scenario Training",
      "scf_control_id": "SAT-02.1",
      "crosswalks": {
        "NIST 800-53 R5": [
          "AT-2(1)",
          "AT-6"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Role-Based Cybersecurity & Data Protection Training",
      "scf_control_id": "SAT-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4-POF7",
          "CC2.2-POF12",
          "CC2.2-POF13"
        ],
        "ISO 27701  2025": [
          "7.2"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3"
        ],
        "NIST 800-53 R5": [
          "AT-3",
          "AT-3(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AT-3"
        ],
        "NIST CSF 2.0": [
          "PR.AT",
          "PR.AT-01",
          "PR.AT-02"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(5)(ii)(C)",
          "164.308(a)(5)(ii)(D)",
          "164.530(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7100(a)",
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(A)",
          "2447(c)(8)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Practical Exercises",
      "scf_control_id": "SAT-03.1",
      "crosswalks": {
        "NIST 800-53 R5": [
          "AT-3(3)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Suspicious Communications & Anomalous System Behavior",
      "scf_control_id": "SAT-03.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF13",
          "CC2.3-POF12"
        ],
        "NIST 800-53 R5": [
          "AT-2(4)",
          "AT-2(5)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(5)(ii)(B)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(4)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Sensitive / Regulated Data Storage, Handling & Processing",
      "scf_control_id": "SAT-03.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF9"
        ],
        "GAPP": [
          "1.1.1",
          "1.2.10"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST 800-53 R5": [
          "AT-3(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AT-3(5)"
        ],
        "US FIPPS": [
          "2"
        ],
        "US - CA CCPA 2025": [
          "7100(a)",
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(8)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Cyber Threat Environment",
      "scf_control_id": "SAT-03.6",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF8"
        ],
        "NIST 800-53 R5": [
          "AT-2(6)"
        ],
        "NIST CSF 2.0": [
          "ID.RA-03"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(5)(ii)(A)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(12)",
          "7123(c)(13)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Training",
      "description": "Provide recurring data privacy awareness and training for all employees and contractors.",
      "scf_control": "Cybersecurity & Data Protection Training Records",
      "scf_control_id": "SAT-04",
      "crosswalks": {
        "NIST 800-53 R5": [
          "AT-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AT-4"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(12)",
          "7123(c)(13)"
        ]
      }
    },
    {
      "principle_name": "Personal Data Categories",
      "description": "Define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD).",
      "scf_control": "Personal Data (PD) Categories",
      "scf_control_id": "PRI-05.7",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-7",
          "PT-7(1)",
          "PT-7(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-7",
          "PT-7(1)",
          "PT-7(2)"
        ],
        "US - CA CCPA 2025": [
          "7024(j)",
          "7024(l)"
        ],
        "US - OR CPA": [
          "5(4)(a)",
          "5(4)(e)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.C.4"
        ],
        "EMEA EU GDPR": [
          "13.1(e)",
          "14.1(d)"
        ],
        "APAC Australian Privacy Principles": [
          "APP 9"
        ]
      }
    },
    {
      "principle_name": "Data Subject Communications",
      "description": "Craft disclosures and communications to data subjects so the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person.",
      "scf_control": "Data Subject Communications",
      "scf_control_id": "PRI-17",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P6.7-POF3"
        ],
        "US - CA CCPA 2025": [
          "7003(a)",
          "7004(a)(3)",
          "7222(b)",
          "7222(b)(1)",
          "7222(b)(2)",
          "7222(b)(3)",
          "7222(b)(3)(A)",
          "7222(b)(4)",
          "7222(b)(4)(A)",
          "7222(c)",
          "7222(c)(1)",
          "7222(c)(2)",
          "7222(c)(2)(A)",
          "7222(c)(2)(B)",
          "7222(c)(2)(C)",
          "7222(d)",
          "7222(e)",
          "7222(f)",
          "7222(g)",
          "7222(h)",
          "7222(i)",
          "7222(j)",
          "7222(k)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.B.2"
        ]
      }
    },
    {
      "principle_name": "Conspicuous Link To Data Privacy Notice",
      "description": "Design websites and mobile applications to include a conspicuous link to the organization's data privacy notice.",
      "scf_control": "Conspicuous Link To Data Privacy Notice",
      "scf_control_id": "PRI-17.1",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7003(c)",
          "7003(d)"
        ]
      }
    },
    {
      "principle_name": "Notice of Financial Incentive",
      "description": "Provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate.",
      "scf_control": "Notice of Financial Incentive",
      "scf_control_id": "PRI-17.2",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7010(g)",
          "7080(e)"
        ]
      }
    },
    {
      "principle_name": "Data Subject Participation",
      "description": "Data subjects are directly involved in the decision-making process regarding the fair and lawful processing of the individual’s personal data and, to the extent practicable, directly engaged to receive explicit permission to use their personal data.",
      "scf_control": "Choice & Consent",
      "scf_control_id": "PRI-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P2.0",
          "P2.1",
          "P2.1-POF1",
          "P2.1-POF2",
          "P2.1-POF3",
          "P2.1-POF5",
          "P2.1-POF6",
          "P3.2",
          "P3.2-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "2(e)",
          "4(a)",
          "5"
        ],
        "GAPP": [
          "3.2.1",
          "3.2.2",
          "3.2.3",
          "3.2.4"
        ],
        "ISO 29100 2024": [
          "6.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "NIST 800-53 R5": [
          "PT-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-4"
        ],
        "OECD Privacy Principles": [
          "1",
          "4(a)"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.2.a",
          "II.2.c"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.506(b)(1)",
          "164.508(a)(2)",
          "164.508(c)(1)(v)",
          "164.508(c)(3)",
          "164.510(b)(2)(i)",
          "164.510(b)(2)(ii)",
          "164.510(b)(2)(iii)",
          "164.510(b)(3)",
          "164.514(f)(2)(ii)",
          "164.514(f)(2)(iv)",
          "164.514(f)(2)(v)"
        ],
        "US - CA CCPA 2025": [
          "7002(e)",
          "7010(b)",
          "7012(a)",
          "7012(b)",
          "7012(c)",
          "7012(d)",
          "7012(e)",
          "7012(e)(1)",
          "7012(e)(2)",
          "7012(e)(3)",
          "7012(e)(4)",
          "7012(e)(5)",
          "7012(e)(6)",
          "7027(c)",
          "7027(d)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "US - IL BIPA": [
          "15(b)(3)"
        ],
        "US - OR CPA": [
          "5(2)(b)",
          "5(2)(c)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(E)",
          "47-18-3203(b)",
          "47-18-3204(a)(6)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.5",
          "59.1-578.D"
        ],
        "EMEA EU GDPR": [
          "21.1",
          "21.2",
          "21.3",
          "21.4",
          "21.5",
          "21.6",
          "7.1",
          "7.2",
          "9.2(a)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "10.1",
          "15.1",
          "24.1",
          "25.1",
          "25.2",
          "25.3",
          "26",
          "5.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 3"
        ],
        "APAC India DPDPA 2023": [
          "4(1)(a)",
          "6(1)",
          "6(10)",
          "6(3)",
          "6(7)",
          "7(a)",
          "7(b)(i)",
          "8(8)(b)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ]
      }
    },
    {
      "principle_name": "Clear Choices",
      "description": "Provide clear and conspicuous choices that enable an individual, or a person authorized by the individual, to permit or prohibit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the individual’s personal data. This is also referred to as the right to \"opt out.\"",
      "scf_control": "Choice & Consent",
      "scf_control_id": "PRI-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P2.0",
          "P2.1",
          "P2.1-POF1",
          "P2.1-POF2",
          "P2.1-POF3",
          "P2.1-POF5",
          "P2.1-POF6",
          "P3.2",
          "P3.2-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "2(e)",
          "4(a)",
          "5"
        ],
        "GAPP": [
          "3.2.1",
          "3.2.2",
          "3.2.3",
          "3.2.4"
        ],
        "ISO 29100 2024": [
          "6.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "NIST 800-53 R5": [
          "PT-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-4"
        ],
        "OECD Privacy Principles": [
          "1",
          "4(a)"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.2.a",
          "II.2.c"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.506(b)(1)",
          "164.508(a)(2)",
          "164.508(c)(1)(v)",
          "164.508(c)(3)",
          "164.510(b)(2)(i)",
          "164.510(b)(2)(ii)",
          "164.510(b)(2)(iii)",
          "164.510(b)(3)",
          "164.514(f)(2)(ii)",
          "164.514(f)(2)(iv)",
          "164.514(f)(2)(v)"
        ],
        "US - CA CCPA 2025": [
          "7002(e)",
          "7010(b)",
          "7012(a)",
          "7012(b)",
          "7012(c)",
          "7012(d)",
          "7012(e)",
          "7012(e)(1)",
          "7012(e)(2)",
          "7012(e)(3)",
          "7012(e)(4)",
          "7012(e)(5)",
          "7012(e)(6)",
          "7027(c)",
          "7027(d)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "US - IL BIPA": [
          "15(b)(3)"
        ],
        "US - OR CPA": [
          "5(2)(b)",
          "5(2)(c)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(E)",
          "47-18-3203(b)",
          "47-18-3204(a)(6)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.5",
          "59.1-578.D"
        ],
        "EMEA EU GDPR": [
          "21.1",
          "21.2",
          "21.3",
          "21.4",
          "21.5",
          "21.6",
          "7.1",
          "7.2",
          "9.2(a)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "10.1",
          "15.1",
          "24.1",
          "25.1",
          "25.2",
          "25.3",
          "26",
          "5.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 3"
        ],
        "APAC India DPDPA 2023": [
          "4(1)(a)",
          "6(1)",
          "6(10)",
          "6(3)",
          "6(7)",
          "7(a)",
          "7(b)(i)",
          "8(8)(b)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ]
      }
    },
    {
      "principle_name": "Initial Consent",
      "description": "Prior to the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the individual’s personal data, the knowledge and consent of the individual are required.",
      "scf_control": "Choice & Consent",
      "scf_control_id": "PRI-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P2.0",
          "P2.1",
          "P2.1-POF1",
          "P2.1-POF2",
          "P2.1-POF3",
          "P2.1-POF5",
          "P2.1-POF6",
          "P3.2",
          "P3.2-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "2(e)",
          "4(a)",
          "5"
        ],
        "GAPP": [
          "3.2.1",
          "3.2.2",
          "3.2.3",
          "3.2.4"
        ],
        "ISO 29100 2024": [
          "6.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "NIST 800-53 R5": [
          "PT-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-4"
        ],
        "OECD Privacy Principles": [
          "1",
          "4(a)"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.2.a",
          "II.2.c"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.506(b)(1)",
          "164.508(a)(2)",
          "164.508(c)(1)(v)",
          "164.508(c)(3)",
          "164.510(b)(2)(i)",
          "164.510(b)(2)(ii)",
          "164.510(b)(2)(iii)",
          "164.510(b)(3)",
          "164.514(f)(2)(ii)",
          "164.514(f)(2)(iv)",
          "164.514(f)(2)(v)"
        ],
        "US - CA CCPA 2025": [
          "7002(e)",
          "7010(b)",
          "7012(a)",
          "7012(b)",
          "7012(c)",
          "7012(d)",
          "7012(e)",
          "7012(e)(1)",
          "7012(e)(2)",
          "7012(e)(3)",
          "7012(e)(4)",
          "7012(e)(5)",
          "7012(e)(6)",
          "7027(c)",
          "7027(d)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "US - IL BIPA": [
          "15(b)(3)"
        ],
        "US - OR CPA": [
          "5(2)(b)",
          "5(2)(c)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(E)",
          "47-18-3203(b)",
          "47-18-3204(a)(6)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.5",
          "59.1-578.D"
        ],
        "EMEA EU GDPR": [
          "21.1",
          "21.2",
          "21.3",
          "21.4",
          "21.5",
          "21.6",
          "7.1",
          "7.2",
          "9.2(a)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "10.1",
          "15.1",
          "24.1",
          "25.1",
          "25.2",
          "25.3",
          "26",
          "5.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 3"
        ],
        "APAC India DPDPA 2023": [
          "4(1)(a)",
          "6(1)",
          "6(10)",
          "6(3)",
          "6(7)",
          "7(a)",
          "7(b)(i)",
          "8(8)(b)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ]
      }
    },
    {
      "principle_name": "Updated Consent",
      "description": "Based on changes to data privacy practices that affect the parameters of an individual's initial consent, updated consent of the individual is required to continue the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the individual’s personal data. This is also referred to as the right to revoke or \"opt out\" at any time after the initial consent was provided.",
      "scf_control": "Just-In-Time Notice & Updated Consent",
      "scf_control_id": "PRI-03.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P2.1",
          "P2.1-POF4",
          "P3.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "NIST 800-53 R5": [
          "PT-4(2)",
          "PT-5(1)"
        ],
        "US Data Privacy Framework (DPF)": [
          "III.14.b.i",
          "III.14.b.ii"
        ],
        "US - CA CCPA 2025": [
          "7002(f)",
          "7010(f)",
          "7022(g)",
          "7022(h)",
          "7025(c)(5)",
          "7026(k)",
          "7027(l)",
          "7221(i)",
          "7221(k)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "APAC Australian Privacy Principles": [
          "APP 5"
        ],
        "Americas Canada PIPEDA": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ]
      }
    },
    {
      "principle_name": "Updated Consent",
      "description": "Based on changes to data privacy practices that affect the parameters of an individual's initial consent, updated consent of the individual is required to continue the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the individual’s personal data. This is also referred to as the right to revoke or \"opt out\" at any time after the initial consent was provided.",
      "scf_control": "Revoke Consent",
      "scf_control_id": "PRI-03.4",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-4(3)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)"
        ],
        "US - OR CPA": [
          "5(1)(d)"
        ],
        "EMEA EU GDPR": [
          "7.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "5.2"
        ],
        "APAC India DPDPA 2023": [
          "5(2)(b)",
          "6(4)",
          "6(7)",
          "8(7)(a)",
          "8(8)(b)"
        ]
      }
    },
    {
      "principle_name": "Equal Service & Price",
      "description": "Implement business processes to protect the right of data subjects to equal service and price, even if they exercise their data privacy rights.",
      "scf_control": "Statutory, Regulatory & Contractual Compliance",
      "scf_control_id": "CPL-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.5",
          "CC2.2",
          "CC2.3",
          "CC2.3-POF5",
          "CC3.1-POF14",
          "CC3.1-POF5",
          "CC3.1-POF8",
          "CC3.1-POF9"
        ],
        "ISO 27701  2025": [
          "4.1",
          "4.2(a)",
          "4.2(b)",
          "4.2(c)"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P5",
          "GV.MT-P3"
        ],
        "NIST 800-53 R5": [
          "PL-1",
          "PM-8"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-1"
        ],
        "NIST CSF 2.0": [
          "GV.OC",
          "GV.OC-03",
          "GV.SC-05",
          "PR"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.7.c",
          "III.5.a",
          "III.5.b.i"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(c)",
          "164.306(d)(1)",
          "164.306(d)(2)",
          "164.314(a)(1)",
          "164.314(a)(2)(ii)",
          "164.504(g)(1)"
        ],
        "US - CA CCPA 2025": [
          "7013(h)",
          "7022(d)",
          "7023(e)",
          "7050(b)",
          "7072(b)",
          "7123(b)(3)",
          "7200(a)",
          "7200(b)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(1)",
          "6-1-1305(6)",
          "6-1-1307(2)",
          "6-1-1307(3)",
          "6-1-1308(6)"
        ],
        "US - IL PIPA": [
          "45(a)",
          "45(b)",
          "45(c)",
          "45(d)",
          "50"
        ],
        "US - OR CPA": [
          "7(1)(b)"
        ],
        "US - VA CDPA 2025": [
          "59.1-581.E"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "2.1",
          "30.3"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 11"
        ],
        "APAC India DPDPA 2023": [
          "7(c)",
          "7(d)",
          "7(e)",
          "8(1)",
          "8(4)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Equal Service & Price",
      "description": "Implement business processes to protect the right of data subjects to equal service and price, even if they exercise their data privacy rights.",
      "scf_control": "Product or Service Delivery Restrictions",
      "scf_control_id": "PRI-03.5",
      "crosswalks": {
        "US HIPAA Administrative Simplification 2013": [
          "164.508(c)(2)(ii)(A)",
          "164.508(c)(2)(ii)(B)",
          "164.514(f)(2)(iii)"
        ],
        "US - CA CCPA 2025": [
          "7080(a)",
          "7080(b)",
          "7221(l)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(1)(d)"
        ],
        "US - IL IPA": [
          "10(b)(2)"
        ],
        "US - OR CPA": [
          "5(2)(d)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.1.E",
          "59.1-578.A.4"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "7"
        ]
      }
    },
    {
      "principle_name": "Prohibit The Sale of Personal Data",
      "description": "Provide a clear and conspicuous link on the organization's Internet-based homepage, titled “Do Not Sell My Personal Data,” that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal data.",
      "scf_control": "Tailored Consent",
      "scf_control_id": "PRI-03.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P3.2-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P3"
        ],
        "NIST 800-53 R5": [
          "PT-4(1)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(E)(i)",
          "47-18-3203(a)(2)(E)(ii)",
          "47-18-3203(a)(2)(E)(iii)",
          "47-18-3203(b)"
        ]
      }
    },
    {
      "principle_name": "Prohibit The Sale of Personal Data",
      "description": "Provide a clear and conspicuous link on the organization's Internet-based homepage, titled “Do Not Sell My Personal Data,” that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal data.",
      "scf_control": "Prohibition of Selling, Processing and/or Sharing Personal Data (PD)",
      "scf_control_id": "PRI-03.3",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(a)(5)(ii)(A)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "US - IL BIPA": [
          "15(c)"
        ],
        "US - NV SB220": [
          "2.3"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(E)(i)",
          "47-18-3203(a)(2)(E)(ii)",
          "47-18-3203(a)(2)(E)(iii)",
          "47-18-3204(d)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.1.C",
          "59.1-578.F.1",
          "59.1-578.F.1.a"
        ],
        "APAC Australian Privacy Principles": [
          "APP 7"
        ]
      }
    },
    {
      "principle_name": "Authorized Agent (Proxy)",
      "description": "Allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions.",
      "scf_control": "Authorized Agent",
      "scf_control_id": "PRI-03.6",
      "crosswalks": {
        "US Data Privacy Framework (DPF)": [
          "II.2.b"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(g)(1)",
          "164.502(g)(2)",
          "164.502(g)(3)(i)",
          "164.502(g)(3)(i)(A)"
        ],
        "US - CA CCPA 2025": [
          "7026(j)",
          "7027(j)",
          "7063(a)",
          "7063(a)(1)",
          "7063(a)(2)",
          "7063(b)",
          "7063(c)",
          "7063(d)",
          "7221(j)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(a)(II)"
        ],
        "US - IL BIPA": [
          "15(b)(3)"
        ],
        "US - OR CPA": [
          "4(4)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(1)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.1.D",
          "59.1-577.A",
          "59.1-578.A.5",
          "59.1-578.F.3"
        ],
        "EMEA EU GDPR": [
          "8.1",
          "8.2"
        ],
        "APAC India DPDPA 2023": [
          "14(1)",
          "6(7)",
          "9(1)"
        ]
      }
    },
    {
      "principle_name": "Global Privacy Control (GPC)",
      "description": "Enable automated mechanisms that allow data subjects to automatically exercise pre-selected opt-out preferences (e.g., an opt-out signal).",
      "scf_control": "Global Privacy Control (GPC)",
      "scf_control_id": "PRI-03.8",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7025(a)",
          "7025(b)",
          "7025(b)(1)",
          "7025(b)(2)",
          "7025(c)",
          "7025(c)(1)",
          "7025(c)(2)",
          "7025(c)(3)",
          "7025(c)(5)",
          "7025(c)(6)",
          "7025(d)",
          "7025(e)",
          "7025(f)",
          "7025(f)(1)",
          "7025(f)(2)",
          "7025(f)(3)",
          "7025(g)",
          "7025(g)(1)",
          "7025(g)(3)"
        ],
        "US - OR CPA": [
          "5(5)(c)",
          "5(5)(c)(A)",
          "5(5)(c)(B)",
          "5(5)(c)(C)",
          "5(5)(c)(D)",
          "5(5)(c)(E)"
        ]
      }
    },
    {
      "principle_name": "Limited Collection & Use",
      "description": "Ensure that the design of data collection and use is consistent with the intended use of the information and that the need for new information is balanced against any data privacy risks.",
      "scf_control": "Restrict Collection To Identified Purpose",
      "scf_control_id": "PRI-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC8.1-POF18",
          "P3.0",
          "P3.1",
          "P3.1-POF1",
          "P3.1-POF2",
          "P3.1-POF3",
          "P3.1-POF4"
        ],
        "APEC Privacy Framework 2015": [
          "3"
        ],
        "GAPP": [
          "4.1.2",
          "9.2.2"
        ],
        "ISO 29100 2024": [
          "6.4",
          "6.5"
        ],
        "NIST 800-53 R5": [
          "PT-2"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-2"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.5.a"
        ],
        "US FIPPS": [
          "4"
        ],
        "US - AK PIPA": [
          "45.48.410"
        ],
        "US - CA CCPA 2025": [
          "7002(f)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)"
        ],
        "US - IL BIPA": [
          "15(b)"
        ],
        "US - IL IPA": [
          "10(b)(1)",
          "10(b)(3)"
        ],
        "US - OR CPA": [
          "5(1)(b)",
          "5(2)(b)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(a)(1)",
          "47-18-3204(a)(2)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.1",
          "59.1-578.F.1",
          "59.1-578.F.1.c",
          "59.1-578.F.2"
        ],
        "US - VT Act 171 of 2018": [
          "2433(a)(1)",
          "2433(a)(2)"
        ],
        "EMEA EU GDPR": [
          "5.1(b)",
          "5.1(c)",
          "8.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 3"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 1",
          "P1-(1)(a)",
          "P1-(1)(b)",
          "Principle 3",
          "P3-(1)",
          "P3-(1)(a)",
          "P3-(1)(b)",
          "P3-(1)(c)",
          "P3-(1)(d)",
          "P3-(1)(d)(i)",
          "P3-(1)(d)(ii)",
          "P3-(1)(e)",
          "P3-(1)(e)(i)",
          "P3-(1)(e)(ii)",
          "P3-(1)(f)",
          "P3-(1)(g)",
          "P3-(2)",
          "P3-(3)",
          "P3-(4)",
          "P3-(4)(a)",
          "P3-(4)(b)",
          "P3-(4)(b)(i)",
          "P3-(4)(b)(ii)",
          "P3-(4)(b)(iii)",
          "P3-(4)(b)(iv)",
          "P3-(4)(c)",
          "P3-(4)(d)",
          "P3-(4)(e)",
          "P3-(4)(e)(i)",
          "P3-(4)(e)(ii)",
          "Principle 4",
          "P4-(a)",
          "P4-(b)",
          "P4-(b)(i)",
          "P4-(b)(ii)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 5",
          "Principle 4"
        ]
      }
    },
    {
      "principle_name": "Authority to Collect",
      "description": "Identify the lawful basis given to collect, create, use, disseminate, maintain, and/or disclose an individual’s personal data. Document this authority in the organization's publicly-facing data privacy notice.",
      "scf_control": "Authority To Collect, Process, Store & Share Personal Data (PD)",
      "scf_control_id": "PRI-04.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC8.1-POF18",
          "P3.1",
          "P6.7-POF1"
        ],
        "APEC Privacy Framework 2015": [
          "4(c)"
        ],
        "GAPP": [
          "1.2.5",
          "1.2.11",
          "4.2.2"
        ],
        "ISO 29100 2024": [
          "6.3"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DP-P4"
        ],
        "NIST 800-53 R5": [
          "PT-2"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-2"
        ],
        "OECD Privacy Principles": [
          "1",
          "4(b)"
        ],
        "US FIPPS": [
          "3"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(a)(1)(i)",
          "164.502(a)(1)(ii)",
          "164.502(a)(1)(iii)",
          "164.502(a)(5)(i)",
          "164.502(i)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(4)"
        ],
        "US - IL BIPA": [
          "15(b)"
        ],
        "US - IL IPA": [
          "10(b)(1)",
          "10(b)(3)"
        ],
        "US - OR CPA": [
          "5(2)(b)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(a)(5)",
          "47-18-3204(b)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.F.1.b",
          "59.1-578.F.1.c"
        ],
        "US - VT Act 171 of 2018": [
          "2433(a)(2)(A)",
          "2433(a)(2)(B)",
          "2433(a)(2)(C)"
        ],
        "EMEA EU GDPR": [
          "10",
          "9.2(b)",
          "9.2(c)",
          "9.2(d)",
          "9.2(e)",
          "9.2(f)",
          "9.2(g)",
          "9.2(h)",
          "9.2(i)",
          "9.2(j)",
          "9.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "13.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 3",
          "APP 7"
        ],
        "APAC India DPDPA 2023": [
          "4(1)(b)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 5",
          "Principle 4"
        ]
      }
    },
    {
      "principle_name": "Data Minimization",
      "description": "Take steps to minimize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the individual’s personal data to what is directly relevant and necessary to accomplish a legally authorized purpose.",
      "scf_control": "Limit Sensitive / Regulated Data In Testing, Training & Research",
      "scf_control_id": "DCH-18.2",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PM-25",
          "SI-12(2)",
          "SA-8(33)",
          "SA-15(12)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-25",
          "SI-12(2)",
          "SA-8(33)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(3)"
        ]
      }
    },
    {
      "principle_name": "Internal Use",
      "description": "Restrict the internal use of personal data to only authorized purpose(s) that are consistent with the stated data privacy notice.",
      "scf_control": "Minimize Sensitive / Regulated Data",
      "scf_control_id": "DCH-18.1",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.5"
        ],
        "NIST 800-53 R5": [
          "SI-12(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-12(1)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(b)(1)"
        ],
        "US - NV SB220": [
          "2.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.3"
        ]
      }
    },
    {
      "principle_name": "Internal Use",
      "description": "Restrict the internal use of personal data to only authorized purpose(s) that are consistent with the stated data privacy notice.",
      "scf_control": "Internal Use of Personal Data (PD) For Testing, Training and Research",
      "scf_control_id": "PRI-05.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF13",
          "P4.1"
        ],
        "GAPP": [
          "7.2.2",
          "9.2.1",
          "9.2.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P2"
        ],
        "NIST 800-53 R5": [
          "PM-25",
          "PT-2",
          "PT-3",
          "SI-12(1)",
          "SI-12(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-25",
          "PT-2",
          "SI-12(1)",
          "SI-12(2)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.508(a)(2)(i)(B)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(4)"
        ],
        "US - NV SB220": [
          "2.3"
        ],
        "US - OR CPA": [
          "7(1)(c)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(a)(2)",
          "47-18-3207(a)(1)",
          "47-18-3207(a)(2)",
          "47-18-3207(a)(3)",
          "47-18-3207(b)(1)",
          "47-18-3207(b)(2)",
          "47-18-3207(b)(3)",
          "47-18-3207(b)(3)(A)",
          "47-18-3207(b)(3)(B)",
          "47-18-3207(b)(3)(C)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 6"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 10",
          "P10-(1)",
          "P10-(1)(a)",
          "P10-(1)(b)(i)",
          "P10-(1)(b)(ii)",
          "P10-(1)(c)",
          "P10-(1)(d)",
          "P10-(1)(e)(i)",
          "P10-(1)(e)(ii)",
          "P10-(1)(e)(iii)",
          "P10-(1)(e)(iv)",
          "P10-(1)(f)(i)",
          "P10-(1)(f)(ii)",
          "P10-(2)"
        ]
      }
    },
    {
      "principle_name": "Internal Use",
      "description": "Restrict the internal use of personal data to only authorized purpose(s) that are consistent with the stated data privacy notice.",
      "scf_control": "Usage Restrictions of Personal Data (PD)",
      "scf_control_id": "PRI-05.4",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P4.0",
          "P4.1",
          "P4.1-POF1"
        ],
        "GAPP": [
          "5.2.1",
          "9.2.2"
        ],
        "ISO 29100 2024": [
          "6.6"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P8",
          "CT.DP-P4",
          "CT.PO-P1",
          "CT.PO-P2"
        ],
        "NIST 800-53 R5": [
          "AC-23",
          "PM-25",
          "PT-2",
          "PT-7"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-25",
          "PT-2",
          "PT-7"
        ],
        "OECD Privacy Principles": [
          "4"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.2.c"
        ],
        "US FIPPS": [
          "4"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(c)",
          "164.502(d)(1)",
          "164.504(g)(2)",
          "164.506(a)",
          "164.506(c)(1)",
          "164.506(c)(5)",
          "164.508(a)(1)",
          "164.508(a)(2)(i)(C)",
          "164.510(a)(1)(i)(A)",
          "164.510(a)(1)(i)(B)",
          "164.510(a)(1)(i)(C)",
          "164.510(a)(1)(i)(D)",
          "164.510(a)(1)(ii)(A)",
          "164.510(a)(1)(ii)(B)",
          "164.510(b)(4)",
          "164.512",
          "164.512(i)(1)",
          "164.512(j)(1)",
          "164.512(j)(1)(i)(A)",
          "164.512(j)(1)(i)(B)",
          "164.512(j)(1)(ii)",
          "164.512(j)(1)(ii)(A)",
          "164.512(j)(1)(ii)(B)",
          "164.512(j)(2)(i)",
          "164.512(j)(2)(ii)",
          "164.512(j)(3)",
          "164.512(j)(4)",
          "164.512(k)(1)(i)",
          "164.512(k)(1)(i)(A)",
          "164.512(k)(1)(i)(B)",
          "164.512(k)(1)(ii)",
          "164.512(k)(1)(iii)",
          "164.512(k)(1)(iv)",
          "164.512(k)(2)",
          "164.512(k)(3)",
          "164.512(k)(4)",
          "164.512(k)(4)(i)",
          "164.512(k)(4)(ii)",
          "164.512(k)(4)(iii)",
          "164.512(k)(5)(i)",
          "164.512(k)(5)(i)(A)",
          "164.512(k)(5)(i)(B)",
          "164.512(k)(5)(i)(C)",
          "164.512(k)(5)(i)(D)",
          "164.512(k)(5)(i)(E)",
          "164.512(k)(5)(i)(F)",
          "164.512(k)(5)(ii)",
          "164.512(k)(5)(iii)",
          "164.512(k)(6)(i)",
          "164.512(k)(6)(ii)",
          "164.512(k)(6)(ii)(1)",
          "164.514(f)(2)(i)",
          "164.514(g)"
        ],
        "US - CA CCPA 2025": [
          "7023(d)(3)",
          "7026(f)",
          "7026(f)(1)",
          "7027(a)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)",
          "6-1-1308(4)",
          "6-1-1308(7)"
        ],
        "US - IL BIPA": [
          "15(b)(2)"
        ],
        "US - NV SB220": [
          "2.3"
        ],
        "US - OR CPA": [
          "4(7)(b)",
          "5(2)(a)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(C)(i)(b)",
          "47-18-3203(a)(2)(C)(ii)",
          "47-18-3204(a)(6)",
          "47-18-3207(b)",
          "47-18-3207(c)",
          "47-18-3207(d)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.1.C",
          "59.1-578.A.2",
          "59.1-578.F.1.c"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.3"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 6",
          "APP 7",
          "APP 9"
        ],
        "APAC India DPDPA 2023": [
          "7(f)",
          "7(g)",
          "7(h)",
          "7(i)",
          "8(1)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 10",
          "P10-(1)",
          "P10-(1)(a)",
          "P10-(1)(b)(i)",
          "P10-(1)(b)(ii)",
          "P10-(1)(c)",
          "P10-(1)(d)",
          "P10-(1)(e)(i)",
          "P10-(1)(e)(ii)",
          "P10-(1)(e)(iii)",
          "P10-(1)(e)(iv)",
          "P10-(1)(f)(i)",
          "P10-(1)(f)(ii)",
          "P10-(2)"
        ]
      }
    },
    {
      "principle_name": "Transparency",
      "description": "Provide a transparent notice to the public about data privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications and other digital services regarding the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the personal data.",
      "scf_control": "Privacy Act Statements",
      "scf_control_id": "PRI-01.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P1.1"
        ],
        "GAPP": [
          "10.2.3"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.PO-P1",
          "CM.AW-P1"
        ],
        "NIST 800-53 R5": [
          "PT-5(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-5(2)"
        ]
      }
    },
    {
      "principle_name": "Transparency",
      "description": "Provide a transparent notice to the public about data privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications and other digital services regarding the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the personal data.",
      "scf_control": "Data Privacy Notice",
      "scf_control_id": "PRI-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.3-POF7",
          "P1.1",
          "P1.1-POF1",
          "P1.1-POF2",
          "P1.1-POF3",
          "P1.1-POF4",
          "P1.1-POF5",
          "P1.1-POF7"
        ],
        "APEC Privacy Framework 2015": [
          "2",
          "2(a)",
          "2(b)",
          "2(c)",
          "2(d)",
          "2(e)"
        ],
        "GAPP": [
          "2.1.1",
          "2.2.1",
          "2.2.2",
          "2.2.3",
          "3.1.0",
          "3.1.1",
          "3.1.2",
          "4.1.0",
          "4.1.1",
          "4.2.4",
          "5.1.0",
          "5.1.1",
          "6.1.0",
          "7.1.0",
          "7.1.1",
          "8.1.0",
          "8.1.1",
          "9.1.0",
          "9.1.1",
          "10.1.0",
          "10.1.1",
          "10.2.3"
        ],
        "ISO 29100 2024": [
          "6.3"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.PO-P1",
          "CM.AW-P1"
        ],
        "NIST 800-53 R5": [
          "PM-20(1)",
          "PT-5"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-20(1)",
          "PT-5"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.1.a.i",
          "II.1.a.ii",
          "II.1.a.iii",
          "II.1.a.iv",
          "II.1.a.ix",
          "II.1.a.v",
          "II.1.a.vi",
          "II.1.a.vii",
          "II.1.a.viii",
          "II.1.a.x",
          "II.1.a.xi",
          "II.1.a.xii",
          "II.1.a.xiii",
          "II.1.b",
          "III.11.d.i",
          "III.11.d.ii",
          "III.14.b.ii"
        ],
        "US FIPPS": [
          "7",
          "8"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.520(a)(1)",
          "164.520(a)(2)(i)",
          "164.520(a)(2)(i)(A)",
          "164.520(a)(2)(i)(B)",
          "164.520(a)(2)(ii)",
          "164.520(a)(2)(ii)(A)",
          "164.520(a)(2)(ii)(B)",
          "164.520(a)(2)(iii)",
          "164.520(b)(1)",
          "164.520(b)(1)(i)",
          "164.520(b)(1)(ii)",
          "164.520(b)(1)(ii)(A)",
          "164.520(b)(1)(ii)(B)",
          "164.520(b)(1)(ii)(C)",
          "164.520(b)(1)(ii)(D)",
          "164.520(b)(1)(ii)(E)",
          "164.520(b)(1)(iv)",
          "164.520(b)(1)(iv)(A)",
          "164.520(b)(1)(iv)(B)",
          "164.520(b)(1)(iv)(C)",
          "164.520(b)(1)(iv)(D)",
          "164.520(b)(1)(iv)(E)",
          "164.520(b)(1)(iv)(F)",
          "164.520(b)(1)(v)",
          "164.520(b)(1)(v)(A)",
          "164.520(b)(1)(v)(B)",
          "164.520(b)(1)(v)(C)",
          "164.520(b)(1)(vi)",
          "164.520(b)(1)(vii)",
          "164.520(b)(1)(viii)",
          "164.520(b)(2)(i)",
          "164.520(b)(2)(ii)",
          "164.520(b)(3)",
          "164.520(c)",
          "164.520(c)(1)(i)",
          "164.520(c)(1)(i)(A)",
          "164.520(c)(1)(i)(B)",
          "164.520(c)(1)(ii)",
          "164.520(c)(1)(iii)",
          "164.520(c)(1)(iv)",
          "164.520(c)(1)(v)",
          "164.520(c)(1)(v)(A)",
          "164.520(c)(1)(v)(B)"
        ],
        "US - CA CCPA 2025": [
          "7002(b)(5)",
          "7003(a)",
          "7004(a)(1)",
          "7010(a)",
          "7011(a)",
          "7011(b)",
          "7011(c)",
          "7011(d)",
          "7011(e)",
          "7011(e)(1)",
          "7011(e)(1)(A)",
          "7011(e)(1)(B)",
          "7011(e)(1)(C)",
          "7011(e)(1)(D)",
          "7011(e)(1)(E)",
          "7011(e)(1)(F)",
          "7011(e)(1)(G)",
          "7011(e)(1)(H)",
          "7011(e)(1)(I)",
          "7011(e)(1)(J)",
          "7011(e)(2)",
          "7011(e)(2)(A)",
          "7011(e)(2)(B)",
          "7011(e)(2)(C)",
          "7011(e)(2)(D)",
          "7011(e)(2)(E)",
          "7011(e)(2)(F)",
          "7011(e)(2)(G)",
          "7011(e)(2)(H)",
          "7011(e)(3)",
          "7011(e)(3)(A)",
          "7011(e)(3)(B)",
          "7011(e)(3)(C)",
          "7011(e)(3)(D)",
          "7011(e)(3)(E)",
          "7011(e)(3)(F)",
          "7011(e)(3)(G)",
          "7011(e)(3)(H)",
          "7011(e)(3)(I)",
          "7011(e)(3)(J)",
          "7011(e)(4)",
          "7011(e)(5)",
          "7012(f)",
          "7012(g)(1)",
          "7013(c)",
          "7013(e)",
          "7013(e)(1)",
          "7013(e)(2)",
          "7013(e)(3)",
          "7013(g)(2)",
          "7014(b)",
          "7014(c)",
          "7014(d)",
          "7014(e)(1)",
          "7014(e)(2)",
          "7014(e)(3)",
          "7014(g)(1)",
          "7014(g)(2)",
          "7014(h)",
          "7025(g)(2)",
          "7025(g)(2)(A)",
          "7025(g)(2)(B)",
          "7025(g)(2)(C)",
          "7025(g)(2)(D)",
          "7072(a)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)",
          "6-1-1308(1)(a)",
          "6-1-1308(1)(a)(I)",
          "6-1-1308(1)(a)(II)",
          "6-1-1308(1)(a)(IV)",
          "6-1-1308(1)(a)(V)",
          "6-1-1308(1)(b)",
          "6-1-105(1)(nnn)"
        ],
        "US - IL BIPA": [
          "15(a)"
        ],
        "US - OR CPA": [
          "5(1)(a)",
          "5(4)(a)",
          "5(4)(b)",
          "5(4)(c)",
          "5(4)(d)",
          "5(4)(e)",
          "5(4)(f)",
          "5(4)(g)",
          "5(4)(h)",
          "5(4)(i)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(a)(1)",
          "47-18-3204(c)",
          "47-18-3204(c)(1)",
          "47-18-3204(c)(2)",
          "47-18-3204(c)(3)",
          "47-18-3204(c)(4)",
          "47-18-3204(c)(5)",
          "47-18-3204(d)",
          "47-18-3204(e)(1)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.C",
          "59.1-578.C.1",
          "59.1-578.C.2",
          "59.1-578.C.3",
          "59.1-578.C.4",
          "59.1-578.C.5",
          "59.1-578.D",
          "59.1-578.E",
          "59.1-581.A.2"
        ],
        "EMEA EU GDPR": [
          "12.7",
          "13.1(a)",
          "13.1(b)",
          "13.1(c)",
          "13.1(d)",
          "13.1(e)",
          "13.2",
          "13.2(a)",
          "13.2(b)",
          "13.2(c)",
          "13.2(d)",
          "13.2(e)",
          "13.2(f)",
          "13.3",
          "14.1(a)",
          "14.1(b)",
          "14.1(c)",
          "14.1(d)",
          "14.1(e)",
          "14.1(f)",
          "14.2",
          "14.2(a)",
          "14.2(b)",
          "14.2(c)",
          "14.2(d)",
          "14.2(e)",
          "14.2(f)",
          "14.2(g)",
          "14.3(a)",
          "14.3(b)",
          "14.3(c)",
          "14.4",
          "14.5(a)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "12",
          "13.2",
          "13.4",
          "13.5",
          "13.6",
          "4.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 5"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1",
          "APP 5"
        ],
        "APAC India DPDPA 2023": [
          "5(1)(i)",
          "5(1)(ii)",
          "5(1)(iii)",
          "5(2)(a)(i)",
          "5(2)(a)(ii)",
          "5(2)(a)(iii)",
          "6(10)",
          "6(3)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 3",
          "P3-(1)",
          "P3-(1)(a)",
          "P3-(1)(b)",
          "P3-(1)(c)",
          "P3-(1)(d)",
          "P3-(1)(d)(i)",
          "P3-(1)(d)(ii)",
          "P3-(1)(e)",
          "P3-(1)(e)(i)",
          "P3-(1)(e)(ii)",
          "P3-(1)(f)",
          "P3-(1)(g)",
          "P3-(2)",
          "P3-(3)",
          "P3-(4)",
          "P3-(4)(a)",
          "P3-(4)(b)",
          "P3-(4)(b)(i)",
          "P3-(4)(b)(ii)",
          "P3-(4)(b)(iii)",
          "P3-(4)(b)(iv)",
          "P3-(4)(c)",
          "P3-(4)(d)",
          "P3-(4)(e)",
          "P3-(4)(e)(i)",
          "P3-(4)(e)(ii)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 2"
        ]
      }
    },
    {
      "principle_name": "Transparency",
      "description": "Provide a transparent notice to the public about data privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications and other digital services regarding the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of the personal data.",
      "scf_control": "Notification of Disclosure Request To Data Subject",
      "scf_control_id": "PRI-14.2",
      "crosswalks": {
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "24.2"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Notice & Purpose Specification",
      "description": "Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Purpose Specification",
      "scf_control_id": "PRI-02.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P1.1-POF1",
          "P1.1-POF2",
          "P1.1-POF3",
          "P1.1-POF4",
          "P6.7-POF1"
        ],
        "GAPP": [
          "4.2.1"
        ],
        "ISO 29100 2024": [
          "6.3"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.PO-P1"
        ],
        "NIST 800-53 R5": [
          "PT-3"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-3"
        ],
        "OECD Privacy Principles": [
          "3"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.1.a.iv",
          "II.5.a"
        ],
        "US FIPPS": [
          "3",
          "7"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(a)(3)",
          "164.508(c)(1)(i)",
          "164.508(c)(1)(ii)",
          "164.508(c)(1)(iii)",
          "164.508(c)(1)(iv)",
          "164.508(c)(2)(i)(A)",
          "164.508(c)(2)(i)(B)"
        ],
        "US - CA CCPA 2025": [
          "7002(a)(1)",
          "7002(a)(2)",
          "7002(b)(4)",
          "7027(m)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(1)(a)",
          "6-1-1308(1)(a)(I)",
          "6-1-1308(1)(a)(II)",
          "6-1-1308(1)(a)(IV)",
          "6-1-1308(1)(a)(V)",
          "6-1-1308(1)(b)",
          "6-1-1308(2)",
          "6-1-105(1)(nnn)"
        ],
        "US - IL BIPA": [
          "15(b)(1)",
          "15(b)(2)"
        ],
        "US - OR CPA": [
          "5(1)(a)",
          "5(4)(b)",
          "5(4)(h)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(c)(2)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.C.2"
        ],
        "EMEA EU GDPR": [
          "13.1(c)",
          "14.1(c)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.1",
          "13.2",
          "13.3"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1"
        ],
        "APAC India DPDPA 2023": [
          "4(2)",
          "5(1)(i)",
          "5(2)(a)(i)",
          "7(a)",
          "8(8)(a)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 3",
          "P3-(1)",
          "P3-(1)(a)",
          "P3-(1)(b)",
          "P3-(1)(c)",
          "P3-(1)(d)",
          "P3-(1)(d)(i)",
          "P3-(1)(d)(ii)",
          "P3-(1)(e)",
          "P3-(1)(e)(i)",
          "P3-(1)(e)(ii)",
          "P3-(1)(f)",
          "P3-(1)(g)",
          "P3-(2)",
          "P3-(3)",
          "P3-(4)",
          "P3-(4)(a)",
          "P3-(4)(b)",
          "P3-(4)(b)(i)",
          "P3-(4)(b)(ii)",
          "P3-(4)(b)(iii)",
          "P3-(4)(b)(iv)",
          "P3-(4)(c)",
          "P3-(4)(d)",
          "P3-(4)(e)",
          "P3-(4)(e)(i)",
          "P3-(4)(e)(ii)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 5",
          "Principle 2"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Notice & Purpose Specification",
      "description": "Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Notification of Disclosure Request To Data Subject",
      "scf_control_id": "PRI-14.2",
      "crosswalks": {
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "24.2"
        ]
      }
    },
    {
      "principle_name": "Data Lifecycle Management",
      "description": "Limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data to that which is legally authorized, relevant and deemed \"reasonably necessary\" for the proper performance of business functions.",
      "scf_control": "Data Protection",
      "scf_control_id": "DCH-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2-POF7",
          "C1.1",
          "C1.1-POF2",
          "CC2.1",
          "CC6.5",
          "CC6.7",
          "CC6.7-POF2",
          "CC8.1-POF16",
          "CC8.1-POF17",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "ISO 27701  2025": [
          "7.5.3(b)"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1"
        ],
        "NIST 800-53 R5": [
          "MP-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "MP-1"
        ],
        "NIST CSF 2.0": [
          "ID.AM-08",
          "PR.DS",
          "PR.DS-01",
          "PR.DS-02",
          "PR.DS-10"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(3)",
          "164.310(d)(1)",
          "164.312(c)(1)",
          "164.514(d)(3)(i)",
          "164.530(c)(2)(i)"
        ],
        "US - AK PIPA": [
          "45.48.100"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)",
          "6-1-1307(2)",
          "6-1-1307(3)",
          "6-1-1308(5)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(a)",
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(a)(2)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 8",
          "APP Part 11"
        ],
        "APAC Australian Privacy Principles": [
          "APP 11"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Data Lifecycle Management",
      "description": "Limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data to that which is legally authorized, relevant and deemed \"reasonably necessary\" for the proper performance of business functions.",
      "scf_control": "Automated Data Management Processes",
      "scf_control_id": "PRI-02.2",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.DM-P7"
        ],
        "NIST 800-53 R5": [
          "PM-24",
          "PT-2(2)",
          "PT-3(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-24"
        ]
      }
    },
    {
      "principle_name": "Data Lifecycle Management",
      "description": "Limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data to that which is legally authorized, relevant and deemed \"reasonably necessary\" for the proper performance of business functions.",
      "scf_control": "Personal Data (PD) Retention & Disposal",
      "scf_control_id": "PRI-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "C1.1-POF3",
          "C1.2",
          "C1.2-POF1",
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2",
          "P4.0",
          "P4.2",
          "P4.2-POF1",
          "P4.3",
          "P4.3-POF2",
          "P4.3-POF3"
        ],
        "GAPP": [
          "5.2.2",
          "5.2.3"
        ],
        "ISO 29100 2024": [
          "6.5",
          "6.6"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P5"
        ],
        "NIST 800-53 R5": [
          "AC-4(25)",
          "SI-12",
          "SI-12(3)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-12",
          "SI-12(3)"
        ],
        "NIST CSF 2.0": [
          "ID.AM-07"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.5.b"
        ],
        "US FIPPS": [
          "4"
        ],
        "US - AK PIPA": [
          "45.48.500"
        ],
        "US - IL BIPA": [
          "15(a)",
          "15(b)(2)"
        ],
        "US - IL PIPA": [
          "40(a)",
          "40(b)",
          "40(b)(1)",
          "40(b)(2)",
          "40(c)",
          "40(d)",
          "40(e)",
          "40(f)"
        ],
        "US - OR CPA": [
          "4(7)(a)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(C)(i)(a)",
          "47-18-3204(a)(4)"
        ],
        "US - TX BC521": [
          "521.052(b)"
        ],
        "EMEA EU GDPR": [
          "5.1(e)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.4",
          "18.1",
          "18.2.a",
          "18.2.b"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 3",
          "APP Part 6"
        ],
        "APAC Australian Privacy Principles": [
          "APP 4",
          "APP 6"
        ],
        "Americas Canada PIPEDA": [
          "Sec 7",
          "Sec 8",
          "Principle 5",
          "Principle 6"
        ]
      }
    },
    {
      "principle_name": "Data Lifecycle Management",
      "description": "Limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data to that which is legally authorized, relevant and deemed \"reasonably necessary\" for the proper performance of business functions.",
      "scf_control": "Data Tagging",
      "scf_control_id": "PRI-11",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.DM-P7"
        ],
        "NIST 800-53 R5": [
          "PT-3(1)"
        ]
      }
    },
    {
      "principle_name": "Processing Records",
      "description": "Maintain a record of processing activities that documents the organization's necessary records to support its obligations for the processing of sensitive/regulated data.",
      "scf_control": "Personal Data (PD) Lineage",
      "scf_control_id": "PRI-09",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CM.AW-P4",
          "CM.AW-P6"
        ],
        "NIST 800-53 R5": [
          "SA-4(12)"
        ]
      }
    },
    {
      "principle_name": "Data Flow Mapping",
      "description": "Maintain a record of processing activities that documents the flow of personal data that includes:\n - Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;\n - Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;\n - The purposes of the storage, transmission and processing;\n - A description of the categories of data subjects and personal data;\n - Where possible, the time limits for erasure of the different categories of data; and\n - Where possible, a description of the cybersecurity & data privacy measures of the data controller.",
      "scf_control": "Asset Inventories",
      "scf_control_id": "AST-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.1-POF6",
          "CC2.1-POF9",
          "CC6.1-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P1"
        ],
        "NIST 800-53 R5": [
          "CM-8",
          "PM-5"
        ],
        "NIST CSF 2.0": [
          "ID.AM",
          "ID.AM-01",
          "ID.AM-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(d)(2)(iii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)",
          "7123(c)(4)(B)"
        ]
      }
    },
    {
      "principle_name": "Data Flow Mapping",
      "description": "Maintain a record of processing activities that documents the flow of personal data that includes:\n - Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;\n - Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;\n - The purposes of the storage, transmission and processing;\n - A description of the categories of data subjects and personal data;\n - Where possible, the time limits for erasure of the different categories of data; and\n - Where possible, a description of the cybersecurity & data privacy measures of the data controller.",
      "scf_control": "Data Action Mapping",
      "scf_control_id": "AST-02.8",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.1-POF5",
          "CC2.1-POF9"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P1",
          "ID.IM-P4",
          "ID.IM-P5",
          "ID.IM-P8"
        ],
        "NIST 800-53 R5": [
          "CM-13"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(A)"
        ]
      }
    },
    {
      "principle_name": "Data Flow Mapping",
      "description": "Maintain a record of processing activities that documents the flow of personal data that includes:\n - Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;\n - Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;\n - The purposes of the storage, transmission and processing;\n - A description of the categories of data subjects and personal data;\n - Where possible, the time limits for erasure of the different categories of data; and\n - Where possible, a description of the cybersecurity & data privacy measures of the data controller.",
      "scf_control": "Network Diagrams & Data Flow Diagrams (DFDs)",
      "scf_control_id": "AST-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "C1.1-POF1",
          "CC2.1",
          "CC2.1-POF2",
          "CC2.1-POF5"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P1"
        ],
        "NIST 800-53 R5": [
          "PL-2",
          "SA-4(1)",
          "SA-4(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-2"
        ],
        "NIST CSF 2.0": [
          "ID.AM-03"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(A)"
        ]
      }
    },
    {
      "principle_name": "Data Flow Mapping",
      "description": "Maintain a record of processing activities that documents the flow of personal data that includes:\n - Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;\n - Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;\n - The purposes of the storage, transmission and processing;\n - A description of the categories of data subjects and personal data;\n - Where possible, the time limits for erasure of the different categories of data; and\n - Where possible, a description of the cybersecurity & data privacy measures of the data controller.",
      "scf_control": "Sensitive / Regulated Data Actions",
      "scf_control_id": "CFG-08.1",
      "crosswalks": {
        "US HIPAA Administrative Simplification 2013": [
          "164.312(c)(2)"
        ]
      }
    },
    {
      "principle_name": "Data Flow Mapping",
      "description": "Maintain a record of processing activities that documents the flow of personal data that includes:\n - Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;\n - Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;\n - The purposes of the storage, transmission and processing;\n - A description of the categories of data subjects and personal data;\n - Where possible, the time limits for erasure of the different categories of data; and\n - Where possible, a description of the cybersecurity & data privacy measures of the data controller.",
      "scf_control": "Sensitive / Regulated Media Records",
      "scf_control_id": "DCH-01.3",
      "crosswalks": {
        "NIST CSF 2.0": [
          "PR.DS"
        ]
      }
    },
    {
      "principle_name": "Data Flow Mapping",
      "description": "Maintain a record of processing activities that documents the flow of personal data that includes:\n - Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;\n - Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;\n - The purposes of the storage, transmission and processing;\n - A description of the categories of data subjects and personal data;\n - Where possible, the time limits for erasure of the different categories of data; and\n - Where possible, a description of the cybersecurity & data privacy measures of the data controller.",
      "scf_control": "Data Tagging",
      "scf_control_id": "PRI-11",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.DM-P7"
        ],
        "NIST 800-53 R5": [
          "PT-3(1)"
        ]
      }
    },
    {
      "principle_name": "Data Custodians",
      "description": "Identify the owners or operators of Technology Assets, Applications and/or Services (TAAS) that process data, or with which data subjects are interacting.",
      "scf_control": "Asset Ownership Assignment",
      "scf_control_id": "AST-03",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "ID.IM-P2"
        ],
        "NIST 800-53 R5": [
          "SA-4(12)"
        ],
        "NIST CSF 2.0": [
          "ID.AM"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(d)(2)(iii)"
        ]
      }
    },
    {
      "principle_name": "Data Custodians",
      "description": "Identify the owners or operators of Technology Assets, Applications and/or Services (TAAS) that process data, or with which data subjects are interacting.",
      "scf_control": "Accountability Information",
      "scf_control_id": "AST-03.1",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "ID.IM-P2"
        ],
        "NIST 800-53 R5": [
          "CM-8(4)"
        ],
        "NIST CSF 2.0": [
          "ID.AM"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(d)(2)(iii)"
        ]
      }
    },
    {
      "principle_name": "Retention of Personal Data",
      "description": "Ensure that all records containing personal data are maintained in accordance with the organization's records retention schedule and comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Media & Data Retention",
      "scf_control_id": "DCH-18",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "C1.1-POF3",
          "PI1.5"
        ],
        "NIST 800-53 R5": [
          "MP-7",
          "SI-12"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-12"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.316(b)(2)(i)"
        ],
        "US - CA CCPA 2025": [
          "7122(g)",
          "7123(c)(16)",
          "7155(c)"
        ],
        "US - OR CPA": [
          "8(6)"
        ],
        "APAC India DPDPA 2023": [
          "8(7)(a)",
          "8(8)"
        ]
      }
    },
    {
      "principle_name": "Retention of Personal Data",
      "description": "Ensure that all records containing personal data are maintained in accordance with the organization's records retention schedule and comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Minimize Sensitive / Regulated Data",
      "scf_control_id": "DCH-18.1",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.5"
        ],
        "NIST 800-53 R5": [
          "SI-12(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-12(1)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(b)(1)"
        ],
        "US - NV SB220": [
          "2.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "11.3"
        ]
      }
    },
    {
      "principle_name": "Secure Destruction of Personal Data",
      "description": "Utilize secure methods to dispose of or destroy both physical and digital media that contain personal data.",
      "scf_control": "Sanitization of Personal Data (PD)",
      "scf_control_id": "DCH-09.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P4.3"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P5"
        ],
        "NIST 800-53 R5": [
          "MP-6",
          "MP-6(3)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "MP-6"
        ],
        "US - AK PIPA": [
          "45.48.500"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(16)"
        ],
        "APAC India DPDPA 2023": [
          "8(7)(a)"
        ]
      }
    },
    {
      "principle_name": "Secure Destruction of Personal Data",
      "description": "Utilize secure methods to dispose of or destroy both physical and digital media that contain personal data.",
      "scf_control": "Information Disposal",
      "scf_control_id": "DCH-21",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "C1.2",
          "C1.2-POF1",
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2",
          "P4.3",
          "P4.3-POF2",
          "P4.3-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P5"
        ],
        "NIST 800-53 R5": [
          "SI-12(3)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-12(3)"
        ],
        "US - AK PIPA": [
          "45.48.500",
          "45.48.510"
        ],
        "US - IL PIPA": [
          "40(a)",
          "40(b)",
          "40(b)(1)",
          "40(b)(2)",
          "40(c)",
          "40(d)",
          "40(e)",
          "40(f)"
        ],
        "US - TX BC521": [
          "521.052(b)"
        ]
      }
    },
    {
      "principle_name": "Geolocation Restrictions",
      "description": "Restrict processing, storage and service locations to comply with the data privacy notice, as well as applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Information Location",
      "scf_control_id": "DCH-24",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.1-POF9"
        ],
        "NIST 800-53 R5": [
          "CM-12"
        ],
        "Americas Canada PIPEDA": [
          "Sec 20"
        ]
      }
    },
    {
      "principle_name": "Geolocation Restrictions",
      "description": "Restrict processing, storage and service locations to comply with the data privacy notice, as well as applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Transfer of Sensitive and/or Regulated Data",
      "scf_control_id": "DCH-25",
      "crosswalks": {
        "EMEA EU GDPR": [
          "44",
          "45.1",
          "46.1",
          "46.2",
          "46.2(a)",
          "49.1",
          "49.1(a)",
          "49.1(b)",
          "49.1(c)",
          "49.1(d)",
          "49.1(e)",
          "49.1(f)",
          "49.1(g)",
          "49.2",
          "49.3",
          "49.4",
          "49.6"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "29.1"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 12",
          "P12-(1)",
          "P12-(1)(a)",
          "P12-(1)(b)",
          "P12-(1)(c)",
          "P12-(1)(d)",
          "P12-(1)(e)",
          "P12-(1)(f)",
          "P12-(2)",
          "P12-(3)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 20"
        ]
      }
    },
    {
      "principle_name": "Geolocation Restrictions",
      "description": "Restrict processing, storage and service locations to comply with the data privacy notice, as well as applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Distributed Processing & Storage",
      "scf_control_id": "SEA-15",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PE-23",
          "SC-36"
        ],
        "Americas Canada PIPEDA": [
          "Sec 20"
        ]
      }
    },
    {
      "principle_name": "Geolocation Restrictions",
      "description": "Restrict processing, storage and service locations to comply with the data privacy notice, as well as applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Third-Party Processing, Storage and Service Locations",
      "scf_control_id": "TPM-04.4",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.1-POF9",
          "CC9.1"
        ],
        "NIST 800-53 R5": [
          "PE-23",
          "SA-9(5)"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 20"
        ]
      }
    },
    {
      "principle_name": "Data Portability",
      "description": "Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance.",
      "scf_control": "Data Portability",
      "scf_control_id": "PRI-06.6",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P6.7-POF2"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P4",
          "CT.DM-P2",
          "CT.DM-P6"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.524(c)(2)(i)",
          "164.524(c)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7024(g)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(e)"
        ],
        "US - OR CPA": [
          "3(2)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(D)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.4"
        ],
        "EMEA EU GDPR": [
          "20.1"
        ]
      }
    },
    {
      "principle_name": "Data Portability",
      "description": "Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance.",
      "scf_control": "Personal Data (PD) Exports",
      "scf_control_id": "PRI-06.7",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P6.7-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "8(a)",
          "8(b)",
          "8(b)(i)",
          "8(b)(ii)",
          "8(b)(iii)",
          "8(b)(iv)"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P2",
          "CT.DM-P6"
        ],
        "OECD Privacy Principles": [
          "7(b)",
          "7(b)(iv)"
        ],
        "US - CA CCPA 2025": [
          "7024(g)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(e)"
        ],
        "US - OR CPA": [
          "3(1)(a)(C)",
          "3(2)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(D)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.4"
        ],
        "EMEA EU GDPR": [
          "20.1",
          "20.1(b)"
        ],
        "APAC India DPDPA 2023": [
          "11(1)(a)"
        ]
      }
    },
    {
      "principle_name": "Record of Disclosures",
      "description": "Develop and maintain an accounting of personal data disclosures that upon request can be made available to the individual whose personal data was disclosed.",
      "scf_control": "Documenting Data Processing Activities",
      "scf_control_id": "PRI-14",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.3",
          "P8.1-POF4",
          "P8.1-POF5"
        ],
        "GAPP": [
          "10.2.3",
          "10.2.5"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P4",
          "CM.AW-P6",
          "CM.AW-P7"
        ],
        "NIST 800-53 R5": [
          "PM-27"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-27"
        ],
        "EMEA EU GDPR": [
          "30.1",
          "30.1(a)",
          "30.1(b)",
          "30.1(c)",
          "30.1(d)",
          "30.1(e)",
          "30.1(f)",
          "30.1(g)",
          "30.2",
          "30.2(a)",
          "30.2(b)",
          "30.2(c)",
          "30.2(d)",
          "30.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "31",
          "31.1",
          "31.2",
          "31.3",
          "31.4",
          "31.5",
          "31.6"
        ]
      }
    },
    {
      "principle_name": "Record of Disclosures",
      "description": "Develop and maintain an accounting of personal data disclosures that upon request can be made available to the individual whose personal data was disclosed.",
      "scf_control": "Accounting of Disclosures",
      "scf_control_id": "PRI-14.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P6.2",
          "P6.2-POF1",
          "P6.3",
          "P6.3-POF1"
        ],
        "GAPP": [
          "7.2.1",
          "7.2.4"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P4"
        ],
        "NIST 800-53 R5": [
          "PM-21"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-21"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.528(a)(1)",
          "164.528(a)(1)(i)",
          "164.528(a)(1)(ii)",
          "164.528(a)(1)(iii)",
          "164.528(a)(1)(iv)",
          "164.528(a)(1)(ix)",
          "164.528(a)(1)(v)",
          "164.528(a)(1)(vi)",
          "164.528(a)(1)(vii)",
          "164.528(a)(1)(viii)",
          "164.528(b)",
          "164.528(b)(1)",
          "164.528(b)(2)",
          "164.528(b)(2)(i)",
          "164.528(b)(2)(ii)",
          "164.528(b)(2)(iii)",
          "164.528(b)(2)(iv)",
          "164.528(b)(3)",
          "164.528(b)(3)(i)",
          "164.528(b)(3)(ii)",
          "164.528(b)(3)(iii)",
          "164.528(b)(4)(i)",
          "164.528(b)(4)(i)(A)",
          "164.528(b)(4)(i)(B)",
          "164.528(b)(4)(i)(C)",
          "164.528(b)(4)(i)(D)",
          "164.528(b)(4)(i)(E)",
          "164.528(b)(4)(i)(F)",
          "164.528(b)(4)(ii)",
          "164.528(c)(1)",
          "164.528(c)(1)(i)",
          "164.528(c)(1)(ii)",
          "164.528(c)(1)(ii)(A)",
          "164.528(c)(1)(ii)(B)",
          "164.528(c)(2)",
          "164.528(d)",
          "164.528(d)(1)",
          "164.528(d)(2)",
          "164.528(d)(3)"
        ],
        "US - OR CPA": [
          "3(1)(a)(B)(i)",
          "3(1)(a)(B)(ii)"
        ],
        "APAC India DPDPA 2023": [
          "11(1)(b)"
        ]
      }
    },
    {
      "principle_name": "Integrity Protections",
      "description": "Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Data Governance",
      "scf_control_id": "GOV-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.2-POF1"
        ],
        "NIST 800-53 R5": [
          "PM-23",
          "PM-24"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-24"
        ]
      }
    },
    {
      "principle_name": "Integrity Protections",
      "description": "Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Personal Data (PD) Accuracy & Integrity",
      "scf_control_id": "PRI-05.2",
      "crosswalks": {
        "APEC Privacy Framework 2015": [
          "6"
        ],
        "GAPP": [
          "9.2.1"
        ],
        "ISO 29100 2024": [
          "6.7"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.DS-P6"
        ],
        "NIST 800-53 R5": [
          "PM-24"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-24"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.5.a"
        ],
        "EMEA EU GDPR": [
          "5.1(d)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "14"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 10"
        ],
        "APAC Australian Privacy Principles": [
          "APP 10"
        ],
        "APAC India DPDPA 2023": [
          "8(3)",
          "8(3)(a)",
          "8(3)(b)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 9"
        ],
        "Americas Canada PIPEDA": [
          "Principle 6"
        ]
      }
    },
    {
      "principle_name": "De-Identification",
      "description": "Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization).",
      "scf_control": "De-Identification (Anonymization)",
      "scf_control_id": "DCH-23",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SI-19"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-19"
        ],
        "US Data Privacy Framework (DPF)": [
          "III.14.a.i",
          "III.14.g.i"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1307(1)(a)",
          "6-1-1307(1)(b)",
          "6-1-1307(1)(b)(I)(A)",
          "6-1-1307(1)(b)(I)(B)",
          "6-1-1307(1)(b)(II)",
          "6-1-1307(1)(b)(III)"
        ],
        "US - OR CPA": [
          "7(1)(a)(A)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(C)"
        ],
        "US - VA CDPA 2025": [
          "59.1-581.A.1"
        ]
      }
    },
    {
      "principle_name": "De-Identification",
      "description": "Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization).",
      "scf_control": "Data Masking",
      "scf_control_id": "PRI-05.3",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SI-19(4)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(C)"
        ],
        "US - VA CDPA 2025": [
          "59.1-581.A.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 2"
        ]
      }
    },
    {
      "principle_name": "Quality Management",
      "description": "Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual.",
      "scf_control": "Data Quality Management",
      "scf_control_id": "PRI-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P7.0",
          "P7.1",
          "P7.1-POF1",
          "P7.1-POF2"
        ],
        "GAPP": [
          "9.2.1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P4",
          "CT.DM-P8"
        ],
        "NIST 800-53 R5": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-24"
        ],
        "OECD Privacy Principles": [
          "2"
        ],
        "US FIPPS": [
          "5"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.512(i)(1)(i)(B)",
          "164.512(i)(1)(i)(B)(1)",
          "164.512(i)(1)(i)(B)(2)",
          "164.512(i)(1)(i)(B)(3)"
        ],
        "US - CA CCPA 2025": [
          "7023(c)"
        ]
      }
    },
    {
      "principle_name": "Quality Management",
      "description": "Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual.",
      "scf_control": "Data Quality Automation",
      "scf_control_id": "PRI-10.1",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-3(2)"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Cybersecurity & Data Protection In Project Management",
      "scf_control_id": "PRM-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.1",
          "CC4.1",
          "CC5.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P3",
          "CT.PO-P1",
          "CT.DM-P1",
          "CT.DM-P2",
          "CT.DM-P3",
          "CT.DM-P4",
          "CT.DM-P5",
          "CT.DM-P6",
          "CT.DM-P7",
          "CT.DM-P8",
          "CT.DM-P9",
          "CT.DM-P10",
          "CT.PO-P4"
        ],
        "NIST 800-53 R5": [
          "CA-2"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-2"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Cybersecurity & Data Protection Requirements Definition",
      "scf_control_id": "PRM-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2",
          "CC4.1",
          "CC5.2",
          "PI1.1-POF1",
          "PI1.1-POF2",
          "PI1.1-POF3"
        ],
        "ISO 27701  2025": [
          "6.1.1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "RA-9"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7100(b)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Business Process Definition",
      "scf_control_id": "PRM-06",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.3",
          "CC3.1",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC3.1-POF12",
          "CC3.1-POF13",
          "CC3.1-POF14",
          "CC3.1-POF15",
          "CC3.1-POF16",
          "CC3.1-POF7",
          "CC3.1-POF8",
          "CC3.1-POF9",
          "CC3.4",
          "CC4.1",
          "CC5.1",
          "CC5.2",
          "P6.7-POF1",
          "PI1.1",
          "PI1.1-POF1",
          "PI1.3-POF1",
          "PI1.3-POF2",
          "PI1.3-POF3",
          "PI1.3-POF4",
          "PI1.3-POF5",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "ISO 27701  2025": [
          "4.1",
          "4.2",
          "4.2(a)",
          "4.2(b)",
          "4.2(c)",
          "6.1.1"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P5",
          "CT.PO-P1",
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "PM-11"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(2)(i)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Secure Development Life Cycle (SDLC) Management",
      "scf_control_id": "PRM-07",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.2",
          "CC8.1",
          "CC8.1-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P3",
          "CT.PO-P1",
          "CT.DM-P7",
          "CT.DM-P8",
          "CT.PO-P4"
        ],
        "NIST 800-53 R5": [
          "SA-3",
          "SA-3(1)",
          "SA-8(30)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-3"
        ],
        "NIST CSF 2.0": [
          "GV.SC-09",
          "ID.AM-08",
          "PR.PS-02",
          "PR.PS-03"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Manage Organizational Knowledge",
      "scf_control_id": "PRM-08",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.DM-P7",
          "CT.DM-P8"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Secure Engineering Principles",
      "scf_control_id": "SEA-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2",
          "CC3.2",
          "CC5.1",
          "CC5.2",
          "CC6.1-POF2",
          "CC8.1-POF15",
          "CC8.1-POF18"
        ],
        "GAPP": [
          "4.2.3",
          "6.2.2",
          "7.2.2",
          "7.2.3"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P4",
          "GV.PO-P2",
          "CT.PO-P1",
          "CT.DM-P7",
          "CT.DM-P8",
          "CM.AW-P3"
        ],
        "NIST 800-53 R5": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SC-7(18)",
          "SI-1",
          "SA-15(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-1",
          "SI-1"
        ],
        "NIST CSF 2.0": [
          "PR.IR",
          "PR.IR-01",
          "PR.IR-03"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.4.a"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(B)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)",
          "6-1-1308(5)"
        ],
        "US - TX BC521": [
          "521.052"
        ],
        "US - VT Act 171 of 2018": [
          "2447(a)",
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(a)(2)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 8",
          "APP Part 11"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Secure Data Processing",
      "description": "Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle.",
      "scf_control": "Secure Software Development Practices (SSDP)",
      "scf_control_id": "TDA-06",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "PI1.1",
          "PI1.2",
          "PI1.2-POF1",
          "PI1.2-POF2",
          "PI1.2-POF3",
          "PI1.3",
          "PI1.3-POF1",
          "PI1.3-POF2",
          "PI1.3-POF3",
          "PI1.3-POF4",
          "PI1.3-POF5",
          "PI1.4",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.DM-P7",
          "CT.DM-P8",
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "SA-1",
          "SA-4(3)",
          "SA-15"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-1"
        ],
        "NIST CSF 2.0": [
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Data Lineage",
      "description": "Maintain records of the inputs, entities and associated Technology Assets, Applications and/or Services (TAAS) that influence data of interest, providing a historical record of the data and its origins.",
      "scf_control": "System Security & Privacy Plan (SSPP)",
      "scf_control_id": "IAO-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF11",
          "CC2.3-POF10",
          "CC2.3-POF11",
          "CC2.3-POF9"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P7",
          "ID.IM-P8",
          "ID.BE-P3",
          "CM.AW-P6",
          "PR.PO-P4"
        ],
        "NIST 800-53 R5": [
          "PL-2"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-2"
        ]
      }
    },
    {
      "principle_name": "Data Lineage",
      "description": "Maintain records of the inputs, entities and associated Technology Assets, Applications and/or Services (TAAS) that influence data of interest, providing a historical record of the data and its origins.",
      "scf_control": "Personal Data (PD) Lineage",
      "scf_control_id": "PRI-09",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CM.AW-P4",
          "CM.AW-P6"
        ],
        "NIST 800-53 R5": [
          "SA-4(12)"
        ]
      }
    },
    {
      "principle_name": "Updated Use Permissions",
      "description": "Implement data management processes to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s).",
      "scf_control": "Just-In-Time Notice & Updated Consent",
      "scf_control_id": "PRI-03.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P2.1",
          "P2.1-POF4",
          "P3.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "NIST 800-53 R5": [
          "PT-4(2)",
          "PT-5(1)"
        ],
        "US Data Privacy Framework (DPF)": [
          "III.14.b.i",
          "III.14.b.ii"
        ],
        "US - CA CCPA 2025": [
          "7002(f)",
          "7010(f)",
          "7022(g)",
          "7022(h)",
          "7025(c)(5)",
          "7026(k)",
          "7027(l)",
          "7221(i)",
          "7221(k)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(II)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "APAC Australian Privacy Principles": [
          "APP 5"
        ],
        "Americas Canada PIPEDA": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Updating & Correcting Personal Data (PD)",
      "scf_control_id": "DCH-22.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.1",
          "P5.2"
        ],
        "GAPP": [
          "6.2.5",
          "6.2.6",
          "10.2.1",
          "10.2.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P3"
        ],
        "NIST 800-53 R5": [
          "SI-18(4)",
          "SI-18(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-18(4)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(a)(1)",
          "164.526(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7023(c)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(c)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.2"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "17.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 13"
        ],
        "APAC Australian Privacy Principles": [
          "APP 13"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "P6-(2)",
          "Principle 7",
          "P7-(1)",
          "P7-(2)",
          "P7-(3)(a)",
          "P7-(3)(b)",
          "P7-(4)",
          "P7-(5)",
          "P7-(6)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 10"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Vulnerability Disclosure Program (VDP)",
      "scf_control_id": "THR-06",
      "crosswalks": {
        "NIST 800-53 R5": [
          "RA-5(11)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(6)"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Vulnerability & Patch Management Program (VPMP)",
      "scf_control_id": "VPM-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.2-POF7",
          "CC3.2-POF9",
          "CC3.4-POF6",
          "CC8.1-POF14",
          "CC8.1-POF16",
          "CC9.2-POF13"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.PO-P10"
        ],
        "NIST 800-53 R5": [
          "SI-2",
          "SI-3"
        ],
        "NIST CSF 2.0": [
          "ID.RA-01",
          "ID.RA-08",
          "PR.PS-02"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(D)",
          "7123(c)(6)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(7)"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Attack Surface Scope",
      "scf_control_id": "VPM-01.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF9",
          "CC3.2-POF7",
          "CC3.2-POF9",
          "CC3.4-POF6",
          "CC9.2-POF13"
        ],
        "NIST 800-53 R5": [
          "SA-11(6)",
          "SA-11(7)"
        ],
        "NIST CSF 2.0": [
          "PR.PS-02"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(D)"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Vulnerability Remediation Process",
      "scf_control_id": "VPM-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2",
          "CC5.3-POF4",
          "CC7.4-POF8"
        ],
        "NIST 800-53 R5": [
          "PM-4",
          "SC-18(1)"
        ],
        "NIST CSF 2.0": [
          "ID.RA-08",
          "PR.PS-02"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(D)"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Vulnerability Ranking",
      "scf_control_id": "VPM-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.4-POF6"
        ],
        "NIST CSF 2.0": [
          "ID.RA-08"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(D)"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Continuous Vulnerability Remediation Activities",
      "scf_control_id": "VPM-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2"
        ],
        "NIST 800-53 R5": [
          "SC-18(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(D)"
        ]
      }
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Flaw Remediation with Personal Data (PD)",
      "scf_control_id": "VPM-04.2",
      "crosswalks": {}
    },
    {
      "principle_name": "Flaw Remediation with Personal Data",
      "description": "Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.",
      "scf_control": "Software & Firmware Patching",
      "scf_control_id": "VPM-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC8.1-POF14",
          "CC8.1-POF16"
        ],
        "NIST 800-53 R5": [
          "SI-2",
          "SI-2(4)",
          "SI-3"
        ],
        "NIST CSF 2.0": [
          "PR.PS-02"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(A)",
          "7123(c)(5)(D)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(7)"
        ]
      }
    },
    {
      "principle_name": "Analytical Biases",
      "description": "Understand and evaluate data analytic inputs and outputs for potential bias.",
      "scf_control": "Data Analytics Bias",
      "scf_control_id": "PRI-10.2",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "ID.RA-P2"
        ]
      }
    },
    {
      "principle_name": "Data Subject Rights",
      "description": "Provide data subjects with appropriate access to their personal data.",
      "scf_control": "Active Participation By Data Subjects",
      "scf_control_id": "PRI-03.7",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.5"
        ],
        "OECD Privacy Principles": [
          "1"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.2.c",
          "III.12.a",
          "III.12.b"
        ],
        "US - CA CCPA 2025": [
          "7010(e)",
          "7010(f)",
          "7025(c)(4)",
          "7027(b)",
          "7027(i)"
        ],
        "US - OR CPA": [
          "3(1)(d)(A)",
          "3(1)(d)(B)",
          "3(1)(d)(C)",
          "5(6)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(b)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A",
          "59.1-577.A.5"
        ]
      }
    },
    {
      "principle_name": "Data Subject Rights",
      "description": "Provide data subjects with appropriate access to their personal data.",
      "scf_control": "Data Subject Empowerment",
      "scf_control_id": "PRI-06",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.0",
          "P5.1",
          "P5.1-POF1",
          "P5.1-POF2",
          "P5.1-POF3"
        ],
        "APEC Privacy Framework 2015": [
          "8(c)"
        ],
        "GAPP": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.4",
          "6.2.5",
          "6.2.6"
        ],
        "ISO 29100 2024": [
          "6.9",
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P1"
        ],
        "NIST 800-53 R5": [
          "AC-3(14)",
          "SI-18(4)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AC-3(14)",
          "SI-18(4)"
        ],
        "OECD Privacy Principles": [
          "7(a)"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.6.a",
          "III.14.e.ii",
          "III.8.a.i",
          "III.8.a.i.1",
          "III.8.a.i.2",
          "III.8.a.i.3",
          "III.8.a.iii",
          "III.8.b.i",
          "III.8.b.ii",
          "III.8.d.ii",
          "III.8.e.i",
          "III.8.f.i"
        ],
        "US FIPPS": [
          "1",
          "6"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.502(a)(2)(i)",
          "164.502(a)(2)(ii)",
          "164.514(h)(1)(i)",
          "164.514(h)(1)(ii)",
          "164.524(a)(1)",
          "164.524(a)(1)(i)",
          "164.524(a)(1)(ii)",
          "164.524(a)(1)(iii)",
          "164.524(a)(1)(iii)(A)",
          "164.524(a)(1)(iii)(B)",
          "164.524(a)(2)",
          "164.524(a)(2)(i)",
          "164.524(a)(2)(ii)",
          "164.524(a)(2)(iii)",
          "164.524(a)(2)(iv)",
          "164.524(a)(2)(v)",
          "164.524(a)(3)",
          "164.524(a)(3)(i)",
          "164.524(a)(3)(ii)",
          "164.524(a)(3)(iii)",
          "164.524(a)(4)",
          "164.524(b)(1)",
          "164.524(b)(2)(i)",
          "164.524(b)(2)(i)(A)",
          "164.524(b)(2)(i)(B)",
          "164.524(b)(2)(ii)",
          "164.524(b)(2)(ii)(A)",
          "164.524(b)(2)(ii)(B)",
          "164.524(c)",
          "164.524(c)(1)",
          "164.524(c)(3)(i)",
          "164.524(c)(3)(ii)",
          "164.524(c)(4)",
          "164.524(c)(4)(i)",
          "164.524(c)(4)(ii)",
          "164.524(c)(4)(iii)",
          "164.524(c)(4)(iv)",
          "164.524(d)",
          "164.524(d)(1)",
          "164.524(d)(2)"
        ],
        "US - CA CCPA 2025": [
          "7020(a)",
          "7020(b)",
          "7020(c)",
          "7020(d)",
          "7020(e)",
          "7020(f)",
          "7020(f)(1)",
          "7020(f)(2)",
          "7022(b)",
          "7023(c)",
          "7023(d)(1)",
          "7024(g)",
          "7024(h)",
          "7024(j)",
          "7027(d)",
          "7027(e)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(b)"
        ],
        "US - NV SB220": [
          "2.1"
        ],
        "US - OR CPA": [
          "3(1)(a)(A)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(1)",
          "47-18-3203(a)(2)(A)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A",
          "59.1-577.A.1",
          "59.1-577.A.2",
          "59.1-577.A.3",
          "59.1-577.A.4"
        ],
        "EMEA EU GDPR": [
          "12.3",
          "12.5(b)",
          "12.6",
          "15.1",
          "15.1(a)",
          "15.1(b)",
          "15.1(c)",
          "15.1(d)",
          "15.1(e)",
          "15.1(g)",
          "15.1(h)",
          "15.2",
          "15.3",
          "15.4",
          "16",
          "17.1",
          "18.1",
          "18.1(a)",
          "18.1(b)",
          "18.1(c)",
          "18.1(d)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "21",
          "4.2",
          "4.3",
          "4.4",
          "4.5"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 12"
        ],
        "APAC Australian Privacy Principles": [
          "APP 12"
        ],
        "APAC India DPDPA 2023": [
          "11(1)(c)",
          "11(2)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 6",
          "P6-(1)",
          "P6-(1)(a)",
          "P6-(1)(b)",
          "P6-(2)",
          "P6-(3)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 8",
          "Principle 9"
        ]
      }
    },
    {
      "principle_name": "Data Subject Rights",
      "description": "Provide data subjects with appropriate access to their personal data.",
      "scf_control": "Reject Unauthenticated or Untrustworthy Disclosure Requests",
      "scf_control_id": "PRI-07.4",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.1-POF4",
          "P5.2-POF1",
          "P5.2-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P1"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.524(d)(2)(i)",
          "164.524(d)(2)(ii)",
          "164.524(d)(2)(iii)",
          "164.524(d)(3)"
        ],
        "US - CA CCPA 2025": [
          "7022(a)",
          "7023(b)",
          "7024(a)",
          "7024(b)",
          "7026(e)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)"
        ],
        "US - OR CPA": [
          "4(5)(e)(B)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(b)(4)"
        ]
      }
    },
    {
      "principle_name": "Inquiry Management",
      "description": "Maintain a capability to receive and respond to data privacy-related requests, complaints, concerns or questions from data subjects.",
      "scf_control": "Updating & Correcting Personal Data (PD)",
      "scf_control_id": "DCH-22.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.1",
          "P5.2"
        ],
        "GAPP": [
          "6.2.5",
          "6.2.6",
          "10.2.1",
          "10.2.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P3"
        ],
        "NIST 800-53 R5": [
          "SI-18(4)",
          "SI-18(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-18(4)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(a)(1)",
          "164.526(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7023(c)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(c)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.2"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "17.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 13"
        ],
        "APAC Australian Privacy Principles": [
          "APP 13"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "P6-(2)",
          "Principle 7",
          "P7-(1)",
          "P7-(2)",
          "P7-(3)(a)",
          "P7-(3)(b)",
          "P7-(4)",
          "P7-(5)",
          "P7-(6)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 10"
        ]
      }
    },
    {
      "principle_name": "Inquiry Management",
      "description": "Maintain a capability to receive and respond to data privacy-related requests, complaints, concerns or questions from data subjects.",
      "scf_control": "User Feedback Management",
      "scf_control_id": "PRI-06.4",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P4.3-POF1",
          "P5.1",
          "P5.1-POF4",
          "P5.1-POF5",
          "P5.2",
          "P5.2-POF1",
          "P5.2-POF3",
          "P5.2-POF4",
          "P6.7-POF2",
          "P8.1",
          "P8.1-POF1",
          "P8.1-POF2",
          "P8.1-POF3"
        ],
        "GAPP": [
          "6.2.5",
          "6.2.6",
          "7.1.2",
          "10.2.1",
          "10.2.2"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "GV.MT-P7",
          "CM.AW-P2",
          "CT.PO-P4"
        ],
        "NIST 800-53 R5": [
          "PM-26"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-26"
        ],
        "OECD Privacy Principles": [
          "7(b)(i)",
          "7(b)(ii)",
          "7(b)(iii)",
          "7(c)",
          "7(d)"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.7.a.i",
          "III.11.d.i",
          "III.8.i.i"
        ],
        "US FIPPS": [
          "6"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(b)(2)(i)",
          "164.526(b)(2)(i)(A)",
          "164.526(b)(2)(i)(B)",
          "164.526(b)(2)(ii)",
          "164.526(b)(2)(ii)(A)",
          "164.526(b)(2)(ii)(B)",
          "164.526(d)",
          "164.526(d)(1)",
          "164.526(d)(1)(i)",
          "164.526(d)(1)(ii)",
          "164.526(d)(1)(iii)",
          "164.526(d)(1)(iv)",
          "164.526(d)(2)",
          "164.526(d)(3)",
          "164.526(d)(4)",
          "164.526(d)(5)(i)",
          "164.526(d)(5)(ii)",
          "164.526(d)(5)(iii)",
          "164.526(e)",
          "164.526(f)",
          "164.530(d)(1)",
          "164.530(d)(2)"
        ],
        "US - CA CCPA 2025": [
          "7021(a)",
          "7021(b)",
          "7022(e)",
          "7022(f)",
          "7022(f)(1)",
          "7023(a)",
          "7023(d)(2)(A)",
          "7023(d)(2)(B)",
          "7023(d)(2)(C)",
          "7023(d)(2)(D)",
          "7023(f)(1)",
          "7023(f)(2)",
          "7023(f)(3)",
          "7023(f)(4)",
          "7023(i)",
          "7023(j)",
          "7023(k)",
          "7024(c)",
          "7024(c)(1)",
          "7024(c)(2)",
          "7024(c)(3)",
          "7024(c)(4)",
          "7024(d)",
          "7024(d)(1)",
          "7024(d)(2)",
          "7024(e)",
          "7024(e)(1)",
          "7024(e)(2)",
          "7024(k)",
          "7024(k)(1)",
          "7024(k)(2)",
          "7024(k)(3)",
          "7024(k)(4)",
          "7024(k)(5)",
          "7024(k)(6)",
          "7027(h)",
          "7027(k)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(2)(a)",
          "6-1-1306(2)(b)",
          "6-1-1306(2)(c)",
          "6-1-1306(2)(d)"
        ],
        "US - NV SB220": [
          "2.1",
          "2.2",
          "2.4"
        ],
        "US - OR CPA": [
          "4(5)(a)",
          "4(5)(b)",
          "4(5)(c)",
          "4(5)(d)",
          "4(5)(e)",
          "4(5)(e)(A)",
          "4(5)(e)(B)",
          "4(6)(b)",
          "4(6)(c)",
          "4(6)(d)",
          "5(5)(a)(A)",
          "5(5)(a)(B)",
          "5(5)(a)(C)",
          "5(5)(b)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(b)(1)",
          "47-18-3203(b)(2)",
          "47-18-3203(b)(3)",
          "47-18-3203(b)(4)",
          "47-18-3204(e)(1)(A)",
          "47-18-3204(e)(1)(B)",
          "47-18-3204(e)(1)(C)",
          "47-18-3204(e)(2)",
          "47-18-3207(b)(3)",
          "47-18-3207(b)(3)(A)",
          "47-18-3207(b)(3)(B)",
          "47-18-3207(b)(3)(C)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.B.1",
          "59.1-577.B.2",
          "59.1-577.B.3",
          "59.1-577.B.4",
          "59.1-577.C"
        ],
        "EMEA EU GDPR": [
          "12.4"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 13"
        ],
        "APAC Australian Privacy Principles": [
          "APP 12",
          "APP 13"
        ]
      }
    },
    {
      "principle_name": "Inquiry Management",
      "description": "Maintain a capability to receive and respond to data privacy-related requests, complaints, concerns or questions from data subjects.",
      "scf_control": "Data Subject Authentication",
      "scf_control_id": "PRI-06.8",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7060(a)",
          "7060(b)",
          "7060(c)",
          "7060(c)(1)",
          "7060(c)(2)",
          "7060(c)(3)",
          "7060(c)(3)(A)",
          "7060(c)(3)(B)",
          "7060(c)(3)(C)",
          "7060(c)(3)(D)",
          "7060(c)(3)(E)",
          "7060(c)(3)(F)",
          "7060(d)",
          "7060(e)",
          "7060(f)",
          "7060(g)",
          "7060(h)",
          "7061(a)",
          "7061(b)",
          "7062(a)",
          "7062(b)",
          "7062(c)",
          "7062(d)",
          "7062(f)",
          "7062(g)"
        ]
      }
    },
    {
      "principle_name": "Inquiry Management",
      "description": "Maintain a capability to receive and respond to data privacy-related requests, complaints, concerns or questions from data subjects.",
      "scf_control": "Reject Unauthenticated or Untrustworthy Disclosure Requests",
      "scf_control_id": "PRI-07.4",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.1-POF4",
          "P5.2-POF1",
          "P5.2-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P1"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.524(d)(2)(i)",
          "164.524(d)(2)(ii)",
          "164.524(d)(2)(iii)",
          "164.524(d)(3)"
        ],
        "US - CA CCPA 2025": [
          "7022(a)",
          "7023(b)",
          "7024(a)",
          "7024(b)",
          "7026(e)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)"
        ],
        "US - OR CPA": [
          "4(5)(e)(B)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(b)(4)"
        ]
      }
    },
    {
      "principle_name": "Updating Personal Data",
      "description": "Provide data subjects with appropriate opportunity to correct or amend their personal data.",
      "scf_control": "Updating & Correcting Personal Data (PD)",
      "scf_control_id": "DCH-22.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.1",
          "P5.2"
        ],
        "GAPP": [
          "6.2.5",
          "6.2.6",
          "10.2.1",
          "10.2.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P3"
        ],
        "NIST 800-53 R5": [
          "SI-18(4)",
          "SI-18(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-18(4)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(a)(1)",
          "164.526(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7023(c)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(c)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.2"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "17.1"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 13"
        ],
        "APAC Australian Privacy Principles": [
          "APP 13"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "P6-(2)",
          "Principle 7",
          "P7-(1)",
          "P7-(2)",
          "P7-(3)(a)",
          "P7-(3)(b)",
          "P7-(4)",
          "P7-(5)",
          "P7-(6)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 10"
        ]
      }
    },
    {
      "principle_name": "Updating Personal Data",
      "description": "Provide data subjects with appropriate opportunity to correct or amend their personal data.",
      "scf_control": "Updating Personal Data (PD)",
      "scf_control_id": "PRI-12",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.2",
          "P5.2-POF2"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P3"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(a)(1)",
          "164.526(b)(1)",
          "164.526(e)",
          "164.526(f)"
        ],
        "US - CA CCPA 2025": [
          "7023(b)",
          "7023(b)(1)",
          "7023(b)(1)(A)",
          "7023(b)(1)(B)",
          "7023(b)(1)(C)",
          "7023(b)(2)"
        ],
        "US - NV SB220": [
          "2.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "17.1"
        ]
      }
    },
    {
      "principle_name": "Redress",
      "description": "Provide data subjects with appropriate opportunity to challenge the organization's compliance with its data privacy principles.",
      "scf_control": "Correcting Inaccurate Personal Data (PD)",
      "scf_control_id": "PRI-06.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.2",
          "P5.2-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "8(c)"
        ],
        "GAPP": [
          "6.2.5",
          "6.2.6",
          "10.2.1",
          "10.2.2"
        ],
        "ISO 29100 2024": [
          "6.9"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P8",
          "CT.DM-P3"
        ],
        "NIST 800-53 R5": [
          "SI-18(4)",
          "SI-18(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SI-18(4)"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.6.a"
        ],
        "US FIPPS": [
          "1"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(a)(1)",
          "164.526(a)(2)",
          "164.526(a)(2)(i)",
          "164.526(a)(2)(ii)",
          "164.526(a)(2)(iii)",
          "164.526(a)(2)(iv)",
          "164.526(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7023(a)",
          "7023(b)",
          "7023(d)(1)",
          "7023(d)(2)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(c)"
        ],
        "US - OR CPA": [
          "3(1)(b)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(B)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.2"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 13"
        ],
        "APAC Australian Privacy Principles": [
          "APP 13"
        ],
        "APAC India DPDPA 2023": [
          "12(1)",
          "12(2)(a)",
          "12(2)(b)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "P6-(2)",
          "Principle 7",
          "P7-(1)",
          "P7-(2)",
          "P7-(3)(a)",
          "P7-(3)(b)",
          "P7-(4)",
          "P7-(5)",
          "P7-(6)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 10"
        ]
      }
    },
    {
      "principle_name": "Notice of Correction or Amendment",
      "description": "Notify affected data subjects and applicable third parties when personal data is corrected or amended.",
      "scf_control": "Notice of Correction or Processing Change",
      "scf_control_id": "PRI-06.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P3.1-POF4",
          "P5.2",
          "P5.2-POF2",
          "P5.2-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P1",
          "CM.PO-P1",
          "CT.PO-P4"
        ],
        "NIST 800-53 R5": [
          "SI-18(5)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.526(c)",
          "164.526(c)(1)",
          "164.526(c)(2)",
          "164.526(c)(3)",
          "164.526(c)(3)(i)",
          "164.526(c)(3)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7022(e)",
          "7023(f)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(b)(1)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 13"
        ],
        "APAC Australian Privacy Principles": [
          "APP 13"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "P6-(2)"
        ]
      }
    },
    {
      "principle_name": "Notice of Correction or Amendment",
      "description": "Notify affected data subjects and applicable third parties when personal data is corrected or amended.",
      "scf_control": "Obligation To Inform Third-Parties",
      "scf_control_id": "PRI-07.3",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CM.AW-P5",
          "CM.AW-P7"
        ],
        "US - CA CCPA 2025": [
          "7022(b)(2)",
          "7022(b)(3)",
          "7022(f)(4)",
          "7023(c)",
          "7026(f)(2)",
          "7027(g)(2)",
          "7027(g)(3)"
        ],
        "US - VA CDPA 2025": [
          "59.1-579.B.2"
        ]
      }
    },
    {
      "principle_name": "Appeal",
      "description": "Provide data subjects with appropriate opportunity to appeal an adverse decision to have incorrect personal data amended.",
      "scf_control": "Appeal Adverse Decision",
      "scf_control_id": "PRI-06.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P5.2"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P8"
        ],
        "NIST 800-53 R5": [
          "PM-26"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-26"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.524(d)(4)"
        ],
        "US - CA CCPA 2025": [
          "7023(d)(1)",
          "7023(f)(3)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(3)(a)",
          "6-1-1306(3)(b)",
          "6-1-1306(3)(c)"
        ],
        "US - OR CPA": [
          "4(6)(a)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(c)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.C"
        ],
        "Americas Canada PIPEDA": [
          "Sec 11"
        ]
      }
    },
    {
      "principle_name": "Right to Erasure",
      "description": "Provide data subjects with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third parties.",
      "scf_control": "Right to Erasure",
      "scf_control_id": "PRI-06.5",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P4.3-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P4"
        ],
        "US - CA CCPA 2025": [
          "7022(b)(1)",
          "7022(f)(2)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1306(1)(d)"
        ],
        "US - OR CPA": [
          "3(1)(c)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3203(a)(2)(C)",
          "47-18-3203(a)(2)(C)(i)(a)",
          "47-18-3203(a)(2)(C)(i)(b)",
          "47-18-3203(a)(2)(C)(ii)"
        ],
        "US - VA CDPA 2025": [
          "59.1-577.A.3"
        ],
        "EMEA EU GDPR": [
          "17.1(a)",
          "17.1(b)",
          "17.1(c)",
          "17.1(d)",
          "17.1(e)",
          "17.1(f)",
          "17.2",
          "17.3",
          "17.3(a)",
          "17.3(b)",
          "17.3(c)",
          "17.3(d)",
          "17.3(e)"
        ],
        "APAC India DPDPA 2023": [
          "12(1)",
          "12(3)",
          "8(7)(a)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Operationalizing Cybersecurity & Data Protection Practices",
      "scf_control_id": "GOV-15",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.1-POF1",
          "CC2.1-POF2",
          "CC2.1-POF3",
          "CC2.1-POF4",
          "CC3.1-POF5",
          "CC5.1",
          "CC5.1-POF1",
          "CC5.1-POF2",
          "CC5.1-POF3",
          "CC5.1-POF4",
          "CC5.1-POF5",
          "CC5.1-POF6"
        ],
        "ISO 27701  2025": [
          "5.1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.4.a"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)",
          "164.306(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(b)(3)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Select Controls",
      "scf_control_id": "GOV-15.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Implement Controls",
      "scf_control_id": "GOV-15.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)",
          "164.306(d)(3)(ii)(A)",
          "164.308(a)(1)(ii)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Assess Controls",
      "scf_control_id": "GOV-15.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2-POF1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Authorize Technology Assets, Applications and/or Services (TAAS)",
      "scf_control_id": "GOV-15.4",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Monitor Controls",
      "scf_control_id": "GOV-15.5",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Identity & Access Management (IAM)",
      "scf_control_id": "IAC-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1",
          "CC6.1-POF3",
          "CC6.1-POF7",
          "CC6.1-POF8",
          "CC6.1-POF9",
          "CC6.6",
          "CC6.6-POF2",
          "CC6.6-POF3"
        ],
        "GAPP": [
          "8.2.2"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.AC-P1"
        ],
        "NIST 800-53 R5": [
          "AC-1",
          "IA-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AC-1"
        ],
        "NIST CSF 2.0": [
          "PR.AA",
          "PR.AA-05"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(B)",
          "164.310(a)(2)(iii)",
          "164.312(a)(1)",
          "164.530(c)(2)(ii)"
        ],
        "US - AK PIPA": [
          "45.48.510"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(1)",
          "7123(c)(3)",
          "7123(c)(3)(C)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(5)",
          "2447(c)(1)(A)(iv)",
          "2447(c)(1)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Continuous Monitoring",
      "scf_control_id": "MON-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.2",
          "CC7.2-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P8"
        ],
        "NIST 800-53 R5": [
          "AU-1",
          "PM-31",
          "SI-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AU-1",
          "PM-31"
        ],
        "NIST CSF 2.0": [
          "DE.AE",
          "DE.CM-01",
          "DE.CM-03",
          "DE.CM-06",
          "DE.CM-09",
          "PR.PS-04"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(1)(ii)(D)",
          "164.312(b)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(7)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(C)",
          "2447(b)(8)",
          "2447(b)(8)(A)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Centralized Collection of Security Event Logs",
      "scf_control_id": "MON-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.2",
          "CC7.2-POF1",
          "CC7.3"
        ],
        "NIST 800-53 R5": [
          "AU-2",
          "AU-6",
          "IR-4(4)",
          "SI-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AU-2"
        ],
        "NIST CSF 2.0": [
          "DE.AE-03",
          "DE.AE-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(7)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Security of Personal Data (PD)",
      "scf_control_id": "PRI-01.6",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF13",
          "P4.2-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "7"
        ],
        "ISO 29100 2024": [
          "6.11"
        ],
        "OECD Privacy Principles": [
          "5"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.4.a"
        ],
        "US FIPPS": [
          "8"
        ],
        "US - CA CCPA 2025": [
          "7023(d)(4)",
          "7024(f)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)(a)",
          "6-1-1305(4)",
          "6-1-1308(5)"
        ],
        "US - IL BIPA": [
          "15(e)(1)",
          "15(e)(2)"
        ],
        "US - IL PIPA": [
          "45(a)",
          "45(b)",
          "45(c)",
          "45(d)"
        ],
        "US - OR CPA": [
          "5(1)(c)",
          "6(1)(b)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(a)(3)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.3",
          "59.1-579.A.1",
          "59.1-579.B.1"
        ],
        "EMEA EU GDPR": [
          "24.1",
          "25.1",
          "25.2",
          "32.1",
          "32.1(a)",
          "32.1(b)",
          "5.1(f)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "19"
        ],
        "APAC India DPDPA 2023": [
          "8(4)",
          "8(5)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 5",
          "P5-(a)",
          "P5-(a)(i)",
          "P5-(a)(ii)",
          "P5-(a)(iii)",
          "P5-(b)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Centralized Management of Cybersecurity & Data Protection Controls",
      "scf_control_id": "SEA-01.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.1"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P2"
        ],
        "NIST 800-53 R5": [
          "PL-9"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-9"
        ],
        "NIST CSF 2.0": [
          "PR.IR"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(B)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)",
          "6-1-1308(5)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Technology Development & Acquisition",
      "scf_control_id": "TDA-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.3-POF10",
          "CC5.2",
          "CC5.2-POF4",
          "PI1.2",
          "PI1.3"
        ],
        "NIST 800-53 R5": [
          "PL-1",
          "SA-1",
          "SA-4",
          "SA-23"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "NIST CSF 2.0": [
          "ID.RA-09",
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity by Design",
      "description": "Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.).",
      "scf_control": "Cybersecurity & Data Protection Testing Throughout Development",
      "scf_control_id": "TDA-09",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.1-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "SA-11",
          "SA-11(5)",
          "SA-11(6)",
          "SA-11(7)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-11"
        ],
        "NIST CSF 2.0": [
          "ID.IM-01",
          "ID.IM-02",
          "ID.RA-01",
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Cloud Services",
      "scf_control_id": "CLD-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF5"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Cloud Security Architecture",
      "scf_control_id": "CLD-02",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(10)",
          "7123(c)(5)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Operationalizing Cybersecurity & Data Protection Practices",
      "scf_control_id": "GOV-15",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.1-POF1",
          "CC2.1-POF2",
          "CC2.1-POF3",
          "CC2.1-POF4",
          "CC3.1-POF5",
          "CC5.1",
          "CC5.1-POF1",
          "CC5.1-POF2",
          "CC5.1-POF3",
          "CC5.1-POF4",
          "CC5.1-POF5",
          "CC5.1-POF6"
        ],
        "ISO 27701  2025": [
          "5.1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.4.a"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)",
          "164.306(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(b)(3)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Select Controls",
      "scf_control_id": "GOV-15.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Implement Controls",
      "scf_control_id": "GOV-15.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)",
          "164.306(d)(3)(ii)(A)",
          "164.308(a)(1)(ii)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Assess Controls",
      "scf_control_id": "GOV-15.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2-POF1"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Authorize Technology Assets, Applications and/or Services (TAAS)",
      "scf_control_id": "GOV-15.4",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Monitor Controls",
      "scf_control_id": "GOV-15.5",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.12"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(1)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Configuration Change Control",
      "scf_control_id": "CHG-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF13",
          "CC3.4",
          "CC3.4-POF4",
          "CC6.8-POF3",
          "CC8.1",
          "CC8.1-POF1",
          "CC8.1-POF10",
          "CC8.1-POF11",
          "CC8.1-POF13",
          "CC8.1-POF14",
          "CC8.1-POF2",
          "CC8.1-POF3",
          "CC8.1-POF4",
          "CC8.1-POF5",
          "CC8.1-POF6",
          "CC8.1-POF7",
          "CC8.1-POF8",
          "CC8.1-POF9"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.PO-P2"
        ],
        "NIST 800-53 R5": [
          "CM-3",
          "SA-8(31)"
        ],
        "NIST CSF 2.0": [
          "ID.RA-07"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(C)",
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Security Impact Analysis for Changes",
      "scf_control_id": "CHG-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.4",
          "CC3.4-POF4",
          "CC8.1-POF10",
          "CC8.1-POF3"
        ],
        "GAPP": [
          "1.2.6"
        ],
        "NIST 800-53 R5": [
          "CM-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CM-4"
        ],
        "NIST CSF 2.0": [
          "ID.RA-07"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Authenticate, Authorize and Audit (AAA)",
      "scf_control_id": "IAC-01.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF3",
          "CC6.1-POF4",
          "CC6.6",
          "CC6.6-POF2",
          "CC6.6-POF3"
        ],
        "NIST 800-53 R5": [
          "IA-4",
          "IA-4(4)"
        ],
        "NIST CSF 2.0": [
          "PR.AA",
          "PR.AA-03",
          "PR.AA-04",
          "PR.AA-05"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(1)(B)",
          "7123(c)(3)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Multi-Factor Authentication (MFA)",
      "scf_control_id": "IAC-06",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.6-POF3"
        ],
        "NIST 800-53 R5": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(1)(A)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Role-Based Access Control (RBAC)",
      "scf_control_id": "IAC-08",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.2-POF3",
          "CC6.1",
          "CC6.1-POF12",
          "CC6.1-POF13",
          "CC6.3",
          "CC6.3-POF3"
        ],
        "NIST 800-53 R5": [
          "AC-2(7)"
        ],
        "NIST CSF 2.0": [
          "PR.AA-05"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(3)(i)",
          "164.308(a)(3)(ii)(A)",
          "164.308(a)(4)(ii)(C)",
          "164.312(a)(1)",
          "164.514(d)(2)(i)(A)",
          "164.514(d)(2)(i)(B)",
          "164.514(d)(2)(ii)",
          "164.530(c)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(A)",
          "7123(c)(3)(A)(i)",
          "7123(c)(3)(A)(ii)",
          "7123(c)(3)(A)(iii)",
          "7123(c)(3)(B)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(5)",
          "2447(c)(2)(A)"
        ],
        "EMEA EU GDPR": [
          "32.4"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Privileged Account Management (PAM)",
      "scf_control_id": "IAC-16",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Least Privilege",
      "scf_control_id": "IAC-21",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC5.2-POF3",
          "CC6.1",
          "CC6.1-POF12",
          "CC6.1-POF13",
          "CC6.1-POF7"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.AC-P4"
        ],
        "NIST 800-53 R5": [
          "AC-6",
          "SA-8(14)"
        ],
        "NIST CSF 2.0": [
          "PR.AA-05",
          "PR.DS-10"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(3)(i)",
          "164.312(a)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(A)",
          "7123(c)(3)(A)(iii)",
          "7123(c)(3)(B)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Management Approval For New or Changed Accounts",
      "scf_control_id": "IAC-28.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.2-POF1",
          "CC6.3-POF1"
        ],
        "NIST 800-53 R5": [
          "AC-24",
          "IA-12(1)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(3)(ii)(A)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(C)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Security of Personal Data (PD)",
      "scf_control_id": "PRI-01.6",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF13",
          "P4.2-POF2"
        ],
        "APEC Privacy Framework 2015": [
          "7"
        ],
        "ISO 29100 2024": [
          "6.11"
        ],
        "OECD Privacy Principles": [
          "5"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.4.a"
        ],
        "US FIPPS": [
          "8"
        ],
        "US - CA CCPA 2025": [
          "7023(d)(4)",
          "7024(f)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)(a)",
          "6-1-1305(4)",
          "6-1-1308(5)"
        ],
        "US - IL BIPA": [
          "15(e)(1)",
          "15(e)(2)"
        ],
        "US - IL PIPA": [
          "45(a)",
          "45(b)",
          "45(c)",
          "45(d)"
        ],
        "US - OR CPA": [
          "5(1)(c)",
          "6(1)(b)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3204(a)(3)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.A.3",
          "59.1-579.A.1",
          "59.1-579.B.1"
        ],
        "EMEA EU GDPR": [
          "24.1",
          "25.1",
          "25.2",
          "32.1",
          "32.1(a)",
          "32.1(b)",
          "5.1(f)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "19"
        ],
        "APAC India DPDPA 2023": [
          "8(4)",
          "8(5)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 5",
          "P5-(a)",
          "P5-(a)(i)",
          "P5-(a)(ii)",
          "P5-(a)(iii)",
          "P5-(b)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Secure Engineering Principles",
      "scf_control_id": "SEA-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2",
          "CC3.2",
          "CC5.1",
          "CC5.2",
          "CC6.1-POF2",
          "CC8.1-POF15",
          "CC8.1-POF18"
        ],
        "GAPP": [
          "4.2.3",
          "6.2.2",
          "7.2.2",
          "7.2.3"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P4",
          "GV.PO-P2",
          "CT.PO-P1",
          "CT.DM-P7",
          "CT.DM-P8",
          "CM.AW-P3"
        ],
        "NIST 800-53 R5": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SC-7(18)",
          "SI-1",
          "SA-15(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-1",
          "SI-1"
        ],
        "NIST CSF 2.0": [
          "PR.IR",
          "PR.IR-01",
          "PR.IR-03"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.4.a"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(B)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)",
          "6-1-1308(5)"
        ],
        "US - TX BC521": [
          "521.052"
        ],
        "US - VT Act 171 of 2018": [
          "2447(a)",
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(a)(2)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 8",
          "APP Part 11"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Alignment With Enterprise Architecture",
      "scf_control_id": "SEA-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.1",
          "CC4.1",
          "CC5.1",
          "CC6.1-POF2"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P2"
        ],
        "NIST 800-53 R5": [
          "PL-8",
          "PM-7"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-8"
        ],
        "NIST CSF 2.0": [
          "PR.IR",
          "PR.IR-01",
          "PR.IR-03"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(1)",
          "164.306(b)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(5)(B)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)",
          "6-1-1308(5)"
        ],
        "US - TX BC521": [
          "521.052"
        ],
        "US - VT Act 171 of 2018": [
          "2447(a)",
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(a)(2)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 8",
          "APP Part 11"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Product Management",
      "scf_control_id": "TDA-01.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "PI1.1-POF1",
          "PI1.1-POF2",
          "PI1.1-POF3"
        ],
        "NIST 800-53 R5": [
          "SA-23"
        ],
        "NIST CSF 2.0": [
          "GV.SC-09",
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Development Methods, Techniques & Processes",
      "scf_control_id": "TDA-02.3",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "SA-4(3)",
          "SR-3(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Pre-Established Secure Configurations",
      "scf_control_id": "TDA-02.4",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SA-4(5)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Insecure Ports, Protocols & Services",
      "scf_control_id": "TDA-02.6",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Cybersecurity & Data Privacy Representatives For Product Changes",
      "scf_control_id": "TDA-02.7",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SA-10(7)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Minimizing Attack Surfaces",
      "scf_control_id": "TDA-02.8",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Ongoing Product Security Support",
      "scf_control_id": "TDA-02.9",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Product Testing & Reviews",
      "scf_control_id": "TDA-02.10",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Disclosure of Vulnerabilities",
      "scf_control_id": "TDA-02.11",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)",
          "7123(c)(6)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Secure Software Development Practices (SSDP)",
      "scf_control_id": "TDA-06",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "PI1.1",
          "PI1.2",
          "PI1.2-POF1",
          "PI1.2-POF2",
          "PI1.2-POF3",
          "PI1.3",
          "PI1.3-POF1",
          "PI1.3-POF2",
          "PI1.3-POF3",
          "PI1.3-POF4",
          "PI1.3-POF5",
          "PI1.4",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P1",
          "CT.DM-P7",
          "CT.DM-P8",
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "SA-1",
          "SA-4(3)",
          "SA-15"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-1"
        ],
        "NIST CSF 2.0": [
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Software Design Review",
      "scf_control_id": "TDA-06.5",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity Considerations",
      "description": "Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so Technology Assets, Applications and/or Services (TAAS) achieve the necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Technical Documentation Artifacts",
      "scf_control_id": "TDA-22",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Cryptographic Protections",
      "description": "Ensure personal data is encrypted both at rest and in transit.",
      "scf_control": "Use of Cryptographic Controls",
      "scf_control_id": "CRY-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.1-POF11",
          "CC6.6-POF2",
          "CC6.7-POF2",
          "CC6.7-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.DS-P1",
          "PR.DS-P2"
        ],
        "NIST 800-53 R5": [
          "SC-8(1)",
          "SC-8(2)",
          "SC-13",
          "SI-7(6)"
        ],
        "NIST CSF 2.0": [
          "PR.DS-01",
          "PR.DS-02",
          "PR.DS-10"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.312(a)(2)(iv)",
          "164.312(e)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(2)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(3)",
          "2447(c)(5)"
        ],
        "EMEA EU GDPR": [
          "32.1(a)"
        ]
      }
    },
    {
      "principle_name": "Cryptographic Protections",
      "description": "Ensure personal data is encrypted both at rest and in transit.",
      "scf_control": "Transmission Confidentiality",
      "scf_control_id": "CRY-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.7",
          "CC6.7-POF2"
        ],
        "GAPP": [
          "8.2.5"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.DS-P2"
        ],
        "NIST 800-53 R5": [
          "SC-8",
          "SC-8(1)"
        ],
        "NIST CSF 2.0": [
          "PR.DS-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.312(e)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(2)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(3)"
        ]
      }
    },
    {
      "principle_name": "Cryptographic Protections",
      "description": "Ensure personal data is encrypted both at rest and in transit.",
      "scf_control": "Encrypting Data At Rest",
      "scf_control_id": "CRY-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.7",
          "CC6.7-POF2",
          "CC6.7-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.DS-P1"
        ],
        "NIST 800-53 R5": [
          "SC-13",
          "SC-28",
          "SC-28(1)"
        ],
        "NIST CSF 2.0": [
          "PR.DS-01"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(2)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(c)(5)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Physical & Environmental Protections",
      "scf_control_id": "PES-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2",
          "A1.2-POF1",
          "A1.2-POF2",
          "A1.2-POF3",
          "A1.2-POF4",
          "A1.2-POF5",
          "A1.2-POF6",
          "A1.2-POF7",
          "A1.2-POF9",
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "GAPP": [
          "8.2.3",
          "8.2.4"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.AC-P2",
          "PR.PO-P4"
        ],
        "NIST 800-53 R5": [
          "PE-1",
          "PE-23"
        ],
        "NIST CSF 2.0": [
          "DE.CM-02",
          "ID.AM",
          "PR.AA",
          "PR.AA-06",
          "PR.IR-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(7)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Physical Access Authorizations",
      "scf_control_id": "PES-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "NIST 800-53 R5": [
          "PE-2"
        ],
        "NIST CSF 2.0": [
          "PR.AA",
          "PR.AA-06"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(a)(2)(i)",
          "164.310(a)(2)(iii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Role-Based Physical Access",
      "scf_control_id": "PES-02.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "NIST 800-53 R5": [
          "PE-2(1)"
        ],
        "NIST CSF 2.0": [
          "PR.AA-06"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(a)(2)(i)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Physical Access Control",
      "scf_control_id": "PES-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.AC-P2"
        ],
        "NIST 800-53 R5": [
          "PE-3",
          "PE-3(2)",
          "PE-3(3)"
        ],
        "NIST CSF 2.0": [
          "DE.CM-02",
          "PR.AA",
          "PR.AA-06"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iii)",
          "164.310(c)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(7)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Physical Security of Offices, Rooms & Facilities",
      "scf_control_id": "PES-04",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "PR.AC-P2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(b)",
          "164.310(c)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(7)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Monitoring Physical Access",
      "scf_control_id": "PES-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.4-POF4"
        ],
        "NIST 800-53 R5": [
          "PE-6"
        ],
        "NIST CSF 2.0": [
          "DE.CM-02"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ]
      }
    },
    {
      "principle_name": "Physical Protections",
      "description": "Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed.",
      "scf_control": "Visitor Control",
      "scf_control_id": "PES-06",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "PR.AC-P2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(a)(2)(iii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(3)(D)"
        ]
      }
    },
    {
      "principle_name": "Embedded Technology",
      "description": "Facilitate the secure implementation of embedded technologies so sensors minimize the collection of personal data and alert data subjects to the personal data collected by those sensors.",
      "scf_control": "Embedded Technology Security Program",
      "scf_control_id": "EMB-01",
      "crosswalks": {}
    },
    {
      "principle_name": "Embedded Technology",
      "description": "Facilitate the secure implementation of embedded technologies so sensors minimize the collection of personal data and alert data subjects to the personal data collected by those sensors.",
      "scf_control": "Authorized Use",
      "scf_control_id": "END-13.1",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SC-42(2)"
        ]
      }
    },
    {
      "principle_name": "Embedded Technology",
      "description": "Facilitate the secure implementation of embedded technologies so sensors minimize the collection of personal data and alert data subjects to the personal data collected by those sensors.",
      "scf_control": "Notice of Collection",
      "scf_control_id": "END-13.2",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SC-42(4)"
        ]
      }
    },
    {
      "principle_name": "Embedded Technology",
      "description": "Facilitate the secure implementation of embedded technologies so sensors minimize the collection of personal data and alert data subjects to the personal data collected by those sensors.",
      "scf_control": "Collection Minimization",
      "scf_control_id": "END-13.3",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PM-25",
          "SA-8(33)",
          "SC-42(5)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-25",
          "SA-8(33)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1308(3)"
        ]
      }
    },
    {
      "principle_name": "Retire Outdated Systems",
      "description": "Upgrade, replace, or retire any system, application or service for which appropriate protections, commensurate with risk, cannot be effectively implemented.",
      "scf_control": "Unsupported Technology Assets, Applications and/or Services (TAAS)",
      "scf_control_id": "TDA-17",
      "crosswalks": {
        "NIST 800-53 R5": [
          "SA-22"
        ],
        "NIST CSF 2.0": [
          "PR.PS-02",
          "PR.PS-03"
        ]
      }
    },
    {
      "principle_name": "Personnel Security",
      "description": "Implement personnel management practices, covering employees, contractors and other entities, that ensure appropriate vetting and clearance to Technology Assets, Applications and/or Services (TAAS) that contain, store or transmit personal data.",
      "scf_control": "Cybersecurity & Data Protection-Minded Workforce",
      "scf_control_id": "SAT-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4",
          "CC1.4-POF3",
          "CC2.2-POF12",
          "CC2.2-POF8"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3",
          "GV.AT-P4"
        ],
        "NIST 800-53 R5": [
          "AT-1",
          "PM-13"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AT-1"
        ],
        "NIST CSF 2.0": [
          "PR.AT"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(5)(i)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(12)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(A)",
          "2447(c)(8)"
        ]
      }
    },
    {
      "principle_name": "Rules of Behavior",
      "description": "Require employees and contractors to read and agree to abide by the organization's rules of behavior, prior to being granted access to Technology Assets, Applications and/or Services (TAAS) that store, transmit or process personal data, including social media.",
      "scf_control": "Rules of Behavior",
      "scf_control_id": "HRS-05.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1"
        ],
        "NIST 800-53 R5": [
          "PL-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-4"
        ],
        "NIST CSF 2.0": [
          "ID.AM"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.310(b)"
        ],
        "US - CA CCPA 2025": [
          "7122(c)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(B)"
        ]
      }
    },
    {
      "principle_name": "Rules of Behavior",
      "description": "Require employees and contractors to read and agree to abide by the organization's rules of behavior, prior to being granted access to Technology Assets, Applications and/or Services (TAAS) that store, transmit or process personal data, including social media.",
      "scf_control": "Social Media & Social Networking Restrictions",
      "scf_control_id": "HRS-05.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1",
          "CC1.1-POF2"
        ],
        "NIST 800-53 R5": [
          "PL-4(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-4(1)"
        ]
      }
    },
    {
      "principle_name": "Employee Sanctions",
      "description": "Utilize employee sanctions to hold personnel accountable for complying with the organization's data privacy policies and processes.",
      "scf_control": "Personnel Sanctions",
      "scf_control_id": "HRS-07",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF4",
          "CC1.5",
          "CC1.5-POF5",
          "CC1.5-POF6",
          "CC7.4-POF14"
        ],
        "NIST 800-53 R5": [
          "PS-8"
        ],
        "NIST CSF 2.0": [
          "GV.PO",
          "GV.PO-01",
          "GV.PO-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(1)(ii)(C)",
          "164.530(e)(1)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(4)"
        ]
      }
    },
    {
      "principle_name": "Workforce Management",
      "description": "Respond to changing mission requirements and maintain workforce skills in a rapidly-developing technology environment through recruiting and retaining the talent needed to support the organization's mission.",
      "scf_control": "Human Resources Security Management",
      "scf_control_id": "HRS-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1",
          "CC1.1-POF1",
          "CC1.1-POF3",
          "CC1.2-POF1",
          "CC1.2-POF2",
          "CC1.2-POF3",
          "CC1.2-POF4",
          "CC1.3-POF6",
          "CC1.4",
          "CC1.4-POF1",
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC1.5-POF2",
          "CC1.5-POF3",
          "CC1.5-POF4",
          "CC1.5-POF5",
          "CC2.2-POF3",
          "CC2.3-POF4",
          "CC3.3-POF1",
          "CC3.3-POF2",
          "CC3.3-POF3",
          "CC3.3-POF4",
          "CC3.3-POF5"
        ],
        "ISO 27701  2025": [
          "7.2"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.PO-P9"
        ],
        "NIST 800-53 R5": [
          "PS-1"
        ],
        "NIST CSF 2.0": [
          "GV.RR-04",
          "ID.AM"
        ],
        "US Data Privacy Framework (DPF)": [
          "III.9.b.iii"
        ],
        "US FIPPS": [
          "2"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(3)(ii)(A)",
          "164.312(d)",
          "164.530(e)(2)"
        ],
        "APAC India DPDPA 2023": [
          "21(1)(a)",
          "21(1)(b)",
          "21(1)(c)",
          "21(1)(d)",
          "21(1)(e)",
          "21(2)",
          "22(1)",
          "22(2)",
          "22(3)"
        ]
      }
    },
    {
      "principle_name": "Professional Competency",
      "description": "Develop and enforce data privacy competency requirements for staff members involved in the acquisition, management, maintenance and use of information resources, to ensure they have the appropriate knowledge and skill.",
      "scf_control": "Personnel Screening",
      "scf_control_id": "HRS-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4-POF5"
        ],
        "NIST 800-53 R5": [
          "PS-3"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.312(d)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity & Data Privacy Control Validation",
      "description": "Develop and enforce an Information Assurance (IA) capability that provides a mechanism to perform pre-production control testing to ensure applicable cybersecurity & data privacy controls exist and are functioning. Systems, applications and services are prohibited from \"going live\" without security authorization, following the results of pre-production control testing.",
      "scf_control": "Information Assurance (IA) Operations",
      "scf_control_id": "IAO-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.1",
          "CC4.1-POF8",
          "CC6.1-POF2",
          "CC6.1-POF9"
        ],
        "NIST 800-53 R5": [
          "CA-1",
          "PM-10"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-1"
        ],
        "NIST CSF 2.0": [
          "ID.RA-01"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(C)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity & Data Privacy Control Validation",
      "description": "Develop and enforce an Information Assurance (IA) capability that provides a mechanism to perform pre-production control testing to ensure applicable cybersecurity & data privacy controls exist and are functioning. Systems, applications and services are prohibited from \"going live\" without security authorization, following the results of pre-production control testing.",
      "scf_control": "Security Authorization",
      "scf_control_id": "IAO-07",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF9"
        ],
        "NIST 800-53 R5": [
          "CA-6"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-6"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(4)(C)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity & Data Privacy Control Validation",
      "description": "Develop and enforce an Information Assurance (IA) capability that provides a mechanism to perform pre-production control testing to ensure applicable cybersecurity & data privacy controls exist and are functioning. Systems, applications and services are prohibited from \"going live\" without security authorization, following the results of pre-production control testing.",
      "scf_control": "Risk Monitoring",
      "scf_control_id": "RSK-11",
      "crosswalks": {
        "NIST 800-53 R5": [
          "CA-7(4)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-7(4)"
        ]
      }
    },
    {
      "principle_name": "Cybersecurity & Data Privacy Control Validation",
      "description": "Develop and enforce an Information Assurance (IA) capability that provides a mechanism to perform pre-production control testing to ensure applicable cybersecurity & data privacy controls exist and are functioning. Systems, applications and services are prohibited from \"going live\" without security authorization, following the results of pre-production control testing.",
      "scf_control": "Cybersecurity & Data Protection Testing Throughout Development",
      "scf_control_id": "TDA-09",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.1-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "SA-11",
          "SA-11(5)",
          "SA-11(6)",
          "SA-11(7)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-11"
        ],
        "NIST CSF 2.0": [
          "ID.IM-01",
          "ID.IM-02",
          "ID.RA-01",
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Secure Configuration Management",
      "description": "Implement secure configuration management throughout the System Development Life Cycle (SDLC) to ensure Technology Assets, Applications and/or Services (TAAS) are configured according to industry-recognized secure practices.",
      "scf_control": "Configuration Management Program",
      "scf_control_id": "CFG-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.1",
          "CC7.1-POF1",
          "CC8.1-POF12",
          "CC8.1-POF6"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.PO-P1"
        ],
        "NIST 800-53 R5": [
          "CM-1",
          "CM-9"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CM-1"
        ],
        "NIST CSF 2.0": [
          "PR.PS",
          "PR.PS-01",
          "PR.PS-05"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(1)(i)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(11)",
          "7123(c)(4)(B)",
          "7123(c)(5)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)"
        ]
      }
    },
    {
      "principle_name": "Secure Configuration Management",
      "description": "Implement secure configuration management throughout the System Development Life Cycle (SDLC) to ensure Technology Assets, Applications and/or Services (TAAS) are configured according to industry-recognized secure practices.",
      "scf_control": "Secure Baseline Configurations",
      "scf_control_id": "CFG-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC6.1-POF7",
          "CC6.7-POF1",
          "CC7.1",
          "CC7.1-POF1",
          "CC8.1",
          "CC8.1-POF12",
          "CC8.1-POF6"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.PO-P1"
        ],
        "NIST 800-53 R5": [
          "AU-2",
          "CM-2",
          "CM-6",
          "PL-10",
          "SA-8",
          "SA-15(5)"
        ],
        "NIST CSF 2.0": [
          "PR.DS-10",
          "PR.PS",
          "PR.PS-05"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.312(a)(2)(iii)",
          "164.312(e)(1)",
          "164.312(e)(2)(i)",
          "164.312(e)(2)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(11)",
          "7123(c)(4)(B)",
          "7123(c)(5)",
          "7123(c)(5)(A)",
          "7123(c)(5)(B)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(4)"
        ]
      }
    },
    {
      "principle_name": "Secure Configuration Management",
      "description": "Implement secure configuration management throughout the System Development Life Cycle (SDLC) to ensure Technology Assets, Applications and/or Services (TAAS) are configured according to industry-recognized secure practices.",
      "scf_control": "Cybersecurity & Data Protection Testing Throughout Development",
      "scf_control_id": "TDA-09",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.1-POF1"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.DM-P9",
          "CT.DM-P10"
        ],
        "NIST 800-53 R5": [
          "SA-11",
          "SA-11(5)",
          "SA-11(6)",
          "SA-11(7)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-11"
        ],
        "NIST CSF 2.0": [
          "ID.IM-01",
          "ID.IM-02",
          "ID.RA-01",
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Situational Awareness",
      "description": "Correlate logs from across the organization with a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness of events for potential cybersecurity & data privacy incidents.",
      "scf_control": "Centralized Collection of Security Event Logs",
      "scf_control_id": "MON-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.2",
          "CC7.2-POF1",
          "CC7.3"
        ],
        "NIST 800-53 R5": [
          "AU-2",
          "AU-6",
          "IR-4(4)",
          "SI-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AU-2"
        ],
        "NIST CSF 2.0": [
          "DE.AE-03",
          "DE.AE-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(7)"
        ]
      }
    },
    {
      "principle_name": "Situational Awareness",
      "description": "Correlate logs from across the organization with a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness of events for potential cybersecurity & data privacy incidents.",
      "scf_control": "Correlate Monitoring Information",
      "scf_control_id": "MON-02.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.2",
          "CC7.3"
        ],
        "NIST 800-53 R5": [
          "AU-6(3)",
          "AU-6(9)",
          "IR-4(4)",
          "SI-4(16)"
        ],
        "NIST CSF 2.0": [
          "DE.AE-03",
          "DE.AE-06"
        ]
      }
    },
    {
      "principle_name": "Incident Response",
      "description": "Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents.",
      "scf_control": "Incident Response Operations",
      "scf_control_id": "IRO-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2-POF5",
          "CC2.2-POF10",
          "CC2.2-POF3",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9"
        ],
        "GAPP": [
          "1.2.7"
        ],
        "NIST 800-53 R5": [
          "IR-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-1"
        ],
        "NIST CSF 2.0": [
          "DE.AE",
          "GV.SC-08",
          "RS",
          "RS.MI"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(17)",
          "7123(c)(17)(B)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(10)",
          "2447(b)(10)(A)"
        ]
      }
    },
    {
      "principle_name": "Incident Response",
      "description": "Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents.",
      "scf_control": "Incident Handling",
      "scf_control_id": "IRO-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2-POF5",
          "CC2.2-POF10",
          "CC2.2-POF3",
          "CC2.2-POF6",
          "CC2.3-POF8",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.3-POF3",
          "CC7.3-POF4",
          "CC7.3-POF5",
          "CC7.3-POF6",
          "CC7.3-POF7",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9"
        ],
        "GAPP": [
          "1.2.7"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "GV.MT-P5"
        ],
        "NIST 800-53 R5": [
          "IR-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-4"
        ],
        "NIST CSF 2.0": [
          "DE.AE",
          "DE.AE-02",
          "DE.AE-03",
          "DE.AE-04",
          "DE.AE-06",
          "DE.AE-08",
          "GV.SC-08",
          "RC.RP-06",
          "RS",
          "RS.AN",
          "RS.AN-06",
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-02",
          "RS.MA-04",
          "RS.MI",
          "RS.MI-01",
          "RS.MI-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(6)(ii)",
          "164.412",
          "164.412(a)",
          "164.412(b)",
          "164.530(f)"
        ],
        "US - CA CCPA 2025": [
          "7027(m)(2)",
          "7123(c)(17)(B)(i)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(10)",
          "2447(b)(10)(A)"
        ]
      }
    },
    {
      "principle_name": "Incident Response",
      "description": "Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents.",
      "scf_control": "Incident Response Plan (IRP)",
      "scf_control_id": "IRO-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF10",
          "CC2.3-POF8",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9"
        ],
        "GAPP": [
          "1.2.7"
        ],
        "NIST Privacy Framework 1.0": [
          "PR.PO-P7"
        ],
        "NIST 800-53 R5": [
          "IR-8"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-8"
        ],
        "NIST CSF 2.0": [
          "DE.AE-06",
          "ID.IM-04",
          "RS",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-02",
          "RS.MA-04",
          "RS.MI"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(17)(B)(i)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(10)",
          "2447(b)(10)(A)"
        ]
      }
    },
    {
      "principle_name": "Incident Response",
      "description": "Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents.",
      "scf_control": "Data Breach",
      "scf_control_id": "IRO-04.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.3",
          "CC7.3-POF4",
          "CC7.3-POF5",
          "P6.3",
          "P6.6",
          "P6.6-POF2",
          "P6.7"
        ],
        "GAPP": [
          "1.2.7",
          "7.2.4"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "GV.MT-P5"
        ],
        "NIST 800-53 R5": [
          "IR-8(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-8(1)"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.404(a)(1)",
          "164.404(a)(2)",
          "164.404(c)(1)(A)",
          "164.404(c)(1)(B)",
          "164.404(c)(1)(C)",
          "164.404(c)(1)(D)",
          "164.404(c)(1)(E)",
          "164.404(c)(2)",
          "164.404(d)(1)(i)",
          "164.404(d)(1)(ii)",
          "164.404(d)(2)",
          "164.404(d)(2)(i)",
          "164.404(d)(2)(ii)(A)",
          "164.404(d)(2)(ii)(B)",
          "164.404(d)(3)",
          "164.406(a)",
          "164.406(b)",
          "164.406(c)",
          "164.410(c)(1)"
        ],
        "US - IL PIPA": [
          "10(a)",
          "10(a)(1)(A)",
          "10(a)(1)(B)",
          "10(a)(1)(C)",
          "10(a)(2)",
          "10(b)",
          "10(c)(1)",
          "10(c)(2)",
          "10(c)(3)",
          "10(d)",
          "10(e)(1)",
          "10(e)(2)",
          "10(e)(2)(A)",
          "10(e)(2)(B)",
          "10(e)(2)(C)"
        ],
        "US - TX BC521": [
          "521.053"
        ],
        "EMEA EU GDPR": [
          "33.1"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "20.1",
          "20.2"
        ],
        "APAC India DPDPA 2023": [
          "8(6)"
        ]
      }
    },
    {
      "principle_name": "Incident Response",
      "description": "Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents.",
      "scf_control": "Incident Response Testing",
      "scf_control_id": "IRO-06",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "PR.PO-P8"
        ],
        "NIST 800-53 R5": [
          "IR-3",
          "SI-4(9)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-3"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(17)(B)(ii)"
        ]
      }
    },
    {
      "principle_name": "Incident Response",
      "description": "Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents.",
      "scf_control": "Incident Reporting Assistance",
      "scf_control_id": "IRO-11",
      "crosswalks": {
        "GAPP": [
          "1.2.7"
        ],
        "NIST 800-53 R5": [
          "IR-7"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-7"
        ]
      }
    },
    {
      "principle_name": "Coordinated Response",
      "description": "Respond to incidents in a coordinated and structured manner to ensure the appropriate steps are taken to identify and respond to potential incidents.",
      "scf_control": "Incident Handling",
      "scf_control_id": "IRO-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2-POF5",
          "CC2.2-POF10",
          "CC2.2-POF3",
          "CC2.2-POF6",
          "CC2.3-POF8",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.3-POF3",
          "CC7.3-POF4",
          "CC7.3-POF5",
          "CC7.3-POF6",
          "CC7.3-POF7",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9"
        ],
        "GAPP": [
          "1.2.7"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "GV.MT-P5"
        ],
        "NIST 800-53 R5": [
          "IR-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-4"
        ],
        "NIST CSF 2.0": [
          "DE.AE",
          "DE.AE-02",
          "DE.AE-03",
          "DE.AE-04",
          "DE.AE-06",
          "DE.AE-08",
          "GV.SC-08",
          "RC.RP-06",
          "RS",
          "RS.AN",
          "RS.AN-06",
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-02",
          "RS.MA-04",
          "RS.MI",
          "RS.MI-01",
          "RS.MI-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(6)(ii)",
          "164.412",
          "164.412(a)",
          "164.412(b)",
          "164.530(f)"
        ],
        "US - CA CCPA 2025": [
          "7027(m)(2)",
          "7123(c)(17)(B)(i)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(10)",
          "2447(b)(10)(A)"
        ]
      }
    },
    {
      "principle_name": "Coordinated Response",
      "description": "Respond to incidents in a coordinated and structured manner to ensure the appropriate steps are taken to identify and respond to potential incidents.",
      "scf_control": "Integrated Security Incident Response Team (ISIRT)",
      "scf_control_id": "IRO-07",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF6",
          "CC7.4",
          "CC7.4-POF1"
        ],
        "NIST 800-53 R5": [
          "IR-4(11)"
        ],
        "NIST CSF 2.0": [
          "DE.AE-06",
          "RS",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-04"
        ],
        "US - TX BC521": [
          "521.053"
        ]
      }
    },
    {
      "principle_name": "Breach Notification",
      "description": "Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification.",
      "scf_control": "Incident Stakeholder Reporting",
      "scf_control_id": "IRO-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF6",
          "CC2.3",
          "CC2.3-POF1",
          "CC2.3-POF8",
          "CC7.3-POF2",
          "CC7.4",
          "CC7.4-POF13",
          "CC7.4-POF6",
          "CC7.4-POF9",
          "CC7.5-POF2",
          "P6.3",
          "P6.7"
        ],
        "GAPP": [
          "1.2.7"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST 800-53 R5": [
          "IR-6"
        ],
        "NIST 800-53B R5 (privacy)": [
          "IR-6"
        ],
        "NIST CSF 2.0": [
          "DE.AE-06",
          "RS",
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03",
          "RS.MA-01"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.404(b)",
          "164.408(a)",
          "164.408(b)",
          "164.408(c)"
        ],
        "US - TX BC521": [
          "521.053"
        ],
        "EMEA EU GDPR": [
          "34.1",
          "34.2"
        ],
        "APAC India DPDPA 2023": [
          "8(6)"
        ]
      }
    },
    {
      "principle_name": "Breach Notification",
      "description": "Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification.",
      "scf_control": "Coordination With External Providers",
      "scf_control_id": "IRO-11.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF6",
          "CC2.3-POF12",
          "CC2.3-POF2",
          "CC7.4"
        ],
        "NIST 800-53 R5": [
          "IR-7(2)"
        ],
        "US - TX BC521": [
          "521.053"
        ]
      }
    },
    {
      "principle_name": "Risk Management",
      "description": "Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Risk Management Program",
      "scf_control_id": "RSK-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2-POF1",
          "CC3.1",
          "CC3.2-POF1",
          "CC3.2-POF3",
          "CC3.2-POF5",
          "CC3.4-POF1",
          "CC3.4-POF2",
          "CC3.4-POF3",
          "CC3.4-POF4",
          "CC3.4-POF5",
          "CC4.1",
          "CC5.1",
          "CC9.1"
        ],
        "ISO 27701  2025": [
          "6.1.2"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P1",
          "GV.PO-P6",
          "GV.RM-P1"
        ],
        "NIST 800-53 R5": [
          "PM-9",
          "PM-29",
          "RA-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "RA-1"
        ],
        "NIST CSF 2.0": [
          "GV",
          "GV.OV-02",
          "GV.OV-03",
          "GV.RM",
          "GV.RM-01",
          "GV.RM-03",
          "GV.RM-04",
          "GV.RM-06",
          "GV.RR-01",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-05",
          "GV.SC-09",
          "ID",
          "ID.IM",
          "ID.RA",
          "PR",
          "PR.IR"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(a)(3)",
          "164.306(b)(2)(iv)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)"
        ],
        "EMEA EU GDPR": [
          "32.2"
        ]
      }
    },
    {
      "principle_name": "Risk Management",
      "description": "Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Compensating Countermeasures",
      "scf_control_id": "RSK-06.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC9.1-POF1",
          "CC9.1-POF2"
        ],
        "ISO 27701  2025": [
          "6.1.3"
        ],
        "NIST CSF 2.0": [
          "GV.RM-04",
          "ID.RA-06"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(d)(3)(ii)(B)(2)"
        ],
        "US - CA CCPA 2025": [
          "7002(d)(3)"
        ]
      }
    },
    {
      "principle_name": "Risk Management",
      "description": "Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve necessary levels of trustworthiness, protection and resilience.",
      "scf_control": "Risk Monitoring",
      "scf_control_id": "RSK-11",
      "crosswalks": {
        "NIST 800-53 R5": [
          "CA-7(4)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-7(4)"
        ]
      }
    },
    {
      "principle_name": "Evaluate Risks",
      "description": "Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of personal data wherever it is stored, transmitted and/or processed.",
      "scf_control": "Risk Assessment",
      "scf_control_id": "RSK-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "A1.2",
          "CC3.1-POF16",
          "CC3.2-POF1",
          "CC3.2-POF2",
          "CC3.2-POF3",
          "CC3.2-POF6",
          "CC3.2-POF8",
          "CC3.2-POF9",
          "CC3.4-POF1",
          "CC3.4-POF2",
          "CC3.4-POF3",
          "CC3.4-POF4",
          "CC3.4-POF5",
          "CC7.3"
        ],
        "GAPP": [
          "1.2.4"
        ],
        "ISO 27701  2025": [
          "6.1.2(e)"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P1",
          "ID.DE-P5",
          "GV.MT-P1"
        ],
        "NIST 800-53 R5": [
          "RA-3"
        ],
        "NIST 800-53B R5 (privacy)": [
          "RA-3"
        ],
        "NIST CSF 2.0": [
          "GV.RM-06",
          "ID",
          "ID.RA-01",
          "ID.RA-05"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(2)(iv)",
          "164.308(a)(1)(ii)(A)"
        ],
        "US - CA CCPA 2025": [
          "7152(a)",
          "7155(a)"
        ]
      }
    },
    {
      "principle_name": "Evaluate Risks",
      "description": "Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of personal data wherever it is stored, transmitted and/or processed.",
      "scf_control": "Instances Requiring A Risk Assessment",
      "scf_control_id": "RSK-04.3",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7150(a)",
          "7150(b)",
          "7150(b)(1)",
          "7150(b)(2)",
          "7150(b)(2)(A)",
          "7150(b)(3)",
          "7150(b)(4)",
          "7150(b)(5)",
          "7150(b)(6)",
          "7155(a)(1)",
          "7155(a)(2)",
          "7155(a)(3)",
          "7155(b)"
        ]
      }
    },
    {
      "principle_name": "Evaluate Risks",
      "description": "Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of personal data wherever it is stored, transmitted and/or processed.",
      "scf_control": "Risk Assessment Stakeholder Involvement",
      "scf_control_id": "RSK-04.4",
      "crosswalks": {
        "US - CA CCPA 2025": [
          "7151(a)",
          "7151(b)"
        ]
      }
    },
    {
      "principle_name": "Assess Supply Chain Risk",
      "description": "Assess supply chain risks associated with Technology Assets, Applications and/or Services (TAAS) for data privacy implications.",
      "scf_control": "Business Impact Analysis (BIA)",
      "scf_control_id": "RSK-08",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.2",
          "CC5.2",
          "CC9.1-POF1",
          "CC9.1-POF2"
        ]
      }
    },
    {
      "principle_name": "Assess Supply Chain Risk",
      "description": "Assess supply chain risks associated with Technology Assets, Applications and/or Services (TAAS) for data privacy implications.",
      "scf_control": "Supply Chain Risk Management (SCRM) Plan",
      "scf_control_id": "RSK-09",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.1",
          "CC3.2",
          "CC3.2-POF7",
          "CC3.2-POF8",
          "CC4.1",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF10",
          "CC9.2-POF11",
          "CC9.2-POF12",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P2",
          "ID.DE-P3"
        ],
        "NIST 800-53 R5": [
          "PM-29",
          "PM-30",
          "SA-9(3)",
          "SR-2",
          "SR-7"
        ],
        "NIST CSF 2.0": [
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-05",
          "GV.SC-09",
          "GV.SC-10",
          "ID",
          "ID.IM",
          "ID.RA",
          "PR"
        ]
      }
    },
    {
      "principle_name": "Assess Supply Chain Risk",
      "description": "Assess supply chain risks associated with Technology Assets, Applications and/or Services (TAAS) for data privacy implications.",
      "scf_control": "Supply Chain Risk Assessment",
      "scf_control_id": "RSK-09.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.2-POF7",
          "CC3.2-POF9",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF11",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF7"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P5",
          "GV.MT-P1"
        ],
        "NIST 800-53 R5": [
          "RA-3(1)"
        ],
        "NIST CSF 2.0": [
          "GV.SC",
          "GV.SC-09"
        ]
      }
    },
    {
      "principle_name": "Risk Awareness",
      "description": "Maintain a current and accurate register of risk (e.g., Plan of Action & Milestones (POA&M), risk register, etc.).",
      "scf_control": "Plan of Action & Milestones (POA&M)",
      "scf_control_id": "IAO-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2",
          "CC4.2-POF3"
        ],
        "NIST 800-53 R5": [
          "CA-5",
          "PM-4",
          "SA-15(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-5"
        ],
        "NIST CSF 2.0": [
          "ID.IM-01",
          "ID.IM-02",
          "ID.RA-01"
        ]
      }
    },
    {
      "principle_name": "Risk Awareness",
      "description": "Maintain a current and accurate register of risk (e.g., Plan of Action & Milestones (POA&M), risk register, etc.).",
      "scf_control": "Risk Register",
      "scf_control_id": "RSK-04.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2-POF3"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P1"
        ],
        "NIST CSF 2.0": [
          "GV.RM-06",
          "ID",
          "ID.RA-01"
        ]
      }
    },
    {
      "principle_name": "Risk Awareness",
      "description": "Maintain a current and accurate register of risk (e.g., Plan of Action & Milestones (POA&M), risk register, etc.).",
      "scf_control": "Risk Monitoring",
      "scf_control_id": "RSK-11",
      "crosswalks": {
        "NIST 800-53 R5": [
          "CA-7(4)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-7(4)"
        ]
      }
    },
    {
      "principle_name": "Risk Response",
      "description": "Responses to identified risks are appropriately identified, categorized and prioritized.",
      "scf_control": "Risk Response",
      "scf_control_id": "RSK-06.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.2-POF5"
        ],
        "ISO 27701  2025": [
          "6.1.3"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P1",
          "ID.RA-P5"
        ],
        "NIST 800-53 R5": [
          "RA-7"
        ],
        "NIST 800-53B R5 (privacy)": [
          "RA-7"
        ],
        "NIST CSF 2.0": [
          "GV.RM-04",
          "ID.RA-05",
          "ID.RA-06"
        ]
      }
    },
    {
      "principle_name": "Data Protection Impact Assessment (DPIA)",
      "description": "Utilize Data Protection Impact Assessments (DPIAs) to effectively identify and reduce data privacy risks to an acceptable level.",
      "scf_control": "Data Protection Impact Assessment (DPIA)",
      "scf_control_id": "RSK-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.2",
          "CC5.2",
          "PI1.1"
        ],
        "GAPP": [
          "1.2.4",
          "4.2.3"
        ],
        "ISO 27701  2025": [
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(a)(1)",
          "6.1.2(a)(2)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(c)(1)",
          "6.1.2(c)(2)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "8.2"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P7",
          "ID.RA-P1",
          "ID.RA-P2",
          "ID.RA-P3",
          "ID.RA-P4",
          "ID.RA-P5",
          "ID.DE-P2",
          "ID.DE-P3",
          "GV.PO-P6",
          "GV.MT-P1",
          "GV.MT-P4",
          "GV.MT-P5"
        ],
        "NIST 800-53 R5": [
          "RA-8"
        ],
        "NIST 800-53B R5 (privacy)": [
          "RA-8"
        ],
        "US - CA CCPA 2025": [
          "7152(a)",
          "7152(a)(1)",
          "7152(a)(2)",
          "7152(a)(3)",
          "7152(a)(3)(A)",
          "7152(a)(3)(B)",
          "7152(a)(3)(C)",
          "7152(a)(3)(D)",
          "7152(a)(3)(E)",
          "7152(a)(3)(F)",
          "7152(a)(3)(G)",
          "7152(a)(3)(G)(i)",
          "7152(a)(3)(G)(ii)",
          "7152(a)(4)",
          "7152(a)(5)",
          "7152(a)(5)(A)",
          "7152(a)(5)(B)",
          "7152(a)(5)(C)",
          "7152(a)(5)(D)",
          "7152(a)(5)(E)",
          "7152(a)(5)(F)",
          "7152(a)(5)(G)",
          "7152(a)(5)(H)",
          "7152(a)(6)",
          "7152(a)(6)(A)",
          "7152(a)(6)(A)(i)",
          "7152(a)(6)(A)(ii)",
          "7152(a)(6)(A)(iii)",
          "7152(a)(6)(A)(iv)",
          "7152(a)(7)",
          "7152(a)(8)",
          "7152(a)(9)",
          "7154(a)",
          "7155(a)",
          "7156(a)",
          "7156(b)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(2)(c)",
          "6-1-1305(4)",
          "6-1-1309(1)",
          "6-1-1309(2)",
          "6-1-1309(2)(a)",
          "6-1-1309(2)(a)(I)",
          "6-1-1309(2)(a)(II)",
          "6-1-1309(2)(a)(III)",
          "6-1-1309(2)(a)(IV)",
          "6-1-1309(2)(b)",
          "6-1-1309(2)(c)",
          "6-1-1309(3)",
          "6-1-1309(4)",
          "6-1-1309(5)",
          "6-1-1309(6)"
        ],
        "US - OR CPA": [
          "6(1)(c)",
          "8(1)(a)",
          "8(1)(c)",
          "8(2)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3206(a)",
          "47-18-3206(a)(1)",
          "47-18-3206(a)(2)",
          "47-18-3206(a)(3)",
          "47-18-3206(a)(3)(A)",
          "47-18-3206(a)(3)(B)",
          "47-18-3206(a)(3)(C)",
          "47-18-3206(a)(3)(D)",
          "47-18-3206(a)(4)",
          "47-18-3206(a)(5)",
          "47-18-3206(b)",
          "47-18-3206(c)",
          "47-18-3206(d)",
          "47-18-3206(e)",
          "47-18-3206(f)"
        ],
        "US - VA CDPA 2025": [
          "59.1-580.A",
          "59.1-580.A.1",
          "59.1-580.A.2",
          "59.1-580.A.3",
          "59.1-580.A.4",
          "59.1-580.A.5",
          "59.1-580.B",
          "59.1-580.C",
          "59.1-580.D",
          "59.1-580.E",
          "59.1-580.F",
          "59.1-580.G"
        ],
        "EMEA EU GDPR": [
          "35.1",
          "35.11",
          "35.3(a)",
          "35.3(b)",
          "35.3(c)",
          "35.7(a)",
          "35.7(b)",
          "35.7(c)",
          "35.7(d)",
          "35.8",
          "35.9",
          "36.1"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "22"
        ],
        "APAC India DPDPA 2023": [
          "10(2)(c)(i)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Management",
      "description": "Provide data privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.",
      "scf_control": "Third-Party Management",
      "scf_control_id": "TPM-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF5",
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC2.3-POF10",
          "CC2.3-POF12",
          "CC2.3-POF9",
          "CC3.3",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF10",
          "CC9.2-POF11",
          "CC9.2-POF12",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF5",
          "CC9.2-POF6",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9"
        ],
        "ISO 27701  2025": [
          "6.1.3(h)"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P4"
        ],
        "NIST 800-53 R5": [
          "SA-4",
          "SR-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-4"
        ],
        "NIST CSF 2.0": [
          "GV.SC-04",
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08",
          "GV.SC-10",
          "ID.AM"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)",
          "164.312(d)"
        ],
        "US - CA CCPA 2025": [
          "7024(l)",
          "7052(a)",
          "7123(c)(15)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(6)",
          "6-1-1305(7)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Management",
      "description": "Provide data privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.",
      "scf_control": "Third-Party Services",
      "scf_control_id": "TPM-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.3"
        ],
        "NIST 800-53 R5": [
          "SA-9"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-9"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06",
          "GV.SC-07"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Management",
      "description": "Provide data privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.",
      "scf_control": "Review of Third-Party Services",
      "scf_control_id": "TPM-08",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC3.4",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2-POF12",
          "CC9.2-POF13",
          "CC9.2-POF6",
          "CC9.2-POF7",
          "CC9.2-POF8"
        ],
        "NIST 800-53 R5": [
          "SR-6",
          "SR-6(1)"
        ],
        "NIST CSF 2.0": [
          "GV.SC-07",
          "ID.IM-01",
          "ID.IM-02"
        ],
        "US - CA CCPA 2025": [
          "7051(c)",
          "7053(b)",
          "7123(c)(15)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "8"
        ]
      }
    },
    {
      "principle_name": "Third-Party Management",
      "description": "Provide data privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.",
      "scf_control": "Third-Party Deficiency Remediation",
      "scf_control_id": "TPM-09",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2",
          "CC9.1",
          "CC9.2-POF8",
          "P6.4-POF2",
          "P6.5-POF1",
          "P6.5-POF2",
          "P6.6-POF1"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08"
        ],
        "US - CA CCPA 2025": [
          "7053(a)(5)",
          "7123(c)(15)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Management",
      "description": "Provide data privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.",
      "scf_control": "Managing Changes To Third-Party Services",
      "scf_control_id": "TPM-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.4",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2-POF8"
        ],
        "NIST 800-53 R5": [
          "SA-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-4"
        ],
        "NIST CSF 2.0": [
          "GV.SC-08"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Supply Chain Protections",
      "description": "Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, process and/or transmit it in a secure manner.",
      "scf_control": "Supply Chain Risk Management (SCRM)",
      "scf_control_id": "TPM-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF5",
          "CC3.2-POF7",
          "CC9.1",
          "CC9.2-POF1",
          "CC9.2-POF10",
          "CC9.2-POF12",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9"
        ],
        "NIST 800-53 R5": [
          "SA-9(3)",
          "SR-2",
          "SR-2(1)"
        ],
        "NIST CSF 2.0": [
          "GV.SC",
          "GV.SC-06",
          "GV.SC-07"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ]
      }
    },
    {
      "principle_name": "Supply Chain Protections",
      "description": "Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, process and/or transmit it in a secure manner.",
      "scf_control": "Third-Party Services",
      "scf_control_id": "TPM-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.3"
        ],
        "NIST 800-53 R5": [
          "SA-9"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-9"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06",
          "GV.SC-07"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Secure Disclosure To Third-Parties",
      "description": "Govern third-party use of personal data to ensure data privacy requirements are enforced when a third-party stores, processes or transmits personal data on behalf of the organization.",
      "scf_control": "Information Sharing With Third Parties",
      "scf_control_id": "PRI-07",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P6.1",
          "P6.1-POF1"
        ],
        "GAPP": [
          "7.2.1",
          "7.2.2",
          "7.2.3"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "CT.PO-P2"
        ],
        "NIST 800-53 R5": [
          "AC-21"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.506(c)(1)",
          "164.506(c)(2)",
          "164.506(c)(3)",
          "164.506(c)(4)",
          "164.508(a)(1)",
          "164.508(a)(4)(i)"
        ],
        "US - AK PIPA": [
          "45.48.420 45.48.430"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(7)",
          "6-1-1305(8)(a)",
          "6-1-1305(8)(b)",
          "6-1-1307(2)",
          "6-1-1307(3)"
        ],
        "US - OR CPA": [
          "6(1)(a)",
          "6(1)(c)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "8"
        ],
        "APAC Australian Privacy Principles": [
          "APP 7",
          "APP 8"
        ],
        "APAC India DPDPA 2023": [
          "8(2)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 20",
          "Sec 23"
        ]
      }
    },
    {
      "principle_name": "Contractual Obligations for Third-Parties",
      "description": "Require terms and conditions in contracts and other agreements to cover the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data.",
      "scf_control": "Data Privacy Requirements for Contractors & Service Providers",
      "scf_control_id": "PRI-07.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P6.1-POF1",
          "P6.4",
          "P6.4-POF3"
        ],
        "GAPP": [
          "4.2.3",
          "7.2.4"
        ],
        "ISO 29100 2024": [
          "6.10"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P3"
        ],
        "NIST CSF 2.0": [
          "GV.SC-05"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.504(e)(2)(i)",
          "164.504(e)(2)(ii)(A)",
          "164.504(e)(2)(ii)(B)",
          "164.504(e)(2)(ii)(C)",
          "164.504(e)(4)(i)",
          "164.504(e)(4)(i)(A)",
          "164.504(e)(4)(i)(B)",
          "164.504(e)(4)(i)(B)(ii)",
          "164.504(e)(4)(i)(B)(ii)(A)"
        ],
        "US - CA CCPA 2025": [
          "7012(g)(2)",
          "7022(c)",
          "7022(c)(1)",
          "7022(c)(2)",
          "7022(c)(3)",
          "7022(c)(4)",
          "7022(d)",
          "7023(c)",
          "7024(i)",
          "7050(a)",
          "7050(a)(1)",
          "7050(a)(2)",
          "7050(a)(3)",
          "7050(a)(4)",
          "7050(b)",
          "7050(c)",
          "7050(d)",
          "7050(e)",
          "7050(f)",
          "7050(g)",
          "7050(h)",
          "7050(h)(1)",
          "7050(h)(2)",
          "7051(a)",
          "7051(a)(1)",
          "7051(a)(2)",
          "7051(a)(3)",
          "7051(a)(4)",
          "7051(a)(5)",
          "7051(a)(6)",
          "7051(a)(7)",
          "7051(a)(8)",
          "7051(a)(9)",
          "7053(a)(1)",
          "7053(a)(2)",
          "7053(a)(3)",
          "7053(a)(4)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(3)(b)",
          "6-1-1305(5)",
          "6-1-1305(5)(a)",
          "6-1-1305(5)(b)",
          "6-1-1305(5)(c)",
          "6-1-1305(5)(d)",
          "6-1-1305(5)(d)(I)",
          "6-1-1305(5)(d)(I)(A)",
          "6-1-1305(5)(d)(I)(B)",
          "6-1-1305(6)",
          "6-1-1305(7)",
          "6-1-1307(2)",
          "6-1-1307(3)"
        ],
        "US - IL PIPA": [
          "45(a)",
          "45(b)",
          "45(c)",
          "45(d)",
          "50"
        ],
        "US - OR CPA": [
          "6(1)",
          "6(1)(a)",
          "6(2)",
          "7(1)(a)(C)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3205(a)",
          "47-18-3205(a)(1)",
          "47-18-3205(a)(2)",
          "47-18-3205(b)",
          "47-18-3205(b)(1)",
          "47-18-3205(b)(2)",
          "47-18-3205(b)(3)",
          "47-18-3205(b)(4)",
          "47-18-3205(b)(5)",
          "47-18-3205(c)",
          "47-18-3205(d)"
        ],
        "US - VA CDPA 2025": [
          "59.1-578.B",
          "59.1-579.A",
          "59.1-579.A.1",
          "59.1-579.A.2",
          "59.1-579.A.3",
          "59.1-579.B",
          "59.1-579.B.3",
          "59.1-579.B.4",
          "59.1-579.B.5",
          "59.1-581.A.3",
          "59.1-581.E"
        ],
        "EMEA EU GDPR": [
          "28.1",
          "28.10",
          "28.2",
          "28.3",
          "28.3(a)",
          "28.3(b)",
          "28.3(c)",
          "28.3(d)",
          "28.3(e)",
          "28.3(f)",
          "28.3(g)",
          "28.3(h)",
          "28.4",
          "28.5",
          "28.6",
          "28.7",
          "28.8",
          "28.9",
          "29",
          "46.3(a)"
        ],
        "APAC Australian Privacy Principles": [
          "APP 7"
        ],
        "APAC India DPDPA 2023": [
          "8(2)",
          "8(7)(b)"
        ],
        "APAC New Zealand Privacy Act of 2020": [
          "Principle 5",
          "P5-(a)",
          "P5-(a)(i)",
          "P5-(a)(ii)",
          "P5-(a)(iii)",
          "P5-(b)"
        ],
        "Americas Canada PIPEDA": [
          "Sec 20",
          "Sec 23"
        ]
      }
    },
    {
      "principle_name": "Contractual Obligations for Third-Parties",
      "description": "Require terms and conditions in contracts and other agreements to cover the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data.",
      "scf_control": "Third-Party Contract Requirements",
      "scf_control_id": "TPM-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF5",
          "CC2.3-POF10",
          "CC2.3-POF11",
          "CC2.3-POF12",
          "CC2.3-POF2",
          "CC2.3-POF6",
          "CC2.3-POF7",
          "CC9.1",
          "CC9.2-POF1",
          "CC9.2-POF10",
          "CC9.2-POF5",
          "CC9.2-POF6",
          "CC9.2-POF9",
          "P6.4-POF3"
        ],
        "ISO 27701  2025": [
          "6.1.3(h)"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P3",
          "GV.PO-P4",
          "GV.AT-P4"
        ],
        "NIST 800-53 R5": [
          "SR-3(3)"
        ],
        "NIST CSF 2.0": [
          "GV.OC-02",
          "GV.OC-03",
          "GV.SC-02",
          "GV.SC-05",
          "GV.SC-06"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.3.a",
          "II.3.b",
          "II.7.d",
          "III.10.a.i",
          "III.10.a.ii.1",
          "III.10.a.ii.2",
          "III.10.a.ii.3",
          "III.10.a.iii"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)",
          "164.308(b)(2)",
          "164.308(b)(3)",
          "164.314(a)(2)(iii)",
          "164.314(b)(1)",
          "164.314(b)(2)(i)",
          "164.314(b)(2)(ii)",
          "164.314(b)(2)(iii)",
          "164.502(a)(4)(i)",
          "164.502(a)(4)(ii)",
          "164.502(e)(1)(i)",
          "164.502(e)(2)",
          "164.504(e)(2)(i)",
          "164.504(e)(2)(i)(A)",
          "164.504(e)(2)(i)(B)",
          "164.504(e)(2)(ii)(J)",
          "164.504(e)(4)(i)(B)(ii)(B)(1)",
          "164.504(e)(4)(i)(B)(ii)(B)(2)",
          "164.504(f)(1)(i)",
          "164.504(f)(2)(i)",
          "164.504(f)(2)(ii)",
          "164.504(f)(2)(ii)(A)",
          "164.504(f)(2)(ii)(B)",
          "164.504(f)(2)(ii)(C)",
          "164.504(f)(2)(ii)(D)",
          "164.504(f)(2)(ii)(E)",
          "164.504(f)(2)(ii)(F)",
          "164.504(f)(2)(ii)(G)",
          "164.504(f)(2)(ii)(H)",
          "164.504(f)(2)(ii)(I)",
          "164.504(f)(2)(ii)(J)",
          "164.504(f)(2)(iii)(A)",
          "164.504(f)(2)(iii)(B)",
          "164.504(f)(2)(iii)(C)",
          "164.504(f)(3)(i)",
          "164.504(f)(3)(ii)",
          "164.504(f)(3)(iii)",
          "164.504(f)(3)(iv)"
        ],
        "US - CA CCPA 2025": [
          "7012(g)(2)",
          "7051(a)",
          "7052(b)",
          "7053(a)",
          "7053(a)(6)",
          "7123(c)(15)",
          "7123(c)(3)(A)(ii)",
          "7123(c)(3)(A)(iii)",
          "7153(a)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(3)(b)",
          "6-1-1305(5)",
          "6-1-1305(5)(a)",
          "6-1-1305(5)(b)",
          "6-1-1305(5)(c)",
          "6-1-1305(5)(d)",
          "6-1-1305(5)(d)(I)",
          "6-1-1305(5)(d)(I)(A)",
          "6-1-1305(5)(d)(I)(B)",
          "6-1-1305(6)"
        ],
        "US - IL PIPA": [
          "45(a)",
          "45(b)",
          "45(c)",
          "45(d)",
          "50"
        ],
        "US - OR CPA": [
          "6(2)(a)",
          "6(2)(b)",
          "6(2)(c)",
          "6(2)(d)",
          "6(2)(e)",
          "6(2)(f)",
          "6(2)(g)",
          "6(2)(h)"
        ],
        "US - VA CDPA 2025": [
          "59.1-579.B.5"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "8"
        ],
        "APAC India DPDPA 2023": [
          "8(7)(b)"
        ]
      }
    },
    {
      "principle_name": "Contractual Obligations for Third-Parties",
      "description": "Require terms and conditions in contracts and other agreements to cover the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of personal data.",
      "scf_control": "Contract Flow-Down Requirements",
      "scf_control_id": "TPM-05.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.3-POF12",
          "CC9.2-POF1",
          "CC9.2-POF10",
          "CC9.2-POF9",
          "P6.4-POF3"
        ],
        "ISO 27701  2025": [
          "6.1.3(h)"
        ],
        "NIST 800-53 R5": [
          "SR-3(3)"
        ],
        "NIST CSF 2.0": [
          "GV.OC-03",
          "GV.SC-02",
          "GV.SC-05",
          "GV.SC-06",
          "GV.SC-10"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.7.d",
          "III.10.a.ii.1",
          "III.10.a.ii.2",
          "III.10.a.ii.3",
          "III.10.a.iii"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)",
          "164.308(b)(2)",
          "164.314(a)(2)(i)(B)",
          "164.314(a)(2)(iii)",
          "164.502(e)(1)(ii)",
          "164.504(e)(2)(ii)(D)"
        ],
        "US - CA CCPA 2025": [
          "7051(b)",
          "7052(b)",
          "7053(a)",
          "7123(c)(15)"
        ],
        "US - VA CDPA 2025": [
          "59.1-579.B.5"
        ],
        "APAC India DPDPA 2023": [
          "8(7)(b)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Testing, Training & Monitoring",
      "scf_control_id": "PRI-08",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P8.0",
          "P8.1-POF6"
        ],
        "GAPP": [
          "1.2.6",
          "10.2.3",
          "10.2.4",
          "10.2.5"
        ],
        "NIST 800-53 R5": [
          "PM-14"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-14"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Third-Party Services",
      "scf_control_id": "TPM-04",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.3"
        ],
        "NIST 800-53 R5": [
          "SA-9"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-9"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06",
          "GV.SC-07"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix",
      "scf_control_id": "TPM-05.4",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF5",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC2.2-POF5",
          "CC2.2-POF9",
          "CC2.3-POF11",
          "CC2.3-POF6",
          "CC2.3-POF9",
          "CC9.2-POF12",
          "CC9.2-POF4"
        ],
        "NIST 800-53 R5": [
          "SA-9(3)"
        ],
        "NIST CSF 2.0": [
          "GV.OC",
          "GV.OC-02",
          "GV.RM-05",
          "GV.RR",
          "GV.RR-02",
          "GV.SC-02",
          "GV.SC-06",
          "ID.AM"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)"
        ],
        "US - CA CCPA 2025": [
          "7052(a)",
          "7123(c)(15)",
          "7123(c)(3)(A)(ii)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Third-Party Scope Review",
      "scf_control_id": "TPM-05.5",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF9",
          "CC3.4-POF5",
          "CC9.2-POF12",
          "CC9.2-POF7"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Review of Third-Party Services",
      "scf_control_id": "TPM-08",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC3.4",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2-POF12",
          "CC9.2-POF13",
          "CC9.2-POF6",
          "CC9.2-POF7",
          "CC9.2-POF8"
        ],
        "NIST 800-53 R5": [
          "SR-6",
          "SR-6(1)"
        ],
        "NIST CSF 2.0": [
          "GV.SC-07",
          "ID.IM-01",
          "ID.IM-02"
        ],
        "US - CA CCPA 2025": [
          "7051(c)",
          "7053(b)",
          "7123(c)(15)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "8"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Third-Party Deficiency Remediation",
      "scf_control_id": "TPM-09",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC4.2",
          "CC9.1",
          "CC9.2-POF8",
          "P6.4-POF2",
          "P6.5-POF1",
          "P6.5-POF2",
          "P6.6-POF1"
        ],
        "NIST CSF 2.0": [
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08"
        ],
        "US - CA CCPA 2025": [
          "7053(a)(5)",
          "7123(c)(15)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ]
      }
    },
    {
      "principle_name": "Third-Party Compliance",
      "description": "Validate that data privacy controls for Technology Assets, Applications and/or Services (TAAS) used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.",
      "scf_control": "Managing Changes To Third-Party Services",
      "scf_control_id": "TPM-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.4",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2-POF8"
        ],
        "NIST 800-53 R5": [
          "SA-4"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-4"
        ],
        "NIST CSF 2.0": [
          "GV.SC-08"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Business Environment",
      "description": "The organization's mission, objectives, stakeholders and activities are understood and prioritized to provide resourcing and guidance for data privacy roles, responsibilities and risk management decisions.",
      "scf_control": "Cybersecurity & Data Protection Resource Management",
      "scf_control_id": "PRM-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.4"
        ],
        "ISO 27701  2025": [
          "7.1"
        ],
        "NIST 800-53 R5": [
          "PM-3"
        ],
        "NIST CSF 2.0": [
          "GV.RR-03"
        ]
      }
    },
    {
      "principle_name": "Business Environment",
      "description": "The organization's mission, objectives, stakeholders and activities are understood and prioritized to provide resourcing and guidance for data privacy roles, responsibilities and risk management decisions.",
      "scf_control": "Third-Party Management",
      "scf_control_id": "TPM-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF5",
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC2.3-POF10",
          "CC2.3-POF12",
          "CC2.3-POF9",
          "CC3.3",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF10",
          "CC9.2-POF11",
          "CC9.2-POF12",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF5",
          "CC9.2-POF6",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9"
        ],
        "ISO 27701  2025": [
          "6.1.3(h)"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P4"
        ],
        "NIST 800-53 R5": [
          "SA-4",
          "SR-1"
        ],
        "NIST 800-53B R5 (privacy)": [
          "SA-4"
        ],
        "NIST CSF 2.0": [
          "GV.SC-04",
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08",
          "GV.SC-10",
          "ID.AM"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(b)(1)",
          "164.312(d)"
        ],
        "US - CA CCPA 2025": [
          "7024(l)",
          "7052(a)",
          "7123(c)(15)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(6)",
          "6-1-1305(7)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(6)",
          "2447(b)(6)(A)",
          "2447(b)(6)(B)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Protections Context",
      "description": "Identify and document the organization's role as a controller and/or processor of sensitive/regulated data, including instances involving more than one party.",
      "scf_control": "Defining Business Context & Mission",
      "scf_control_id": "GOV-08",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.2-POF1",
          "CC2.2-POF10",
          "CC3.1-POF1",
          "CC3.1-POF15",
          "CC3.1-POF3",
          "CC5.1-POF2"
        ],
        "ISO 27701  2025": [
          "4.1",
          "6.1.1"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.IM-P5",
          "ID.BE-P1",
          "ID.BE-P2",
          "GV.RM-P3"
        ],
        "NIST CSF 2.0": [
          "GV.OC",
          "GV.OC-01",
          "GV.OC-04",
          "GV.OV-01",
          "GV.SC-03"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(b)(2)(i)"
        ]
      }
    },
    {
      "principle_name": "Data Privacy Protections Context",
      "description": "Identify and document the organization's role as a controller and/or processor of sensitive/regulated data, including instances involving more than one party.",
      "scf_control": "Joint Processing of Personal Data (PD)",
      "scf_control_id": "PRI-07.2",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "ID.BE-P1"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(7)"
        ],
        "US - OR CPA": [
          "6(1)(a)"
        ],
        "US - TN Tennessee Information Protection Act": [
          "47-18-3205(d)"
        ]
      }
    },
    {
      "principle_name": "Policies, Standards & Procedures",
      "description": "Ensure appropriate policies, standards and procedures exist to operationalize the data privacy program.",
      "scf_control": "Publishing Cybersecurity & Data Protection Documentation",
      "scf_control_id": "GOV-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.2-POF1",
          "CC1.4-POF1",
          "CC2.2-POF1",
          "CC2.2-POF7",
          "CC5.3",
          "CC5.3-POF1",
          "CC7.2-POF1",
          "P1.1-POF5"
        ],
        "GAPP": [
          "8.2.1"
        ],
        "ISO 27701  2025": [
          "5.1",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "6.1.3(c)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1",
          "GV.PO-P6",
          "GV.MT-P3",
          "GV.MT-P4",
          "GV.MT-P5",
          "GV.MT-P6",
          "GV.MT-P7",
          "CT.PO-P1",
          "CT.PO-P2",
          "CT.PO-P3",
          "CM.PO-P1",
          "PR.PO-P4"
        ],
        "NIST 800-53 R5": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PM-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "NIST CSF 2.0": [
          "GV.PO",
          "GV.PO-01",
          "GV.SC-01",
          "GV.SC-03",
          "ID.RA"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(A)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)",
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)",
          "164.310(b)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)",
          "164.312(a)(1)",
          "164.312(c)(1)",
          "164.316(a)",
          "164.316(b)(1)(i)"
        ],
        "US - AK PIPA": [
          "45.48.530"
        ],
        "US - CA CCPA 2025": [
          "7123(b)(1)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(3)"
        ],
        "EMEA EU GDPR": [
          "24.2"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1"
        ]
      }
    },
    {
      "principle_name": "Policies, Standards & Procedures",
      "description": "Ensure appropriate policies, standards and procedures exist to operationalize the data privacy program.",
      "scf_control": "Dissemination of Data Privacy Program Information",
      "scf_control_id": "PRI-01.3",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "P1.1",
          "P1.1-POF6"
        ],
        "GAPP": [
          "2.1.1",
          "2.2.1",
          "2.2.2",
          "2.2.3",
          "3.1.0",
          "3.1.1",
          "3.1.2",
          "4.1.0",
          "4.1.1",
          "4.2.4",
          "5.1.0",
          "5.1.1",
          "6.1.0",
          "7.1.0",
          "7.1.1",
          "8.1.0",
          "8.1.1",
          "9.1.0",
          "9.1.1",
          "10.1.0",
          "10.1.1"
        ],
        "ISO 27701  2025": [
          "6.2(e)",
          "7.4",
          "7.5.3(a)"
        ],
        "ISO 29100 2024": [
          "6.8"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P1",
          "CM.PO-P1",
          "CM.AW-P1"
        ],
        "NIST 800-53 R5": [
          "PM-20"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-20"
        ],
        "OECD Privacy Principles": [
          "6"
        ],
        "US FIPPS": [
          "8"
        ],
        "US - OR CPA": [
          "7(1)(a)(B)"
        ],
        "US - VA CDPA 2025": [
          "59.1-581.A.2"
        ],
        "APAC Australian Privacy Principles": [
          "APP 1"
        ]
      }
    },
    {
      "principle_name": "Periodic Review",
      "description": "At planned intervals or after significant changes, review policies, standards and procedures to ensure the continuing suitability, adequacy and effectiveness to meet the organization's applicable statutory, regulatory and contractual needs.",
      "scf_control": "Periodic Review & Update of Cybersecurity & Data Protection Program",
      "scf_control_id": "GOV-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF7",
          "CC5.3",
          "CC5.3-POF6"
        ],
        "GAPP": [
          "8.2.1"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P2"
        ],
        "NIST 800-53 R5": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PM-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "NIST CSF 2.0": [
          "GV.OV",
          "GV.OV-01",
          "GV.OV-02",
          "GV.PO-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.316(b)(1)(ii)",
          "164.316(b)(2)(iii)"
        ],
        "US - AK PIPA": [
          "45.48.530"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(8)(B)",
          "2447(b)(9)",
          "2447(b)(9)(A)",
          "2447(b)(9)(B)"
        ]
      }
    },
    {
      "principle_name": "Periodic Review",
      "description": "At planned intervals or after significant changes, review policies, standards and procedures to ensure the continuing suitability, adequacy and effectiveness to meet the organization's applicable statutory, regulatory and contractual needs.",
      "scf_control": "Cybersecurity & Data Protection Assessments",
      "scf_control_id": "CPL-03",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF3",
          "CC4.1"
        ],
        "GAPP": [
          "10.2.4"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.DE-P5"
        ],
        "NIST 800-53 R5": [
          "CA-2"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-2"
        ],
        "NIST CSF 2.0": [
          "ID.IM-01",
          "ID.IM-02"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(d)(3)(i)",
          "164.316(b)(1)(ii)"
        ],
        "US - CA CCPA 2025": [
          "7120(a)",
          "7122(b)"
        ]
      }
    },
    {
      "principle_name": "Oversight",
      "description": "Provide oversight of data privacy controls throughout the lifecycle of Technology Assets, Applications and/or Services (TAAS) to ensure that in a timely manner, senior leaders within the organization are made aware of data privacy-related risks that are not appropriately remediated.",
      "scf_control": "Cybersecurity & Data Protection Controls Oversight",
      "scf_control_id": "CPL-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1",
          "CC1.1-POF3",
          "CC2.2",
          "CC2.3",
          "CC4.2-POF1",
          "CC4.2-POF2",
          "CC4.2-POF3"
        ],
        "GAPP": [
          "8.2.7"
        ],
        "ISO 27701  2025": [
          "9.2.2",
          "9.2.2(a)",
          "9.2.2(b)",
          "9.2.2(c)"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "PR.PO-P5"
        ],
        "NIST 800-53 R5": [
          "CA-7",
          "CA-7(1)",
          "PM-14"
        ],
        "NIST 800-53B R5 (privacy)": [
          "CA-7"
        ],
        "NIST CSF 2.0": [
          "GV.OC-03"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(d)(3)(i)",
          "164.316(b)(2)(iii)"
        ],
        "US - AK PIPA": [
          "45.48.520"
        ],
        "US - CA CCPA 2025": [
          "7122(a)(3)",
          "7122(f)"
        ],
        "US - VT Act 171 of 2018": [
          "2447(b)(2)(C)",
          "2447(b)(8)",
          "2447(b)(8)(A)"
        ],
        "EMEA EU GDPR": [
          "32.1(d)"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 11"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Oversight",
      "description": "Provide oversight of data privacy controls throughout the lifecycle of Technology Assets, Applications and/or Services (TAAS) to ensure that in a timely manner, senior leaders within the organization are made aware of data privacy-related risks that are not appropriately remediated.",
      "scf_control": "Data Management Board",
      "scf_control_id": "PRI-13",
      "crosswalks": {
        "NIST Privacy Framework 1.0": [
          "CT.DM-P8"
        ],
        "NIST 800-53 R5": [
          "PM-23",
          "PM-24"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-24"
        ]
      }
    },
    {
      "principle_name": "Metrics & Trends",
      "description": "Provide performance metrics and trend analysis to enable management visibility and coordinate data privacy efforts across the organization.",
      "scf_control": "Status Reporting To Governing Body",
      "scf_control_id": "GOV-01.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF2",
          "CC2.3-POF3",
          "CC2.3-POF5",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "ISO 27701  2025": [
          "5.1",
          "5.3(b)",
          "9.3.1"
        ],
        "NIST CSF 2.0": [
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID"
        ],
        "APAC India DPDPA 2023": [
          "10(2)(c)(ii)"
        ]
      }
    },
    {
      "principle_name": "Metrics & Trends",
      "description": "Provide performance metrics and trend analysis to enable management visibility and coordinate data privacy efforts across the organization.",
      "scf_control": "Measures of Performance",
      "scf_control_id": "GOV-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF3",
          "CC1.2",
          "CC1.5",
          "CC1.5-POF2",
          "CC1.5-POF5",
          "CC2.1-POF4",
          "CC2.2",
          "CC4.1",
          "CC4.1-POF2",
          "CC4.2-POF1",
          "CC5.3-POF6"
        ],
        "ISO 27701  2025": [
          "9.1"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "PR.PO-P5",
          "PR.PO-P6"
        ],
        "NIST 800-53 R5": [
          "PM-6"
        ],
        "NIST CSF 2.0": [
          "GV",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID.IM-03"
        ]
      }
    },
    {
      "principle_name": "Metrics & Trends",
      "description": "Provide performance metrics and trend analysis to enable management visibility and coordinate data privacy efforts across the organization.",
      "scf_control": "Status Reporting To Governing Body",
      "scf_control_id": "GOV-01.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF2",
          "CC2.3-POF3",
          "CC2.3-POF5",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "ISO 27701  2025": [
          "5.1",
          "5.3(b)",
          "9.3.1"
        ],
        "NIST CSF 2.0": [
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID"
        ],
        "APAC India DPDPA 2023": [
          "10(2)(c)(ii)"
        ]
      }
    },
    {
      "principle_name": "Metrics & Trends",
      "description": "Provide performance metrics and trend analysis to enable management visibility and coordinate data privacy efforts across the organization.",
      "scf_control": "Measures of Performance",
      "scf_control_id": "GOV-05",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF3",
          "CC1.2",
          "CC1.5",
          "CC1.5-POF2",
          "CC1.5-POF5",
          "CC2.1-POF4",
          "CC2.2",
          "CC4.1",
          "CC4.1-POF2",
          "CC4.2-POF1",
          "CC5.3-POF6"
        ],
        "ISO 27701  2025": [
          "9.1"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.MT-P4",
          "PR.PO-P5",
          "PR.PO-P6"
        ],
        "NIST 800-53 R5": [
          "PM-6"
        ],
        "NIST CSF 2.0": [
          "GV",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID.IM-03"
        ]
      }
    },
    {
      "principle_name": "Metrics & Trends",
      "description": "Provide performance metrics and trend analysis to enable management visibility and coordinate data privacy efforts across the organization.",
      "scf_control": "Documenting Data Processing Activities",
      "scf_control_id": "PRI-14",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.3",
          "P8.1-POF4",
          "P8.1-POF5"
        ],
        "GAPP": [
          "10.2.3",
          "10.2.5"
        ],
        "NIST Privacy Framework 1.0": [
          "CM.AW-P4",
          "CM.AW-P6",
          "CM.AW-P7"
        ],
        "NIST 800-53 R5": [
          "PM-27"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-27"
        ],
        "EMEA EU GDPR": [
          "30.1",
          "30.1(a)",
          "30.1(b)",
          "30.1(c)",
          "30.1(d)",
          "30.1(e)",
          "30.1(f)",
          "30.1(g)",
          "30.2",
          "30.2(a)",
          "30.2(b)",
          "30.2(c)",
          "30.2(d)",
          "30.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "31",
          "31.1",
          "31.2",
          "31.3",
          "31.4",
          "31.5",
          "31.6"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Statutory, Regulatory & Contractual Compliance",
      "scf_control_id": "CPL-01",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.5",
          "CC2.2",
          "CC2.3",
          "CC2.3-POF5",
          "CC3.1-POF14",
          "CC3.1-POF5",
          "CC3.1-POF8",
          "CC3.1-POF9"
        ],
        "ISO 27701  2025": [
          "4.1",
          "4.2(a)",
          "4.2(b)",
          "4.2(c)"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "NIST Privacy Framework 1.0": [
          "GV.PO-P5",
          "GV.MT-P3"
        ],
        "NIST 800-53 R5": [
          "PL-1",
          "PM-8"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PL-1"
        ],
        "NIST CSF 2.0": [
          "GV.OC",
          "GV.OC-03",
          "GV.SC-05",
          "PR"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.7.c",
          "III.5.a",
          "III.5.b.i"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.306(c)",
          "164.306(d)(1)",
          "164.306(d)(2)",
          "164.314(a)(1)",
          "164.314(a)(2)(ii)",
          "164.504(g)(1)"
        ],
        "US - CA CCPA 2025": [
          "7013(h)",
          "7022(d)",
          "7023(e)",
          "7050(b)",
          "7072(b)",
          "7123(b)(3)",
          "7200(a)",
          "7200(b)"
        ],
        "US - CO Colorado Privacy Act": [
          "6-1-1305(1)",
          "6-1-1305(6)",
          "6-1-1307(2)",
          "6-1-1307(3)",
          "6-1-1308(6)"
        ],
        "US - IL PIPA": [
          "45(a)",
          "45(b)",
          "45(c)",
          "45(d)",
          "50"
        ],
        "US - OR CPA": [
          "7(1)(b)"
        ],
        "US - VA CDPA 2025": [
          "59.1-581.E"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "2.1",
          "30.3"
        ],
        "APAC Australia Privacy Act": [
          "APP Part 11"
        ],
        "APAC India DPDPA 2023": [
          "7(c)",
          "7(d)",
          "7(e)",
          "8(1)",
          "8(4)"
        ],
        "Americas Canada PIPEDA": [
          "Principle 7"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Non-Compliance Oversight",
      "scf_control_id": "CPL-01.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC1.1-POF4",
          "CC1.5",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2",
          "CC4.2-POF3"
        ],
        "ISO 27701  2025": [
          "10.2",
          "10.2(a)",
          "10.2(b)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "US - CA CCPA 2025": [
          "7123(b)(3)"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Compliance Scope",
      "scf_control_id": "CPL-01.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF11",
          "CC5.2-POF2"
        ],
        "ISO 27701  2025": [
          "4.3"
        ],
        "ISO 29100 2024": [
          "6.12"
        ],
        "NIST CSF 2.0": [
          "GV.SC-05"
        ],
        "US - CA CCPA 2025": [
          "7123(b)(2)",
          "7123(b)(3)"
        ],
        "EMEA EU GDPR": [
          "3.1",
          "3.2",
          "3.2(a)",
          "3.2(b)",
          "3.3"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "2.2"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Ability To Demonstrate Conformity",
      "scf_control_id": "CPL-01.3",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.12"
        ],
        "US Data Privacy Framework (DPF)": [
          "II.7.b",
          "III.5.a"
        ],
        "US - CA CCPA 2025": [
          "7122(c)",
          "7123(b)(3)"
        ],
        "US - OR CPA": [
          "8(3)"
        ],
        "EMEA EU GDPR": [
          "5.2",
          "12.1",
          "30.4",
          "31"
        ],
        "EMEA Saudi Arabia Personal Data Protection Law (PDPL)": [
          "30.4.a"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Conformity Assessment",
      "scf_control_id": "CPL-01.4",
      "crosswalks": {
        "ISO 29100 2024": [
          "6.12"
        ],
        "US - CA CCPA 2025": [
          "7122(a)",
          "7122(b)",
          "7122(d)",
          "7122(e)",
          "7122(f)",
          "7123(a)",
          "7123(b)",
          "7123(b)(2)",
          "7123(c)"
        ],
        "US - VA CDPA 2025": [
          "59.1-579.B.4"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Event Log Retention",
      "scf_control_id": "MON-10",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "C1.2"
        ],
        "NIST 800-53 R5": [
          "AU-11"
        ],
        "NIST 800-53B R5 (privacy)": [
          "AU-11"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Computer Matching Agreements (CMA)",
      "scf_control_id": "PRI-02.3",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PM-24",
          "PT-8"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PM-24",
          "PT-8"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "System of Records Notice (SORN)",
      "scf_control_id": "PRI-02.4",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-6"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-6"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "System of Records Notice (SORN) Review Process",
      "scf_control_id": "PRI-02.5",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-6(1)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-6(1)"
        ]
      }
    },
    {
      "principle_name": "Compliance",
      "description": "Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.",
      "scf_control": "Privacy Act Exemptions",
      "scf_control_id": "PRI-02.6",
      "crosswalks": {
        "NIST 800-53 R5": [
          "PT-6(2)"
        ],
        "NIST 800-53B R5 (privacy)": [
          "PT-6(2)"
        ]
      }
    },
    {
      "principle_name": "Critical Business Functions",
      "description": "Ensure Technology Assets, Applications and/or Services (TAAS) that support organizational priorities are assessed so that critical assets are identified and key functional requirements communicated.",
      "scf_control": "Identify Critical Assets",
      "scf_control_id": "BCD-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC7.5"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.BE-P3"
        ],
        "NIST 800-53 R5": [
          "CP-2(8)"
        ],
        "NIST CSF 2.0": [
          "GV.OC-04",
          "GV.OC-05",
          "ID.AM-05",
          "RC.RP",
          "RC.RP-02",
          "RC.RP-04"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(7)(ii)(E)"
        ]
      }
    },
    {
      "principle_name": "Critical Business Functions",
      "description": "Ensure Technology Assets, Applications and/or Services (TAAS) that support organizational priorities are assessed so that critical assets are identified and key functional requirements communicated.",
      "scf_control": "Criticality Analysis",
      "scf_control_id": "TDA-06.1",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "PI1.1"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.BE-P3"
        ],
        "NIST 800-53 R5": [
          "PM-30(1)",
          "RA-9",
          "SA-15(3)"
        ],
        "NIST CSF 2.0": [
          "PR.PS-06"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "principle_name": "Critical Business Functions",
      "description": "Ensure Technology Assets, Applications and/or Services (TAAS) that support organizational priorities are assessed so that critical assets are identified and key functional requirements communicated.",
      "scf_control": "Third-Party Criticality Assessments",
      "scf_control_id": "TPM-02",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC3.2-POF8",
          "CC3.2-POF9",
          "CC9.1"
        ],
        "NIST Privacy Framework 1.0": [
          "ID.BE-P3"
        ],
        "NIST 800-53 R5": [
          "PM-30(1)",
          "RA-9",
          "SA-9(3)"
        ],
        "NIST CSF 2.0": [
          "GV.OC-04",
          "GV.OC-05",
          "GV.SC-04",
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08",
          "ID.AM-05",
          "ID.RA-10"
        ],
        "US HIPAA Administrative Simplification 2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "US - CA CCPA 2025": [
          "7123(c)(15)"
        ]
      }
    },
    {
      "principle_name": "Status Reporting To Governing Body",
      "description": "Provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's cybersecurity & data privacy program.",
      "scf_control": "Status Reporting To Governing Body",
      "scf_control_id": "GOV-01.2",
      "crosswalks": {
        "AICPA TSC 2017:2022 (used for SOC 2)": [
          "CC2.2-POF2",
          "CC2.3-POF3",
          "CC2.3-POF5",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "ISO 27701  2025": [
          "5.1",
          "5.3(b)",
          "9.3.1"
        ],
        "NIST CSF 2.0": [
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID"
        ],
        "APAC India DPDPA 2023": [
          "10(2)(c)(ii)"
        ]
      }
    }
  ]
}