The frameworks at a glance
A quick map of who each framework applies to and whether it is required or voluntary. Details for each are below.
| Framework | Who it applies to | Status | Primary focus |
|---|---|---|---|
| SOC 2 | Service providers handling customer data | Voluntary (buyer-driven) | Operating controls over time |
| ISO 27001 | Any org wanting a certifiable ISMS | Voluntary (certifiable) | Risk-based security program |
| PCI-DSS | Anyone handling payment cards | Required by card brands | Protecting cardholder data |
| HIPAA | US healthcare and business associates | Required by law | Protecting health data (PHI) |
| GDPR | Processors of EU personal data | Required by law | Privacy and data rights |
| CCPA / CPRA | Businesses with California consumer data | Required by law | Consumer privacy rights |
| NIST CSF 2.0 | Any org (umbrella framework) | Voluntary | Outcome-based risk management |
| CIS Controls / Benchmarks | Any org wanting a technical baseline | Voluntary | Prescriptive hardening |
| GLBA / FFIEC / NCUA | US financial institutions | Required by law | Safeguarding financial data |
| SOX | US public companies | Required by law | Controls over financial systems |
| FERPA | US schools and universities | Required by law | Student record privacy |
| NIST 800-53 | US federal systems | Required (FISMA/FedRAMP) | Federal control catalog |
| NIST 800-171 | Handlers of CUI (defense) | Required by DFARS | Protecting CUI |
| CMMC 2.0 | Defense contractors | Required by contract | Certified CUI protection |
| FedRAMP | Cloud providers selling to federal | Required for federal cloud | Authorized cloud security |
| FISMA | Federal agencies and contractors | Required by law | Federal risk management |
| CISA SCuBA | Federal civilian agencies (and anyone) | Required for FCEB | Microsoft 365 secure baseline |
| CJIS | Handlers of criminal justice info | Required for CJI | Protecting CJI |
| IRS Pub 1075 | Handlers of Federal Tax Information | Required for FTI | Protecting FTI |
| StateRAMP | Cloud providers selling to states | Often required | State cloud security |
Business and industry frameworks
The standards most commercial organizations meet, whether to win deals, satisfy regulators, or protect customers.
SOC 2 (AICPA)
Who it applies to: SaaS and service providers that hold customer data; a frequent B2B sales requirement.
Status: Voluntary, but market-driven. Independent CPA audit. Type I is a point in time; Type II covers 3 to 12 months of operating effectiveness.
What it requires:
- Built on the Trust Services Criteria: Security is required, with optional Availability, Confidentiality, Processing Integrity, and Privacy.
- Access control, MFA, and least privilege.
- Logging, monitoring, and change management.
- Vendor risk, incident response, and evidence collected continuously, not once.
Microsoft 365 angle: Enforce MFA and Conditional Access, keep audit logs, run access reviews, and export the evidence a Type II demands.
ISO/IEC 27001 (with 27002)
Who it applies to: Any organization that wants a certifiable information security program; recognized globally.
Status: Voluntary, certifiable by an accredited body on a three-year cycle.
What it requires:
- A working Information Security Management System (ISMS).
- Risk assessment and a documented risk treatment plan.
- A Statement of Applicability against the Annex A controls (93 in the 2022 revision).
- Management review and continual improvement.
Microsoft 365 angle: Identity, device, and data controls map to Annex A; Entra and Purview supply much of the evidence.
PCI-DSS v4.0 (PCI SSC)
Who it applies to: Anyone who stores, processes, or transmits payment card data.
Status: Mandatory by the card brands and your acquirer. v4.0 is the current standard. Validated by self-assessment (SAQ) or a QSA audit, depending on volume.
What it requires:
- Twelve requirements covering network segmentation and secure configuration.
- Encrypt cardholder data in transit and at rest.
- MFA for all access into the cardholder data environment.
- Logging, vulnerability management, least-privilege access, and regular testing.
Microsoft 365 angle: MFA everywhere, log retention, and strict access control; network segmentation lives outside Microsoft 365.
HIPAA / HITECH (US HHS)
Who it applies to: US healthcare covered entities and their business associates that handle protected health information (PHI).
Status: Mandatory federal law, enforced by the Office for Civil Rights. Business Associate Agreements are required.
What it requires:
- Security Rule: administrative, physical, and technical safeguards (access control, audit controls, integrity, transmission security).
- A documented risk analysis is mandatory.
- Privacy Rule and Breach Notification Rule.
- Encryption is addressable, and in practice expected.
Microsoft 365 angle: Encryption, audit logging, DLP, and access control; Microsoft will sign a BAA for the covered services.
GDPR (EU)
Who it applies to: Any organization that processes the personal data of people in the EU, wherever the organization is based.
Status: Mandatory EU law. Fines up to the greater of 20 million euros or 4 percent of global revenue.
What it requires:
- A lawful basis for processing and clear privacy notices.
- Data subject rights: access, correction, erasure, portability.
- Data Protection Impact Assessments for high-risk processing.
- Breach notification within 72 hours and processor agreements.
Microsoft 365 angle: Purview subject-rights and records tooling, data residency options, and audit logs.
CCPA / CPRA (California)
Who it applies to: Businesses that meet revenue or data-volume thresholds and handle California residents' data.
Status: Mandatory state law.
What it requires:
- Consumer rights to know, delete, correct, and opt out of sale or sharing.
- Clear privacy notices at collection.
- Reasonable security measures for personal information.
- Data mapping to answer requests.
Microsoft 365 angle: Subject-rights workflows and data mapping in Purview.
NIST Cybersecurity Framework (CSF) 2.0
Who it applies to: Any organization; a widely referenced, outcome-based baseline rather than a certification.
Status: Voluntary framework.
What it requires:
- Organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover.
- Outcome-based, so you choose how to meet each outcome.
- Often used as the umbrella that other controls map into.
- CSF 2.0 added Govern as a first-class function.
Microsoft 365 angle: Maps cleanly onto identity, device, data, and detection controls in Microsoft 365.
CIS Controls v8 and CIS Benchmarks
Who it applies to: Any organization wanting a prescriptive, technical baseline.
Status: Voluntary, free to use.
What it requires:
- 18 controls grouped into Implementation Groups 1 to 3 by maturity.
- Asset inventory, access control, MFA, and secure configuration.
- Continuous vulnerability management and audit logging.
- CIS Benchmarks give per-product hardening, including a Microsoft 365 Benchmark.
Microsoft 365 angle: The CIS Microsoft 365 Benchmark maps directly to specific tenant settings.
GLBA / FFIEC / NCUA (US financial)
Who it applies to: Banks, credit unions, and financial institutions.
Status: Mandatory federal requirements, examined by the FFIEC member agencies, with NCUA Part 748 applying to credit unions.
What it requires:
- A written information security program and risk assessment.
- Access controls, encryption, and MFA.
- Incident response and customer breach notification.
- Third-party and vendor management.
Microsoft 365 angle: Identity, logging, and DLP evidence for examiners.
SOX (Sarbanes-Oxley)
Who it applies to: US publicly traded companies.
Status: Mandatory federal law; Section 404 covers IT general controls over financial systems.
What it requires:
- Access controls and segregation of duties over financial systems.
- Change management with audit trails.
- Periodic access certification.
- Evidence that controls operated all year.
Microsoft 365 angle: Access reviews, Privileged Identity Management, and audit logging.
FERPA (US education)
Who it applies to: Schools and universities that receive US federal funding.
Status: Mandatory federal law.
What it requires:
- Protect the privacy of student education records.
- Control who can access records.
- Honor parental and eligible-student rights.
- Track and limit disclosures.
Microsoft 365 angle: Access control, DLP, and audit logging for student data.
US federal and government frameworks
The requirements for agencies, contractors, and anyone handling government data. Most build on the same NIST control catalog, and most point to the Microsoft government clouds (GCC and GCC High).
NIST SP 800-53 (Rev 5)
Who it applies to: US federal agencies and systems; the control catalog behind most US government programs.
Status: Mandatory for federal systems through FISMA, and the baseline for FedRAMP.
What it requires:
- Roughly 1,000 controls across 20 families (access control, audit, identification and authentication, system and communications protection, and more).
- Baselines tailored to Low, Moderate, or High impact.
- Control assessments and authorization.
- Continuous monitoring.
Microsoft 365 angle: Microsoft 365 GCC and GCC High are built to support these control baselines.
NIST SP 800-171
Who it applies to: Non-federal organizations that handle Controlled Unclassified Information (CUI), especially defense contractors.
Status: Mandatory for US DoD contractors via the DFARS clause 252.204-7012.
What it requires:
- 110 controls (Rev 2) across 14 families.
- A System Security Plan (SSP) and Plans of Action and Milestones (POA&M).
- A self-assessment score reported in SPRS.
- Rev 3 is reshaping the control set.
Microsoft 365 angle: GCC High is the usual home for CUI; controls map to Entra, Intune, and Purview.
CMMC 2.0 (US DoD)
Who it applies to: Companies in the Defense Industrial Base supply chain.
Status: Mandatory, phasing into DoD contracts. Level 1 (17 practices, self-assessed), Level 2 (110 practices aligned to 800-171, third-party C3PAO assessment for CUI), Level 3 (adds 800-172).
What it requires:
- Implement NIST 800-171 for Level 2.
- Third-party certification for most CUI handlers.
- Annual affirmation by a senior official.
- Flow-down to subcontractors.
Microsoft 365 angle: GCC High for CUI and ITAR data; configuration and evidence map to the 800-171 practices.
FedRAMP
Who it applies to: Cloud service providers selling to US federal agencies.
Status: Mandatory for federal cloud use; authorizations at Low, Moderate, or High.
What it requires:
- Implement the relevant 800-53 baseline.
- Independent assessment by a 3PAO.
- An Authorization to Operate (ATO).
- Continuous monitoring after authorization.
Microsoft 365 angle: Microsoft 365 GCC High and DoD are authorized at FedRAMP High.
FISMA
Who it applies to: US federal agencies and contractors operating federal information systems.
Status: Mandatory federal law, implemented through the NIST Risk Management Framework.
What it requires:
- Categorize systems by impact.
- Select and implement 800-53 controls.
- Assess, authorize (ATO), and monitor.
- Annual reporting.
Microsoft 365 angle: Runs on the same 800-53 controls that GCC High supports.
CISA SCuBA
Who it applies to: US federal civilian (FCEB) agencies; freely usable by anyone as a strong Microsoft 365 baseline.
Status: Mandatory direction for FCEB agencies; voluntary but valuable elsewhere.
What it requires:
- Secure configuration baselines for Microsoft 365 (Entra ID, Exchange Online, SharePoint, Teams, Defender, Power Platform) and Google Workspace.
- Specific, testable settings rather than abstract goals.
- The ScubaGear tool checks a tenant against them.
- Updated as Microsoft changes.
Microsoft 365 angle: Maps directly to tenant configuration. Siemserva maps findings to SCuBA natively.
CJIS Security Policy (US FBI)
Who it applies to: Agencies and vendors that access Criminal Justice Information.
Status: Mandatory for CJI access.
What it requires:
- Advanced authentication (MFA) for access to CJI.
- Encryption in transit and at rest.
- Audit logging and personnel screening.
- Strict access control.
Microsoft 365 angle: GCC or GCC High, with MFA and logging configured to the policy.
IRS Publication 1075
Who it applies to: Agencies and contractors that handle Federal Tax Information (FTI).
Status: Mandatory for FTI.
What it requires:
- Controls based on NIST 800-53.
- Encryption and strict access control.
- Logging and data isolation.
- Background screening and physical safeguards.
Microsoft 365 angle: GCC or GCC High, with isolation and logging for FTI.
StateRAMP
Who it applies to: Cloud providers selling to US state and local government.
Status: Increasingly required by states; modeled on FedRAMP and 800-53.
What it requires:
- A FedRAMP-style 800-53 baseline.
- Independent assessment.
- Continuous monitoring.
- A state authorization.
Microsoft 365 angle: The same Microsoft government cloud and control mappings apply.
Levels, tiers, and impact baselines, explained
Many frameworks are not simply pass or fail. They use levels, tiers, or impact baselines that set how much you must do, who is obligated to do it, and how hard the result is to attain and then keep. Here is every leveled framework on this page, broken down by level.
Effort estimates are directional. Your actual cost depends on size, existing controls, and scope. Higher levels almost always cost more to keep than to reach, because the evidence has to be produced again every cycle.
SOC 2 report types (Type I and Type II)
SOC 2 has no pass or fail score. The two report types differ in what the auditor opines on: design at a moment, or operation over time.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Type I | Confirms controls are suitably designed at a single point in time. The fastest way to show a real control framework exists. | Early-stage vendors and buyers who need some assurance immediately. | Weeks once controls are documented. One auditor snapshot. | It is point in time, so it does not stay valid. Buyers soon ask for Type II. |
| Type II | Confirms controls operated effectively across a 3 to 12 month window. The assurance most enterprise buyers actually want. | Enterprise procurement and security questionnaires. | A 3 to 12 month observation period, then the audit. Months, not weeks. | Annual renewal with evidence collected continuously across the whole period. |
PCI-DSS merchant levels (by card volume)
The same twelve requirements apply to everyone. Your level, set by annual transaction volume, decides how rigorously you must validate.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Level 1 | Over 6 million card transactions a year, or any merchant after a breach. The strictest validation path. | The largest merchants and qualifying service providers. | Annual on-site assessment by a QSA (Report on Compliance) plus quarterly ASV scans. | Repeat the full ROC every year and keep quarterly scans clean. |
| Level 2 | 1 to 6 million transactions a year. | Mid-size merchants. | Annual Self-Assessment Questionnaire (a QSA may be required) and quarterly scans. | Annual SAQ and quarterly scans. |
| Level 3 | 20,000 to 1 million e-commerce transactions a year. | Smaller e-commerce merchants. | Annual SAQ and quarterly scans. | Annual SAQ and quarterly scans. |
| Level 4 | Under 20,000 e-commerce, or up to 1 million total transactions a year. | The smallest merchants. | SAQ and scanning as required by your acquirer. | Validate annually as your acquirer directs. |
CMMC 2.0 levels (US DoD)
CMMC has three levels that rise with the sensitivity of the data you handle, from basic contract information up to defense against advanced threats.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Level 1 (Foundational) | 17 basic safeguarding practices. Protects Federal Contract Information (FCI). | Contractors that handle only FCI. | Annual self-assessment and a senior-official affirmation. | Re-do the self-assessment and affirm every year. |
| Level 2 (Advanced) | 110 practices aligned to NIST SP 800-171. Protects Controlled Unclassified Information (CUI). | Most defense contractors that handle CUI. | Third-party (C3PAO) certification for most CUI; a limited subset may self-assess. | Reassessment every three years plus an annual affirmation. |
| Level 3 (Expert) | Level 2 plus a subset of NIST SP 800-172. Defends the most critical programs against advanced persistent threats. | Contractors on the highest-priority CUI programs. | A government-led (DIBCAC) assessment, the highest bar. | Triennial government assessment plus annual affirmation. |
NIST 800-53 and FedRAMP impact baselines (Low, Moderate, High)
Federal systems are categorized by the damage a breach would cause (FIPS 199). That category selects a control baseline; FedRAMP authorizes cloud services at the same three levels. StateRAMP mirrors this for state and local government.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Low | Limited adverse impact if compromised. The smallest control set (and a lighter LI-SaaS "Tailored" path exists for low-risk SaaS). | Public-facing or low-sensitivity federal systems. | Independent (3PAO) assessment and an Authorization to Operate, at the lowest control count. | Continuous monitoring: monthly scans and an annual assessment. |
| Moderate | Serious adverse impact. The most common baseline for federal data; roughly 300-plus controls. | The majority of federal systems and cloud services. | 3PAO assessment and ATO against the larger Moderate baseline. | Continuous monitoring, with more controls to evidence each cycle. |
| High | Severe or catastrophic impact. The largest control set, around 400-plus controls. | Law enforcement, health, financial, and other highly sensitive unclassified data. | The most demanding 3PAO assessment and ATO. | Continuous monitoring at the highest rigor and evidence volume. |
NIST CSF 2.0 tiers (Partial to Adaptive)
The CSF tiers describe how rigorous and consistent your risk management is. They are a maturity description, not a grade or a certification, and you choose the tier you are aiming for.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Tier 1 (Partial) | Ad hoc, reactive risk practices. A starting point that shows where the gaps are. | No one mandates a tier; this is a self-selected baseline. | Low. Reflects current reality rather than new work. | Minimal, but it leaves real risk unmanaged. |
| Tier 2 (Risk Informed) | Risk practices are approved by management but not applied organization-wide. | Organizations beginning a formal program. | Moderate. Policy and management buy-in. | Ongoing management attention to keep practices current. |
| Tier 3 (Repeatable) | Formal, consistent, organization-wide practices that are regularly updated. | Organizations that want dependable, auditable risk management. | Higher. Documented policy, roles, and repeatable process. | Regular review and updates as risk and the business change. |
| Tier 4 (Adaptive) | Continuous improvement, threat-informed, adapting in near real time. | Mature security organizations facing active threats. | Highest. Sustained investment and skilled staff. | Continuous monitoring and improvement as a permanent practice. |
CIS Controls v8 Implementation Groups (IG1, IG2, IG3)
The CIS Controls are split into three Implementation Groups so an organization adopts the safeguards that match its risk and resources. They are voluntary and free.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| IG1 (essential hygiene) | 56 foundational safeguards. The defensible baseline every organization should meet. | Every organization, especially small ones with limited IT. | Low to moderate. Achievable with general IT staff and built-in tooling. | Routine upkeep: inventory, patching, MFA, and logging stay current. |
| IG2 | Adds roughly 74 more safeguards for organizations with moderate resources and more sensitive data. | Organizations with dedicated IT or security staff. | Moderate. Some specialized tooling and process. | Active management of a wider control set. |
| IG3 | All 153 safeguards, for organizations facing sophisticated attacks or heavy regulation. | Mature organizations with security teams and regulated data. | High. Specialized expertise and tooling throughout. | Continuous operation and testing of the full control set. |
CIS Benchmark profiles (Level 1 and Level 2)
Each CIS Benchmark, including the Microsoft 365 Benchmark, offers two hardening profiles so you can balance security against operational impact.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Level 1 | Practical hardening that improves security with minimal disruption to day-to-day use. | Any organization adopting a tenant baseline. | Low to moderate. Sensible defaults most environments can apply. | Re-check settings against benchmark updates and after tenant changes. |
| Level 2 | Defense-in-depth for high-security environments. Stronger, but may reduce some functionality. | Regulated or high-sensitivity environments. | Higher. Requires testing for functionality trade-offs. | Ongoing validation as Microsoft and the benchmark evolve. |
ISO/IEC 27001 certification stages
ISO 27001 is a single standard rather than tiered levels, but certification runs as a staged audit on a three-year cycle, so the effort is spread across attaining and then keeping it.
| Level | What it is and how it helps | Who requires it | Effort to attain | Effort to keep |
|---|---|---|---|---|
| Stage 1 audit | A documentation review that confirms your ISMS is designed and ready. | Organizations pursuing accredited certification. | Moderate. Built on a working ISMS and Statement of Applicability. | Feeds straight into Stage 2; not a standalone state. |
| Stage 2 audit | The certification audit of the ISMS operating in practice. Success grants the certificate. | Buyers and partners who require an accredited certificate. | Higher. Evidence the ISMS actually runs. | The certificate is valid for three years, subject to upkeep below. |
| Surveillance and recertification | Surveillance audits in years one and two, then full recertification in year three. | Anyone maintaining the certificate. | Not applicable; this is the maintenance phase. | A live ISMS, management reviews, and an audit every year. |
What evidence and artifacts each one needs
A framework is only as real as the proof behind it. Most of these require the same kinds of artifacts: a written plan or policy set, a risk assessment, configuration and access records, logs, and an independent report. Here is the evidence an auditor or assessor will expect for each.
Much of this is the same evidence: Microsoft 365, Intune, Entra ID (logs included), and Purview configuration and logging, plus CVE and patch status, exported as artifacts. Collect it continuously, not the week before the audit.
| Framework | Evidence and artifacts an assessor expects |
|---|---|
| SOC 2 | A written system description and a control matrix mapped to the Trust Services Criteria, the underlying policies, access-review records, change and incident tickets, and monitoring logs. Type II additionally needs that evidence sampled across the full observation period. The deliverable is the auditor report. |
| ISO/IEC 27001 | A defined ISMS scope, a risk assessment and risk treatment plan, the Statement of Applicability against Annex A, the supporting policies and procedures, internal audit reports, management review minutes, and corrective action records. |
| PCI-DSS | A completed SAQ or Report on Compliance (ROC) with the Attestation of Compliance (AOC), quarterly ASV scan reports, network and cardholder-data-flow diagrams, configuration standards, and penetration test results. |
| HIPAA / HITECH | A documented risk analysis (mandatory), administrative, physical, and technical safeguard policies, signed Business Associate Agreements, workforce training records, audit logs, and breach notification records. |
| GDPR | Records of Processing Activities (ROPA), Data Protection Impact Assessments for high-risk processing, privacy notices, lawful-basis and consent records, processor agreements, and a breach register. |
| CCPA / CPRA | A published privacy policy, a data inventory and map, consumer request logs, opt-out and deletion records, and vendor or service-provider contracts. |
| NIST CSF 2.0 | No certification. Your evidence is a current-versus-target profile, risk assessments, and the records showing each chosen outcome is met. You define the artifact set. |
| CIS Controls / Benchmarks | Safeguard implementation records, an asset inventory, and configuration evidence such as benchmark scan output showing settings against each control or profile. |
| GLBA / FFIEC / NCUA | A written information security program, a risk assessment, board or management reporting, an incident response plan, and vendor management records, all reviewed in examiner workpapers. |
| SOX | Control narratives, IT general control test evidence, periodic access certification records, change tickets with approvals, and segregation-of-duties matrices. |
| FERPA | Access control policies, disclosure logs, parental or eligible-student consent records, and training records for staff handling education records. |
| NIST 800-53 / FISMA | A System Security Plan (SSP), a Security Assessment Report (SAR), a Plan of Action and Milestones (POA&M), the ATO authorization letter, and continuous monitoring reports. |
| NIST 800-171 | A System Security Plan and POA&M, a self-assessment score reported in SPRS, and per-control evidence for the 110 requirements. |
| CMMC 2.0 | The SSP and any POA&M, the assessment results (self, C3PAO, or government), an annual senior-official affirmation in SPRS, and the certificate for Level 2 and above. |
| FedRAMP | A full authorization package: SSP, SAR, and POA&M, the ATO, and monthly continuous-monitoring deliverables (vulnerability scans and POA&M updates). |
| CISA SCuBA | Configuration baseline reports, typically ScubaGear output, showing each Microsoft 365 setting against the baseline, with documented and justified deviations. |
| CJIS | Documentation of policy compliance, audit logs, personnel screening records, and the agreements covering CJI access. |
| IRS Pub 1075 | A System Security Plan, the Safeguard Security Report (SSR), audit logs, and evidence of data isolation and access control for FTI. |
| StateRAMP | A FedRAMP-style package: SSP, SAR, and POA&M, a continuous monitoring package, and the state authorization. |
How this maps to Microsoft 365
Strip away the labels and the frameworks ask the same underlying questions: is access controlled, are devices hardened, is data governed, are vulnerabilities patched in time, and can you prove it? That means most of your evidence comes from the same place: your Microsoft 365, Intune, Entra ID (logs included), and Purview configuration, your CVE and patch status, and the logs around them.
Deeper: how Microsoft baselines (MCSB, CISA SCuBA) map to your tenant, and the frameworks Siemserva reports against.
Try the Advanced Microsoft 365 Security Simulator
See exactly what Siemserva finds on a rich, realistic simulated tenant, no access to your environment needed. Launch it right after install, or ask for a free key. Teams report cutting Microsoft 365 and Azure hardening time by up to 80 percent.
Launch the Simulator, free