
Frameworks We Support

This is a quick guide to the compliance frameworks IntelliGRC manages, what they are, who they're for, and why they matter.

CMMC & NIST 800-171

Defense

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense (DoD) framework for verifying that defense contractors adequately protect Controlled Unclassified Information (CUI). It builds directly on NIST 800-171, a set of 110 security requirements published by the National Institute of Standards and Technology. Together, they define the security baseline every organization in the Defense Industrial Base (DIB) must meet to win and maintain DoD contracts.

Who it's for: Defense contractors, subcontractors, and MSPs serving the DIB

SOC 2

Trust & Security

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of CPAs® that evaluates how a service organization manages customer data. It’s organized around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is often the first thing enterprise buyers and partners ask for as proof that your security practices hold up under independent scrutiny.

Who it's for: SaaS companies, cloud providers, and technology service organizations

ISO 27001

Global Standard

ISO/IEC 27001 is the internationally recognized standard for establishing, implementing, and maintaining an Information Security Management System (ISMS). It takes a risk-based approach, requiring organizations to identify threats, select appropriate controls from its Annex A catalog, and continuously improve their security posture. Certification is granted by accredited third-party auditors and is widely accepted across industries and borders.

Who it's for: Organizations of any size seeking internationally recognized certification

HIPAA

Healthcare

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that sets the rules for protecting individuals’ health information. Its Privacy Rule governs how Protected Health Information (PHI) can be used and disclosed, while the Security Rule mandates administrative, physical, and technical safeguards for electronic PHI. Non-compliance can result in significant financial penalties and reputational damage.

Who it's for: Healthcare providers, insurers, business associates, and their IT partners

NIST CSF

Cybersecurity Baseline

The NIST Cybersecurity Framework (CSF) is a voluntary, risk-based set of guidelines organized into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Unlike prescriptive mandates, the CSF is designed to be flexible, letting organizations of any size or sector assess their current posture, set target maturity levels, and prioritize improvements. It also serves as a common language that maps cleanly to other frameworks.

Who it's for: Any organization looking to establish or mature a cybersecurity program

CIS Controls

Actionable Safeguards

The CIS Critical Security Controls are a prioritized set of 18 cybersecurity actions (and 153 safeguards) developed by the Center for Internet Security. They’re organized into three Implementation Groups based on organizational size and risk, making them one of the most practical starting points for improving cyber hygiene. Because they’re action-oriented and prescriptive, CIS Controls translate directly into measurable security improvements.

Who it's for: Small and medium-sized businesses, IT teams, and organizations building a practical security foundation

NIST 800-53

Federal Security

NIST 800-53 is a comprehensive catalog of security and privacy controls published by the National Institute of Standards and Technology (NIST). It provides the control baseline for federal information systems and is required under the Federal Information Security Modernization Act (FISMA). With over 1,000 controls organized across 20 families, it’s the most detailed U.S. government security framework, covering everything from access control and incident response to supply chain risk management. Many other frameworks, including CMMC and FedRAMP, draw directly from 800-53.

Who it's for: Federal agencies, government contractors, and organizations pursuing FedRAMP authorization
Copyright © 2026 IntelliGRC. All Rights Reserved