Security Standards and Frameworks

California Consumer Privacy Act (CCPA) – The California Consumer Privacy Act (CCPA) is a 2018 data protection law (effective 2020) that enhances privacy rights for California residents. It allows consumers to know what personal data businesses collect, delete that data, opt-out of its sale, and receive non-discriminatory service. It applies to for-profit businesses meeting specific revenue or data-volume thresholds.
Cloud Controls Matrix (CCM) – The Cloud Controls Matrix (CCM), developed by the Cloud Security Alliance (CSA), is a comprehensive cybersecurity control framework designed specifically for cloud computing. It consists of 197 control objectives across 17 domains, acting as a “de-facto” standard for cloud security, risk management, and compliance with industry standards like ISO 27001, NIST, and GDPR.
Control Objectives for Information and Related Technologies (COBIT) – COBIT (Control Objectives for Information and Related Technologies) is an ISACA framework for IT management and enterprise governance. It provides best practices, tools, and models to align IT goals with business objectives, manage risk, and ensure IT delivers value. COBIT connects business requirements with IT processes, helping organizations improve security, accountability, and reliability.
Cybersecurity Maturity Model Certification for DoD contractors (CMMC 2.0) – CMMC 2.0 is the U.S. Department of Defense’s (DoD) mandatory, streamlined cybersecurity framework, finalized in late 2024, designed to protect sensitive contractor data (FCI and CUI). It reduces requirements to three levels, focusing on NIST standards, with enforcement beginning through phased implementation, making compliance crucial for winning DoD contracts.
Federal Financial Institutions Examination Council (FFIEC) – The Federal Financial Institutions Examination Council (FFIEC) is a formal U.S. interagency body established in 1979 to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. It promotes consistency in supervision across federal and state regulators and facilitates public access to financial data.
General Data Protection Regulation (GDPR) – European Union (EU) – The General Data Protection Regulation (GDPR) is the European Union’s (EU) comprehensive data protection law, effective since May 25, 2018, designed to strengthen privacy rights for individuals within the European Economic Area (EEA). It mandates strict rules for collecting, processing, and storing personal data, applying to all organizations targeting or handling data of EEA residents, regardless of the organization’s location.
Health Insurance Portability and Accountability Act (HIPAA) – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that establishes national standards to protect sensitive patient health information from unauthorized disclosure. It safeguards medical records (Privacy Rule), secures electronic data (Security Rule), and helps workers maintain insurance coverage when changing jobs.
International Organization for Standardization (ISO) 27001:2013 & ISO 27001:2022 – ISO/IEC 27001 is the world’s most widely adopted information security standard, specifying the requirements for establishing, operating, and continually improving an information security management system (ISMS), with a reference set of controls in Annex A. ISO 27001:2022 is a moderate update from the previous version, ISO 27001:2013: the Annex A controls were consolidated from 114 controls in 14 domains to 93 controls in four themes (organizational, people, physical, and technological).
International Organization for Standardization (ISO) 27017:2015 – ISO/IEC 27017:2015 is an international code of practice that provides guidelines for information security controls specifically tailored to cloud services. It supplements ISO/IEC 27002 by offering cloud-specific implementation guidance for 37 existing controls and seven new cloud-specific controls for both service providers and customers, focusing on shared responsibility, virtual network security, and data protection.
International Organization for Standardization (ISO) 27018 – ISO/IEC 27018 is an international standard and code of practice focusing on the protection of personally identifiable information (PII) in public cloud computing environments. As an extension to ISO/IEC 27001 and 27002, it helps cloud service providers (CSPs) manage risk, ensure transparency, and comply with data privacy regulations like GDPR.
International Organization for Standardization (ISO) 27701 – ISO/IEC 27701 is an international, auditable standard designed to help organizations manage personal data privacy through a Privacy Information Management System (PIMS). As an extension of the ISO/IEC 27001 security framework, it provides guidelines for personally identifiable information (PII) controllers and processors to ensure compliance with global regulations like GDPR, thereby improving data protection.
Microsoft Supplier Security and Privacy Assurance program (SSPA) – The Microsoft Supplier Security and Privacy Assurance (SSPA) Program is a mandatory initiative for vendors handling Microsoft employee, customer, or confidential data. It mandates that suppliers comply with Data Protection Requirements (DPR), including annual privacy training, data safeguarding, and independent assessments based on the risk level of the data handled.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) – The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary, flexible, and widely adopted set of guidelines, standards, and best practices designed to help organizations manage and reduce cybersecurity risks. Developed by NIST, an agency of the U.S. Department of Commerce, the current version (CSF 2.0, released in 2024) is organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
National Institute of Standards and Technology (NIST) SP 800‑53 – NIST Special Publication 800-53 (SP 800-53), Security and Privacy Controls for Information Systems and Organizations, is a comprehensive catalog of security, privacy, and risk management controls developed by the National Institute of Standards and Technology. It provides actionable guidelines to protect federal information systems, critical infrastructure, and, increasingly, non-federal organizations against cyber threats, human error, and natural disasters.
National Institute of Standards and Technology (NIST) SP 800‑171 – NIST Special Publication (SP) 800-171 is a set of guidelines from the National Institute of Standards and Technology that defines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. Revision 2 specifies 110 technical and administrative requirements for contractors (Revision 3, published in 2024, consolidates these to 97) to ensure sensitive government information is protected.
National Institute of Standards and Technology (NIST) AI Risk Management Framework – The National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF 1.0), released in 2023, is a voluntary, flexible, and non-sector-specific guide designed to help organizations manage risks associated with artificial intelligence systems. It focuses on enhancing trustworthiness—ensuring AI is safe, secure, fair, and transparent—through four core functions: Govern, Map, Measure, and Manage.
Network and Information Security 2 Directive (NIS 2) Cybersecurity Core – The NIS 2 Directive (EU 2022/2555) is the updated EU-wide cybersecurity legislation, which member states were required to transpose into national law by October 17, 2024, aiming to harmonize security standards and boost resilience across critical sectors. It enforces strict risk management, incident reporting, and management accountability for both “essential” and “important” entities, expanding scope to sectors like energy, healthcare, manufacturing, and public administration.
Payment Card Industry Data Security Standard (PCI DSS) – The Payment Card Industry Data Security Standard (PCI DSS) is a global set of 12 security requirements designed to protect cardholder data. Administered by the PCI Security Standards Council (founded by the major card brands), it is contractually mandated, rather than imposed by law, for any entity storing, processing, or transmitting payment card data, with the goal of preventing breaches and fraud.
Payment Card Industry PIN Transaction Security (PCI-PTS) – Payment Card Industry PIN Transaction Security (PCI-PTS) is a set of security requirements mandated by the PCI Security Standards Council (PCI SSC) for hardware and firmware in payment terminals and Hardware Security Modules (HSMs). It ensures that devices used for PIN entry and card data processing—such as POS terminals—are resistant to physical, logical, and network tampering.
Sarbanes‑Oxley IT General Controls (SOX ITGC) – Sarbanes-Oxley IT General Controls (SOX ITGC) are mandatory policies and procedures that ensure the integrity, security, and accuracy of information technology systems supporting an organization’s financial reporting. Required for public companies by the 2002 SOX Act, these controls mitigate risks related to unauthorized data access, system changes, and data loss.
United Kingdom (UK) Cyber Essentials – Cyber Essentials is a UK government-backed, industry-supported certification scheme designed to protect organizations of all sizes from the most common cyber threats. It establishes a mandatory baseline of five technical security controls—firewalls, secure configuration, user access control, malware protection, and patch management (now called security update management)—to mitigate risks from internet-based attacks.

Copyright 2026 Gilberts Convergence