Compliance & Frameworks

Which regulatory compliance mandates does your organization need to follow? Get the support you need to meet your goals with advanced compliance solutions. 

Understanding the Major Regulations


Understand the differences between major cybersecurity compliance regulations such as PCI DSS, HIPAA, SOX, and GDPR as you explore compliance solutions from Fortra. Go beyond the basics with a top-line knowledge of lesser-known data protection requirements such as LGPD, DORA, and FISMA, and learn what it takes to operate compliantly across a range of industries. Whether your organization is in one of the covered industries or simply plans to work with one, Fortra can help you become audit-ready and turn data compliance from a liability into an asset.

What is CUI protection? 

The rules under which federal agencies, and the contractors and other private-sector organizations they share data with, handle controlled unclassified information (CUI): government information that is not classified but that law, regulation, or government-wide policy still requires to be protected from public disclosure. The CUI Program was established by Executive Order 13556 and is implemented in 32 CFR Part 2002; for contractor systems, the required safeguards are specified in NIST SP 800-171.

Who should care about CUI protection? 

Federal agencies, and the contractors and private-sector organizations that create, receive, or handle CUI on the government's behalf, must comply with CUI rules.

What systems does this affect? 

All systems that store, process, or transmit CUI, including contractor-owned systems, are in scope.

Learn more about CUI protection >

What is DORA? 

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, governs how financial entities in the EU manage digital operational resilience. It applies from 17 January 2025 and covers information and communication technology (ICT) risk management, ICT incident reporting, digital operational resilience testing, and ICT third-party risk.

Who should care about DORA? 

Financial entities in the EU such as banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers are subject to DORA, as are the ICT third-party service providers that the European Supervisory Authorities designate as critical.

What systems does this affect? 

DORA covers the ICT systems and services that support a financial entity's business functions, whether they are operated in-house or by a third party such as a cloud provider. Those systems must be inventoried, risk-assessed, tested, and monitored, and major ICT incidents affecting them must be reported to the competent authority.

Learn more about DORA compliance >  

What is India's DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP) is India's comprehensive data protection law. It governs the collection, storage, processing, and transfer of digital personal data, that is, personal data collected in digital form or digitised after collection.

Who should care about DPDP?

Any organization that collects, stores, or processes the personal data of individuals in India should care about DPDP, including organizations located outside India that process such data in connection with offering goods or services to individuals in India.

What systems does this affect?

DPDP affects any system that processes the digital personal data of individuals in India.

Learn more about the DPDP Act >

What is FISMA? 

The Federal Information Security Management Act of 2002 (FISMA), updated by the Federal Information Security Modernization Act of 2014, requires federal agencies to run information security programs that protect federal information and systems. Agencies implement it through NIST standards and guidelines such as FIPS 199, FIPS 200, and SP 800-53.

Who should care about FISMA? 

Federal agencies, state agencies that administer federal programs, and the contractors and other organizations that operate systems on behalf of a federal agency or handle federal information are covered by FISMA.

What systems does this affect? 

FISMA applies to any information system that stores, processes, or transmits federal information, including contractor-operated systems.

Learn more about FISMA compliance >

What is GDPR? 

The General Data Protection Regulation (GDPR) regulates how organizations collect, process, store, and delete the personal data of individuals in the European Union (EU). After Brexit the United Kingdom (UK) retained it in domestic law as the UK GDPR, so the two regimes impose closely matching obligations.

Who should care about GDPR? 

Organizations that process the personal data of individuals in the EU or UK are subject to the GDPR (or UK GDPR) even if they are established outside those jurisdictions, whenever they offer goods or services to people there or monitor their behaviour. Protection follows the data subject's location, not their citizenship.

What systems does this affect? 

GDPR affects all systems that handle the personal data of individuals in the EU or UK.

Learn more about GDPR compliance >

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) sets out, through its Privacy Rule and Security Rule, the requirements for protecting patient health information.

Who should care about HIPAA? 

HIPAA covered entities, meaning health plans, healthcare clearinghouses, and healthcare providers that handle electronic health records and other protected health information (PHI), as well as the business associates that provide services or functions for them, are required to comply with HIPAA and can face substantial fines if they do not.

What systems does this affect? 

HIPAA affects any system that stores, processes, or transmits PHI; the Security Rule's technical safeguards apply specifically to electronic PHI (ePHI).

Learn more about HIPAA compliance >

What is ISO 27001?  

ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Organizations in any sector can be certified against it.

Who should care about ISO 27001?  

ISO 27001 suits organizations that need a structured way to keep up with changing data protection laws and regulations, or that must demonstrate their security posture to customers and partners. Certification demonstrates a commitment to information security that customers and auditors recognize.

What systems does this affect?  

ISO 27001 applies to all systems within the scope the organization defines for its ISMS, typically those that contain intellectual property, contracts, financial data, and other sensitive information that needs to be secured.

Learn more about ISO 27001 >

What is ITAR? 

The International Traffic in Arms Regulations (ITAR) control the export, and temporary import, from the United States (US) of defense articles, defense services, and related technical data listed on the United States Munitions List (USML).

Who should care about ITAR? 

Companies that manufacture, export, or broker defense articles or services on the USML, including many suppliers to the US Department of Defense, are subject to ITAR and must register with the State Department's Directorate of Defense Trade Controls (DDTC).

What systems does this affect? 

Systems that store, process, or transmit ITAR-controlled technical data, such as designs, specifications, and manufacturing information for items on the USML, are in scope. Such data need not be classified to be controlled, and allowing a foreign person to access it, even inside the US, counts as an export that requires authorization.

Learn more about ITAR compliance >

What is ITSAR? 

The Indian Telecommunication Security Assurance Requirements (ITSAR) are published by India's Department of Telecommunications. They define the country-specific security requirements that telecom equipment must meet before it is deployed in Indian networks.

Who should care about ITSAR? 

ITSAR applies to telecommunication service providers (TSPs) in India and to the vendors whose equipment those providers deploy.

What systems does this affect? 

ITSARs are issued per category of telecom equipment. The one described here covers (U)ICC platforms: it sets common security requirements for pluggable (U)ICC platforms, specific requirements for the hardware, operating system, and components of the (U)SIM, network security, (U)SIM application security, and support for special applications.

Learn more about ITSAR compliance >

What is LGPD?

The General Personal Data Protection Law (LGPD, Lei Geral de Proteção de Dados Pessoais) is Brazil's overarching personal data protection law. It regulates the processing of personal data with the objective of protecting the fundamental rights of freedom and privacy and the free development of the natural person's personality.

Who should care about LGPD?

LGPD applies to organizations, regardless of where they are headquartered, in either of the following scenarios:

- When the processing of personal data is carried out in Brazil, or its purpose is to offer or provide goods or services to individuals in Brazil.
- When the personal data was collected from individuals who were in Brazil at the time of collection.

What systems does this affect?

LGPD affects all systems that handle personal data that is processed in Brazil, processed in order to offer or provide goods or services to individuals in Brazil, or collected from individuals who were in Brazil at the time.

Learn more about LGPD compliance >

What is PCI DSS? 

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that handle cardholder data. It is maintained by the PCI Security Standards Council and enforced contractually by the card brands and acquiring banks rather than by a government regulator, and its aim is to prevent breaches and payment fraud.

Who should care about PCI DSS? 

Any entity that processes, stores, or transmits payment card data, including service providers acting on a merchant's behalf, must adhere to PCI DSS.

What systems does this affect? 

PCI DSS applies to the cardholder data environment (CDE), that is, the systems and networks that store, process, or transmit cardholder data, and to any system connected to the CDE or able to affect its security. Segmenting the CDE from the rest of the network is the standard way to limit scope.

Learn more about PCI compliance >

What is SOX? 

The Sarbanes-Oxley Act of 2002 (SOX) was enacted by the US Congress to reduce fraud in financial recordkeeping and reporting by SEC-registered companies. Its Section 404 requires management to assess and report on internal control over financial reporting, which is where IT general controls such as access management, change management, and logging come under audit.

Who should care about SOX? 

Publicly traded companies, American or foreign, that are registered with the Securities and Exchange Commission (SEC) are obligated to meet SOX, and so, indirectly, are the audit firms and service providers whose controls their financial reporting depends on.

What systems does this affect? 

Systems that store, process, or report on financial data, together with the supporting systems (identity, change management, backup) whose controls affect the integrity of that data, fall within the scope of SOX controls.

Learn more about SOX compliance >

Understanding Major Frameworks


Cybersecurity frameworks are structured sets of policies, procedures, and best practices for building a strong security posture. Unlike the regulations above, most are voluntary unless a regulator or contract requires them. They give organizations guidance on protecting an IT estate from data breaches and operational disruption.

What are CIS Controls? 

The Center for Internet Security (CIS) Critical Security Controls are a prioritized, easy-to-understand framework of 18 top-level controls (in version 8), each broken down into specific safeguards that are grouped into three implementation groups (IG1 to IG3) so organizations can adopt them in stages.

Who should care about CIS Controls? 

The CIS Controls can be used by any organization in any industry. They are a common starting point for organizations that want to begin measuring and evaluating their security posture, because IG1 covers the essential controls (asset inventory, secure configuration, patching, access control, logging) that stop the most common attacks.

What systems does this affect? 

This is a comprehensive framework that covers not only endpoints and servers (laptops, workstations, servers) but also network infrastructure, software assets, data, and processes such as incident response and security awareness training.

Learn more about CIS Controls >

What is CMMC? 

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive assessment framework and certification program launched by the Department of Defense (DoD) to protect the Defense Industrial Base (DIB) from increasingly frequent and complex cyberattacks. CMMC 2.0 defines three levels; Level 2 aligns with the 110 requirements of NIST SP 800-171.

Who should care about CMMC? 

CMMC compliance is required for any organization, contractor, or subcontractor that is part of the DoD supply chain. Estimates put this at roughly 300,000 organizations.

What systems does this affect?

CMMC affects any system that stores, processes, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); the required level depends on which of the two the contract involves, with FCI-only contracts at Level 1 and CUI at Level 2 or above.

Learn more about CMMC >

What is MITRE ATT&CK?

The MITRE ATT&CK® framework is a globally recognized, publicly available knowledge base of adversary tactics, techniques, and procedures observed in real-world intrusions. It is organized as a matrix of tactics (the attacker's goals, such as initial access or exfiltration) and techniques (how each goal is achieved).

Who should care about MITRE ATT&CK?

ATT&CK is free and is the reference of choice for threat hunters, detection engineers, red teamers, and other technical security roles, because it gives them a common vocabulary for mapping the lifecycle of an attack and for measuring detection coverage against it.

What systems does this affect?

ATT&CK is not a compliance mandate and does not itself apply to particular systems. It is used to understand the stages of an attack campaign that adversaries could execute, to map existing detections and controls to the techniques they address, and to identify which systems and attack stages are left uncovered.

Learn more about MITRE ATT&CK >

What is NIST CSF? 

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a set of guidelines and best practices for managing cybersecurity risk. Version 2.0, released in 2024, organizes its outcomes under six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Who should care about NIST CSF? 

NIST CSF was written originally for US critical infrastructure providers, but it is voluntary and is widely used by government agencies and private-sector organizations of any size that want a structured way to reduce cyber risk.

What systems does this affect? 

The NIST CSF applies to all systems and networking technologies used by an organization, including information technology (IT), operational technology (OT), and cloud services.

Learn more about NIST CSF compliance >

What is NIST RMF? 

The Risk Management Framework (RMF), defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-37, is the unified process for managing security and privacy risk to federal information systems. The United States Department of Defense (DoD) adopted it in place of its own earlier certification process, so one framework now serves the whole federal government.

Who should care about NIST RMF? 

Every federal agency is required to follow the NIST RMF, which integrates security and privacy risk management into the system development life cycle. This continuous approach to managing agency risk has seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

It should be noted that private sector and non-profit organizations have found NIST RMF to be useful in improving their security posture and achieving compliance. 

What systems does this affect? 

The NIST RMF applies to all agency systems.  This includes new and legacy systems as well as IoT and control systems. 

Learn more about NIST RMF >

What is zero trust? 

Zero trust is a security model that assumes an organization's network is continuously at risk from both internal and external actors and that no network location confers trust. All devices, identities, and systems are treated as untrusted by default: every access to an application or data requires authentication and explicit authorization, and that decision is re-evaluated continuously (on each new session or request, or when device posture or user risk changes) rather than granted once at login. NIST SP 800-207 describes the reference architecture.
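As an added illustration, and not code from this page or from Fortra, the following Python sketch shows a per-request policy decision in the style described above: deny by default, check device posture and strong authentication, authorize per resource and action, and require fresh authentication for sensitive actions instead of trusting a login indefinitely. The roles, resources, freshness limits, and the sample users and devices are assumptions constructed for the example.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Every request is denied unless identity, device posture, authorization and
session freshness all check out, and the check runs on every request rather
than once at login. All names, policy values and sample data are assumptions
made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REAUTH = "reauth"   # identity is valid, but its proof is too old for this action


@dataclass
class Identity:
    subject: str
    roles: frozenset
    authenticated_at: float   # epoch seconds of the last strong (MFA) authentication
    mfa: bool


@dataclass
class Device:
    device_id: str
    managed: bool             # enrolled in management / has an attested identity
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Request:
    identity: Identity
    device: Device
    resource: str             # e.g. "payroll-db"
    action: str               # "read" or "write"
    now: float                # evaluation time, epoch seconds


# Assumed policy: which roles may perform which action on which resource ...
POLICY = {
    "payroll-db": {"read": {"finance", "hr"}, "write": {"finance"}},
    "wiki":       {"read": {"staff", "finance", "hr"}, "write": {"staff"}},
}
# ... and how old the last strong authentication may be, per action (seconds).
MAX_AUTH_AGE = {"read": 8 * 3600, "write": 15 * 60}


def device_compliant(d: Device) -> bool:
    """Posture check: every attribute must hold; one failure is enough to deny."""
    return d.managed and d.disk_encrypted and d.os_patched


def evaluate(req: Request) -> tuple[Decision, str]:
    """Deny by default; return (decision, reason) once a check fails or all pass."""
    # 1. Device posture: an unmanaged or unhealthy device never reaches data,
    #    no matter who is logged in on it.
    if not device_compliant(req.device):
        return Decision.DENY, f"device {req.device.device_id} not compliant"
    # 2. The identity must have been strongly authenticated.
    if not req.identity.mfa:
        return Decision.DENY, "MFA required"
    # 3. Authorization is per resource and per action, not "on the network".
    allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.identity.roles & allowed_roles):
        return Decision.DENY, f"{req.identity.subject} has no {req.action} role for {req.resource}"
    # 4. Continuous revalidation: a session that was valid earlier is not trusted forever.
    age = req.now - req.identity.authenticated_at
    if age > MAX_AUTH_AGE[req.action]:
        return Decision.REAUTH, f"last strong auth {int(age)}s ago exceeds limit for {req.action}"
    return Decision.ALLOW, "all checks passed"


def demo() -> list[tuple[str, Decision]]:
    """Constructed sample traffic (not real data) run through the PDP."""
    now = 1_700_000_000.0
    alice = Identity("alice", frozenset({"finance"}), authenticated_at=now - 600, mfa=True)
    bob = Identity("bob", frozenset({"staff"}), authenticated_at=now - 60, mfa=True)
    laptop = Device("lt-01", managed=True, disk_encrypted=True, os_patched=True)
    byod = Device("phone-9", managed=False, disk_encrypted=True, os_patched=True)
    cases = [
        ("alice reads payroll on managed laptop", Request(alice, laptop, "payroll-db", "read", now)),
        ("alice writes payroll after 10 min", Request(alice, laptop, "payroll-db", "write", now)),
        ("alice writes payroll after 20 min", Request(alice, laptop, "payroll-db", "write", now + 600)),
        ("bob reads payroll on managed laptop", Request(bob, laptop, "payroll-db", "read", now)),
        ("alice reads payroll from unmanaged phone", Request(alice, byod, "payroll-db", "read", now)),
    ]
    return [(label, evaluate(r)[0]) for label, r in cases]


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{decision.value:7} {label}")
```

The order of the checks matters in practice: posture and authentication are evaluated before authorization so that a compromised but well-entitled account on an unmanaged device is stopped early, and the freshness limit is keyed to the action so a read that was fine ten minutes after login does not also entitle a write an hour later.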

Who should care about zero trust? 

Enterprises and government agencies worldwide have adopted zero trust, and adoption continues to grow; US federal agencies, for example, were directed to move to zero trust architectures by Executive Order 14028 and OMB memorandum M-22-09.

What systems does this affect? 

Zero trust is a strategy with specific tactics that evolve as an organization's IT estate evolves. It is critical to identify sensitive data, where it flows, and who needs access to it, and then apply the right controls (strong identity, device health checks, least-privilege access, segmentation) to protect it. Equally critical is monitoring the IT estate by logging and inspecting all traffic to surface malicious activity and identify areas requiring additional hardening.

Learn more about zero trust >

Need to comply with other regulations?

We can help. Chat with a compliance expert now. 


Cybersecurity & Compliance


Email Data Protection

Find the ally you need in the fight against Business Email Compromise (BEC), phishing and social engineering attacks, ransomware, ATO, accidental data loss and other email-borne threats.

Data Privacy

Keep your data where it belongs. Partner with the solutions that help you stay compliant with data privacy regulations across the board, including HIPAA, SOX, GDPR, PCI DSS, and more.

Data Loss Prevention (DLP)

Avoid compliance blunders with best-in-class Data Loss Prevention (DLP). Our one-of-a-kind approach to DLP leverages cloud-based Managed Detection and Response for scalable, no-compromise protection.

Data Classification

Operate safely in industries with strict data requirements when you identify, classify, and secure sensitive assets across platforms and in the cloud.

Featured Case Study

What can you do with GoAnywhere?

Alliant Credit Union Enhances PCI DSS with MFT Agents

Illinois-based credit union Alliant was processing over 500 file transfers a week with homegrown solutions. As their need to scale increased and work began on a new data warehouse, it became necessary to consider an automated solution.  

“With our current setup, we saw we needed a more robust system,” explained Computer Operations Supervisor Jay Wehner. “We wanted better automation of the files and a process to import them.” They chose GoAnywhere MFT. Finding it a painless transition, they used it to create secure encrypted connections between their servers. Said Wehner, “No other product was evaluated. GoAnywhere is a true ‘one product does it all.’ It’s not just file movement and SFTP.” 

Branching out beyond the product’s basic capabilities, Alliant adopted GoAnywhere Secure Mail and GoAnywhere GoDrive, a cloud-based Enterprise File Sync and Sharing (EFSS) service which immediately replaced their current cloud-based file sharing solution. “[Those] that are using it … are loving it.” 

Leveraging GoAnywhere MFT agents ultimately helped Alliant to enhance their PCI DSS compliance. “We needed a way to securely store and transmit PCI data,” Wehner revealed. “By utilizing GoAnywhere Agents, we were able to use a secure channel to transmit this data. We now no longer use standard protocols like SMB for file transfers.” 

Cyber Compliance by Industry

Cybersecurity compliance requirements are as unique as the sectors they protect. Know the data regulations by industry and what it takes to securely do business with each one.


Secure CUI under the controls mandated by Executive Order, safeguard Department of Defense technology under ITAR, and be FISMA compliant as you protect sensitive federal data.

Learn More >


As threats to health care increase, protect your peace of mind with HIPAA-compliant architecture.

Learn More >

Critical National Infrastructure

CNI sectors from energy to water to manufacturing benefit from NIST frameworks designed to secure high-risk national agencies.

Learn More >


Take charge of your bottom line and secure sensitive customer data with PCI DSS-compliant payment card systems.

Learn More >


Simplify SOX compliance with streamlined documentation and reporting on internal controls.

Learn More >

Get the Comprehensive Guide >


Government mandated data privacy regulations like GDPR and LGPD are becoming increasingly common as individuals hold corporations accountable for the responsible handling of their sensitive personal information.

Learn More >


Making sure your software development process adheres to financial and data-handling standards such as SOX not only helps you avoid compliance fines but also increases consumer trust.

Learn More >

Take the Next Step Toward Compliance

Ace your next audit with Fortra and take the guesswork out of the compliance process.