Cybersecurity Public Resources and References
Federal agencies, standards bodies, state governments, and professional organizations publish a substantial body of freely accessible cybersecurity guidance, frameworks, and regulatory references. This page catalogs those public resources by source category, covering foundational frameworks, sector-specific mandates, and practitioner references relevant to organizations operating under US cybersecurity obligations. Understanding the regulatory context for cybersecurity is essential for applying these resources effectively within a compliance program.
Public education sources
The National Institute of Standards and Technology (NIST) operates the primary publicly funded cybersecurity education infrastructure in the United States. Its NIST Cybersecurity Framework (CSF), now at version 2.0 as of February 2024, provides a voluntary but widely adopted structure organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The framework is explicitly designed for organizations of all sizes and sectors, not exclusively for federal agencies.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains a free learning portal covering topics from basic cyber hygiene to industrial control system security. CISA also publishes Binding Operational Directives (BODs) and Known Exploited Vulnerabilities (KEV) catalogs, both of which carry direct policy weight for federal civilian agencies and serve as informed reference baselines for private-sector practitioners.
The SANS Internet Storm Center and the Center for Internet Security (CIS) publish benchmark configurations and the CIS Controls — a prioritized set of 18 control categories that map directly to NIST SP 800-53 control families. CIS benchmarks exist for over 100 technology platforms.
Practitioners building or auditing cybersecurity programs should consult Cybersecurity Standards Overview for a structured comparison of which frameworks apply under which regulatory conditions.
Federal resources
Federal cybersecurity governance produces legally binding requirements through statutes, agency regulations, and executive directives. The five most operationally significant sources are:
- NIST SP 800-53 Rev 5 — The authoritative catalog of security and privacy controls for federal information systems, published by NIST's Computer Security Resource Center at csrc.nist.gov. Controls are organized into 20 families and are mandatory for federal agencies under FISMA.
- Federal Information Security Modernization Act (FISMA) — Codified at 44 U.S.C. § 3551 et seq., FISMA mandates annual security assessments and continuous monitoring for all federal information systems.
- HIPAA Security Rule (45 CFR Part 164) — Administered by the HHS Office for Civil Rights, it establishes administrative, physical, and technical safeguard requirements for electronic protected health information. Civil penalties reach $1.9 million per violation category per year (HHS Penalty Structure).
- FTC Safeguards Rule (16 CFR Part 314) — Revised and enforced by the Federal Trade Commission, it applies to non-bank financial institutions and requires a written information security program with 9 required elements.
- CMMC (Cybersecurity Maturity Model Certification) — Managed by the Department of Defense, CMMC 2.0 maps to NIST SP 800-171 and applies to defense industrial base contractors handling Controlled Unclassified Information (CUI).
The Cybersecurity Compliance Requirements by Sector page breaks down how each of these federal mandates applies across healthcare, finance, defense, and critical infrastructure verticals.
State-level resources
State-level cybersecurity requirements vary significantly but share structural patterns. California, New York, and Texas operate the three largest and most frequently cited state cybersecurity programs.
California — The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA) and enforced by the California Privacy Protection Agency (CPPA), imposes data security obligations on businesses meeting defined revenue or data volume thresholds.
New York — The New York Department of Financial Services (NYDFS) 23 NYCRR Part 500 regulation applies to licensed financial entities and requires a written cybersecurity policy, a designated CISO, and annual penetration testing. The 2023 amendment to Part 500 added requirements for larger "Class A" companies, including annual independent audits.
Texas — The Texas Identity Theft Enforcement and Protection Act and the Texas Privacy Protection Act impose breach notification timelines of 60 days for affected Texas residents.
42 US states have enacted standalone data breach notification laws with varying trigger definitions and notification windows ranging from 30 to 90 days. The National Conference of State Legislatures (NCSL) maintains a comparative state law database updated as statutes change.
Professional and industry references
Three organizations dominate the professional reference landscape for cybersecurity practitioners:
ISACA publishes the COBIT framework for IT governance and the CISM (Certified Information Security Manager) and CISA (Certified Information Systems Auditor) credentialing programs. COBIT 2019 maps governance objectives to NIST CSF and ISO/IEC 27001 controls.
ISC² administers the CISSP credential and publishes the Common Body of Knowledge (CBK), which covers 8 domains including Security and Risk Management, Asset Security, and Software Development Security.
ISO/IEC 27001:2022 — Issued by the International Organization for Standardization, this is the globally recognized standard for information security management systems (ISMS). Certification requires an accredited third-party audit and typically addresses 93 controls organized across 4 themes in Annex A.
For practitioners mapping these references to operational workflows, Cybersecurity Risk Assessment Methodologies and Process Framework for Cybersecurity provide structured guidance on translating reference material into executable program components. The Cybersecurity Roles and Responsibilities page clarifies accountability structures commonly defined within these frameworks.