Threatstealth

Cross-Domain Framework Mapping Reference

Practical cross-domain mapping of cybersecurity, privacy, and AI governance frameworks by industry and use case — showing which standards apply and how they overlap for healthcare, finance, EU, federal/defense, cloud, AI systems, OT, and MSSPs.

Healthcare Framework Stack: HIPAA, NIST CSF, and HICP Alignment

Healthcare organisations face a multi-layer compliance stack: HIPAA Security Rule defines the minimum technical and administrative safeguards for electronic PHI, NIST CSF provides a risk-based security management structure, and the Health Industry Cybersecurity Practices (HICP) provide healthcare-specific implementation guidance aligned to both HIPAA and NIST CSF. Understanding how these frameworks map to each other allows healthcare security teams to implement controls once and satisfy multiple requirements simultaneously. For example, NIST CSF PR.AC (Access Control) maps directly to HIPAA Security Rule §164.312(a) (Technical Safeguards - Access Control) and to HICP Practice 1 (Email Protection) — allowing a single MFA implementation to provide evidence across all three frameworks.

Financial Services Framework Stack: PCI DSS, SOC 2, and DORA

Financial services organisations typically face the most complex compliance stack — PCI DSS for payment processing, SOC 2 for service organisation reporting, NIST CSF as a voluntary risk management baseline, FFIEC guidance for US financial institutions, and EU DORA (Digital Operational Resilience Act) for EU-regulated financial entities. DORA, fully applicable from January 2025, adds ICT risk management, resilience testing, and third-party ICT risk management requirements on top of existing obligations. The cross-domain mapping identifies where these frameworks share control objectives — enabling organisations to design their security programme around a unified control set that satisfies all applicable requirements rather than building separate compliance programmes for each framework.

EU Operations Framework Stack: NIS2, GDPR, and EU AI Act

Organisations operating in the EU face a growing stack of concurrent digital regulatory obligations that interact and overlap. NIS2 covers cybersecurity risk management and incident reporting for essential and important entities. GDPR covers personal data protection across all processing activities. DORA applies to financial entities. The EU AI Act covers AI systems meeting scope criteria. The EU Cyber Resilience Act covers products with digital elements. Understanding how these regulations interact — where they share common control objectives and where they impose distinct and potentially conflicting requirements — is essential for organisations building EU compliance programmes. The cross-domain mapping visualises these interactions and identifies where a single control satisfies multiple regulatory obligations.

Federal and Defense Framework Stack: CMMC 2.0 and NIST 800-53

US government contractors face cybersecurity requirements that go significantly beyond commercial sector standards. NIST SP 800-171 defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems — and CMMC 2.0 Level 2 certification requires demonstrating compliance with all 110 requirements through third-party assessment. NIST SP 800-53 defines over 1,000 controls for federal information systems categorised by baseline (Low, Moderate, High). FedRAMP builds on 800-53 with additional requirements for cloud service providers serving federal agencies. The cross-domain mapping shows how CMMC practices map to NIST 800-171 requirements, and how 800-171 maps to the broader 800-53 control catalogue.