Skip to content

By Regulations & Standards
- DORA
- HIPAA
- NERC CIP
- PCI DSS
- Browse all
By Frameworks
Services
Resources
- Latest News
- Blog
- Reports
- Data Sheets
- White Papers
About
FAQ

By Regulations & Standards
- DORA
- HIPAA
- NERC CIP
- PCI DSS
- Browse all
By Frameworks
Services
Resources
- Latest News
- Blog
- Reports
- Data Sheets
- White Papers
About
FAQ

About
FAQ
Log in / Joins us

About
FAQ
Log in / Joins us

By Regulations & Standards
- DORAWhat is Dora?
  - Identify the appropriate software solution for your DORA compliance needs. DORA aims to strengthen the digital operational resilience of the EU financial sector by targeting 21 types of entities. Key requirements include robust ICT risk management, incident reporting, resilience testing (TLPT for some), and third-party risk management, with an information register. DORA also establishes oversight for critical ICT service providers (CTPP).
- HIPAA1. What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal legislation that set forth national standards to safeguard sensitive patient health information from unauthorized disclosure without the patient’s knowledge or consent. The HIPAA regulation consists of four rules: 1. Privacy Rule The Privacy Rule is designed to guarantee that entities handling health information implement appropriate measures to safeguard the information from unauthorized access or disclosure.Empower individuals with the knowledge and control over how their health information is utilized. Adherence to the Privacy Rule assures individuals seeking healthcare that an organization is dedicated to preserving the confidentiality and security of their information. Even if individuals are not interacting directly with an organization, they can trust the HIPAA framework to maintain the privacy of their data across all involved parties. 2. Security Rule The Security Rule is focused on protecting a specific subset of information encompassed by the Privacy Rule by establishing standards for the protection of electronically stored and transmitted PHI (ePHI). This is achieved by mandating the implementation of administrative, technical, and physical safeguards. Compliance with the Security Rule signifies an organization’s dedication to safeguarding the confidentiality, integrity, and security of ePHI, and…
  - Find the right software for your HIPAA compliance needs by comparing software capabilities, covered requirements, compliance impact, and the level of evidence the software supports. The HIPAA (Health Insurance Portability and Accountability Act of 1996) is a U.S. law that mandates national standards for protecting sensitive patient health information, known as protected health information (PHI).
- NERC CIP1. What is NERC CIP? NERC CIP, which stands for North American Electric Reliability Corporation Critical Infrastructure Protection, is a collection of cybersecurity standards devised to safeguard the vital infrastructure of the North American electric grid. The objective of NERC CIP standards is to guarantee the reliability, security, and resilience of the electric power system by setting requirements for the identification and protection of critical assets and confidential information. Below is a summary of the NERC CIP framework: CIP-002: Critical Cyber Assets Identification: This requirement is centered on the identification and categorization of critical cyber assets within an organization’s control systems that are essential for the reliable operation of large-scale energy systems. CIP-003: Security Management Controls: This requirement is centered on the implementation of security management controls to establish and maintain an effective cybersecurity program. This encompasses the development of policies, conducting risk assessments, and implementing security controls. CIP-004: Personnel and Training: This requirement underscores the significance of qualified personnel and appropriate training to support an organization’s cybersecurity initiatives. CIP-005: Electronic Security Perimeter: This requirement is centered on establishing secure electronic access points or security perimeters to shield critical cyber assets from unauthorized access and cyber threats. CIP-006: Physical Security…
  - Select the best software solution for your NERC CIP compliance. Compare software capabilities, covered requirements, compliance impact, and evaluate the effectiveness of the evidence provided by the software. NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a set of cybersecurity standards designed to protect the critical infrastructure of the North American electric grid.
- PCI DSS1. What is PCI DSS? Companies that store, process or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard defined by the Payment Card Industry Security Standards Council (PCI SSC) specifies technical and operational requirements established to protect cardholder data, in-scope data includes the sensitive authentication data (stored on magnetic stripe data or equivalent on a chip, CVC2, CVV2, CID, PINs, PIN blocks) and the primary account number (PAN). The PCI SSC is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Companies must undergo an annual security audit and quarterly network scan by PCI SSC approved providers. Not complying with the PCI DSS standard could lead to fines of non-compliance up to $500,000, expensive litigation costs, and being barred from cardholder data processing from card schemes. Furthermore, non-compliance has a direct impact on brand reputation and exposes companies to negative publicity that damages consumer confidence. The PCI DSS is composed of 12 requirements, organized into six control objectives: Build and Maintain a Secure…
  - Choose the appropriate software solution for your PCI DSS compliance. Evaluate software capabilities, covered requirements, compliance impact, and evaluate the effectiveness of the evidence provided by the software. PCI DSS (Payment Card Industry Data Security Standard) specifies technical and operational requirements established to protect cardholder data, in-scope data includes the sensitive authentication data and the primary account number (PAN).
- Browse all
By Frameworks
- MITRE ATT&CK®1. What is MITRE ATT&CK? The MITRE ATT&CK is a comprehensive cybersecurity knowledge base of adversary tactics and techniques, grounded in actual real-world observations. This knowledge base provides a standardized approach to understanding, categorizing, and analyzing cyber threats and attack techniques. The MITRE ATT&CK was developed by MITRE, a nonprofit entity, established to offer engineering and technical advice to the federal government. The MITRE ATT&CK focuses on adversary behavior and provides insights into how cyber threats operate, their tactics, techniques, and procedures (TTPs), and the different stages of a cyber-attack. It is widely used in the cybersecurity industry and is valuable for organizations seeking to enhance their threat detection, incident response, and overall cybersecurity defenses. MITRE ATT&CK consists of a matrix that categorizes cyber threats based on the different stages of an attack, known as the “ATT&CK Matrix.” It includes the following components: Tactics: The high-level objectives that adversaries aim to achieve during a cyber-attack. These tactics include initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact. Techniques: The specific methods and techniques used by adversaries to accomplish their objectives within each tactic. These techniques describe the step-by-step actions and procedures employed…
  - Select the appropriate software solution for MITRE ATT&CK mitigations by comparing software capabilities and covered mitigations supported by the software. MITRE ATT&CK is a comprehensive cybersecurity knowledge base of adversary tactics and techniques, based on real-world observations.
- NIST CSF1. What is NIST CSF? The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a widely recognized and widely adopted framework that provides a set of guidelines, best practices, and standards for improving cybersecurity risk management. The framework is specifically designed to help organizations, including critical infrastructure sectors, identify, protect, detect, respond to, and recover from cyber threats and incidents. The NIST CSF is based on industry standards and best practices, and it is a voluntary framework that organizations can adopt and tailor to their specific needs and risk profiles. It consists of three main components: Core: The Core is the heart of the framework and provides a set of cybersecurity activities and desired outcomes. It is organized into five key functions: Identify: This function involves understanding and managing cybersecurity risks by identifying critical assets, assessing vulnerabilities, and understanding the potential impact of cyber threats. Protect: The Protect function focuses on implementing safeguards to ensure the security and resilience of critical infrastructure. It includes activities such as access control, awareness training, data protection, and secure configurations. Detect: The Detect function involves continuous monitoring and timely detection of cybersecurity events. It includes activities such as threat intelligence, anomaly…
  - Find the right software solution for NIST CSF guidance by comparing software capabilities and covered guidance supported by the software. The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary guidance document intended to assist organizations in managing and mitigating cybersecurity risks. The framework is specifically designed to help organizations, including critical infrastructure sectors, identify, protect, detect, respond to, and recover from cyber threats and incidents.
- NIST SP 800-53 (LOW)1. What is NIST SP800-53? The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP800-53) is a comprehensive cybersecurity framework that provides guidelines and controls for federal information systems and organizations. While it is not specifically focused on critical infrastructure, it serves as a valuable resource for enhancing cybersecurity practices in critical infrastructure sectors. NIST SP800-53 covers a wide range of security controls and best practices that organizations can implement to protect their information systems from various cyber threats. The framework is organized into 18 control families, each addressing a specific area of cybersecurity. Some of the key control families include: Access Control (AC): Controls related to granting and managing access to information systems and resources. This includes user identification, authentication, authorization, and accountability. Incident Response (IR): Controls focused on detecting, responding to, and recovering from cybersecurity incidents. It includes incident response planning, incident handling, and communication protocols. Configuration Management (CM): Controls related to establishing and maintaining secure configurations for information systems. This includes configuration baselines, change management processes, and configuration monitoring. System and Information Integrity (SI): Controls aimed at ensuring the integrity of information systems and data. This includes malware protection, security event monitoring, and vulnerability scanning.…
  - Select the appropriate software solution for NIST SP 800-53 (LOW) control baseline by comparing software capabilities and covered controls supported by the software. The NIST SP 800-53 (LOW: Low-Impact Systems) is a comprehensive cybersecurity framework that provides guidelines and controls for federal information systems and organizations. While it is not specifically focused on critical infrastructure, it serves as a valuable resource for enhancing cybersecurity practices in critical infrastructure sectors.
- NIST SSDF1. What is NIST SSDF? The NIST SSDF (Secure Software Development Framework) is a cybersecurity framework developed by the National Institute of Standards and Technology (NIST) to help organizations secure their software development processes. The framework provides guidelines and best practices to integrate security into every phase of the software development life cycle (SDLC), from design to deployment and maintenance. The NIST SSDF Framework consists of a set of core principles and practices aimed at ensuring the development of secure and resilient software. It emphasizes the importance of proactive security measures and risk management throughout the entire software development process. Key components of the NIST SSDF Framework include: Risk Assessment: The framework emphasizes the need for conducting risk assessments early in the software development life cycle. This involves identifying potential security risks and vulnerabilities and analyzing their potential impact on the software and the overall system. Security Requirements: The NIST SSDF Framework promotes the inclusion of security requirements in the software development process. These requirements are defined based on the identified risks and help guide the development team in implementing appropriate security controls. Secure Design: The framework emphasizes the importance of secure design principles in developing resilient software. This involves…
  - Choose the appropriate software solution for NIST SSDF practices by comparing software capabilities and covered practices supported by the software. The NIST SSDF (Secure Software Development Framework) is a cybersecurity framework developed by the NIST to help organizations secure their software development processes. The framework provides guidelines and best practices to integrate security into every phase of the software development life cycle (SDLC), from design to deployment and maintenance.
- Browse all
Services
- Compliance for Software
  - PCI DSS
  - NERC CIP
  - NIST CSF
  - Evaluate your software’s capabilities that support PCI DSS compliance
  - Assess your software’s features that help organizations achieve NERC CIP compliance
  - Review your software’s features that align with NIST CSF best practices
  - NIST SSDF
  - ISO/IEC 27001
  - HIPAA
  - Evaluate your software’s features that help organizations meet NIST SSDF practices
  - Assess your software’s features supporting ISO/IEC 27001 compliance
  - Evaluate your software’s features that help organizations meet HIPAA compliance
  - Browse all
- Strategy and Risk
  - Strategy and Risk consulting services assist critical infrastructure organizations in identifying, assessing, and mitigating potential risks through a structured approach. This enables businesses to align cybersecurity with their objectives while safeguarding assets and reputation
- Cybersecurity for OT
  - Cybersecurity consulting services for OT known as Operational Technology (OT), focuses on safeguarding Industrial Control Systems (ICS) that oversee critical industrial processes. These systems, including SCADA, DCS, PLCs, HMIs, and sensors, are essential in various sectors, from power generation to manufacturing and transportation
Resources
- Latest News
  - Stay up to date with the latest cybersecurity regulations, standards, frameworks, and industry best practices.
- Blog
  - Receive updates and practical insights on the implementation of cybersecurity regulations, standards, requirements, frameworks, and best practices.
- Reports
  - Reports and research on emerging cybersecurity frameworks, guidelines, regulations, and industry best practices to provide a comprehensive understanding of the evolving cybersecurity landscape.
- Data Sheets
  - Learn how organizations improve compliance with cybersecurity regulations, standards, frameworks, and best practices through our services.
- White Papers
  - Access white papers on cybersecurity regulations, standards, requirements, frameworks, and best practices.
About
FAQ

CIARA

by Radiflow

share

see pdf version

Compliance evaluation

What is CIARA?

Radiflow’s CIARA is touted as a pioneering ROI-driven risk assessment and management platform tailored for industrial organizations. It integrates a threat intelligence-driven breach and attack simulation engine (OT-BAS) to precisely assess risks

Cybersecurity Regulations, Standards and Frameworks Supported

DORA

EU AI ACT

HIPAA

ISO/IEC 27001

NERC CIP

PCI DSS

GDPR

NIS 2

CCPA/CPRA

MAS & ABS

PSD2

NCA OTCC

CMMC

PCI 3DS

PCI CP & PLS

MITRE ATT&CK®

NIST CSF

NIST SP 800-53

NIST SSDF

ZTA

CISA Secure for OT Products

NIST AI RMF

MITRE ATT&CK ICS

Deployment

SaaS
Windows
Linux
OS/Virtual/Proprietary
On-Premise

Environment

Information Technology (IT)
Operational Technology (OT)
Extended Internet of Things (XIoT)

Region

America
Asia Pacific
Europe
International

Industry

Critical Infrastructures
Energy & Utilities
Financial Services
Government
Healthcare
Technology & Communications

Capabilities

Risk Assessment

NERC CIP Requirements supported by the software

CIP-002-5.1a: BES Cyber System Categorization

R1, R1.1, R1.2, R1.3: Identify/categorize BES Cyber Systems by High/Medium/Low impact
R2, R2.1, R2.2: Review categorization and obtain approval every 15 months

CIP-003-8: Security Management Controls

Att 1 Sec 5: Plan to mitigate malicious code risk from TCA/Removable Media
Att 1 Sec 5.1, 5.2: Malicious code risk mitigation for TCA

CIP-003-9: Security Management Controls

Att 1 Sec 3.1: Permit only necessary routable inbound/outbound electronic access for Low Impact
Att 1 Sec 6: Implement process to mitigate vendor remote access risks
Att 1 Sec 4.5: Test cyber security incident response plan every 36 months

CIP-004-7: Personnel & Training

R5.1: Initiate access removal within 24 hours of termination/IRA
R5.2, R6.3: Revoke access by next calendar day for reassignments/BCSI
R4.2: Verify active access authorizations quarterly
R4.3: Verify user account privileges every 15 months

CIP-005-7: Electronic Security Perimeter(s)

R1.3: EAPs must require access permissions, reason, and deny all other access
R2.1: Interactive Remote Access must utilize an Intermediate System
R2.3: Require multi-factor authentication for all Interactive Remote Access sessions
R2.4: Method(s) to determine active vendor remote access sessions
R2.5: Method(s) to disable active vendor remote access

CIP-006-6: Physical Security of BES Cyber Systems

R1.10: Restrict physical access or apply encryption/monitoring
R1.4, R1.5: Monitor physical access points and alert within 15 minutes
R1.6, R1.7: Monitor PACS for unauthorized physical access; alert response personnel within 15 minutes
R1.8: Log authorized unescorted physical entry with identity, date, time
R1.9: Retain physical access logs for 90 calendar days
R2.2: Log visitor entry/exit, name, date, time, contact
R2.3: Retain visitor logs for 90 calendar days

CIP-007-6: System Security Management

R2.1: Patch management process: track, evaluate, install security patches
R2.2: Evaluate patches every 35 days
R2.3, R2.4: Apply patch or implement mitigation plan within 35 days
R1.1: Enable only necessary logical network accessible ports, where technically feasible
R5.5: Enforce minimum 8-character length and 3 character types for passwords
R5.6: Enforce password change/obligation at least every 15 months, if feasible
R5.7: Limit unsuccessful authentication attempts or generate alerts, if feasible
R4.1: Log successful/failed logins and detected malicious code
R4.2: Generate alerts for malicious code detection and logging failure
R4.4: Review logged event summarization/sampling every 15 days
R4.3: Retain event logs for last 90 consecutive days

CIP-008-6: Incident Reporting and Response Planning

R1.1, R1.2, R1.4: Identify, classify, respond, and handle cyber incidents
R4, R4.2: Notify E-ISAC/NCCIC within required timelines

CIP-009-6: Recovery Plans for BES Cyber Systems

R2.3: Test recovery plans every 36 months
R1.3: Document process for backup and storage of recovery information
R1.4: Verify successful backup completion and address failures
R2.2: Test representative sample of recovery information usability every 15 months

CIP-010-4: Configuration Change Management

R1.6: Verify software source identity and integrity prior to configuration changes
R1.1: Develop configuration baseline including OS, software, ports, patches
R1.3: Update baseline within 30 days after configuration change
R1.2: Authorize and document changes deviating from existing baseline configuration
R2.1: Monitor baseline configuration changes and investigate unauthorized changes every 35 days
R3.1: Conduct paper or active vulnerability assessment every 15 months
R3.2: Active assessment every 36 months for High Impact, if feasible
R3.3: Perform active vulnerability assessment before adding new Cyber Assets to production
R3.4: Document assessment results, remediation action plans, planned dates, execution status
R4: Documented plan for Transient Cyber Assets and Removable Media

CIP-011-3: Information Protection

R2.1, R2.2: Prevent unauthorized BCSI retrieval prior to reuse or disposal of Cyber Assets
R1.1: Document method(s) to identify BCSI
R1.2: Protect and securely handle BCSI against confidentiality compromise

CIP-012-1: Communications Between Control Centers

R1: Plan to mitigate risks to confidentiality, integrity, availability of real-time data
R1.3: Method(s) to initiate communication link recovery

CIP-013-2: Supply Chain Risk Management

R1.1: Identify and assess cyber security risks during procurement planning
R1.2.5: Require verification of vendor software integrity and authenticity

CIP-015-1: Internal Network Security Monitoring

R1.1, R1.2, R1.3: Monitor network data feeds to detect/evaluate anomalous activity
R2: Retain anomalous activity data until investigation is complete

Scope Impact

Periodic compliance activities supported by the Software

Automated generation of compliance status reports
Ensuring data privacy and protection measures are up to date.
Maintain compliance and evidence documentation
Monitor and address customers' compliance failures
Monitoring and documenting system changes for compliance impact
Ongoing evaluation and management of security risks.
Organizing periodic security awareness training for users
Periodic audits of user permissions and access rights.
Perform quarterly compliance process review
Regular updates to the incident response plan
Routine updates to fix vulnerabilities and maintain security standards
Testing backup and recovery plans to ensure operational

The Software store, process, or transmit

Customer account data
Sensitive information such a as Cardholder Data (CHD), Protected Health Information (PHI), Intellectual Property (IP), Bulk Electric System Critical Information (BCSI)
Other classified information as per relevant compliance standards
Not Applicable

The Software requires to be integrated with other systems impacting the cybersecurity or compliance of the customer

Required integration
Optional integration
Not Applicable

Software modules implemented

Modules that provide cybersecurity services for compliance (e.g., built-in features for PCI DSS, NERC CIP compliance, recurring activities, etc.)
Modules that securely store, process, or transmit customer account data or other sensitive information
Modules that facilitate network security controls
Modules that virtualize (e.g., machines, networks, appliances, applications, and hypervisors)
Modules purchased, subscribed (e.g., SaaS, bespoke and custom software, etc.)
Tools, code repositories, and systems that implement software configuration management or to systems that can impact the cybersecurity
Not Applicable

Software vendor Third-Party Service Providers (TPSPs) used

TPSPs that store, process, or transmit customer account data or other sensitive information on the entity’s behalf
TPSPs that impact the cybersecurity of the software vendor account data, sensitive information (e.g. vendors providing remote support)
TPSPs that manage software vendor modules/components included in the evaluation scope
Not Applicable

NERC CIP scoping

NERC CIP Categorisation

Cyber Asset
BES Cyber Asset (adverse impact in <15 minutes)
Protected Cyber Asset (PCA)
Electronic Access Control or Monitoring Systems (EACMS)
Physical Access Control Systems (PACS)
Removable Media
Transient Cyber Asset
Not Applicable

Support a BES Reliability Operating Service (BROS)

Yes
No
Not Applicable

In Electronic Security Perimeter (ESP)

Yes
No
Not Applicable

External Routable Connectivity (ERC) Scope Impact

Reduce ERC
Eliminate ERC
Not Applicable

In Physical Security Perimeter (PSP)

Yes
No
Not Applicable

With Electronic Access Point (EAP)

Yes
No
Not Applicable

Accessibility Attributes

ERC
LERC
IRA
Not Applicable

Connectivity Attributes

Dial-up
Serial
Routable Protocol
Not Applicable

Compliance Evaluation

Compliance Labs conducted an Initial Analysis of the software to obtain reasonable assurance that the accompanying software documentation fairly presents, in all material respects, the aspects of the software controls that may be relevant or provide support as they relate to Compliance Testing Controls. The Initial Assessment also examines whether the controls included in the software documentation have been suitably designed to support compliance objectives, satisfactorily implemented, and placed in the client environment.

No Software Compliance Testing report currently available.

Alternatives

SecurityGate

by SecurityGate.io

Stay informed

Sign up to receive the latest news on cybersecurity regulations from Compliance Labs.

We promise we won’t spam you.

Email

Acceptance

I accept the terms and conditions.

By proceeding, you agree to our Terms of Use and Privacy Policy. You may unsubscribe at any time.

Tour Ariane – 5 place de la Pyramide
92088 Paris La Défense CEDEX

Contact us

Linkedin-in X-twitter

About
Why Compliance Labs
The team

services
Compliance for Software
Strategy and Risk
Cybersecurity for OT

Resources
All Resources
Blog

my account
Become a member
Log in
Get listed (for Vendors)

FAQ
|
Terms of use
|
Privacy Policy

© 2025 Compliance Labs - All Rights Reserved.

Hide similarities
Highlight differences

Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.

Software logo
Vendor
What is this Software?
Website
Cybersecurity Regulations, Standards and Guidelines Tested
Other Cybersecurity Regulations, Standards and Guidelines Supported
Deployment
Environment
Region
Industry
Capabilities
Application and DevOps Security
Asset Inventory and Management
Audit and Compliance Management
Awareness and Training
Backup and Recovery
Data Security
Endpoint and Device Protection
Identity Management and Access Control
Incident Response
Logging and Threat Detection
Network security
Posture and Vulnerability Management
Risk Assessment and Management
Software Bill Of Materials (SBOM)
Zero Trust Network Access
MITRE Mitigations Enterprise Supported by the Software
NIST CSF Controls Supported by the Software
NIST SP6800-53 (LOW) Controls Supported by the Software
NIST SSDF Controls Supported by the Software
HIPAA Requirements Supported by the Software
ISO/IEC 27001 Requirements Supported by the Software
NERC CIP Requirements Supported by the Software
PCI DSS Requirements Supported by the Software
DORA Requirements Supported by the Software
ZTA Logical Architecture Component Supported by the Software
OT Components Supported by the Software
EU AI Act Requirements Supported by the Software
GDPR Requirements Supported by the Software
NIST AI RMF Subcategories
NIS 2 Requirements
MAS & ABS Requirement
CCPA/CPRA Requirements
PSD2 Requirements
CMMC Requirements
NCA OTCC Requirements
MITRE ATT&CK ICS Mitigations
PCI CP & PLS Requirements
PCI 3DS Requirements
Scope Impact
Periodic compliance activities supported by the Software
The Software store, process, or transmit
The Software requires to be integrated with other systems impacting the cybersecurity or compliance of the customer
Software modules implemented
Software vendor Third-Party Service Providers (TPSPs) used
Software NERC CIP scoping
Software NIST SSDF scoping
Software PCI DSS scoping

Compare

Compare ×

View comparison Continue browsing software