Control and risk frameworks
NIST CSF, NIST SP 800 53, CIS Controls, OWASP ASVS, and OWASP MASVS inform control assessment and technical verification planning.
MYID is designed with recognized security, privacy, and application assurance frameworks in mind. The standards and laws on this page guide assessment, control design, and customer deployment planning. Their inclusion does not mean MYID is certified, authorized, endorsed, or universally compliant.
NIST CSF, NIST SP 800 53, CIS Controls, OWASP ASVS, and OWASP MASVS inform control assessment and technical verification planning.
HIPAA, Virginia SEC530, privacy laws, FERPA, GLBA, and CJIS require a customer and data specific review before a deployment claim is approved.
SOC 2, ISO 27001, and FIPS validation require independent evidence or a validated module and operating environment. They are objectives, not current badges.
These sources help organize risk, controls, testing, and evidence. A completed control mapping is supplied only when it has been assessed for the specific release and deployment.
| Reference | Current MYID position | Official source |
|---|---|---|
| NIST Cybersecurity Framework 2.0 | Used as a security risk and program assessment reference. No NIST certification or endorsement is claimed. | NIST CSF |
| NIST SP 800 53 Revision 5 | Included in the control mapping roadmap. Selected controls may be mapped only after evidence review. | NIST control catalog |
| CIS Controls Version 8 | Used as an operational safeguard assessment reference. No implementation group status is claimed. | CIS Controls |
| OWASP ASVS | Selected web and API security requirements can inform release testing. No OWASP verification level is claimed. | OWASP ASVS |
| OWASP MASVS | Selected mobile security requirements can inform iOS and Android verification. No OWASP certification is claimed. | OWASP MASVS |
MYID can provide identity, access, audit, response, and privacy capabilities that are relevant to these obligations. The product alone cannot make an organization compliant.
| Law or standard | Safe current position | Official source |
|---|---|---|
| HIPAA Security Rule | Identity, authentication, audit, and security response capabilities may support applicable safeguards. A healthcare deployment is not approved for electronic protected health information until scope, risk analysis, safeguards, subprocessors, and required contract terms are complete. | HHS Security Rule |
| Virginia SEC530 | Available for customer specific control mapping against applicable Commonwealth requirements. VITA approval or blanket SEC530 compliance is not claimed. | VITA SEC530 |
| Virginia Consumer Data Protection Act | Privacy practices and processor support are assessed where the law applies. Employee and commercial context exclusions must be evaluated before making a claim. | Virginia law |
| General Data Protection Regulation | Applicable deployments require documented roles, lawful instructions, rights handling, retention, deletion, security evidence, subprocessors, and a lawful transfer mechanism. | Official GDPR text |
| California CCPA and CPRA | Applicable privacy duties are assessed for qualifying businesses and processing. MYID does not sell personal information or use advertising trackers on this site. | California privacy rules |
| FERPA | Education deployments require school direction, authorized use, direct control, use limits, retention, and destruction terms. | Education Department overview |
| Gramm Leach Bliley Safeguards Rule | Identity, access, audit, and response capabilities may support a financial institution safeguards program. Service provider oversight and contract requirements remain customer responsibilities. | FTC Safeguards Rule |
| FBI CJIS Security Policy | Readiness must be assessed with the customer and its CJIS Systems Agency for any criminal justice information deployment. FBI approval or CJIS certification is not claimed. | FBI CJIS policy |
| Objective | Current MYID position | Official source |
|---|---|---|
| SOC 2 | The AICPA Trust Services Criteria can inform readiness work. MYID does not claim a Type I or Type II report unless an executed examination produces one. | AICPA SOC information |
| ISO IEC 27001 | Information security management alignment is an objective. No organizational certificate is currently claimed on this page. | ISO standard overview |
| FIPS 140 3 | Validation applies to a specific cryptographic module, version, environment, and approved mode. MYID does not claim product validation merely because standard encryption is used. | NIST FIPS 140 3 |