M-209 cipher machine.

Standards and Regulations

ISO/IEC — International Organization for Standardization and the International Electrotechnical Commission

SOC = auditing reports for service organizations (formerly issued under SAS 70, now under SSAE)

SSAE = Statement on Standards for Attestation Engagements. It's an auditing standard for service organizations. It was SSAE 16; since May 2017 it has been SSAE 18.

U.S. Government requirements and documents

ITAR = International Traffic in Arms Regulations — military items
EAR = Export Administration Regulations — "dual use" items such as crypto
Wassenaar Arrangement = international export-control agreement not to export weapons or dual-use technologies to certain countries

FISMA requires U.S. Government agencies to produce security plans; the NIST documents say how.

FedRAMP is about U.S. Government use of cloud technology.

FIPS 140-2 specifies requirements for cryptographic modules (software and hardware) and the approved cryptography they may use.

NIST special publications:

SP 800-37 RMF = Risk Management Framework, how to apply 800-53 controls, with a 6-step process (mnemonic CSIAAM):
  1. Categorize risks
  2. Select tools
  3. Implement
  4. Assess effectiveness
  5. Authorize (by management)
  6. Monitor
SP 800-39 RMF = Risk Management Framework overview, how to manage risk
SP 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations"
It's a catalog of security controls, applied to all U.S. federal government information and IT systems.
SP 800-64 Application security across the SDLC (Software Design Life Cycle)
SP 800-82 Guide to ICS (Industrial Control Systems)
SP 800-145 Defines "cloud" and associated terms.
SP 800-160 Security for IoT and ICS

Common Criteria

CC = Common Criteria, EAL1 (just functionally tested) up to EAL7 (formally verified design and tested). Most commercial offerings are EAL4. The Integrity-178B real-time operating system used in some U.S. military aircraft has been certified as EAL6+, supposedly that's the highest ever achieved.

ENISA — European Network and Information Security Agency

"Cloud Computing: Benefits, Risks, and Recommendations for Information Security" lists the top eight security risks; oddly, it doesn't mention availability:


National and International Laws for P&DP (Privacy and Data Protection)

CSA — Cloud Security Alliance

STAR — Security, Trust, and Assurance Registry

CCM — Cloud Controls Matrix

CAIQ — Consensus Assessments Initiative Questionnaire — self-assessment done by cloud providers

GAPP — Generally Accepted Privacy Principles

AICPA (American Institute of Certified Public Accountants) standard for privacy; it describes 74 (!) principles.

CSA Enterprise Architecture:

These are some other quasi-official lists you might need to know.