| Framework | Key requirements | Notes |
|---|---|---|
| NIST SP 800-53 Rev. 5 | Access control (AC), Audit & accountability (AU), Identification & authentication (IA), Configuration management (CM) | Widely used baseline for federal and enterprise environments. Maps directly to GPO-enforced controls.[4] |
| NIST SP 800-63B Rev. 4 (2025) | 15-character minimum passwords, blocklist screening, no forced rotation, phishing-resistant MFA | Finalized mid-2025. Organizations using 90-day rotation or 8-character minimums are now non-compliant.[1] |
| PCI DSS v4.0.1 | MFA for all access to cardholder data environments, strong password policies, network segmentation, privileged access management | v4.0.1 is the sole active version since December 2024. The 51 future-dated requirements became mandatory March 31, 2025.[5] |
| HIPAA Security Rule | Access controls, audit controls, integrity controls, transmission security | MFA is not explicitly mandated but is considered best practice by HHS. PCI DSS 4.0's stricter MFA requirement is recommended as a baseline. |
| ISO 27001:2022 | Identity and access management, privileged access rights, information access restriction, logging | Over 150,000 organizations hold ISO 27001 certificates globally as of 2025.[6] |
| Cyber Insurance | MFA, 12+ character passwords, network segmentation, annual security training, quarterly patching | Coalition's 2024 index: 82% of claims involved organizations without MFA. Larger policies ($5M+) typically require penetration testing and AD audits. |
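The NIST SP 800-63B Rev. 4 row above names two settings that a domain password policy either meets or does not: the 15-character minimum and the absence of forced rotation. The following PowerShell is an added example, not code from the original article, that compares a password-policy object against those two parameters and flags blocklist screening for manual review, since on-premises Active Directory has no domain-policy setting for it. The function name `Test-PasswordPolicyAgainst80063B` and the constructed `$legacyPolicy` object are assumptions for illustration; in a real domain the input would come from `Get-ADDefaultDomainPasswordPolicy` or `Get-ADFineGrainedPasswordPolicy`.

```powershell
# Added example (not from the original article): compare a domain password
# policy object against the SP 800-63B Rev. 4 parameters listed in the table.
# Production usage (requires the ActiveDirectory module):
#   Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicyAgainst80063B
function Test-PasswordPolicyAgainst80063B {
    [CmdletBinding()]
    param(
        # Any object exposing MinPasswordLength and MaxPasswordAge (a TimeSpan);
        # the AD password-policy cmdlets return objects with these properties.
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        # Minimum length the table gives for SP 800-63B Rev. 4.
        [int] $MinimumLength = 15
    )
    process {
        $findings = @()

        # Control 1: minimum length.
        if ($Policy.MinPasswordLength -lt $MinimumLength) {
            $findings += [pscustomobject]@{
                Control = 'Minimum length'
                Status  = 'FAIL'
                Detail  = "MinPasswordLength is $($Policy.MinPasswordLength); expected at least $MinimumLength."
            }
        } else {
            $findings += [pscustomobject]@{
                Control = 'Minimum length'
                Status  = 'PASS'
                Detail  = "MinPasswordLength is $($Policy.MinPasswordLength)."
            }
        }

        # Control 2: no forced rotation. In AD a MaxPasswordAge of zero (displayed
        # as 00:00:00) means passwords never expire; any positive value is a
        # periodic rotation requirement, which Rev. 4 drops.
        $days = [math]::Round($Policy.MaxPasswordAge.TotalDays)
        if ($days -gt 0) {
            $findings += [pscustomobject]@{
                Control = 'No forced rotation'
                Status  = 'FAIL'
                Detail  = "MaxPasswordAge forces rotation every $days days."
            }
        } else {
            $findings += [pscustomobject]@{
                Control = 'No forced rotation'
                Status  = 'PASS'
                Detail  = 'MaxPasswordAge is 0 (passwords do not expire on a schedule).'
            }
        }

        # Control 3: blocklist screening. Not expressible as a domain password-policy
        # attribute; it is implemented by a password-filter DLL or an external
        # service, so it is reported for manual verification rather than judged here.
        $findings += [pscustomobject]@{
            Control = 'Blocklist screening'
            Status  = 'MANUAL'
            Detail  = 'Verify a compromised-password blocklist is enforced at password change.'
        }

        $findings
    }
}

# Constructed sample (not a real domain): the legacy 90-day / 8-character
# configuration the table describes as now non-compliant.
$legacyPolicy = [pscustomobject]@{
    MinPasswordLength = 8
    MaxPasswordAge    = [TimeSpan]::FromDays(90)
}

$legacyPolicy | Test-PasswordPolicyAgainst80063B | Format-Table -AutoSize
```

Run against the constructed sample, the first two controls report FAIL and the third MANUAL; pointing the same function at the live default domain policy, or at each fine-grained policy object, turns the table's "now non-compliant" statement into a per-policy finding that can be tracked in a GPO remediation ticket.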