The U.S. Regulatory Mandate Index
Every federal and major state regulatory framework covered by VerdoCo — its statutory source, who it applies to, the threshold for applicability, and the corresponding series.
VerdoCo Regulatory Coverage
Each row represents a U.S. statutory mandate for which VerdoCo provides a complete documentation series. Click any series tag to go directly to that product.
| Framework | Statutory Source | Applies To | Key Threshold | VerdoCo Series |
|---|---|---|---|---|
| HIPAA: Health Insurance Portability & Accountability Act | 45 CFR Parts 160, 162 & 164 · HHS/OCR Enforcement | Healthcare providers, health plans, healthcare clearinghouses, and all Business Associates handling PHI | No size or revenue threshold. One ePHI record triggers full applicability. | VCO-HIPAA P1 · VCO-HIPAA P2 · Command Kit |
| CMMC / NIST 800-171: Cybersecurity Maturity Model Certification 2.0 | NIST SP 800-171 Rev 2 · 32 CFR Part 170 · DFARS 252.204-7012 | DoD prime contractors and subcontractors at all tiers handling Controlled Unclassified Information (CUI) | Any DoD contract or subcontract involving CUI. No revenue threshold. | VCO-CYBER P1 · VCO-CYBER P2 · Command Kit |
| GLBA / FTC Safeguards: Gramm-Leach-Bliley Act · FTC Safeguards Rule | 15 U.S.C. § 6801 et seq. · 16 CFR Part 314 (amended 2023) | Financial institutions as defined by FTC — lenders, mortgage companies, tax preparers, auto dealers, account servicers | Offering any financial product or service to consumers. No revenue threshold. | VCO-GLBA P1 · VCO-GLBA P2 · Command Kit |
| Regulation S-P: SEC Regulation S-P · Privacy of Consumer Financial Information | 17 CFR Part 248 · SEC Final Rule (2024 Amendment) | SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents | SEC registration. Expanded data breach notification requirements effective 2024. | VCO-REGSP P1 · VCO-REGSP P2 · Command Kit |
| CFPB Regulations: Consumer Financial Protection Bureau — Consumer Protection Frameworks | 12 U.S.C. § 5481 et seq. · Regulation E · Regulation Z · Regulation V | Consumer lenders, debt collectors, credit reporting agencies, mortgage servicers, and consumer financial product providers | Offering consumer financial products or services subject to CFPB jurisdiction. | VCO-CFPB P1 · VCO-CFPB P2 · Command Kit |
| ADA Title II: Americans with Disabilities Act · Title II Digital Accessibility | 42 U.S.C. § 12131 et seq. · 28 CFR Part 35 · DOJ Final Rule (2024) | All state and local government entities regardless of size — agencies, school districts, public universities, transit authorities | Any state or local government entity. WCAG 2.1 AA compliance deadlines by entity population size. | VCO-ADA P1 · VCO-ADA P2 · Command Kit |
| Multi-State Privacy: State Data Protection & DPIA Frameworks | CPRA (CA) · CPA (CO) · VCDPA (VA) · TDPSA (TX) · Multiple Additional States | Any business processing personal data of residents of covered states above applicable thresholds | Typically: $25M revenue, 100K consumer records, or 50%+ revenue from personal data sales. Varies by state. | VCO-PRIV P1 · VCO-PRIV P2 · Command Kit |
| OSHA: Occupational Safety & Health Act — Written Program Requirements | 29 U.S.C. § 651 et seq. · 29 CFR Parts 1904, 1910, 1926 | All employers with workers in covered industries. Specific written program requirements vary by hazard and industry. | Any employer with employees. Exempt: farms with 10 or fewer employees. Most employers have some written program obligation. | VCO-OSHA P1 · VCO-OSHA P2 · Command Kit |
| AI Governance: NIST AI Risk Management Framework · OMB AI Policy | NIST AI RMF 1.0 (2023) · OMB M-24-10 · Executive Order 14110 | Federal agencies (mandatory), federal contractors, and private organizations deploying AI in consequential decision-making (voluntary but rapidly becoming standard) | Federal agencies: mandatory under OMB M-24-10. Private sector: rapidly becoming de facto procurement and regulatory standard. | VCO-AI P1 · VCO-AI P2 · Command Kit |
| ESG / Supply Chain: Environmental, Social & Governance · Supply Chain Transparency | SEC Climate Disclosure Rules · California SB 253 · SB 261 · Federal Supply Chain | Publicly traded companies, federal contractors, California-operating companies above revenue thresholds, and companies in regulated supply chains | SEC registrants (climate disclosure). California: $1B revenue (SB 253), $500M (SB 261). Federal contractors: contract-specific. | VCO-ESG P1 · VCO-ESG P2 · Command Kit |
Series in Development
VerdoCo continuously expands its regulatory coverage as new mandates emerge and existing frameworks are updated.
FTC Health Breach Notification Rule (In Development)
Updated 2024 rule expanding breach notification for non-HIPAA health data.
CCPA / CPRA Enforcement Expansion (In Development)
California Privacy Protection Agency rulemaking updates for 2025.
NY SHIELD Act (Planned)
New York Stop Hacks and Improve Electronic Data Security Act documentation framework.
FERPA (Planned)
Family Educational Rights and Privacy Act — educational institution compliance documentation.
SOC 2 Type II Readiness (Planned)
Organizational documentation infrastructure for SOC 2 audit preparation.
PCI DSS v4.0 (Planned)
Payment Card Industry Data Security Standard documentation for merchants and service providers.
Ready to Address Your Mandate?
Browse the complete catalogue and select the series that covers your organization's specific regulatory obligation.
Statutory citations and applicability information provided for general reference only. Regulations are subject to change. Confirm current requirements with qualified legal counsel.
VerdoCo · A Product Line of Nexosprop Logistics Corp · All Rights Reserved.