Compliance Public Resources and References
Navigating compliance obligations in the United States requires grounding in authoritative public sources — federal agency guidance, state regulatory portals, professional standards bodies, and court records. This page catalogs the primary reference categories that practitioners, organizations, and researchers draw on when building or auditing a compliance program. Understanding which source governs which obligation is foundational to the work described in the Compliance Standards Overview.
Federal resources
Federal compliance infrastructure is distributed across more than a dozen major agencies, each publishing binding rules, guidance documents, and enforcement data through official channels.
Core federal portals and repositories:
- eCFR (Electronic Code of Federal Regulations) — Available at ecfr.gov, the eCFR provides the current, continuously updated text of all federal regulations organized by Title. Title 21 (Food and Drugs) governs FDA-regulated entities; Title 29 (Labor) covers OSHA; Title 45 (Public Welfare) contains HHS rules including HIPAA's Privacy and Security Rules at 45 C.F.R. Parts 160–164.
- Federal Register — Published by the Office of the Federal Register at federalregister.gov, this is the daily journal of proposed rules, final rules, and agency notices. Organizations monitoring regulatory change use the Federal Register to track rulemaking at its earliest stage.
- NIST Cybersecurity and Privacy Resources — The National Institute of Standards and Technology publishes frameworks and special publications at csrc.nist.gov, including NIST SP 800-53 Rev. 5 (Security and Privacy Controls) and the NIST Cybersecurity Framework (CSF). These are not binding statutes but are incorporated by reference into numerous federal contracts and sector regulations.
- FTC Bureau of Consumer Protection — Enforcement actions, consent orders, and business guidance are published at ftc.gov/business-guidance. The FTC Act Section 5 unfairness standard and the Gramm-Leach-Bliley Act Safeguards Rule are both administered here.
- HHS Office for Civil Rights — HIPAA enforcement decisions, corrective action plans, and annual reports are available at hhs.gov/ocr. The OCR Resolution Agreements database documents specific penalty amounts and violation categories.
The distinction between a statute (enacted by Congress, found in the U.S. Code at uscode.house.gov) and a regulation (promulgated by an agency under statutory authority, found in the CFR) is a foundational classification boundary. Compliance obligations derive from regulations; the statute sets the outer authority and penalty ceiling.
State-level resources
State compliance obligations layer on top of federal requirements and, in areas like consumer privacy and data breach notification, frequently set stricter standards. As of 2024, at least 13 states have enacted comprehensive consumer privacy statutes, including California (CPRA), Virginia (CDPA), Colorado (CPA), and Connecticut (CTDPA).
Key state-level reference types include:
- State administrative codes — Every state maintains a codified set of administrative regulations analogous to the CFR. California's Office of Administrative Law publishes the California Code of Regulations at oal.ca.gov. Texas regulations are accessible through the Texas Administrative Code at texreg.sos.state.tx.us.
- State attorney general portals — State AGs are the primary enforcers of consumer protection, data privacy, and charitable solicitation statutes. The California Attorney General's Privacy Enforcement page and the New York AG's Bureau of Internet and Technology both publish enforcement letters and guidance that clarify interpretive positions.
- State legislature bill tracking — National Conference of State Legislatures (ncsl.org) aggregates state privacy and security legislation, giving practitioners a structured method for monitoring multi-state exposure.
Understanding the Compliance Scope of any given program requires mapping federal preemption against state-specific rules — a comparison that varies by industry sector, data type, and transaction geography.
Professional and industry references
Professional standards bodies publish frameworks that are not law but carry significant weight in demonstrating due care and in satisfying auditor expectations.
- ISACA — Publishes COBIT (Control Objectives for Information and Related Technologies), a governance framework widely used for IT compliance audits. ISACA also administers the CISA and CRISC certifications.
- AICPA — The American Institute of CPAs publishes the SOC 2 Trust Services Criteria and the Statement on Standards for Attestation Engagements (SSAE 18), which governs third-party service organization audits; both are available at aicpa-cima.com.
- ISO/IEC — ISO 27001 (information security management) and ISO 9001 (quality management) are internationally recognized standards whose requirements inform compliance program design. Published standards are available through iso.org.
- PCI Security Standards Council — The PCI DSS (Payment Card Industry Data Security Standard), maintained at pcisecuritystandards.org, governs any entity storing, processing, or transmitting cardholder data. Version 4.0 introduced 64 new requirements compared to v3.2.1.
The Process Framework for Compliance maps how organizations integrate these external standards into internal control structures.
Court system and legal references
Federal court decisions interpret how statutes and regulations apply to specific facts, and they bind enforcement posture. Three primary repositories are accessible without subscription:
- PACER (Public Access to Court Electronic Records) — Available at pacer.uscourts.gov, PACER provides docket access to all federal district, appellate, and bankruptcy court filings. Per-page fees apply beyond a quarterly threshold.
- U.S. Supreme Court opinions — Full text opinions are published free of charge at supremecourt.gov.
- Google Scholar Case Law — Provides free full-text access to federal and state court opinions, useful for citation research when PACER fees are a constraint.
The distinction between persuasive authority (decisions from other circuits or state courts) and binding authority (decisions from the controlling circuit or the Supreme Court) determines how much weight any given ruling carries in a compliance argument before a regulator or in litigation. Federal circuit splits — where two appellate courts interpret the same statute differently — represent active compliance risk zones until the Supreme Court resolves the divergence.
References
- csrc.nist.gov
- ecfr.gov
- federalregister.gov
- ftc.gov/business-guidance
- hhs.gov/ocr
- oal.ca.gov
- pacer.uscourts.gov
- supremecourt.gov