AirGapNet: Physical network isolation
Compliance

How AirGapNet maps to your framework.

Default-closed, hardware-isolated service paths line up with the network-control areas in most US compliance frameworks. The list below is the set we typically reference on industry pages and in procurement conversations.

Read this first

AirGapNet hardware is engineered to support workflows that need to align with the frameworks below. The device itself is not a certified compliance product, and we do not market it as one. Consult your compliance officer for the exact mapping in your environment.

Frameworks

The ones that come up most often.

HIPAA

US Healthcare

Health Insurance Portability and Accountability Act

US federal standard for protecting electronic protected health information (ePHI). Applies to providers, payers, and their business associates.

  • Access Control — restrict who can reach systems handling ePHI, and when, by keeping service paths physically closed between approved windows.
  • Audit Controls — every open/close window is logged with timestamp and source channel, contributing to defensible audit trails.
  • Device and Media Controls — hardware-anchored isolation gives physical, not policy-only, control over routes into clinical equipment.
  • Transmission Security — when the service path doesn't exist between windows, there is no transmission surface to attack.

NIST SP 800-82

US Industrial / Manufacturing

NIST Guide to Operational Technology (OT) Security

Federal guide for securing industrial control systems — PLCs, SCADA, ICS, and manufacturing OT networks. Foundational reference for OT security programs in the US.

  • Boundary Protection — physical separation between OT and IT zones, enforced by hardware rather than by software firewall policy.
  • Access Enforcement — default-closed posture means a misconfigured rule or stale credential cannot reach OT controllers when the window is closed.
  • Remote Access Controls — vendor and integrator access is time-boxed at the cable, not at a software gate that can be misconfigured.
  • System Monitoring — open/close events are recorded and exportable, contributing to OT change-management audit trails.

NERC CIP

US Electrical / Bulk Power

North American Electric Reliability Corporation — Critical Infrastructure Protection

Mandatory standards for protecting Bulk Electric System (BES) Cyber Systems. Required for utilities, generators, and operators of the North American power grid.

  • Electronic Security Perimeters — hardware-level boundary device contributes to defining and enforcing access controls on Electronic Security Perimeters.
  • Cybersecurity Controls — default-closed paths reduce the runtime exposure of BES Cyber Systems between scheduled maintenance.
  • Remote Access Management — vendor remote access is opened only during authorized windows, and the path physically returns to a break afterwards.
  • Change Management — every transition is logged with a timestamp and a discrete source, supporting change-window audit requirements.

PCI DSS

Global / US Card Payments

Payment Card Industry Data Security Standard

Mandatory security standard for any merchant or processor that stores, processes, or transmits cardholder data. Currently at v4.0.

  • Network Security Controls — hardware boundary device sits at the entrance to card-data environments and physically removes the route when not in use.
  • Restrict Access by Need-to-Know — service paths into card-handling systems exist only during approved maintenance windows.
  • Strong Authentication on Access — control channel uses phone-number allowlist and two-factor on the device side, not just software session tokens.
  • Restrict Physical Access — the locking power input and the unit's tamper-evident enclosure contribute to physical security requirements.

SOX

US Public Companies

Sarbanes-Oxley Act of 2002

Federal law mandating internal controls over financial reporting for US-listed companies. Section 404 drives IT general controls (ITGC) audits.

  • Change Management — every maintenance window has a defensible timestamp and a discrete trigger, contributing to ITGC evidence.
  • Access Management — default-closed posture enforces least-privilege at the hardware layer, not just in software policy.
  • Segregation of Duties — the control channel (SMS / app) is independent of the production network, separating who can act from what they act on.
  • Audit Trails — open/close events are recorded, exportable, and immutable from the production side — useful evidence for IT general controls audits.

CMMC 2.0

US Defense Industrial Base

Cybersecurity Maturity Model Certification

Mandatory cybersecurity standard for US Department of Defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Built on NIST SP 800-171.

  • Access Control — limit access to authorized users and devices through default-closed, time-boxed service paths.
  • System and Communications Protection — hardware boundary device denies network communications traffic by default, opening only for authorized windows.
  • Audit and Accountability — independent control channel produces tamper-evident open/close logs separate from the production network.
  • Configuration Management — changes happen inside discrete, recorded windows rather than over an always-on service path.

NIST SP 800-53

US Federal / FedRAMP-adjacent

NIST Security and Privacy Controls for Information Systems

Comprehensive catalog of security and privacy controls for US federal information systems. Foundation for FedRAMP and most US federal cybersecurity programs.

  • Access Control (AC family) — default-closed service paths reduce the runtime attack surface against federal systems.
  • System and Communications Protection (SC family) — hardware boundary device contributes to network segmentation and isolation requirements.
  • Audit and Accountability (AU family) — every transition is recorded with timestamp and source, contributing to audit trail requirements.
  • Maintenance (MA family) — vendor maintenance is time-boxed at the cable, with a defensible record of who reached what and when.

IEC 62443

International / OT-SCADA

IEC 62443 — Industrial Automation and Control Systems Security

International family of standards (ISA/IEC 99) for cybersecurity of Industrial Automation and Control Systems. Increasingly referenced by US OT buyers — NIST SP 800-82 explicitly aligns with the IEC 62443 zone-and-conduit model.

  • Zones and conduits model — hardware boundary device enforces a physical conduit between OT zones rather than a software policy.
  • Foundational Requirement 1 (Identification and Authentication Control) — control channel uses phone-number allowlist independent of the OT network it protects.
  • Foundational Requirement 5 (Restricted Data Flow) — default-closed paths align with the IEC 62443 expectation that traffic between zones is denied unless explicitly authorized.
  • Maintenance and audit alignment — every open/close window produces a tamper-evident record on a channel separate from the production network.

By industry

Or jump to your industry.

Each industry page lists the frameworks most relevant for that segment and shows where AirGapNet fits into the access-control story you tell your auditor.

Procurement-ready

Need to walk this through with your compliance officer?

Send the link to this page, then book a 30-minute call where we walk through the framework mapping that matters in your environment. No checklist theater — just the controls AirGapNet realistically affects.