A common question is “What is the difference between the CDPP and the DSP?”

ANSWER: In simple terms, the Cybersecurity & Data Protection Program (CDPP) is designed to address a single, specific framework (e.g., ISO 27002, NIST 800-53 or the NIST Cybersecurity Framework), whereas the Digital Security Program (DSP) is designed to address multiple frameworks as a hybrid, "best-in-class" metaframework. 

Privacy Considerations

If your organization needs to address EU GDPR, CCPA, or any other privacy requirement, you should seriously consider the DSP instead of the CDPP, since the DSP contains a robust privacy section, in addition to its cybersecurity sections.  When considering any of the newer laws, regulations and industry frameworks, they can be considered "two-sided coins" in regards to the interconnected nature of privacy and cybersecurity where there is a clear expectation that in addition to a formal cybersecurity program, that your organization also maintains a privacy program to maintain "secure practices" for both privacy and security: 

When you lay out the various frameworks in a spectrum from "weaker" to "robust" the DSP provides the most comprehensive coverage. However, some companies only need/want to align with a single framework.

cybersecurity framework comparison NIST 800-53 vs ISO 27001 27002 vs NIST CSF vs SCF

There are two main factors that will assist you in determining which product is best suited to your business: (1) content and (2) functionality. However, while both cover common requirements, only your organization's needs (current AND future needs in terms of meeting specific statutory, regulatory and contractual requirements) will ultimately determine which is the best fit for you.

DSP vs CDPP Comparison



Editable documentation 2020-check-green.jpg 2020-check-green.jpg
Policies 2020-check-green.jpg 2020-check-green.jpg
Control Objectives 2020-check-green.jpg 2020-check-green.jpg
Standards 2020-check-green.jpg 2020-check-green.jpg
Guidelines 2020-check-green.jpg 2020-check-green.jpg
Procedures (separate product is available - CDPP or DSP Cybersecurity Standardized Operating Procedures (CSOP))



Controls 2020-check-green.jpg 2020-check-red.jpg 
Metaframework (multiple cybersecurity & privacy framework alignment) 2020-check-green.jpg  2020-check-red.jpg 
Single cybersecurity framework (e.g., NIST CSF, ISO 27002 or NIST 800-53)  2020-check-red.jpg  2020-check-green.jpg
Privacy coverage (e.g., GDPR, CCPA, etc.) 2020-check-green.jpg 2020-check-red.jpg  
Metrics (including KPIs & KRIs) 2020-check-green.jpg  2020-check-red.jpg 
Capability Maturity Model  2020-check-green.jpg 2020-check-red.jpg  
Reference Mapping (Excel spreadsheet) 2020-check-green.jpg limited to CDPP framework selected
GRC-Importable (Microsoft Word & Excel formats) 2020-check-green.jpg  2020-check-red.jpg 


In terms of content, the scope of the DSP surpasses both versions of the CDPP, due to its structure and additional materials.

Graphically, the difference in content can be seen in the comparison below (note – this just shows a fraction of what the DSP is mapped to, due to space limitations).


In terms of functionality, the CDPP and DSP both come in Microsoft Word formats, so that it is easy to edit for your needs and gives our clients a wide range of methods to share the content. The difference is in added functionality that can save hundreds of hours in staff and consultant time!

One of the biggest differences in functionality is in the controls used by the CDPP vs the DSP. The CDPP does its best to stay true to the aligned framework (e.g., NIST CSF, ISO 27002 or NIST 800-53). However, the DSP leverages the Secure Controls Framework (SCF) to map to over 100 different laws, regulations and industry frameworks.  


On a daily basis, we receive questions from government / DoD contractors about both NISPOM and NIST 800-171 (DFARS). Both the NIST 800-53 version of the CDPP and the DSP will allow an organization to comply with both NISPOM and NIST 800-171. Just as explained above, the DSP will just give you far more usefulness if you want to mature your security program beyond policies and standards.

Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP) - SCF Policy Template

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    Choose Options

Learn More About Cybersecurity & Data Privacy