Compliance Services Authority

Compliance Public Resources and References

Federal agencies, standards bodies, and state regulators publish an extensive body of free, authoritative material that practitioners and organizations can use to understand compliance obligations without relying solely on paid counsel or proprietary databases. This page catalogs those resources by category — public education sources, federal agency repositories, state-level guidance, and professional or industry references — to support organizations building or refining a compliance program. Understanding where authoritative guidance originates is foundational to any compliance risk assessment or gap analysis process.


Public education sources

The primary gateway for plain-language compliance education at the federal level is USA.gov, which aggregates agency guidance across more than 40 subject areas including employment law, environmental regulation, and consumer protection. The Federal Register (federalregister.gov) publishes all proposed and final rules, notices, and presidential documents, making it the definitive source for regulatory change tracking.

For standards-based education, the National Institute of Standards and Technology (NIST) maintains a publicly accessible library at csrc.nist.gov, housing the NIST Cybersecurity Framework (CSF) 2.0 and the SP 800-series publications covering information security and privacy controls (SP 800-53 for the control catalog, SP 800-171 for protecting controlled unclassified information in non-federal systems). NIST describes the Cybersecurity Framework as voluntary guidance organized around six core functions in version 2.0 — Govern, Identify, Protect, Detect, Respond, and Recover — the Govern function having been added when 2.0 replaced the five-function 1.1 structure. The framework and its informative references are available at no cost from nist.gov/cyberframework.

The distinction between prescriptive and principles-based public resources matters practically: prescriptive sources (such as the Code of Federal Regulations, or CFR, accessible at ecfr.gov) enumerate specific requirements, often with defined penalties, while principles-based sources (such as NIST frameworks or ISO management-system standards) describe desired outcomes without mandating specific controls. Note that only the NIST material is free; ISO standards are sold by ISO and its national member bodies and are not public documents in the same sense. Organizations must identify which category governs their sector before selecting a compliance pathway, because a principles-based framework can inform how a prescriptive requirement is met but cannot substitute for it.


Federal resources

Federal agencies are the authoritative source for sector-specific compliance obligations. The list below identifies the primary resource hub for seven major regulatory domains:

  1. Occupational Safety and Health Administration (OSHA) — osha.gov hosts the full text of 29 CFR 1910 (general industry standards) and 29 CFR 1926 (construction standards), enforcement data, and compliance assistance tools relevant to workplace safety compliance.
  2. U.S. Department of Health and Human Services (HHS) — hhs.gov/hipaa publishes HIPAA Privacy, Security, and Breach Notification Rules in full, alongside OCR enforcement summaries and audit protocols critical to healthcare compliance requirements.
  3. Securities and Exchange Commission (SEC) — sec.gov/rules provides access to all final rules, no-action letters, and staff guidance governing public companies and registered investment advisers.
  4. Federal Trade Commission (FTC) — ftc.gov/legal-library catalogues consumer protection statutes, including the FTC Act Section 5, and data security guidance relevant to data privacy compliance.
  5. Environmental Protection Agency (EPA) — epa.gov/laws-regulations consolidates the text of statutes including the Clean Air Act (42 U.S.C. §7401 et seq.) and the Resource Conservation and Recovery Act (RCRA), directly supporting environmental compliance requirements.
  6. Financial Crimes Enforcement Network (FinCEN) — fincen.gov publishes Bank Secrecy Act (BSA) regulations, the beneficial ownership information (BOI) reporting rules issued under the Corporate Transparency Act, and AML/CFT guidance for financial services compliance. Because the scope of BOI reporting has been revised since the rule first took effect, practitioners should confirm the current reporting obligations on fincen.gov rather than relying on secondary summaries.
  7. Department of Justice (DOJ) — justice.gov/criminal-fraud provides the Resource Guide to the U.S. Foreign Corrupt Practices Act, a public document jointly issued by the DOJ and the SEC (second edition, 2020) that explains the statute's anti-bribery and accounting provisions, the affirmative defenses and exceptions, and the agencies' enforcement priorities under anti-corruption compliance.

State-level resources

State compliance obligations frequently exceed federal minimums, and no single federal portal consolidates state law. Practitioners navigating state-level compliance considerations must therefore consult each state's own regulator and statutory code directly.

California's Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act and is enforced by the California Privacy Protection Agency (cppa.ca.gov) alongside the state Attorney General, and New York's SHIELD Act (N.Y. Gen. Bus. Law §§899-aa and 899-bb, covering breach notification and reasonable-safeguard requirements respectively) are two state statutes that impose data security obligations materially broader than the current federal baseline, which has no comprehensive privacy statute.


Professional and industry references

Standards bodies and industry associations publish frameworks that, while not legally binding, are frequently incorporated by reference into contracts, consent orders, and regulatory guidance.

The distinction between voluntary consensus standards (ISO, COSO) and mandatory regulatory standards (CFR, state statutes) is operationally critical: voluntary standards supply benchmarking value and can support a reasonableness or due-care defense (and a formal safe harbor only where a state statute expressly grants one for conforming to a named framework), but only mandatory standards carry direct legal enforceability. Organizations building a compliance documentation architecture should map each requirement to its source category before assigning control ownership, so that a control satisfying a voluntary benchmark is never mistaken for one discharging a statutory duty.
