The regulatory landscape will continue to evolve, but the fundamental need for robust security, reliable operations and transparent governance remains constant. The beauty of well-designed frameworks like NIST and SOC 2 is that they’re rooted in sound operational principles, not political whims, says Subho Halder, co-founder and CEO of mobile security testing platform Appknox.
House Republicans earlier this year moved to strip the FTC of its antitrust powers before withdrawing the provision, while the Trump Administration slashed most of the Consumer Financial Protection Bureau’s budget. Key privacy initiatives, including efforts to limit how data brokers sell Americans’ personal information, have been scrapped overnight, while comprehensive federal privacy legislation like the American Data Privacy and Protection Act (ADPPA) continues to stall in Congress.
For those of us who’ve built entire compliance programs around clear regulatory signals, this creates an uncomfortable question: What happens when the regulatory landscape we’ve relied on starts disappearing?
This uncertainty is rippling through boardrooms and security teams across the country. Organizations that have invested millions in NIST compliance and SOC 2 audits are now wondering: With all these rollbacks, are we throwing money at frameworks that won’t matter in two years?
Valid question. But it’s not the one we should be focused on.
The real question is: What are we securing, and who are we securing it for?
The real debate isn’t whether US frameworks will survive the current political climate. It’s whether we’re treating governance, risk and compliance as a regulatory checkbox exercise or as the operational backbone they were always meant to be. While politicians debate enforcement budgets, cyber threats aren’t taking a break. If anything, they’re accelerating.
This isn’t the time to abandon proven frameworks. Now’s the time to understand why they work, regardless of who’s watching.
The strategic value of US GRC frameworks
From working with enterprises across different continents, I’ve learned that the best security frameworks build organizations that can actually handle what gets thrown at them.
Take NIST, for example. Yes, it’s a US government standard, but strip away the regulatory language and what you’re left with is a surprisingly practical playbook for identifying, protecting, detecting, responding to and recovering from security incidents. These are the exact steps your team will need when someone clicks the wrong link at 2 a.m. on a Friday.
The same goes for SOC 2. Behind all that compliance jargon is a framework that forces you to answer basic questions:
- How do you control access to sensitive data?
- How do you ensure your systems stay available when you need them?
- How do you monitor for unusual activity?
- How effectively can you respond when a critical incident occurs?
What’s fascinating is that global organizations are doubling down on these frameworks, even as US enforcement wavers. European companies are implementing NIST controls alongside GDPR requirements. Asian enterprises are pursuing SOC 2 certifications to compete in international markets. Why? Because these standards solve real business problems.
Consider third-party risk management, something every organization struggles with, regardless of geography. NIST’s supply chain risk management guidance gives you a systematic way to evaluate whether your vendors can actually protect your data. When a major cloud provider has an outage or a software supplier gets breached, having those controls in place can mean the difference between a minor inconvenience and a business-threatening incident.
The same principle applies to incident response. FedRAMP’s security controls might seem excessive, but they’re built on decades of lessons learned from real attacks. When ransomware hits your network, you’ll be grateful for the backup procedures, communication protocols and recovery processes that seemed like bureaucratic overhead six months earlier.
Choosing GRC models in a global context
Smart organizations have moved beyond the US vs. EMEA debate entirely because modern threats don’t respect geographic boundaries. What matters now is whether your chosen frameworks can work together and adapt as your business evolves.
When evaluating any GRC approach, I recommend focusing on four key criteria:
- Global applicability. This matters now more than ever. Your framework needs to support cross-border compliance, whether you’re dealing with GDPR in Europe, emerging privacy laws in Asia or sector-specific regulations in the Americas.
- Operational alignment with how your teams actually work. If your developers are using DevSecOps practices and your security team relies on threat modeling, your compliance framework should reinforce those processes, not fight against them.
- Audit readiness through repeatable processes. You need frameworks that generate consistent evidence and support control testing that auditors can understand, regardless of which certification body shows up at your door.
- Technical flexibility to evolve with your infrastructure. Whether you’re migrating to cloud-native tools, implementing automation or adapting to new privacy requirements, your GRC approach should bend without breaking.