Supported Compliance Frameworks

--framework ID (repeatable or comma-separated) checks generated passwords against one or more built-in policy presets. Each preset is a fixed set of length, entropy, and character-class requirements defined in crates/paranoid-core/src/lib.rs (FrameworkId, ComplianceFramework, FRAMEWORKS). Selecting a framework can change how passwords are generated: the effective length is raised to the framework’s minimum length when it exceeds --length, and the framework’s character-class requirements (mixed case, digits, symbols) are folded into the generation requirements alongside a per-password and batch-level pass/fail check against that preset’s requirements. For example, --length 8 --framework iso27001 generates a 12-character password because ISO 27001’s minimum length is 12.

Frameworks

Id

Aliases

Display name

Min length

Min entropy (bits)

Mixed case

Digits

Symbols

nist

NIST SP 800-63B

8

30.0

no

no

no

pci_dss

pci, pci-dss

PCI DSS 4.0

12

60.0

yes

yes

no

hipaa

HIPAA

8

50.0

yes

yes

yes

soc2

soc_2, soc-2

SOC 2

8

50.0

yes

yes

no

gdpr

GDPR / ENISA

10

80.0

yes

yes

yes

iso27001

iso-27001, iso_27001

ISO 27001

12

90.0

yes

yes

yes

The Id column is the canonical string accepted by --framework and returned by FrameworkId::as_str(). The Aliases column lists additional strings FrameworkId::parse() accepts for the same id; the CLI’s --help text advertises only the canonical ids.

Each row’s requirements come directly from that framework’s entry in FRAMEWORKS:

  • Min length — minimum accepted password length.

  • Min entropy (bits) — minimum accepted Shannon entropy for the password.

  • Mixed case — whether both uppercase and lowercase characters are required.

  • Digits — whether at least one digit is required.

  • Symbols — whether at least one symbol character is required.

Usage

paranoid-passwd --cli --length 20 --count 3 --framework nist,pci_dss
paranoid-passwd vault generate-store --title GitHub --username jon@example.com --length 24 --framework nist

Passing multiple frameworks requires the generated password to satisfy every selected framework’s requirements, not just one. --json output reports per-framework and combined selected_frameworks_pass results alongside the rest of the audit. --audit-jsonl output is limited to operational audit events and does not include framework compliance results.

None of these presets are an authorization, certification, or compliance claim for the named standard — they are password-strength policy presets modeled on each standard’s published password guidance. See Federal Control Mapping for the separate NIST SP 800-53 control-family evidence map used for FedRAMP/GovCloud/DoD IL5 evaluation.