
Overview of Cybersecurity Frameworks

Updated: Nov 22, 2022

Cybersecurity Frameworks


Cybersecurity frameworks are created and maintained to help organizations across different industries follow best practices for securing their systems and data. Many frameworks exist today. Some are designed for specific industries, such as HITRUST for healthcare or PCI DSS for any organization that stores, processes, or transmits payment card data. Most recent frameworks, however, contain recommendations that can be applied universally and that overlap with other frameworks. Many frameworks are voluntary, such as the CIS Controls, while others are mandated by law or regulation for particular sectors; for example, U.S. federal agencies are required under FISMA to apply the NIST SP 800-53 controls. We have compiled a list of the most common cybersecurity frameworks below, including the industries they apply to, a description of each framework, and a link to access it. We will continue to update this list over time.


Overview of Cybersecurity Frameworks


There are three key categories of frameworks to keep in mind when reviewing and evaluating them and when deciding whether and how to apply them. Most organizations end up using one of each, since a control catalog, a program framework, and a risk framework answer different questions.


Control Frameworks (e.g., CIS Controls, NIST SP 800-53)
  • Creates a basic strategy for the organization’s cybersecurity best practices

  • Provides the baseline group of technical security controls

  • Helps assess the current state of the infrastructure and environment

  • Helps prioritize the implementation of security controls

Program Frameworks (e.g., NIST CSF, ISO/IEC 27001)
  • Helps assess and develop the organization’s cybersecurity program

  • Measures the program’s maturity and effectiveness

  • Provides a common vocabulary for communication between the cybersecurity team and senior management

Risk Frameworks (e.g., NIST RMF)
  • Defines the necessary processes for risk assessment and management

  • Structures a cybersecurity program for risk management

  • Identifies, measures, and quantifies the organization’s security risks

  • Prioritizes appropriate security measures and activities based on risk

Here is our list of cybersecurity frameworks:


CIS Critical Controls

(All industries)

The Center for Internet Security (CIS) Critical Security Controls, Version 8, formerly the SANS Top 20, lists technical and operational safeguards that can be applied to any environment. Version 8 groups its 18 controls into three Implementation Groups (IG1 through IG3) so that an organization can start with the essential safeguards in IG1 and add the rest as its resources and risk profile allow. Unlike NIST CSF, it does not define a risk analysis or risk management process; it is focused solely on prescriptive safeguards that reduce risk and increase resilience in technical infrastructures.

https://www.cisecurity.org/controls


CISA Cybersecurity Performance Goals (CPG)

(All industries, government)

The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.

https://www.cisa.gov/cpg


Cloud Security Alliance (CSA) CCM