Cybersecurity Frameworks
Cybersecurity frameworks are created and managed to help organizations across different industries follow best practices to secure their systems and data. There are many different frameworks that exist today. Some frameworks are designed for specific industries, such as HITRUST for the healthcare industry or PCI-DSS to protect credit card companies and card holders. Most recent frameworks contain recommendations that can be applied universally however, and overlap with other frameworks. And many frameworks are voluntary recommendations, such as the CIS Controls, but some frameworks are overseen and required by regulatory bodies, such as NIST, which applies to government agencies. We have created a list of the most common Cybersecurity frameworks below, including the industries they apply to, a description of the framework and a link to access the framework. We will continue to update this list over time.
Overview of Cybersecurity Frameworks
There are three key categories of Frameworks to keep in mind when reviewing, evaluating, and determining if/how to apply them.
Control Frameworks (e.g., CIS Controls)
Creates a basic strategy for the organization’s cybersecurity best practices
Provides the baseline group of technical security controls
Helps assess the current state of the infrastructure and environment
Helps prioritize the implementation of security controls
Program Frameworks (e.g., NIST 800-53)
Helps assess and develop the organization’s cybersecurity program
Measures the program’s maturity and effectiveness
Develops communications between the cybersecurity team and senior management
Risk Frameworks (e.g., NIST RMF)
Defines the necessary processes for risk assessment and management
Structures a cybersecurity program for risk management
Identifies, measures, and quantifies the organization’s security risks
Prioritizes appropriate security measures and activities based on risk
Here is our list of the Cybersecurity Frameworks:
CIS Critical Controls
(All industries)
The Center for Internet Security (CIS) Critical Security Controls, Version 8, formerly the SANS Top 20, lists technical security and operational controls that can be applied to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it is solely focused on reducing risk and increasing resilience for technical infrastructures.
https://www.cisecurity.org/controls
CISA Cybersecurity Performance Goals (CPG)
(All industries, government)
The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.
Cloud Security Alliance (CSA) CCM
(All industries)
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. CCM version 4 was developed by the Cloud Security Alliance (CSA).
https://cloudsecurityalliance.org/research/cloud-controls-matrix
COBIT
(All industries)
Control Objectives for Information and Related Technologies (COBIT) was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.
COBIT originally focused on reducing IT risks. COBIT 5, released in 2012, included new technology and business trends to help organizations balance IT and business goals. The current version is COBIT 2019. It's the most used framework to achieve Sarbanes-Oxley compliance. Numerous publications and professional certifications address COBIT requirements.
https://www.isaca.org/resources/cobit
COSO
(All industries)
Committee of Sponsoring Organizations (COSO) is a joint initiative of five professional organizations. Its 2013 framework covers internal controls, and its 2017 framework covers risk management.
A guidance paper, "Managing Cyber Risk in a Digital Age", offers advice on how to prepare and respond to enterprise cyber threats. It aligns with the COSO Enterprise Risk Management Framework.
https://www.coso.org/SitePages/Home.aspx
CSA Section 405(d)
(Healthcare)
Managed by the HHS, technical controls vol 1 and 2 established, for small businesses, and medium/large businesses respectively.
Cybersecurity Maturity Model (CMMC)
(Department of Defense, government)
To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. With its streamlined requirements, CMMC 2.0:
Simplifies compliance by allowing self-assessment for some requirements
Applies priorities for protecting DoD information
Reinforces cooperation between the DoD and industry in addressing evolving cyber threats
https://dodcio.defense.gov/CMMC/
FFIEC
(Financial, Banking)
The Federal Financial Institutions Examination Council (FFIEC) members are taking a number of initiatives to raise the awareness of financial institutions and their critical third-party service providers with respect to cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats. This body provides a Cybersecurity Assessment tool used during their audits.
https://www.ffiec.gov/about.htm
HITRUST CSF
(Healthcare)
HITRUST Common Security Framework includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and can be applied to almost any organization, including healthcare.
https://hitrustalliance.net/product-tool/hitrust-csf
ISO 27001
(All industries)
The ISO 27000 Series was developed by the International Organization for Standardization. It is a flexible information security framework that can be applied to all types and sizes of organizations. ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practice in data protection and cyber resilience are covered by more than a dozen standards in the ISO/IEC 27000 family. Together, they enable organizations of all sectors and sizes to manage the security of assets such as financial information, intellectual property, employee data and information entrusted by third parties.
https://www.iso.org/isoiec-27001-information-security.html
MITRE ATT&CK
(All industries)
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
NIST
(All industries, government)
NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 Series addresses virtually every aspect of information security, with an increasing focus on cloud security.
https://www.nist.gov/cybersecurity
NIST CSF
(All industries, government)
The NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed under Executive Order 13636, released in February 2013. Unlike other NIST frameworks, NIST CSF focuses on risk analysis and risk management. Security controls in the framework are based on the five phases of risk management: identify, protect, detect, respond and recover.
https://www.nist.gov/cyberframework/framework
NIST RMF
(All industries, government)
The NIST Risk Management Framework (RMF) is a comprehensive, flexible, risk-based approach. The framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.
https://csrc.nist.gov/projects/risk-management/about-rmf
NIST SP 800-53
(All industries, government)
This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines.
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
OWASP
(All industries)
Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
PCI-DSS
(Payment card industry)
A global organization, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.
There are two key priorities for this standard: Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. And helping vendors understand and implement standards for creating secure payment solutions. https://www.pcisecuritystandards.org
Secure Controls Framework (SCF)
(All industries)
A non-profit organization developing a meta-framework, based on all other frameworks with mappings across all frameworks and major regulations.
SCF Domains: Security & Privacy by Design (S|P) Principles is a set of 32 security and privacy principles that leverage the SCF's extensive cybersecurity and privacy control set.
https://www.securecontrolsframework.com
