Cybersecurity frameworks are created and maintained to help organizations across different industries follow best practices for securing their systems and data. Many different frameworks exist today. Some are designed for specific industries, such as HITRUST for healthcare or PCI-DSS for protecting credit card companies and cardholders. Most recent frameworks, however, contain recommendations that can be applied universally and that overlap with other frameworks. Many frameworks are voluntary recommendations, such as the CIS Controls, while others are overseen and required by regulatory bodies, such as NIST, whose requirements apply to government agencies. Below we have compiled a list of the most common cybersecurity frameworks, including the industries they apply to, a description of each framework, and a link to access it. We will continue to update this list over time.
Overview of Cybersecurity Frameworks
There are three key categories of Frameworks to keep in mind when reviewing, evaluating, and determining if/how to apply them.
Control Frameworks (e.g., CIS Controls)
Creates a basic strategy for the organization’s cybersecurity best practices
Provides the baseline group of technical security controls
Helps assess the current state of the infrastructure and environment
Helps prioritize the implementation of security controls
Program Frameworks (e.g., NIST 800-53)
Helps assess and develop the organization’s cybersecurity program
Measures the program’s maturity and effectiveness
Develops communications between the cybersecurity team and senior management
Risk Frameworks (e.g., NIST RMF)
Defines the necessary processes for risk assessment and management
Structures a cybersecurity program for risk management
Identifies, measures, and quantifies the organization’s security risks
Prioritizes appropriate security measures and activities based on risk
Here is our list of the Cybersecurity Frameworks:
CIS Critical Controls
The Center for Internet Security (CIS) Critical Security Controls, Version 8, formerly the SANS Top 20, lists technical security and operational controls that can be applied to any environment. It does not address risk analysis or risk management as NIST CSF does; rather, it focuses solely on reducing risk and increasing resilience for technical infrastructure.
CISA Cybersecurity Performance Goals (CPG)
(All industries, government)
The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.