Security frameworks, standards, maturity models, and control catalogs
105 total articles
The SEC Cybersecurity Disclosure Rules are a set of mandatory reporting requirements adopted by the U.
The HITRUST Common Security Framework (CSF) is a certifiable security and privacy framework built specifically for healthcare and healthcare-adjacent organizations.
NIST Special Publication 800-53 is the United States federal government's comprehensive catalog of security and privacy controls for information systems and organizations.
The CIS Controls (formerly known as the SANS Top 20) are a prioritized set of cybersecurity safeguards published by the Center for Internet Security (CIS).
The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government's standardized approach to security authorization for cloud service providers serving federal agencies.
NIST Special Publication 800-171 is the control set that governs how non-federal organizations must protect Controlled Unclassified Information (CUI) when it resides in their systems or networks.
Implementation guide for DKIM email authentication covering signing mechanics, DNS key publication, selector rotation, and common configuration pitfalls.
Technical reference for SPF record syntax covering mechanisms, qualifiers, DNS lookup limits, common misconfigurations, and alignment with DMARC.
Guide to DMARC policy configuration covering alignment modes, progressive enforcement, aggregate reporting, and subdomain protection strategies.
PCI DSS v4.0 cryptographic mandates for cardholder data protection covering storage encryption, transit encryption, key management, and scope reduction techniques.
Adapting CMMI process improvement methodology to cybersecurity program management for measurable capability advancement.
NIST voluntary tool for identifying and managing privacy risk through five functions, complementing the Cybersecurity Framework with data processing-specific privacy protections.
Guide to REST API security best practices covering authentication, BOLA prevention, input validation, rate limiting, and OWASP API Security Top 10 controls.
Guide to HSTS configuration covering max-age, includeSubDomains, preload lists, SSL stripping prevention, and deployment considerations for subdomain coverage.
Technical and procedural safeguards ensuring financial data accuracy, completeness, and reliability as required by Sarbanes-Oxley Section 404 internal controls over financial reporting.
Guide to CORS policy configuration covering preflight requests, common misconfigurations, origin validation pitfalls, and secure cross-origin access patterns.
Guide to Subresource Integrity covering hash-based verification, CDN supply chain protection, browser enforcement mechanics, and implementation best practices.
ISO 27001 reference set of 93 information security controls organized into organizational, people, physical, and technological themes.
Formal two-stage assessment by accredited certification bodies verifying ISMS conformance to ISO 27001 requirements.
Mandatory ISO 27001 document listing all Annex A controls with applicability decisions, justifications, and implementation status.
NIST CSF 2.0 cross-cutting function establishing cybersecurity risk management strategy, oversight, and governance-level accountability.
NIST CSF function defining incident response activities including planning, communications, analysis, mitigation, and improvement.
NIST CSF foundational function for understanding organizational cybersecurity risk to systems, people, assets, and capabilities.
NIST CSF function implementing safeguards including access control, training, data security, and protective technology.
NIST CSF function for maintaining resilience and restoring capabilities impaired by cybersecurity incidents.
NIST CSF function defining activities for timely discovery of cybersecurity events through monitoring and anomaly detection.
Open industry standard for scoring vulnerability severity using base, threat, environmental, and supplemental metrics across a 0-10 scale.
Mandatory ISO 27001 methodology for identifying, analyzing, and evaluating information security risks to drive control selection.
Deep dive into Content Security Policy covering directives, nonce-based policies, strict-dynamic, common bypass techniques, and deployment strategies for XSS prevention.
PASTA is a seven-stage risk-centric threat modeling methodology that integrates business context, attack simulation, and quantitative risk analysis to produce prioritized, evidence-based security recommendations.
MITRE ATT&CK for Enterprise is a knowledge base of adversary tactics and techniques derived from real-world observations, organized into 14 tactics with hundreds of techniques used for threat intelligence, detection engineering, and security assessment.
D3FEND is MITRE's knowledge graph of cybersecurity countermeasures organized into five tactics (Harden, Detect, Isolate, Deceive, Evict) that maps defensive techniques to the ATT&CK offensive techniques they counter.
OWASP ASVS provides 286 testable security requirements across three verification levels for web applications, bridging the gap between risk awareness and actionable development and testing criteria.
SABSA is a business-driven security architecture methodology using a six-layer model that traces security requirements from business attributes through conceptual, logical, physical, and component layers to operational delivery.
STRIDE is a Microsoft-developed threat modeling methodology that categorizes threats into six types (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) applied systematically to data flow diagrams.
The Shared Responsibility Model defines how security obligations are divided between cloud providers and customers, shifting based on service model (IaaS/PaaS/SaaS) from customer-managed to provider-managed across the technology stack.
TOGAF Security Architecture integrates security as a cross-cutting concern across all four enterprise architecture domains (Business, Data, Application, Technology) within the TOGAF Architecture Development Method.
The Cloud Controls Matrix (CCM) v4 provides 197 cloud-specific security control objectives across 17 domains, mapping to major standards and using the CAIQ questionnaire for assessing cloud provider and customer security responsibilities.
The OWASP Top 10 is a widely adopted awareness document identifying the ten most critical web application security risks, used as a baseline for development, testing, and compliance across the industry.
The CIS/SANS Critical Security Controls are 18 prioritized defensive actions organized into three Implementation Groups, providing prescriptive guidance derived from real attack data to defend against prevalent cyber threats.
COBIT 2019 is ISACA's IT governance framework with 40 objectives across five domains, featuring a flexible design factor system that aligns IT strategy with business goals and maps to standards like NIST CSF and ISO 27001.
ISO 27002 provides detailed implementation guidance for the 93 security controls referenced by ISO 27001, organized into four themes (Organizational, People, Physical, Technological) with attribute-based tagging for flexible filtering.
VERIS is a standardized incident classification framework using the A4 model (Actors, Actions, Assets, Attributes) that enables structured incident recording, trend analysis, and benchmarking against the Verizon DBIR dataset.
The Lockheed Martin Cyber Kill Chain defines seven sequential attack phases (Reconnaissance through Actions on Objectives) used to map defensive capabilities and disrupt adversary operations at each stage.
CISA's Zero Trust Maturity Model provides a phased roadmap across five pillars (Identity, Devices, Networks, Applications, Data) with three maturity stages for transitioning from perimeter-based security to continuous verification.
FAIR is the international standard for quantifying information risk in financial terms, using probabilistic models to decompose risk into loss event frequency and loss magnitude rather than subjective qualitative ratings.
NIST CSF 2.0 organizes cybersecurity into six functions (Govern, Identify, Protect, Detect, Respond, Recover) applicable to all organizations regardless of size or sector.
Compliance framework comparison identifies overlapping requirements across NIST CSF, SOC 2, ISO 27001, HIPAA, PCI DSS, and CMMC for unified compliance programs.
Implementation guide for NIST AI Risk Management Framework compliance requirements.
Implementation guide for AICPA Trust Services Criteria compliance requirements.
Implementation guide for Cyber Essentials Plus compliance requirements.
Implementation guide for FISMA compliance requirements.
Implementation guide for NIST 800-171 compliance requirements.
Implementation guide for StateRAMP compliance requirements.
Implementation guide for HITRUST CSF compliance requirements.
Implementation guide for CIS Controls v8 compliance requirements.
Implementation guide for NIST CSF 2.0 compliance requirements.
Implementation guide for ISO 27001 compliance requirements.
Implementation guide for CMMC 2.0 Level 2 compliance requirements.
Implementation guide for FedRAMP Authorization compliance requirements.
Implementation guide for SOC 2 Type II compliance requirements.
Reference architecture and design patterns for implementing zero trust network architecture.
Automate compliance scanning using OpenSCAP, InSpec, and custom policy checks.
Preparing for cybersecurity compliance audits specific to Government sector.
Third-party risk management guide for Government sector vendor ecosystems.
Network security design patterns for Government sector environments.
Building the business case for cybersecurity investment in Government organizations.
Security awareness program design for Government sector employees.
Data protection compliance guide for Government sector organizations.
Zero trust architecture implementation adapted for Government sector constraints.
Incident response planning guide tailored for Government sector requirements.
Cloud adoption security strategy for Government organizations.
Step-by-step cybersecurity risk assessment guide tailored for Government organizations.
Key changes in NIST CSF 2.0 including the new Govern function, expanded scope, and practical adoption guidance.
How ITIL's service management framework integrates information security into IT service delivery and operations.
How the CSA CCM provides a cybersecurity controls framework specifically designed for cloud computing environments.
The seven-stage PASTA process for risk-centric threat modeling, from business objective definition to residual risk analysis.
NIST's SSDF provides practices for producing secure software, increasingly required for government software suppliers.
NIST's framework for Zero Trust Architecture, the core tenets, logical components, and deployment approaches.
Using the Diamond Model's four core features (adversary, capability, infrastructure, victim) to analyze and track cyber threats.
How Lockheed Martin's Cyber Kill Chain maps the stages of an intrusion, and how defenders can disrupt attacks at each phase.
How D3FEND maps defensive techniques to ATT&CK adversary behaviors, providing a structured approach to countermeasure selection.
How COBIT aligns IT governance with business objectives and provides a framework for managing enterprise IT including security.
How SAMM helps organizations assess and improve their software security practices across governance, design, implementation, verification, and operations.
Using ASVS as a framework for testing web application security controls across three verification levels.
Key changes in PCI DSS version 4.0, the transition timeline, and practical guidance for meeting new requirements.
How FedRAMP authorizes cloud services for government use, the authorization process, impact levels, and path to compliance.
How ISO 27002 provides implementation guidance for the controls referenced in ISO 27001, with the 2022 restructured categories.
The key differences between SOC 2 Type I and Type II reports, which one your organization needs, and how to prepare for each.
Requirements for protecting CUI in non-federal systems, who needs compliance, and how to implement the 110 security requirements.
GDPR establishes comprehensive EU data protection requirements with fines up to 4% of global revenue.
CIS Controls v8 provides 18 prioritized safeguards organized into three implementation groups.
FAIR is the standard for quantifying cyber risk in financial terms.
HITRUST CSF harmonizes multiple frameworks into one certifiable standard for healthcare.
CMMC 2.0 requires defense contractors to demonstrate cybersecurity maturity at three levels.
PCI DSS 4.0 sets payment card security standards with expanded MFA and customized validation.
NIST 800-207 defines zero trust architecture: verify explicitly, least privilege, assume breach.
NIST 800-53 provides 1,000+ security controls across 20 families for federal and private sector use.
ISO 27001 is the international standard for information security management systems.
OWASP Top 10 catalogs the most critical web application security risks.
Introduction to the Iron Iris framework: 10 blades of operational resilience from detection through recovery.
SOC 2 evaluates how service organizations manage customer data across five Trust Services Criteria.
Overview of CIS Controls v8, Implementation Groups, priority ordering, and how they map to other cybersecurity frameworks.
Understanding ISO 27001 certification, the ISMS framework, Annex A controls, the certification process, and practical business benefits.
The most widely adopted cybersecurity framework, providing six core functions for managing cybersecurity risk.