Security Frameworks Guide: MITRE ATT&CK, NIST CSF, CIS Controls, and More
Cybersecurity frameworks provide the structured vocabulary, control sets, and assessment models that allow organizations to describe their security posture, communicate risk to leadership, and benchmark against peers. Without a framework, security programs are collections of point solutions without coherent architecture. With the right framework, security investments map to measurable outcomes and compliance requirements become manageable.
CyberSanso’s Security Frameworks Guide provides plain-English breakdowns of the frameworks security teams encounter most frequently: NIST CSF 2.0 for organizational risk governance, MITRE ATT&CK for threat-informed defense, CIS Controls v8 for implementation-focused security hygiene, ISO 27001 for certifiable information security management, OWASP Top 10 for web application security, and CMMC for defense contractor compliance. Each guide explains the framework’s structure, intended audience, and practical implementation path – not merely that the framework exists.
Choosing the wrong framework wastes significant resources. A manufacturing contractor required to achieve CMMC certification cannot substitute ISO 27001 compliance. A startup building a SaaS product for healthcare customers needs HIPAA and SOC 2, not NIST 800-53. This guide helps you identify which frameworks apply to your situation before you invest in implementing them.
NIST Cybersecurity Framework 2.0: The Updated Standard
The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, is the most widely adopted cybersecurity governance framework globally. Originally developed in 2014 for US critical infrastructure operators, it has been adopted by organizations across all sectors in over 50 countries. The 2.0 update added a sixth core function and expanded applicability beyond critical infrastructure to all organization sizes and types.
NIST CSF 2.0 is organized around six core functions:
GOVERN – New in version 2.0. Establishes the organizational context, risk tolerance, and governance structures that direct cybersecurity strategy. This function sits above and informs all other functions, recognizing that security is a business risk management problem before it is a technical one.
IDENTIFY – Know your assets, data flows, supplier relationships, and cyber risk exposure. Includes asset management, risk assessment, and supply chain risk management.
PROTECT – Implement safeguards to limit the impact of cybersecurity events. Covers access control, awareness training, data security, and secure configuration management.
DETECT – Identify cybersecurity events when they occur through continuous monitoring, anomaly detection, and security event analysis.
RESPOND – Take action after a detected cybersecurity incident. Includes incident response planning, communication, mitigation, and improvement.
RECOVER – Restore capabilities affected by a cybersecurity incident. Covers recovery planning, communications, and lessons-learned processes.
NIST CSF 2.0 also introduced Community Profiles – pre-built framework configurations for specific sectors and use cases – reducing the customization burden for organizations starting implementation from scratch.
- NIST CSF 2.0: six-function framework with new Govern function
- MITRE ATT&CK: adversary behavior matrix mapped to defensive controls
- CIS Controls v8: 18 prioritized controls in three implementation groups
- ISO 27001: internationally certifiable information security standard
MITRE ATT&CK Framework: Adversary Behavior as a Security Tool
The MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics, techniques, and sub-techniques observed in real-world attacks. Unlike compliance-oriented frameworks that describe what controls to implement, ATT&CK describes what adversaries actually do – making it the primary framework for threat-informed defense: building detection and response capabilities based on known attacker behavior rather than hypothetical threats.
ATT&CK is organized as a matrix of 14 tactics (the adversary’s goals at each stage of an attack: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) with hundreds of techniques and sub-techniques distributed across those tactics. Each technique entry includes real-world procedure examples from named threat groups, detection guidance, and mitigation recommendations.
Security teams use ATT&CK for four core activities: detection gap analysis (mapping current SIEM detection rules to ATT&CK coverage to identify blind spots), threat hunting hypothesis generation (searching for specific techniques used by threat groups targeting their sector), purple team exercise design (providing red teams and blue teams a shared language for structured attack simulation), and vendor evaluation (assessing how well security tools cover the ATT&CK matrix against relevant threat groups). The MITRE ATT&CK Navigator is a free browser-based tool for visualizing and annotating ATT&CK matrix coverage.
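The detection gap analysis described above, as an added example that is not part of the original page or of any MITRE tooling: it takes detection rules tagged with ATT&CK technique IDs, compares them with the techniques in a sector threat profile, ranks the uncovered techniques by how many groups use them, and emits an ATT&CK Navigator layer for visualization. The rule names, the group labels GROUP-A and GROUP-B, and the technique-to-group mappings are constructed sample data; the technique IDs are real ATT&CK Enterprise IDs.

```python
"""Detection gap analysis against MITRE ATT&CK, emitting a Navigator layer."""
import json

# Constructed sample: each SIEM detection rule tagged with the ATT&CK technique(s) it covers.
DETECTION_RULES = {
    "Suspicious PowerShell encoded command": ["T1059.001"],
    "New scheduled task created": ["T1053.005"],
    "LSASS memory access by non-system process": ["T1003.001"],
    "Outbound beacon to rare domain": ["T1071.001"],
}

# Constructed sample threat profile: techniques attributed to groups relevant to this sector.
# GROUP-A / GROUP-B are placeholders, not real threat group names or real attributions.
THREAT_PROFILE = {
    "GROUP-A": ["T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.001"],
    "GROUP-B": ["T1566.001", "T1078", "T1071.001", "T1041"],
}


def gap_analysis(rules, profile):
    """Return covered techniques, prioritized gaps, and the coverage ratio."""
    covered = {tid for tids in rules.values() for tid in tids}
    relevant = {tid for tids in profile.values() for tid in tids}
    # Count how many groups use each technique; gaps used by more groups rank first.
    group_count = {}
    for tids in profile.values():
        for tid in set(tids):
            group_count[tid] = group_count.get(tid, 0) + 1
    gaps = sorted(relevant - covered, key=lambda t: (-group_count[t], t))
    hit = relevant & covered
    coverage = len(hit) / len(relevant) if relevant else 1.0  # empty profile: nothing to cover
    return {"covered": sorted(hit), "gaps": gaps, "coverage": coverage}


def navigator_layer(rules, profile, name="Detection coverage vs. threat profile"):
    """Build an ATT&CK Navigator layer: green = detected, red = relevant but undetected."""
    result = gap_analysis(rules, profile)
    techniques = [{"techniqueID": t, "score": 1, "color": "#2e8b57", "comment": "covered"}
                  for t in result["covered"]]
    techniques += [{"techniqueID": t, "score": 0, "color": "#c0392b", "comment": "gap"}
                   for t in result["gaps"]]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "navigator": "4.9"},
            "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(navigator_layer(DETECTION_RULES, THREAT_PROFILE), indent=2))
```

Save the printed JSON to a file and open it in the ATT&CK Navigator with "Open Existing Layer" to see the covered and uncovered techniques on the matrix.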
CIS Controls v8 and ISO 27001: Implementation-Focused Frameworks
While NIST CSF provides governance structure and MITRE ATT&CK provides adversary context, CIS Controls v8 and ISO 27001 provide the most direct implementation guidance for day-to-day security operations.
CIS Controls v8 (released May 2021) comprises 18 control groups organized into three Implementation Groups (IGs) that provide a prioritized implementation roadmap based on organization size and security maturity. IG1 (basic cyber hygiene, 56 safeguards) is recommended for all organizations and covers the minimum controls required to defend against common attacks. IG2 adds 74 safeguards appropriate for organizations with dedicated security staff. IG3 adds 23 advanced safeguards for mature security programs. CIS Controls map directly to NIST CSF, NIST 800-53, ISO 27001, and SOC 2, making compliance documentation significantly simpler for organizations that implement CIS Controls as a baseline.
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It is the only cybersecurity framework on this page that offers independent third-party certification – organizations can achieve ISO 27001 certification through accredited certification bodies (BSI, DNV, Bureau Veritas, LRQA). The 2022 version updated Annex A controls from 114 to 93, reorganized into four themes (Organizational, People, Physical, Technological). ISO 27001 certification typically requires 12 to 18 months for initial implementation and surveillance audits annually with full re-certification every three years.
OWASP Top 10 is the most widely referenced web application security awareness document. The 2021 edition covers: Broken Access Control (the #1 risk), Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery. OWASP does not certify against the Top 10 – it is a training and awareness framework, not an audit standard.
Choosing the Right Framework for Your Organization
Framework selection should be driven by regulatory requirements, customer expectations, and organizational size and maturity – not by what competitors claim to follow.
If you are a US federal agency or contractor: NIST 800-53 (Rev 5) is likely mandatory. Defense contractors specifically may need CMMC 2.0 certification, which maps to NIST 800-171. Check your contract requirements before assuming which level applies.
If you handle payment card data: PCI DSS 4.0 compliance is mandatory regardless of other framework choices. PCI DSS 4.0, released March 2022 with a compliance deadline of March 31, 2025 for all requirements, significantly expanded multi-factor authentication requirements and added customized implementation options.
If you want a certifiable security baseline: ISO 27001 is the most widely recognized internationally. SOC 2 Type 2 is more commonly requested by US enterprise customers and is faster to achieve for SaaS companies.
If you want a prioritized implementation guide with no certification requirements: CIS Controls v8 Implementation Group 1 provides the highest-value minimum-viable security hygiene baseline for organizations that lack dedicated security staff.
If you want to understand and detect attacker behavior: MITRE ATT&CK is not a compliance framework – it is an operational intelligence tool that belongs in every security operations program regardless of which compliance frameworks you use. Use ATT&CK alongside, not instead of, your compliance framework.