frameworks.md

Control Frameworks & Standards

Control frameworks and security standards provide structured approaches to implementing and assessing cybersecurity controls.

NIST Frameworks

NIST Cybersecurity Framework (CSF)

• https://www.nist.gov/cyberframework
• https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

NIST Risk Management Framework (RMF)

• https://csrc.nist.gov/Projects/Risk-Management

NIST Publications on Risk & Governance

• Integrating Cybersecurity and Enterprise Risk Management (ERM) - NISTIR 8286: https://csrc.nist.gov/publications/detail/nistir/8286/final
• Staging Cybersecurity Risks for Enterprise Risk Management - NISTIR 8286C: https://csrc.nist.gov/publications/detail/nistir/8286c/draft
• Small Business Information Security Fundamentals: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

ISO/IEC Standards

• ISO/IEC 27001 - Information Security Management Systems: https://www.iso.org/isoiec-27001-information-security.html
• ISO/IEC 27005 - Information Security Risk Management and the FAIR Framework: https://publications.opengroup.org/c103

CIS Controls

• CIS Critical Security Controls: https://www.cisecurity.org/cybersecurity-tools/
• CIS Controls V7 Measures & Metrics: https://www.cisecurity.org/insights/white-papers/cis-controls-v7-measures-metrics

COBIT

• COBIT (Control Objectives for Information and Related Technologies): https://www.isaca.org/resources/cobit

CRF (Cyber Risk Framework)

• CRF Safeguards: https://crfsecure.org/research/crf-safeguards/
• CRF Maturity Model: https://crfsecure.org/research/crf-maturity-model/
• CRF Threat Taxonomy: https://crfsecure.org/research/crf-threat-taxonomy/

Control Mappings & Alignment

Compare and align controls across different frameworks:

• Control Mappings Repository: https://github.com/AbeWinters/control-mappings
• NIST OLIR Catalog: https://csrc.nist.gov/projects/olir/informative-reference-catalog#/
• Adobe Common Controls Framework (CCF): https://www.adobe.com/trust/compliance/common-controls-framework.html
• CCF Mapping Demo: https://adobe-ccf-demo.compliancegenie.io/framework-mapping
• Secure Controls Framework: https://github.com/securecontrolsframework/securecontrolsframework

Other Standards Bodies

• ISACA - IT Risk Framework: https://www.isaca.org/resources/it-risk

• NCSC - Risk Management Collection: https://www.ncsc.gov.uk/collection/risk-management-collection/essential-topics/variety-risk-information

• Software Supply Chain Security

SLSA Framework (Supply Chain Levels for Software Artifacts)

• SLSA Framework: Google's framework for software supply chain security
  • Levels 1-4 of software artifact security
  • Provenance and integrity guarantees
  • Focus on protecting against tampering and unauthorized changes

NIST Secure Software Development Framework (SSDF)

• NIST SSDF: Security practices for software development
  • Practice Groups (PO, PS, PO, PR) covering practices and controls
  • Emphasis on secure development, secure supply chain, and incident management
  • Applicable to commercial and government software

CIS Software Supply Chain Security Benchmark

• CIS Benchmarks - Supply Chain Security: Best practices for securing software supply chain
  • Code repository security
  • Build process security
  • Artifact and dependency management
  • Vulnerability management in dependencies