Frameworks

The reference frameworks we work in — and when each one applies.

Cybersecurity is a regulated discipline. Engagements typically reference one or more of the frameworks below — for control selection, audit alignment, or executive communication. This page is the index.

Security

Security frameworks

Control catalogs and program structures we use to design and operate security programs.

NIST Cybersecurity Framework (CSF) 2.0

Voluntary · Industry-agnostic

Six functions: Govern, Identify, Protect, Detect, Respond, Recover. We use the CSF as the default program structure for clients who don't have a specific regulatory mandate.

NIST SP 800-53

Federal · FISMA / FedRAMP

Control catalog underlying FedRAMP, FISMA, and many state programs. We implement at Low, Moderate, and High baselines.

NIST SP 800-171

Defense · CUI

110 controls for protecting Controlled Unclassified Information in non-federal systems. Required by DFARS and the precursor to CMMC.

CIS Controls v8

Industry-agnostic · IG1–IG3

18 control families organized into three implementation groups. Pragmatic baseline that pairs well with NIST CSF.

IEC 62443

Industrial · OT / ICS

Cybersecurity for industrial automation and control systems. The reference framework for manufacturing, energy, and utilities clients.

Compliance

Compliance & audit frameworks

Required for procurement, sales, or law. Each links to the dedicated compliance page where applicable.

Threat modeling

Threat & adversary models

How we describe attacker behavior, design detections, and threat-model applications.

MITRE ATT&CK

Adversary tactics & techniques

The reference taxonomy for adversary behavior. We map detection coverage and threat-hunting hypotheses to ATT&CK techniques.

MITRE D3FEND

Defensive countermeasures

Companion to ATT&CK. We use D3FEND to map controls to the adversary techniques they actually disrupt.

Cyber Kill Chain

Intrusion lifecycle

Lockheed Martin model of an intrusion lifecycle. Older than ATT&CK but still useful for executive narrative.

STRIDE

Application threat modeling

Threat-categorization model used for application threat modeling: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.