Framework References
NIST Risk Management Framework (RMF)
The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored.
Intelligence Community Standard (ICS) 500-27
This standard provides for the collection and sharing of audit data to support counter-intelligence, information assurance, business analytics, personnel security, and other community audit needs related to IC information resources.
sox
sox
SARBANES-OXLEY (SOX)
SOX compliance is not just a legal obligation but also a good business practice. The goal of the legislation is to increase transparency in the financial reporting by corporations and to require a formalized system of checks and balances in each company.
CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
The CMMC measures the maturity of an organization’s cybersecurity processes and practices across five levels covering seventeen domains. The domains are broad categories of critical security functions such as Access Control, Identification and Authentication, Incident Response, etc. much like the control families from the NIST 800-53 security controls standard.
Health Insurance Portability and Accountability Act (HIPAA)
Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.
CIS CRITICAL CONTROLS
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.
THE NIST CYBERSECURITY FRAMEWORK (CSF)
The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.
FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FEDRAMP)
The FedRAMP security controls are based on NIST SP 800-53 Revision 4 baselines and contain controls above the NIST baseline that address the unique elements of cloud computing.
THE CRIMINAL JUSTICE INFORMATION SERVICES (CJIS)
CJIS compliance keeps networks on the same page when it comes to data security and encryption, and ensures that sensitive criminal justice intel is locked down.
Continuous Diagnostics and Mitigation (CDM)
The Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) Program is leading the effort to reduce cyber risk and provide visibility across the federal government.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Plan
The North American Electric Reliability Corporation Critical Infrastructure Protection plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system. Check out our NERC CIP Industry Brief.
Acceptable Risk Safeguards (ARS)
The Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Safeguards (ARS) provides guidance to CMS and its contractors as to the minimum acceptable level of required security controls that must be implemented by CMS and CMS contractors to protect CMS’ information and information systems, including CMS Sensitive Information.
Additional Publications and Best Practices
NIST SPECIAL PUBLICATIONS
- SP 800-18 (Security Plans)
- SP 800-30 (Risk Assessment)
- SP 800-34 (Contingency Planning)
- SP 800-37 (Risk Management Framework)
- SP 800-39 (Organizational Risk Management)
- SP 800-53 (Security Controls)
- SP 800-53A (Security Controls Assessment)
- SP 800-59 (National Security Systems)
- SP 800-60 (Security Categorization), Vol 1
- SP 800-60 (Security Categorization), Vol 2
- SP 800-61 (Incident Response Planning)
- SP 800-82 (Industrial Control Systems)
- SP 800-137 (Continuous Monitoring)
- SP 800-171r (Controlled Unclassified Information), (CUI)