

What Is A Security Framework?

A security framework is a collection of documents and policies that define how your organization manages information, systems, and services and the security measures taken to protect data. A security framework looks at regulations and laws, as well as the internal policies to ensure everything is clearly stated regarding cybersecurity tactics and strategies for your company.

One of the keys to developing a cybersecurity program to protect your organization is the adoption of a security framework. Using a security framework enables organizations to gain a systemic understanding of their capabilities and weaknesses. This approach also provides the basis for an orderly methodology for planning and tracking improvements over time. The use of a public security framework allows organizations to benchmark their performance against other companies, which helps company leadership plan levels of investment in the security program.

The use of a security framework is not just a pass/fail or check-the-box exercise. It is unlikely that most organizations will have optimized their security framework to fully understand all their capabilities. The purpose of the security framework is to provide a basis for evaluating key capabilities across the full breadth of the cybersecurity function. This assessment “score” can be measured and tracked over time, and it provides the basis for developing a cybersecurity roadmap and investment plan to improve capabilities to a level consistent with the risk tolerance of the business.

What Are The Top 3 Security Frameworks?

There are many security frameworks your organization can choose from, but there are 3 that stand out as the top options.

1. NIST Cybersecurity Framework (NIST CSF). The NIST security framework was originally intended for use by critical infrastructure sectors like healthcare, utilities, and manufacturers. That's why its official title is the Framework for Improving Critical Infrastructure Cybersecurity. But organizations of all sizes all around the world have recognized its value and adopted the framework.

The NIST CSF is made up of 108 sub-categories, 23 categories, and 5 core functions. The five core functions in this framework are:

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover

These five core functions provide a basis for communicating the framework. Within the framework, you can evaluate capability maturity across the 23 categories on a 1 to 5 scale, and then use this as a basis for communicating current capabilities as well as for building a roadmap and investment plan that targets specific categories and thereby improves the overall capability “score” of the organization.


2. The Cybersecurity Maturity Model Certification (CMMC) program is a new set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber attacks. The CMMC program requires certification for all contractors doing business, or wanting to do business, with DoD. This group of impacted contractors includes companies indirectly doing business with DoD through subcontracts, as well as companies that sell commercial products or services to DoD. By 2026, all new DoD contracts will require an appropriate level of CMMC certification.

The 17 Domains of the CMMC standard will mostly overlap with core elements of the NIST CSF.

CMMC Domains with Approximate NIST CSF Mapping

  • Access Control (AC) - PR.AC

  • Incident Response (IR) - RS