What Is A Security Framework?

A security framework is a collection of documents and policies that define how your organization manages information, systems, and services, and the security measures it takes to protect its data. It takes account of applicable laws and regulations as well as internal policy, so that your company's cybersecurity strategy and tactics are stated clearly in one place.

One of the keys to developing a cybersecurity program that protects your organization is the adoption of a security framework. A framework gives an organization a systematic understanding of its capabilities and weaknesses, and provides the basis for an orderly methodology for planning and tracking improvements over time. Using a public framework also lets an organization benchmark its performance against other companies, which helps leadership decide how much to invest in the security program.

Using a security framework is not a pass/fail or check-the-box exercise. Few organizations will have every capability fully optimized, and that is not the point. The purpose of the framework is to provide a consistent basis for evaluating key capabilities across the full breadth of the cybersecurity function. The resulting assessment "score" can be measured and tracked over time, and it becomes the starting point for a cybersecurity roadmap and investment plan that raises capabilities to a level consistent with the risk tolerance of the business.

What Are The Top 3 Security Frameworks?

There are many security frameworks your organization can choose from, but there are 3 that stand out as the top options.

1. NIST Cybersecurity Framework (NIST CSF). The NIST framework was originally intended for use by critical infrastructure sectors such as healthcare, utilities, and manufacturing, which is why versions 1.0 and 1.1 carry the official title Framework for Improving Critical Infrastructure Cybersecurity. (The 2024 revision, CSF 2.0, drops the critical-infrastructure qualifier and adds a sixth function, Govern.) Organizations of all sizes around the world have recognized its value and adopted it.

The NIST CSF 1.1 is organized as 5 core functions, 23 categories, and 108 subcategories. The five core functions are:

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover

These five core functions are the vocabulary in which the framework is communicated. The framework itself rates overall rigor with four Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) and compares a Current Profile against a Target Profile to identify gaps. A common practice, though not something the framework prescribes, is to score each of the 23 categories on a 1 to 5 maturity scale. Either way, the result is a basis for communicating current capabilities and for building a roadmap and investment plan that targets specific categories and so raises the organization's overall capability "score."
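The assessment-and-roadmap cycle described above and in the earlier paragraph on tracking a score over time, as an added example that is not part of the original article: the 23 category identifiers are the real NIST CSF 1.1 ones, but the 1 to 5 maturity scale, the sample scores, the target profile and the priority weights are constructed assumptions for illustration. It validates a profile, rolls category scores up to the five functions, ranks the gaps between a current and a target profile, and reports what changed between two assessments.

```python
"""Current-vs-target profile gap analysis over the 23 NIST CSF 1.1 categories.

Added example (not from the original article). Category IDs are the real CSF
1.1 ones; the 1-5 maturity scale, scores, target and weights are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# The 23 CSF 1.1 categories, grouped under the five core functions.
CSF_CATEGORIES = {
    "ID": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM", "ID.SC"],
    "PR": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "DE": ["DE.AE", "DE.CM", "DE.DP"],
    "RS": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "RC": ["RC.RP", "RC.IM", "RC.CO"],
}
ALL_CATEGORIES = [c for cats in CSF_CATEGORIES.values() for c in cats]
SCALE = range(1, 6)  # assumed 1 (ad hoc) .. 5 (optimized) maturity scale


def validate_profile(profile: dict[str, int]) -> None:
    """Reject a profile that is missing categories or uses out-of-range scores."""
    missing = set(ALL_CATEGORIES) - profile.keys()
    unknown = profile.keys() - set(ALL_CATEGORIES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    bad = {k: v for k, v in profile.items() if v not in SCALE}
    if bad:
        raise ValueError(f"scores outside {SCALE.start}-{SCALE.stop - 1}: {bad}")


def function_scores(profile: dict[str, int]) -> dict[str, float]:
    """Roll category scores up to one mean score per core function."""
    validate_profile(profile)
    return {fn: round(float(mean(profile[c] for c in cats)), 2)
            for fn, cats in CSF_CATEGORIES.items()}


def overall_score(profile: dict[str, int]) -> float:
    """Single headline number: mean over all 23 categories."""
    validate_profile(profile)
    return round(float(mean(profile[c] for c in ALL_CATEGORIES)), 2)


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int
    weight: int  # business-priority weight (assumed, set by risk owners)

    @property
    def size(self) -> int:
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        return self.size * self.weight


def roadmap(current: dict[str, int], target: dict[str, int],
            weights: dict[str, int] | None = None) -> list[Gap]:
    """Gap analysis: categories below target, largest weighted gap first."""
    validate_profile(current)
    validate_profile(target)
    weights = weights or {}
    gaps = [Gap(c, current[c], target[c], weights.get(c, 1)) for c in ALL_CATEGORIES]
    return sorted((g for g in gaps if g.size > 0),
                  key=lambda g: (-g.priority, g.category))


def trend(earlier: dict[str, int], later: dict[str, int]) -> dict[str, int]:
    """Per-category change between two assessments (positive = improved)."""
    validate_profile(earlier)
    validate_profile(later)
    return {c: later[c] - earlier[c] for c in ALL_CATEGORIES if later[c] != earlier[c]}


# Constructed sample assessments (not real data): a baseline, a later re-assessment,
# the target profile agreed with the business, and weights for the categories
# leadership cares most about.
Q1_ASSESSMENT = {c: 2 for c in ALL_CATEGORIES}
Q1_ASSESSMENT.update({"ID.AM": 1, "PR.AC": 3, "DE.CM": 1, "RS.RP": 1, "RC.RP": 1})
Q3_ASSESSMENT = dict(Q1_ASSESSMENT, **{"ID.AM": 3, "DE.CM": 2, "RS.RP": 3})
TARGET = {c: 3 for c in ALL_CATEGORIES}
TARGET.update({"PR.AC": 4, "DE.CM": 4, "RS.RP": 4})
WEIGHTS = {"DE.CM": 3, "PR.AC": 2, "RS.RP": 2}

if __name__ == "__main__":
    print("Q1 overall:", overall_score(Q1_ASSESSMENT), function_scores(Q1_ASSESSMENT))
    for g in roadmap(Q1_ASSESSMENT, TARGET, WEIGHTS)[:5]:
        print(f"{g.category}: {g.current} -> {g.target} (priority {g.priority})")
    print("Q1 -> Q3 changes:", trend(Q1_ASSESSMENT, Q3_ASSESSMENT))
```

The ranking multiplies the size of each gap by a business-priority weight, so a category that is both far from target and important (here DE.CM, continuous monitoring) lands at the top of the roadmap ahead of categories that are merely one step short. Keeping each assessment as its own profile is what makes the quarter-over-quarter trend a simple diff rather than a re-scoring exercise.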

2. The Cybersecurity Maturity Model Certification (CMMC) program is a set of cybersecurity standards developed by the Department of Defense (DoD) to verify that defense contractors protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) they handle. The program requires contractors doing business, or seeking to do business, with DoD to demonstrate compliance at a CMMC level specified in the contract. This includes companies that do business with DoD indirectly through subcontracts, as well as companies that sell commercial products or services to DoD. Under the DoD's phased rollout plan, by 2026 all new DoD contracts will require an appropriate level of CMMC certification.

CMMC's practices are drawn mainly from NIST SP 800-171, and its domain names follow the NIST SP 800-53 control families, so the domains overlap heavily with core elements of the NIST CSF. The 17 domains below are those of CMMC version 1.0; the later CMMC 2.0 revision consolidated them to 14 by dropping Asset Management, Recovery and Situational Awareness.

CMMC Domains with Approximate NIST CSF Mapping

  • Access Control (AC) - PR.AC

  • Incident Response (IR) - RS

  • Risk Management (RM) - ID.RM

  • Asset Management (AM) - ID.AM

  • Maintenance (MA) - PR.MA

  • Security Assessment (CA) - ID.RA

  • Awareness and Training (AT) - PR.AT

  • Media Protection (MP) - PR.DS

  • Situational Awareness (SA) - ID.RA-2 (threat intelligence) / DE.CM

  • Audit and Accountability (AU) - PR.PT-1 (audit/log records) / DE.CM

  • Personnel Security (PS) - PR.IP-11 (cybersecurity in HR practices)

  • System and Communications Protection (SC) - PR.PT

  • Configuration Management (CM) - PR.IP-1

  • Physical Protection (PE) - PR.AC-2

  • System and Information Integrity (SI) - PR.DS / DE.CM

  • Identification and Authentication (IA) - PR.AC

  • Recovery (RE) - RC

3. Center for Internet Security (CIS) Top 20 Critical Security Controls. The CIS Controls are another security framework, often used by small to medium sized businesses (SMBs). While not as comprehensive as the NIST CSF or CMMC, the CIS Top 20 provides an excellent starting point for building a cybersecurity program, because it concentrates on the most critical elements and orders them by priority. The list below is the version 7.1 set; version 8, released in 2021, consolidates these into 18 controls and replaces the Basic/Fundamental/Organizational groups with three Implementation Groups sized to the organization.

Basic CIS Controls

Control 1: Inventory and Control of Hardware Assets

Control 2: Inventory and Control of Software Assets

Control 3: Continuous Vulnerability Management

Control 4: Controlled Use of Administrative Privileges

Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Fundamental CIS Controls

Control 7: Email and Web Browser Protections

Control 8: Malware Defenses

Control 9: Limitation and Control of Network Ports, Protocols, and Services

Control 10: Data Recovery Capabilities

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Control 12: Boundary Defense

Control 13: Data Protection

Control 14: Controlled Access Based on the Need to Know

Control 15: Wireless Access Control

Control 16: Account Monitoring and Control

Organizational CIS Controls

Control 17: Implement a Security Awareness and Training Program

Control 18: Application Software Security

Control 19: Incident Response and Management

Control 20: Penetration Tests and Red Team Exercises

Security frameworks are designed to help your organization document its policies and procedures carefully and present them clearly. Working from one of these frameworks gives you a more complete cybersecurity plan, a way to measure progress against it, and ultimately a better-protected organization. Check out the Emagined Pentest Framework to see how we can help you with your next pentest.

Learn more about security fundamentals:

We’re committed to helping you learn all about security systems you can implement to improve security at your organization. Our articles are devoted to ensuring your organization can reduce risk in a way that is manageable and affordable.
