Authors: Mark Keppler | Steve Foret

A Cybersecurity Frameworks Series

As cybersecurity professionals, we are all trying to accomplish the same thing, aren’t we? Essentially, we aim to protect our information, systems, facilities, and people. Organizations may have different data, business objectives, and requirements, but the overarching goal remains the same. Enter the framework. 

In the coming weeks and months, we will take a deeper dive into some of the more common frameworks to provide more insight on the value, applicability, and nuances of each. Let’s start with the basics.

What is a Cybersecurity Framework and Why Do I Need One?

To use the analogy of a building (an actual building or pretty much anything you build), a framework adds structure and support. Cybersecurity frameworks are a set of recommended practices that make your organization more resistant to attack and better able to respond if you are attacked (which most experts believe is inevitable). When you use a framework, you are leveraging the collective knowledge and experience from a variety of experts. If you are just starting your cyber program, why not take advantage of that knowledge and expertise? Why start from square one?

Does a framework guarantee you won’t be breached? Absolutely not – nothing does. So, why implement one? I’ll use the house analogy again. You may put locks on your doors and windows and install a home security system but that does not mean your house can’t be broken into—again, nothing does. Still, the locks should make it harder to break into; the security system should alert you when it has been broken into. A properly implemented security framework should make your organization more resistant to attack (harder to break into) and more resilient (more aware of an attack and better able to respond). 

Some Common Cybersecurity Frameworks

Given the common goal of security, you might be surprised at the number of frameworks out there. There are more frameworks than you can count on your fingers and toes. How many frameworks are there? I’ve listed 15 frameworks below, but it’s not a complete list. Are new frameworks on the horizon? I’d be shocked if there were not. 

  1. NIST Cybersecurity Framework (CSF)
  2. NIST Special Publication 800-53 (SP 800-53)
  3. Cybersecurity Maturity Model Certification (CMMC)
  4. Federal Risk and Authorization Management Program (FedRAMP)
  5. Department of Defense (DoD) Risk Management Framework (RMF)
  6. Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  7. Payment Card Industry Data Security Standard (PCI DSS)
  8. Federal Information Security Modernization Act (FISMA)
  9. Cybersecurity Capability Maturity Model (C2M2)
  10. International Standard for managing information security (ISO27001)
  11. New York Department of Financial Services Cyber Security Rules (NYDFS)
  12. Australian Signals Directorate
  13. Center for Internet Security Critical Security Controls
  14. Cloud Security Alliance Cloud Security Controls Matrix (CCM)
  15. European Telecommunications Standards Institute

Fun fact: I asked ChatGPT to list the frameworks associated with the US Government, and one of the frameworks it listed was PCI, which is not a government framework. It also missed a few that I was expecting it to list, specifically FISMA and C2M2.

Why So Many Cybersecurity Frameworks?

Good question! There are some important differences in the frameworks and their applicability. To note just a few:

Industry and Services of the Organization

PCI, for example, may not apply to your organization at all if you don’t take payments via payment card. Even if you do and PCI does apply, PCI is specific about protecting credit card information, and it does so well, though the process is often tedious and time-consuming.

Data Collected by the Organization

Some government frameworks vary the requirements based on the types of data to which an organization has access. Jokes about government bureaucracy aside, that makes sense. Not all data requires the same level of protection. Moreover, there’s a cost associated with implementing the highest levels of protection.

Operating Geographies of the Organization

It’s understandable that organizations outside of the US may not feel the need to follow US standards (though some do seem to follow them).

Some frameworks are a different take on the same problem. The frameworks have a great deal of similarity and overlap among them, so it is sometimes a matter of preference. It reminds me of the third-party risk questionnaires many of us must complete for our clients. The questionnaires are different, and yet they’re all pretty much the same.

Which Cybersecurity Framework Should I Be Using?

Some frameworks are adopted by organizations looking to improve their cybersecurity posture, while others are required by industry or government regulation. If you are just getting started, with the goal of improved cybersecurity, I would likely recommend one of the simpler frameworks (e.g. NIST CSF).

Stay tuned for more in the coming weeks and months. However, if you are not sure about how to approach implementing a framework or would just like to discuss, please feel free to reach out to us. Our goal is to help you Achieve Better Cybersecurity and we’re happy to help!
