Other Common Security Frameworks or Standards

Control Objectives for Information Technology (COBIT)

COBIT was created by ISACA and is often used in conjunction with other frameworks, as it is more focused on governance than on technical aspects. It offers cross-references to NIST controls in the same way that NIST offers Informational References to COBIT.

HITRUST CSF

Originally specific to the healthcare industry, HITRUST was developed to offer guidance to healthcare organizations of all sizes on complying with HIPAA requirements regarding the safeguarding of PHI. HITRUST is based on ISO 27001. Where the ISO standard tends to be liberal about which specific controls are used to mitigate risk, HITRUST is designed to be more prescriptive, yet flexible enough to address the threats and needs of organizations of any size. HITRUST offers three levels of control implementation to allow "scaling" to the size and resources of the organization. By using the HITRUST framework, organizations can achieve compliance appropriate to the risks they face.

SOC 2

The SOC 2 framework is one of three reporting options developed by the American Institute of Certified Public Accountants (AICPA) in 2011. It is based on five Trust Services Criteria (TSP): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because SOC 2 has a formal audit inherent to the process, it is a good choice for those looking for a certification as the outcome. Organizations are free to make the scope of the audit as narrow or as broad as they would like, depending on the needs of the organization; the scope can include one or all of the TSPs. The SOC 2 reporting process can also be used to audit the controls of other security frameworks.

NIST 800-171 and CMMC

NIST 800-171 is a publication that builds on the NIST CSF; however, it includes specific guidance for the handling of Controlled Unclassified Information (CUI). This is important for any organization doing business directly with the Department of Defense, and for contractors working with the DoD. The publication was originally distributed as a specific set of controls with a worksheet that allowed organizations to self-assess, and there has been no requirement for a formal audit or certification. However, in December 2020, the US government established the Cybersecurity Maturity Model Certification (CMMC) process. CMMC is a certification related to NIST 800-171. It provides five levels of certification based on the number of NIST 800-171 controls implemented and verified. CMMC Level 3 certifies all controls in 800-171; Levels 4 and 5 certify controls from other frameworks beyond 800-171. In 2026, all organizations wishing to do business with DoD-related companies will be required to be certified under CMMC.