CISO Assistant

31+ frameworks included and support for custom ones

Supporting a wide range of frameworks covering multiple standards, industries and regulations from all over the world.
If you notice that one is missing, let us know and we will add it for free, if it's an open and free standard 😊.


Frameworks

The list is constantly growing thanks to community requests and contributions 🙏! We add any missing open standard or regulation for free, just ask 🚀

ISO/IEC 27001:2022
ISO/IEC

Description

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet. The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

Cyber Security Framework
NIST

Description

The NIST CSF is a framework designed to help organizations improve their cybersecurity practices and manage cybersecurity risks effectively. It is structured around six core functions: Identify, Govern, Protect, Detect, Respond, and Recover, providing a comprehensive approach to cybersecurity. NIST CSF is one of the most used frameworks in Cyber Security programs all over the world.

CyberFundamentals Framework
CCB

Description

The CyberFundamentals Framework, initiated by the Centre for Cybersecurity Belgium (CCB), offers a structured set of guidelines aimed at enhancing cybersecurity within both public and private sectors. The framework is distinguished by its structure across four escalating levels of cybersecurity measures: Small, Basic, Important, and Essential. Starting from the Small level, designed for organizations with limited technical expertise, it progresses to the Essential level, aimed at counteracting advanced cyber threats.

Cybersecurity Maturity Model Certification (CMMC)
DoD (US)

Description

CMMC 2.0 outlines three progressive levels of cybersecurity requirements designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with contractors and subcontractors through DoD acquisition programs. These levels range from foundational cybersecurity practices to advanced measures against sophisticated threats, aligning closely with well-established National Institute of Standards and Technology (NIST) cybersecurity standards, specifically NIST SP 800-171 for the "Advanced" level and a subset of NIST SP 800-172 requirements for the "Expert" level, which is still under development.

NYDFS 500 / NYCRR
NEW YORK STATE

Description

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, officially designated as 23 NYCRR Part 500, is a pioneering set of regulations established to fortify the cybersecurity posture of financial services companies operating within New York State. Enacted on March 1, 2017, and subsequently amended, these regulations set forth stringent requirements designed to protect financial institutions' information systems and nonpublic information from cyber threats. The regulation encompasses a broad range of cybersecurity requirements, including but not limited to the establishment of a comprehensive cybersecurity program, the designation of a Chief Information Security Officer (CISO), penetration testing and vulnerability assessments, the management of third-party service providers, and the development of an incident response plan.

Digital Operational Resilience Act (DORA)
European Union

Description

The Digital Operational Resilience Act (DORA) represents the European Union's comprehensive approach to enhancing the digital operational resilience of its financial sector. Recognizing the pivotal role that information and communication technology (ICT) systems play in the financial industry, DORA aims to safeguard the EU's financial entities from ICT risks, ensuring that they remain resilient in the face of operational disruptions. It was adopted on December 14, 2022, and published in the Official Journal of the European Union on December 27, 2022, marking a significant step toward harmonizing digital operational resilience across the EU.

Essential Eight Maturity Model
Australian Government

Description

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight. The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

General Data Protection Regulation (GDPR)
European Union

Description

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect in the European Union (EU) on May 25, 2018. Designed to strengthen privacy rights and data protection for individuals within the EU, the GDPR imposes strict guidelines on how organizations collect, store, process, and manage personal data. It introduces principles such as data minimization, where only necessary data can be processed, and consent, requiring clear and affirmative agreement from individuals before their data is used. The regulation applies to all organizations operating within the EU and those outside the EU that offer goods or services to, or monitor the behavior of, EU residents. Non-compliance can result in hefty fines, up to 4% of annual global turnover or €20 million, whichever is greater. The GDPR has set a global standard, influencing many countries to revise their own data protection laws to align with its stringent requirements, thereby reshaping the landscape of global data privacy.

Référentiel Hébergeur de Données de Santé (HDS)
Agence du Numérique en Santé

Description

Decree No. 2018-137 of 26 February 2018 on the hosting of personal health data introduced HDS certification to ensure the security of such data in France, a key pillar of digital regulation in the health sector. Five years after its launch, the Délégation du Numérique en Santé and the Agence du Numérique en Santé initiated a revision of the HDS framework in early 2022. This revision involved the CNIL, the HFDS of the Ministry of Health, as well as various industry players and certification bodies. After a public consultation at the end of 2022 and the analysis of more than 250 contributions, the CNIL approved the revised draft framework on 13 July 2023.

AirCyber
BoostAeroSpace

Description

The AirCyber framework by BoostAeroSpace aims to elevate cybersecurity across the European Aerospace and Defense Supply Chain by standardizing and harmonizing IT and IS security. Developed with contributions from aerospace leaders like Airbus, Dassault Aviation, Safran, and Thales, AirCyber offers a suite of services, including maturity assessments, a catalog of cybersecurity solutions, and an encryption portal. This initiative addresses the pressing need for robust cybersecurity measures among smaller suppliers, often more vulnerable to cyber-attacks. Through disseminating advanced security practices and the AirCyber Maturity Standard, BoostAeroSpace facilitates a collective uplift in cyber resilience within the aerospace and defense sectors.

TIBER-EU
ECB

Description

TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, and threat intelligence and red-team providers should collaborate to test and improve entities' cyber resilience by conducting controlled cyberattacks. TIBER-EU tests mimic the tactics, techniques, and procedures of real-life attackers based on bespoke threat intelligence. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e., its people, processes, and technologies. The outcome is not a pass or fail; instead, the test is intended to reveal the strengths and weaknesses of the tested entity, enabling it to reach a higher level of cyber maturity.

Application Security Verification Standard (ASVS)
OWASP

Description

The OWASP Application Security Verification Standard (ASVS) is a framework by the Open Web Application Security Project (OWASP) designed to standardize the approach to web application security. It categorizes security controls into three levels of rigor, offering a comprehensive guide for developers, testers, and security professionals to ensure the security of web applications. Covering aspects from authentication to data protection, the ASVS serves as a benchmark for developing, testing, and evaluating the security of web applications, reflecting the latest in security challenges and best practices.

Cloud Controls Matrix (CCM)
CSA*

Description

The Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) is a comprehensive cybersecurity framework specifically tailored for cloud computing environments. It provides a detailed set of security controls that are aligned with industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002, ISACA COBIT, and NIST. The CCM is designed to aid organizations in assessing the overall security risk of cloud providers and to help ensure that adequate security measures are in place. The matrix covers fundamental security principles across different domains, including compliance, data security, infrastructure security, identity management, and incident response, making it a crucial tool for companies leveraging cloud technology for their operations. * This framework requires one extra manual step, given its license terms.

CIS Controls v8
CIS*

Description

The CIS Critical Security Controls are a set of prioritized guidelines designed to help organizations bolster their cybersecurity posture. Developed by the Center for Internet Security, these controls are widely recognized for their effectiveness in mitigating the most common and impactful cyber threats. The framework consists of several key controls, including inventory and control of hardware and software assets, continuous vulnerability management, controlled use of administrative privileges, secure configuration of hardware and software, and the implementation of a security awareness and training program. By following these controls, organizations can significantly enhance their defensive capabilities against cyberattacks, improve their security management processes, and protect their sensitive information and systems. * This framework requires one extra manual step, given its license terms.

Cyber Resilience Act (CRA)
European Union

Description

The Cyber Resilience Act (CRA) is a legislative proposal by the European Union aimed at enhancing the overall cybersecurity posture of products with digital elements sold within the EU market. The act focuses on ensuring that these products meet stringent cybersecurity standards from the design phase to the end of their lifecycle, thereby reducing risks and vulnerabilities that could lead to cyber-attacks. It applies to a broad range of products, including connected devices and software, with the objective of protecting consumers and businesses from cyber threats. The CRA mandates manufacturers to adhere to specified cybersecurity requirements, conduct thorough assessments of their products' cyber risks, and take appropriate measures to manage those risks effectively. Additionally, the act emphasizes transparency and accountability by requiring manufacturers to report significant cyber incidents. Through these measures, the CRA aims to foster trust and security in the digital marketplace, contributing to the resilience of the EU's digital economy against cyber threats.

Essential Cybersecurity Controls
NCA

Description

The ECC (Essential Cybersecurity Controls) framework, developed by the National Cybersecurity Authority (NCA) of Saudi Arabia, serves as a minimum cybersecurity standard aimed at protecting sensitive government data and technology assets within the country. This framework is a result of a thorough examination of various national and international cybersecurity frameworks and standards. It is structured around 114 cybersecurity controls distributed across 29 subdomains and five main domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-party & Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. These controls are designed to help organizations build robust defenses against cybersecurity risks, ensuring the confidentiality, integrity, and availability of critical government assets and data. While primarily applicable to government organizations, critical infrastructure, and companies handling sensitive data in Saudi Arabia, all organizations are encouraged to adopt the ECC framework to bolster their cybersecurity measures.

Federal Act on Data Protection
Swiss Confederation

Description

The Federal Act on Data Protection (FADP) from Switzerland is a key legislative framework designed to protect the privacy and fundamental rights of individuals regarding the processing of their personal data. Set to be fully effective from September 2023 with substantial revisions, the updated FADP aligns more closely with global data protection standards, such as the EU's GDPR. It emphasizes the principles of transparency, purpose limitation, and data minimization, alongside introducing stricter consent requirements and enhanced rights for data subjects, such as the right to be forgotten and the right to data portability. The act also imposes rigorous obligations on data controllers and processors, including requirements for data security and for conducting impact assessments for high-risk processing activities. This makes the FADP a crucial component of the regulatory landscape for both domestic and international organizations operating within Switzerland.

Guide d'hygiène informatique
ANSSI

Description

The ANSSI IT hygiene guide, published on 23 January 2017, is an essential resource for those responsible for information systems security. It proposes 42 key measures intended to strengthen data protection and the secure operation of IT systems. By emphasising cybersecurity awareness and training, the guide aims to establish a foundation of fundamental practices, ranging from managing the risks associated with IT outsourcing to implementing rigorous access control. This initiative reflects ANSSI's commitment to promoting an IT security culture adapted to current challenges.

Health Insurance Portability and Accountability Act (HIPAA)
HHS/NIST

Description

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a significant regulatory framework designed to safeguard medical information in the United States. It sets the standard for protecting sensitive patient data, requiring healthcare providers, plans, and clearinghouses to implement physical, network, and process security measures. HIPAA encompasses a range of rules, including the Privacy Rule, which controls the use and disclosure of Protected Health Information (PHI), and the Security Rule, which mandates the secure handling of electronic PHI. Compliance with HIPAA is essential for healthcare entities to ensure the confidentiality, integrity, and availability of patient data, providing a foundation for trust in the healthcare system's handling of personal health information.

Loi de Programmation Militaire (LPM)
French Government

Description

The Loi de Programmation Militaire (LPM) is a legislative instrument adopted by several countries to plan and organise defence spending over a given period, generally five to six years. In France, for example, the LPM defines the major orientations and the financial resources allocated to the armed forces, covering the acquisition of equipment, the development of new defence technologies, and support for military innovation and research. It aims to ensure that the armed forces are prepared for and adapted to current and future challenges, balancing defence needs against the State's budgetary constraints. The LPM is crucial to a country's defence strategy, reflecting its military ambitions, its international commitments and its will to protect its sovereignty and the security of its citizens.

Network and Information Security (NIS2)
European Union

Description

The NIS2 Directive, an evolution of the European Union's pioneering Network and Information Systems (NIS) Directive, represents a significant step forward in strengthening cybersecurity across the EU. Enacted to address the growing threats in the digital space, NIS2 broadens the scope of its predecessor by covering a wider range of sectors deemed critical, including energy, transport, banking, and digital infrastructure, among others. It mandates stricter security requirements, incident reporting protocols, and enhanced supervisory measures, including substantial fines for non-compliance. NIS2's primary goal is to bolster the overall resilience and security of network and information systems within the EU, ensuring a unified and high level of cybersecurity preparedness, response, and collaboration among Member States, thereby protecting the internal market and the citizens of the EU from cyber threats.

AI Risk Management Framework (AI RMF)
NIST

Description

The NIST's AI Risk Management Framework (AI RMF) is a comprehensive guideline aimed at fostering trustworthy and responsible development, deployment, and use of artificial intelligence (AI) systems. Developed through extensive collaboration with stakeholders from government, academia, and industry, the AI RMF provides a flexible and voluntary framework to help organizations manage risks associated with AI technologies, including ethical considerations, fairness, accountability, transparency, and the impact on privacy and civil liberties. It emphasizes the importance of incorporating robust risk assessment and management practices throughout the AI lifecycle, from design to deployment and monitoring, to ensure AI systems are reliable, safe, and aligned with societal values and norms. The framework is part of NIST's broader effort to build confidence in AI technologies and to support the development of AI systems that are innovative and beneficial while minimizing harm and unintended consequences.

Payment Card Industry Data Security Standard
PCI Security Standards Council

Description

The Payment Card Industry Data Security Standard (PCI-DSS) is a globally recognized security standard designed to ensure that all entities that process, store, or transmit credit card information maintain a secure environment, thereby reducing credit card fraud. Established by major credit card brands, it sets forth a comprehensive set of requirements including network security, data protection measures, vulnerability management programs, access control measures, and monitoring and testing networks. Compliance with PCI-DSS is mandatory for all such entities and is aimed at protecting sensitive cardholder data throughout the transaction process. The standard not only helps in building trust with customers but also minimizes the risk of data breaches and non-compliance penalties. With its regular updates, PCI-DSS adapts to emerging threats and technologies, ensuring that the payment ecosystem remains secure against evolving cybersecurity challenges.

NIST Privacy Framework
NIST

Description

The NIST Privacy Framework is a voluntary tool developed to help organizations identify and manage privacy risks and enhance individuals' privacy protections. It is designed to be compatible with various privacy laws and regulations and aims to facilitate ethical decision-making regarding data privacy. This framework is structured similarly to the NIST Cybersecurity Framework, consisting of three main parts: Core, Profiles, and Implementation Tiers, which assist organizations in developing and refining their privacy management programs. Through its adaptable approach, the NIST Privacy Framework supports organizations across different sectors and jurisdictions in achieving better compliance and privacy outcomes.

Protective Security Policy Framework
Australian Government

Description

The Protective Security Policy Framework (PSPF) is an Australian Government initiative designed to assist federal government agencies in protecting their people, information, and assets, both at home and overseas. Established to provide a comprehensive set of security guidelines and principles, the PSPF ensures that government operations are conducted securely and with integrity. It encompasses various security measures, including governance, information security, personnel security, and physical security. The framework mandates agencies to implement specific security protocols to safeguard sensitive information and resources against potential threats and vulnerabilities. By standardizing security practices across all government entities, the PSPF aims to foster a resilient and trustworthy government sector, ensuring the continuous and effective delivery of government services to the Australian public and protecting national interests.

Référentiel Général de Sécurité
ANSSI

Description

The Référentiel Général de Sécurité (RGS), drawn up by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) in France, is a normative framework intended to ensure the security of government information systems. Put in place to meet the growing data protection requirements within the public sector, the RGS defines the rules and the mandatory security levels for protecting sensitive information handled by government entities. It covers various aspects of IT security, including risk management, securing electronic exchanges, protecting infrastructure, and the compliance of security products and systems. By establishing strict security standards, the RGS aims to strengthen trust in digital public services and to guarantee the continuity and integrity of government services, while protecting personal and sensitive data against cyber threats.

SOC2-2017 Trust Services Criteria
AICPA

Description

Service Organization Control 2 (SOC 2) is a framework for managing data privacy and security, tailored for service providers storing customer data in the cloud. Developed by the American Institute of CPAs (AICPA), SOC 2 focuses on five key trust service principles: security, availability, processing integrity, confidentiality, and privacy. Unlike its predecessor SOC 1, which is centered on financial reporting controls, SOC 2 is specifically designed to address the needs of technology and cloud computing entities in securing their information systems. Compliance with SOC 2 involves a rigorous audit process, where an independent auditor assesses the extent to which a service provider adheres to these principles based on the design and operational effectiveness of its controls. This certification is crucial for technology companies as it assures clients and stakeholders of the organization's commitment to maintaining a high standard of security and data protection in its operations.

SP 800-53 revision 5
NIST

Description

Special Publication 800-53, developed by the National Institute of Standards and Technology (NIST), is a cornerstone document that provides a comprehensive set of security and privacy controls for federal information systems and organizations in the United States. Part of the Federal Information Processing Standards (FIPS) Publication 200, SP 800-53 is designed to help ensure that federal information systems meet the stringent requirements necessary to protect governmental operations, assets, and individuals against a wide range of threats and risks. The document categorizes security controls into families, such as access control, incident response, and risk assessment, offering a structured approach to selecting and implementing measures based on the system's impact level. Regularly updated to address evolving cybersecurity challenges, SP 800-53 plays a crucial role in guiding federal agencies and their contractors in the development of robust, secure, and resilient information technology infrastructures, thereby safeguarding critical government functions and sensitive data.

SP 800-171 revision 2
NIST

Description

NIST 800-171 Rev 2, developed by the National Institute of Standards and Technology (NIST), is a publication that provides guidelines on protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. This document is particularly crucial for contractors and subcontractors serving the U.S. federal government, as it outlines the requirements for safeguarding sensitive federal information. The guidelines are structured around 14 security requirement families, including access control, incident response, and system and information integrity. NIST 800-171 Rev 2 aims to ensure that sensitive federal information remains confidential and resilient against cyber threats while stored in or transmitted through third-party systems. This standard is pivotal in maintaining the trust and integrity of the supply chain involved in federal operations.

TISAX
ENX

Description

TISAX (Trusted Information Security Assessment Exchange) is a standardized protocol for information security assessments within the automotive industry, developed and governed by the ENX Association. It was designed to ensure a uniform level of information security, data protection, and compliance among automotive manufacturers, suppliers, and service providers. TISAX enables companies to undergo a single assessment that is recognized across the board, thereby reducing the need for multiple audits and fostering a culture of transparency and trust within the industry. This assessment covers a wide range of information security measures, including the protection of sensitive and proprietary data, and aims to facilitate secure collaboration and data exchange. By adhering to TISAX, organizations can demonstrate their commitment to upholding stringent information security standards, thereby gaining a competitive edge and building stronger partnerships within the automotive sector.

CyberSecurity Framework (CSF)
NIST

Description

This version is kept for legacy purposes, as many organizations have structured their program on top of CSF 1.1. The NIST Cybersecurity Framework (CSF), developed by NIST, is an updated guide to improve cybersecurity practices for organizations across all sectors. Building on the original framework, CSF 1.1 provides a flexible and voluntary structure composed of standards, guidelines, and best practices to manage cybersecurity-related risk. It introduces refinements to its core functions—Identify, Protect, Detect, Respond, and Recover—enhancing its applicability to a broader range of cybersecurity threats and business environments. The update emphasizes the importance of cybersecurity risk management within supply chain security and clarifies the usage of authentication, authorization, and identity proofing. By adopting CSF 1.1, organizations can better align their cybersecurity efforts with business needs, manage risks effectively, and foster a proactive cybersecurity culture.

Want to simplify your GRC?

Check out CISO Assistant and see how it can help you manage your cybersecurity and compliance program.
