Framework landscape
Major frameworks
NIST SP 800-53 Rev. 5
- Authored by: NIST
- Structure: Family > Control > Enhancement
- Example: AC (Access Control) > AC-2 (Account Management) > AC-2(1)
- Size: ~1000+ controls including enhancements
- Format: Available as CSV, XLSX, OSCAL XML/JSON
- Links: Related controls, assessment procedures
NIST Cybersecurity Framework (CSF) 2.0
- Authored by: NIST
- Structure: Function > Category > Subcategory
- Example: Protect (PR) > Identity Management (PR.AA) > PR.AA-01
- Size: ~100 subcategories
- Crosswalks: Maps to 800-53, CIS, ISO 27001
CIS Controls v8
- Authored by: CIS (Center for Internet Security)
- Structure: Control > Safeguard > Implementation Group
- Example: Control 1 > 1.1 (Establish asset inventory) > IG1
- Size: 18 controls, 153 safeguards
- Crosswalks: Maps to NIST CSF, 800-53
MITRE ATT&CK
- Authored by: MITRE
- Structure: Tactic > Technique > Sub-technique
- Example: Execution (TA0002) > T1059 (Command Scripting) > T1059.001 (PowerShell)
- Size: ~200 techniques with sub-techniques
- Related: D3FEND (defensive), ENGAGE (deception). Maintained crosswalks to NIST 800-53 via CTID.
CRI Profile v2.0
- Authored by: CRI (Cyber Risk Institute)
- Structure: Function > Category > Subcategory > Diagnostic Statement
- Size: Comprehensive financial sector framework
- Crosswalks: NIST CSF, FFIEC, CISA CPG
Data format patterns
| Framework | ID Pattern | Hierarchy depth |
|---|---|---|
| NIST 800-53 | AC-2, AC-2(1) | 3 (family/control/enhancement) |
| NIST CSF | PR.AA-01 | 3 (function/category/subcategory) |
| CIS v8 | 1.1, 1.2 | 2-3 (control/safeguard/IG) |
| MITRE ATT&CK | T1059, T1059.001 | 2-3 (tactic/technique/sub) |
Understanding these patterns informs column type detection and auto-mapping.
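As an added illustration of what "column type detection" means in practice (this is example code written for this page, not Crosswalker's own implementation), the following Python classifier turns the ID patterns from the table above into regular expressions, parses a single cell into its hierarchy path, and classifies a whole spreadsheet column by majority vote. The regexes, the `ControlRef` type and the function names are assumptions derived from the examples on the page; the sample column at the bottom is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ControlRef:
    framework: str   # framework name as used in the table on this page
    path: tuple      # hierarchy path from the top-level ID down, e.g. ('AC', 'AC-2', 'AC-2(1)')

    @property
    def depth(self) -> int:
        return len(self.path)

    @property
    def parent(self) -> Optional[str]:
        return self.path[-2] if len(self.path) > 1 else None


# Path builders turn regex groups into the chain of parent IDs.
# Each may return None to reject a value the regex matched too loosely.
def _path_nist_80053(m):          # AC-2(1) -> AC, AC-2, AC-2(1)
    family, control, enhancement = m.groups()
    path = [family, f"{family}-{control}"]
    if enhancement:
        path.append(f"{family}-{control}({enhancement})")
    return tuple(path)


def _path_nist_csf(m):            # PR.AA-01 -> PR, PR.AA, PR.AA-01
    function, category, subcategory = m.groups()
    path = [function, f"{function}.{category}"]
    if subcategory:
        path.append(f"{function}.{category}-{subcategory}")
    return tuple(path)


def _path_attack(m):              # T1059.001 -> T1059, T1059.001 ; TA0002 -> TA0002
    prefix, number, sub = m.groups()
    if prefix == "TA" and sub:    # tactics have no sub-techniques
        return None
    # A technique ID does not encode its tactic (a technique can sit under several),
    # so the path derived from the ID alone starts at the technique.
    path = [f"{prefix}{number}"]
    if sub:
        path.append(f"{prefix}{number}.{sub}")
    return tuple(path)


def _path_cis(m):                 # 1.1 -> 1, 1.1 (the IG is not part of the ID)
    control, safeguard = m.groups()
    path = [control]
    if safeguard:
        path.append(f"{control}.{safeguard}")
    return tuple(path)


# Ordered list of (framework, regex, path builder). The regexes are assumptions
# derived from the ID examples on the page and are matched against a stripped,
# upper-cased cell. A bare two-letter code ("AC", "PR") is deliberately not
# matched: it is ambiguous between an 800-53 family and a CSF function.
ID_PATTERNS = [
    ("NIST 800-53", re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$"), _path_nist_80053),
    ("NIST CSF", re.compile(r"^([A-Z]{2})\.([A-Z]{2})(?:-(\d{2}))?$"), _path_nist_csf),
    ("MITRE ATT&CK", re.compile(r"^(TA|T)(\d{4})(?:\.(\d{3}))?$"), _path_attack),
    ("CIS v8", re.compile(r"^(\d{1,2})(?:\.(\d{1,2}))?$"), _path_cis),
]


def parse_control_id(raw: str) -> Optional[ControlRef]:
    """Parse one spreadsheet cell into a ControlRef, or None if no pattern fits."""
    value = (raw or "").strip().upper()
    for framework, pattern, build in ID_PATTERNS:
        m = pattern.match(value)
        if m:
            path = build(m)
            if path:
                return ControlRef(framework, path)
    return None


def detect_column(values: Iterable[str]) -> Tuple[Optional[str], float]:
    """Classify a column by the framework most of its IDs belong to.

    Returns (framework, share of non-empty cells that parsed as that framework),
    so a caller can set a confidence threshold before auto-mapping.
    """
    cells = [v for v in values if v and v.strip()]
    if not cells:
        return None, 0.0
    counts = Counter()
    for v in cells:
        ref = parse_control_id(v)
        if ref:
            counts[ref.framework] += 1
    if not counts:
        return None, 0.0
    framework, n = counts.most_common(1)[0]
    return framework, n / len(cells)


if __name__ == "__main__":
    # Constructed sample column, as it might appear in an exported control spreadsheet.
    sample = ["AC-2", "AC-2(1)", "", "ac-3", "n/a"]
    for cell in sample:
        print(repr(cell), "->", parse_control_id(cell))
    print(detect_column(sample))
```

The returned share, not just the winning framework, is what matters for auto-mapping: a column where only half the non-empty cells parse is more likely a free-text "reference" column than a clean ID column, and should be surfaced for review rather than mapped silently.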
Version history
Frameworks change — see framework versioning for deep coverage and ontology evolution for the general problem.
| Framework | Current Version | Last Major Change | Migration Docs |
|---|---|---|---|
| NIST CSF | 2.0 | Feb 2024 (added GOVERN function) | Transition spreadsheet |
| NIST 800-53 | Rev 5 Update 1 | Sep 2020 (65 new controls, 2 new families) | Comparison workbook |
| MITRE ATT&CK | v16.x | Biannual (Apr/Oct), sub-techniques Jul 2020 | Versions archive |
| CIS Controls | v8.1 | May 2021 (20→18 controls) | Change log |
| CRI Profile | v2.1 | Feb 2024 (added Extend function) | v2.0 mapping |
| MITRE D3FEND | Ongoing | Continuous ontology updates | D3FEND Resources |
Real-world adoption: CRI Profile
From an FS-ISAC Spring Summit 2024 session on adopting CRI Profile v2.0:
Implementation challenges
- Scale: The CRI Profile is a massive spreadsheet with hundreds of diagnostic statements across multiple mapping sheets
- Tooling gap: Organizations like Sallie Mae adopted CRI using tools like Axio, but many still rely on large Excel files
- SaaS demand: Strong demand for SaaS solutions that can handle CRI’s complexity without manual spreadsheet management
Mapping complexity
- CRI maps to NIST CSF, FFIEC CAT, CISA CPG, and other financial-sector standards
- Organizations need to maintain continuous compliance across all mapped frameworks simultaneously
- Evidence collection must link back to specific diagnostic statements — exactly what Crosswalker’s typed-link system is designed for
Maturity assessment
- CRI provides a maturity model for assessing control implementation
- GRC policy alignment requires mapping organizational policies to CRI framework categories
- The assessment process is iterative — not a one-time mapping but ongoing evidence management
Additional frameworks
OWASP Top 10
Application security risks — relevant for AppSec teams mapping to broader frameworks.
DETT&CT
Detection and analytics framework building on MITRE ATT&CK.
Cyber Kill Chain
Lockheed Martin’s attack lifecycle model — commonly referenced alongside ATT&CK.
Diamond Model
Threat intelligence framework for analyzing cyber intrusions — complements ATT&CK’s technique focus.
See framework standards for complete links and resources.