🚧 Early alpha — building the foundation. See the roadmap →

Framework standards & tools

Updated Apr 10, 2026

NIST ecosystem

Cybersecurity Framework (CSF) 2.0

High-level cybersecurity outcomes organized as Function → Category → Subcategory. The foundational framework that most others map to.

SP 800-53 Rev. 5

Detailed security and privacy controls catalog. Family → Control → Enhancement structure with ~1000+ items.

OSCAL (Open Security Controls Assessment Language)

Machine-readable format for security controls in JSON/XML. Enables automated compliance workflows.

OLIR (Online Informative References)

NIST’s official framework crosswalk program — the authoritative source for how frameworks map to each other.

NIST CPRT (Cybersecurity and Privacy Reference Tool)

Interactive tool for browsing frameworks with cross-references.

CPRT Filters

IR 8477

“Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines” — the theoretical foundation for how NIST approaches framework crosswalking.

IR 8477 Publication

NIST RMF Database

Community tool for searching risk management controls.

RMF Database

MITRE frameworks

ATT&CK

Adversary tactics and techniques. Tactic → Technique → Sub-technique.

D3FEND

Defensive countermeasures mapped to ATT&CK techniques.

ENGAGE

Cyber denial and deception framework.

RE&CT

Response framework for incident handling.

RE&CT

Center for Threat-Informed Defense

MITRE Engenuity’s research center produces critical mapping resources:

Mappings Explorer — browse all cross-framework mappings (about)
ATT&CK Control Framework Mappings — NIST 800-53 ↔ ATT&CK
NIST 800-53 Control Mappings
Sensor Mappings to ATT&CK
ATT&CK to CVE Mappings
Top ATT&CK Techniques Calculator
Attack Flow — visualize attack sequences
TRAM (Threat Report ATT&CK Mapper)
Insider Threat TTP Knowledge Base
Atomic Red Team Coverage — technique testing

Detection engineering & threat operations

DeTT&CT — detection gap analysis against ATT&CK
Atomic Red Team — technique testing coverage
Enterprise Purple Teaming Resources
Diamond Model for Threat Intelligence
Cyber Kill Chain — analysis tools

Application security frameworks

OWASP SAMM — Software Assurance Maturity Model (mappings)
OWASP Top 10 — web application security risks
NIST SSDF — Secure Software Development Framework
SAMM-to-SSDF Mapping
Atomic Threat Coverage — detection engineering framework

Other frameworks

CREF (Cyber Resilience Engineering Framework) — NIST resilience engineering
NICE Framework — Cybersecurity Workforce Education Framework
NIST Privacy Framework
NIST Applied Cybersecurity
Privacy Engineering Collaboration Space

CIS Controls v8

18 controls with 153 safeguards, organized by Implementation Group (IG1/IG2/IG3).

CRI Profile v2.0

The Cyber Risk Institute’s meta-framework for financial institutions. Maps to NIST CSF, FFIEC CAT, CISA CPG, and other standards.

CRI Profile
Function → Category → Subcategory → Diagnostic Statement structure

Mapping tools & platforms

Secure Controls Framework (SCF)

Open framework with Set Theory Relationship Mapping (STRM) — a mathematical approach to framework crosswalking.

CISO Assistant

Open-source GRC tool supporting 80+ frameworks with auto-mapping.

GitHub
Decoupling principle enables framework reuse
API-first architecture

Commercial tools

Apptega — framework crosswalking platform
HITRUST MyCSF — compliance framework tool
RegScale — OSCAL-native compliance automation
DRT Confidence — OSCAL tooling
Unified Compliance — common controls hub

Financial sector

FFIEC CAT

Federal Financial Institutions Examination Council Cybersecurity Assessment Tool.

Enterprise Risk Management

NIST IR 8286 (Integrating Cyber into ERM)

FFIEC additional resources

Technical configuration mapping

The STIG ↔ NIST problem

Mapping technical security configurations (STIGs, benchmarks) to control frameworks is a key workflow for security engineers:

DISA STIGs — Security Technical Implementation Guides
DISA CCI List — Control Correlation Identifiers (bridge between STIGs and NIST 800-53)
STIG Compilations — bundled STIG packages
CCI List Rev 5 — updated for 800-53 Rev 5

SCAP (Security Content Automation Protocol)

Machine-readable format for expressing security configuration checklists:

SCAP Project
Security Configuration Settings
NIST Checklist Repository — national checklist database

RMF (Risk Management Framework)

About RMF
RMF Database — community search tool
RMF Implement Step FAQ

Automated STIG-to-NIST mapping

OpenRMF — open-source tool that auto-relates NIST controls to DISA STIG checklists
OpenRMF GitHub

OSCAL ecosystem (expanded)

Core tools

NIST OSCAL GitHub — official repository
OSCAL Registry — document registry
OSCAL Viewer — browse catalogs
OSCAL Resources
oscal.io — community portal

OSCAL-compatible tools

CIS Controls in OSCAL — CIS v8 in OSCAL format
SCKG — Security Controls Knowledge Graph
awesome-oscal — curated OSCAL resources
EasyDynamics OSCAL — OSCAL development tools
RegScale — OSCAL-native compliance platform
DRT Confidence — OSCAL tooling
OpenRMF — open-source RMF/OSCAL tool
CyberESI OSCAL-CPRT — OSCAL catalog project

Audit & compliance tools

Open source

OpenRMF — STIG management + NIST control mapping
Chef InSpec — infrastructure compliance testing
OpenSCAP — SCAP-based security scanner (tools)
Lynis — Linux/macOS security auditing
CISO Assistant — GRC with 80+ frameworks

Enterprise platforms

RegScale — OSCAL-native, engineer-focused
DRT Confidence — OSCAL tooling
Vanta — automated compliance
Drata — automated security compliance
AuditBoard — audit management
Hyperproof — compliance operations
Secureframe — SOC 2 / ISO 27001 automation
Sprinto — continuous compliance
Strike Graph — cybersecurity compliance SaaS