Cybersecurity Frameworks: A Simplified Guide to Compliance
Cybersecurity frameworks provide a structured approach to managing digital risk, improving compliance, and strengthening your organization’s overall security posture. This guide outlines commonly adopted frameworks, compares their relevance across industries, and explores how Tanium supports enterprise compliance efforts through real-time visibility, control, and automation.
UPDATE: This post, originally published on August 1, 2024, has been revised to reflect expanded framework coverage, updated regulatory context, and new guidance on operationalizing cybersecurity standards.
In today’s evolving threat landscape, where attacks are increasingly subtle and sophisticated, cybersecurity frameworks are essential (and in some cases, mandatory) for ensuring the safety and integrity of an organization’s information systems.
These frameworks help IT teams manage risk, apply proven safeguards, and meet compliance requirements, especially in regulated sectors like government, retail, and healthcare.
This blog post will break down what cybersecurity frameworks are, why they matter, and how to choose the right ones for your organization.
You’ll get a side-by-side look at ten of the most widely used standards—from NIST to PCI DSS—and learn how to align them with your risk profile, industry requirements, and compliance goals.
Whether you’re building a security strategy from scratch or refining an existing one, this post will help you cut through the complexity and take confident next steps.
- What are cybersecurity frameworks?
- Cybersecurity framework list: 10 popular standards explained
- Side-by-side comparison of cybersecurity frameworks
- Which framework is best for cybersecurity?
- How do cybersecurity frameworks improve organizational security posture?
- How Tanium helps organizations align with cybersecurity frameworks
- Frequently asked questions about cybersecurity frameworks
What are cybersecurity frameworks?
A cybersecurity framework is a set of guidelines, best practices, and standards designed to help organizations manage and reduce their cybersecurity risks. It provides a common language and structure for aligning IT, security, and compliance teams on risk management objectives, including identifying, protecting, detecting, responding to, and recovering from cyber threats.
Cybersecurity frameworks also serve as a frontline defense, helping protect your most valuable digital assets, from customer data and intellectual property to the systems that keep your business running. In a threat landscape that’s constantly shifting—and where many organizations still lack a consistent approach to evaluating and addressing risk—frameworks provide the structure and confidence you need to stay ahead.
While the benefits are clear, frameworks can also introduce challenges—frequent updates, growing complexity, resource demands, and the need to align with existing data security and risk management practices.
But when implemented thoughtfully, they not only enhance your security posture, but they also bring clarity and consistency to how your organization manages cyber risk.
Understanding the significance of these frameworks is essential. They offer a roadmap for safeguarding critical information and building long-term cyber resiliency by addressing all key aspects of cybersecurity—from governance and risk to detection and response.
Cybersecurity framework list: 10 popular standards explained
Let’s explore ten common cybersecurity standards to understand which frameworks may benefit your organization and why.
- 1. Control Objectives for Information and Related Technology (COBIT)
COBIT is a framework for IT governance and management, including cybersecurity, which aligns IT with business goals while managing risk and compliance.
ISACA, a global professional organization for IT practitioners, developed the Control Objectives for Information and Related Technology, known as the COBIT standard. Rather than prescribing specific technologies, COBIT provides a structured approach to governing and managing enterprise information and technology.
It outlines how organizations can implement governance and management processes by considering stakeholder needs and prioritizing accordingly. The framework includes components such as organizational structures, information flows, and performance metrics. It also reinforces IT security practices by embedding them within broader business objectives. Rather than replacing other cybersecurity standards, COBIT complements them—often serving as a governance layer that supports implementation of frameworks like NIST.
- 2. Cybersecurity Maturity Model Certification (CMMC)
CMMC is a U.S. federal framework ensuring defense contractors secure controlled unclassified information (CUI). It includes three maturity levels and aligns closely with NIST SP 800-171 and SP 800-172.
The Cybersecurity Maturity Model Certification, or CMMC framework, is a U.S. federal security standard designed to protect the Defense Industrial Base (DIB) sector—the global consortium of companies that develop military weapons systems and other technology for the U.S. military—from cyber threats.
[Read also: What DoD contractors need to know about CMMC 2.0 compliance]
Specifically, the CMMC framework is designed to ensure companies developing systems to support U.S. warfighters meet Department of Defense (DoD) cybersecurity requirements that apply to acquisition programs and systems that process CUI. These standards are especially critical for organizations in the defense supply chain, where protecting CUI is essential to national security. The latest version of the CMMC, the CMMC 2.0 program, introduces three core features: a tiered model for cybersecurity standards, streamlined assessment requirements, and contract-based implementation.
CMMC 2.0 also defines three maturity levels, each with increasing cybersecurity requirements based on the sensitivity of the information handled. These levels range from basic cyber hygiene and self-assessments at Level 1 to advanced, government-verified protections for controlled unclassified information at Level 3.
- 3. Federal Information Security Modernization Act (FISMA)
FISMA requires U.S. federal agencies and their contractors to implement information security protections based on risk level.
The original Federal Information Security Modernization Act, referred to as FISMA, was passed in 2002 and requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the agency’s operations and assets, including those provided or managed by another agency, contractor, or other sources. An updated version of the law was passed in 2014.
FISMA outlines a compliance framework that includes:
- Creating an inventory of information systems
- Categorizing systems based on risk level
- Implementing security controls as described in NIST SP 800-53 and in the supplementary standard FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”
Overall, FISMA takes a risk-based approach to protecting information systems. It requires federal agencies to provide “…information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected/maintained by or on behalf of an agency, information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”
- 4. General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) regulation focused on data privacy, control, and protection for E.U. residents.
The General Data Protection Regulation, called GDPR, took effect on May 25, 2018. GDPR requires organizations that handle the personally identifiable information (PII) of E.U. residents to implement strong data privacy and security controls. It also grants individuals the right to access, correct, and request deletion of their personal data. Large organizations must appoint a Data Protection Officer (DPO) to oversee the management of consumer data, ensuring that security controls are in place and organizations can respond to consumer requests in a timely manner. The law also sets forth rules about what data can be collected and how it can be used.
And violating GDPR can be costly. GDPR fines can reach up to 4% of the organization’s global annual revenue or €20 million, whichever is higher.
GDPR was the first sweeping data privacy law in the internet age. It has served as the model for data protection laws and regulations in other regions. For example, the California Consumer Privacy Act, which also passed in 2018, shares many features with GDPR.
[Read also: 10 ways Tanium improves data risk and privacy]
Any organization doing business with E.U. residents must comply with the GDPR. As a result, GDPR has become a de facto standard for data privacy compliance across global enterprises.
Since the law is being used as a model for legislation in other regions, it deserves the attention of companies worldwide. If a company has a cybersecurity program with data management and data security controls in place to comply with GDPR, it’s probably in good shape to comply with other data privacy regulations in other regions or specific industries.
- 5. Health Information Trust Alliance (HITRUST CSF)
HITRUST CSF is a framework for protecting health information that unifies compliance requirements from HIPAA, ISO, and others.
HITRUST is a privately held, for-profit company based in Frisco, Texas. It has created a cybersecurity standard, originally called the HITRUST Common Security Framework, now called HITRUST CSF. HITRUST CSF is a certifiable framework, meaning organizations can undergo a validated assessment by a HITRUST Authorized External Assessor to achieve certification. Certification is issued by third-party assessors, not by HITRUST itself.
The standard aims to streamline compliance with other cybersecurity frameworks, such as HIPAA and ISO/IEC 27000 standards, including ISO/IEC 27001. Despite HITRUST CSF being widely adopted, some cybersecurity professionals consider the framework cumbersome and outdated. However, many healthcare organizations choose to use HITRUST CSF compliance not only to achieve HIPAA compliance but also to implement security controls to minimize vulnerabilities and improve protection against cyber threats, such as malware, phishing, and business email compromise (BEC).
- 6. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA mandates data privacy and security controls to protect patient health information across U.S. healthcare organizations.
The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is an essential cybersecurity standard for the U.S. healthcare industry. It requires that healthcare providers and payers (organizations that pay for healthcare, such as health plan providers, Medicare, and Medicaid) protect the privacy of patients’ personal health information (PHI).
PHI refers to health-related information that can be used to identify an individual and is protected under HIPAA. It includes elements that may also be considered PII, such as names, medical records, or insurance details. The “portability” referred to in the act’s title is the ability for patients to move healthcare records from one provider to another in situations such as changing jobs. To ensure that the privacy of those records isn’t intentionally or accidentally disclosed while being stored or transferred, HIPAA establishes strict requirements for data privacy and security and recommends safeguards such as encryption and access controls, though specific technologies are not mandated. HIPAA’s recommendations aim to promote cybersecurity best practices and minimize the risk of data breaches affecting PII.
Companies that fail to comply with HIPAA can face hefty fines, potentially reaching several million dollars. They might also suffer lasting reputational damage.
In addition to organizational penalties, HIPAA includes civil and criminal penalties for individuals who knowingly misuse PHI, with fines up to $250,000 and potential imprisonment.
- 7. International Organization for Standardization (ISO) 27001, ISO 27002
ISO standards 27001 and 27002 are international standards that take a holistic approach to cybersecurity, emphasizing people, policies, and technology.
ISO 27001 outlines requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). ISO 27002 goes into more specifics, offering best practices and control objectives related to access control, cryptography, human resource security, and incident response.
- 8. National Institute of Standards and Technology (NIST)
NIST develops cybersecurity standards and frameworks that help organizations manage and reduce security risks across sectors.
The National Institute of Standards and Technology is, as its name suggests, the U.S. federal government’s primary agency for issuing standards, including cybersecurity standards, such as:
- NIST Special Publication (SP) 800-53 provides a catalog of security and privacy controls for information systems and organizations, offering fundamental controls for almost any organization’s security program.
- NIST SP 800-171 sets forth security requirements for nonfederal organizations that process controlled unclassified information.
- NIST SP 800-172 complements NIST SP 800-171 with additional requirements for protecting CUI.
- NIST Cybersecurity Framework (CSF) is a security framework intended to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
Beyond the CSF, NIST has published standards for securing everything from federal IT systems to genomic data. Additionally, other cybersecurity frameworks, such as CMMC 2.0, use NIST publications as baselines for establishing security controls. Attacks against critical infrastructure—which includes organizations that provide essential services such as energy, healthcare, and financial services—have increased in recent years. Critical infrastructure organizations should consider adopting the NIST CSF to help improve their cybersecurity postures and defend against these cyberattacks.
Every business can benefit from following NIST guidelines for cybersecurity. One benefit of adopting NIST frameworks is that the agency continues to review and update its standards, taking into account new technologies, security threats, and suggestions from security practitioners.
- 9. Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a standard for protecting credit card data through a comprehensive set of requirements for network, access, and data security.
The Payment Card Industry Security Standards Council (PCI SSC), a global forum dedicated to promoting the security of account data, developed the Payment Card Industry Data Security Standard, or PCI DSS, to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally.
Security is vital to the credit card industry, and PCI DSS is a foundational security policy benchmark for credit card (payment card) processors. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data by organizing its security controls into six groups:
- 1. Build and maintain a secure network and systems
- 2. Protect cardholder data
- 3. Maintain a vulnerability management program
- 4. Implement strong access control measures
- 5. Regularly monitor and test networks
- 6. Maintain an information security policy
Before PCI DSS was adopted, the five major credit card brands—American Express, Discover, JCB, Mastercard, and Visa—each had their own security standards for protecting account data and combating fraud. By adopting a common standard, the payment card industry streamlined compliance for merchants and service providers—avoiding the need for legislation by enforcing security requirements through contractual obligations.
Merchants in sectors like retail and e-commerce that accept credit card transactions must meet the compliance requirements of PCI DSS and often require foundational controls, such as firewalls, encryption, and access management, to secure sensitive data.
How they report their compliance varies based on the volume of credit card transactions they process annually. Merchants who process only a few thousand transactions have different requirements than those who process many millions.
PCI DSS compliance is validated annually through a Self-Assessment Questionnaire (SAQ) or a formal Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA), depending on transaction volume.
- 10. Service Organization Control Type 2 (SOC 2)
SOC 2 is a voluntary cybersecurity framework to ensure service organizations properly store, manage, and secure customer data.
Implemented by the American Institute of Certified Public Accountants (AICPA), SOC 2’s set of guidelines is organized around these five principles:
- 1. Availability
- 2. Confidentiality
- 3. Privacy
- 4. Processing integrity
- 5. Security
When a service organization, such as a commercial company that accepts and processes customer data through a website, wants to demonstrate its responsible handling of that data, it can choose to undergo a SOC 2 audit. If it passes the audit, the organization can assure customers, investors, and others that it has undergone a SOC 2 audit and received an attestation report confirming its controls meet the Trust Services Criteria, proving that it has implemented sufficient cybersecurity risk management controls to minimize the risk of data breaches and other cybersecurity incidents.
To note: The Center for Internet Security, a U.S. nonprofit organization founded in 2000 to “help people, businesses, and governments protect themselves against pervasive cyber threats,” offers a set of controls to help organizations meet CMMC 2.0 requirements.
CIS publishes mappings of its Critical Security Controls v8 to CMMC 2.0. These CIS controls help DIB companies implement the security controls and processes they need for CMMC 2.0 compliance.
Side-by-side comparison of cybersecurity frameworks
As you can see, with so many frameworks available, each with its own focus, requirements, and industry relevance, it can be challenging to determine which one(s) best align with your organization’s needs.
The table below offers a side-by-side comparison of these cybersecurity frameworks to help clarify their purpose, applicability, and key components:
Framework | Best for | Key requirements
---|---|---
COBIT | IT governance and enterprise risk management |
CMMC 2.0 | U.S. DIB contractors |
FISMA | U.S. federal agencies and contractors |
GDPR | Organizations processing E.U. resident data |
HITRUST CSF | Healthcare, finance, and other regulated industries |
HIPAA | Healthcare organizations |
ISO 27001 | Global enterprises across industries |
ISO 27002 | Organizations implementing ISO 27001 controls |
NIST CSF 2.0 | U.S. federal agencies, critical infrastructure, enterprises |
PCI DSS | Retail, e-commerce, and payment processors |
SOC 2 | SaaS providers and service organizations |
While the comparison above offers a helpful snapshot, selecting the most appropriate framework requires a closer look at your organization’s specific needs, risks, and regulatory landscape.
In the next section, we’ll walk through key considerations to help you determine which cybersecurity framework—or combination of frameworks—best aligns with your strategy.
Which framework is best for cybersecurity?
Unfortunately, there’s no one-size-fits-all answer. The right cybersecurity framework depends on your industry, the types of data you handle, your regulatory environment, and your team’s capacity.
To help narrow it down, ask yourself:
- Are we in healthcare, defense, finance, or retail—each with its own compliance mandate?
- Do we handle PHI, CUI, payment card data, or PII that require specific protections?
- Are we subject to international laws like GDPR because we process E.U. resident data?
- Are we required to complete third-party assessments or internal audits regularly?
- Can our team realistically manage and monitor multiple, potentially overlapping frameworks?
Some frameworks, like HIPAA and HITRUST CSF, are specific to a particular industry, such as healthcare, and are often required to meet recognized industry standards for data protection and compliance. Others, like PCI DSS, focus on a particular data type: PCI DSS provides guidelines and best practices for protecting payment card account data but doesn’t address other types of risk. Broader standards like NIST SP 800-53 offer a foundational set of cybersecurity controls that many organizations adopt as a baseline.
Pro tip: Choosing a cybersecurity framework isn’t just about checking boxes—it’s about aligning with your organization’s mission, risk appetite, and operational realities. Many organizations find that blending multiple frameworks offers the flexibility and coverage they need.
How do cybersecurity frameworks improve organizational security posture?
Cybersecurity frameworks provide guidelines that have been developed, refined, tested, and proven over time. They can provide clear directions and benchmarks that organizations can use to direct their cybersecurity efforts and measure the success of those efforts periodically.
They can also help an organization meet essential regulatory requirements and demonstrate to customers, investors, regulators, and others that they take cybersecurity challenges seriously and are actively working to mitigate them.
Cybersecurity frameworks are a top-down approach to cybersecurity. They provide blueprints based on principles such as security and availability and then work out the details of how to support those principles in practice.
A complementary approach to cybersecurity is strengthening security controls from the bottom up, beginning with the endpoints and data employees work with daily.
Having real-time visibility, control, security, and management of all endpoint devices—including desktops, laptops, tablets, servers, and more in your enterprise can help lay the foundation for complying with whatever cybersecurity framework or combination of frameworks you choose to implement. You can support quick threat mitigation and improve your posture by continuously monitoring endpoints across your enterprise for risks.
This is where Tanium comes in.
How Tanium helps organizations align with cybersecurity frameworks
Tanium Autonomous Endpoint Management (AEM) enables organizations to operationalize leading cybersecurity frameworks—such as NIST CSF 2.0, PCI DSS, and CMMC 2.0—by delivering real-time visibility, control, and automation that empowers teams to manage risk, enforce policies, and support compliance efforts at scale.
A core capability within Tanium AEM, Tanium Risk & Compliance provides the technical capabilities that support compliance management across the enterprise. It enables continuous exposure management, automates remediation workflows, and enforces compliance in real time. Together, these capabilities contribute to Tanium AEM’s role as a unified platform that bridges security operations and governance—delivering a single source of truth for endpoint data and enabling coordinated action across operational, security, and compliance efforts.
Through seamless integration with platforms like Microsoft Intune, Entra ID, and ServiceNow, Tanium extends its real-time visibility and automation to support conditional access enforcement, provide real-time device risk signals, and streamline incident response and remediation workflows.
While these capabilities sound powerful in theory, they’re even more compelling in practice. Let’s take a look at how professional services firm JLL brought these capabilities to life while modernizing its cybersecurity framework with Tanium.
Customer case study: How Tanium and Microsoft Defender for Endpoint helped JLL modernize its cybersecurity framework
With regulatory demands on the rise, many organizations are rethinking their cybersecurity strategies to balance operational efficiency with compliance readiness. JLL is one such organization that successfully modernized its cybersecurity framework by integrating Tanium and Microsoft Defender for Endpoint. This transformation not only gave JLL real-time visibility into threat activity across nearly 100,000 endpoints, but it also enabled the company to shift from reactive to proactive security operations by introducing threat hunting and more advanced preventive measures.
By implementing Microsoft 365 E5, JLL gained advanced security capabilities that, when combined with Tanium’s visibility and control, strengthened the depth and quality of its security controls. This alignment with the joint Microsoft and Tanium roadmap positioned JLL to meet its long-term cybersecurity needs with a future-proof strategy.
To see how this transformation unfolded—and the impact it had on JLL’s security posture—you can watch the video below and explore the complete case study.
Frequently asked questions about cybersecurity frameworks
Cybersecurity frameworks can be complex, especially when navigating overlapping standards and evolving compliance requirements.
To help clarify some of the most common points of confusion, we’ve compiled a quick FAQ below.
What is the difference between NIST and CMMC?
NIST provides broad cybersecurity guidance applicable across sectors, while CMMC specifically applies to DoD contractors and enforces compliance through third-party audits.
Is HIPAA a cybersecurity framework?
Kind of. HIPAA is a healthcare privacy law that incorporates a cybersecurity framework through its Security Rule. It defines standards for protecting PHI and outlines the administrative, physical, and technical safeguards required of healthcare organizations.
What about MITRE ATT&CK?
The MITRE ATT&CK Framework is a powerful knowledge base of adversary tactics and techniques. It is not a regulatory or compliance framework, but rather a threat modeling tool used to enhance detection, response, and simulation strategies.
It complements traditional frameworks like NIST and ISO by helping security teams detect, respond to, and simulate threats more effectively. Many organizations use ATT&CK to enhance threat modeling and incident response planning.
What is the most widely adopted cybersecurity framework?
The NIST CSF is consistently ranked as the most valuable cybersecurity framework by industry professionals, recognized for its flexibility, adaptability, and alignment with risk management and compliance goals.
Is there a risk analysis framework in cybersecurity?
While most cybersecurity frameworks emphasize controls and compliance, the FAIR (Factor Analysis of Information Risk) model offers a different lens for quantifying cyber risk in financial terms.
It’s not a compliance framework, but rather a risk analysis methodology that helps organizations prioritize investments and articulate risk in business terms.
Can organizations follow more than one framework?
Absolutely. Many organizations adopt and combine multiple frameworks to address overlapping requirements for compliance, security, and operational resilience.
Navigating cybersecurity frameworks doesn’t have to be overwhelming. Whether you’re aligning with NIST CSF 2.0, preparing for CMMC 2.0, or managing multiple requirements, Tanium helps unify and streamline your efforts—without sacrificing visibility or control.
Want to simplify compliance and strengthen your security posture? Schedule a free demo to see how Tanium can help your team take the next step.