An open-source listing of cybersecurity technologies mapped to the NIST Cybersecurity Framework (CSF).

Recognizing that the national and economic security of the United States depends on the reliable function of critical infrastructure, an Executive Order in 2013 instructed the National Institute of Standards and Technology (NIST) to create a cybersecurity framework (CSF) for Improving Critical Infrastructure Cybersecurity.

The framework focuses on using business drivers to guide cybersecurity activities. It considers cybersecurity risks as part of the organization’s risk management processes.

It’s a helpful way to relate cybersecurity tools to the NIST CSF capabilities.

NIST isn’t applicable to everyone, but it’s a common way to speak and maps well to other frameworks. It helped me on a few projects, and I hadn’t seen anything like this before in the wild, so I thought others would find it valuable too.

What's not included in the framework is a guide on how to apply technology. There are so many technologies and open-source tools available to achieve the goals of the framework.

Organizations are all complex in different ways. Technology and its implementation require nuance, and results can often vary.

There is no one-size-fits-all or truisms when it comes to technology, other than the fact that every organization needs technology and needs ways to secure their business.

This repository is a starting point to help the community make technology decisions that map to the NIST CSF. It will give you a framework to see how your current tools measure up and see what you may be missing and need to consider.

Looking for a more in-depth analysis of cybersecurity concepts and technologies? Check out Return on Security.

Here are the mappings:

• Markdown Format
• Google Sheets Format

Please feel free to fork and/or add issues/PRs to help make this work better for everyone.
Feel free to challenge categorizations and move things around where it makes sense.
If anyone has a better way to display this, I'm all ears! 👂

infosec, information security, cybersec, cyber security, cybersecurity, netsec, vulnerability, disclosure, hacking
pentest, penetration test, red team, blue team, purple team
nist-to-tech, nist-to-tools, nist tools, nist, nist csf, cybersecurity framework, identify, detect, protect, respond, recover, nist 800-53, 800-53, nist 800-53-ra5