The Center for Threat-Informed Defense (Center) just released a set of mappings between MITRE ATT&CK® and NIST Special Publication 800-53 with supporting documentation and resources. These publicly available mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base and provide a foundation for integrating ATT&CK-based threat information into the risk management process.
In collaboration with Center participants, AttackIQ, the Center for Internet Security, and JPMorgan Chase, the Center recognized that there was not only a need for mappings for NIST 800-53, but an opportunity to work collaboratively and advance threat-informed defense with the global community. With over 6,300 individual mappings between NIST 800-53 and ATT&CK, we believe that this work will greatly reduce the burden on the community—allowing organizations to focus their limited time and resources on understanding how controls map to threats in their environment.
A new post by Tiffany Bergeron and Jon Baker describes the work in detail.
Center for Threat-Informed Defense Releases Security Control Mappings to MITRE ATT&CK®