Cybersecurity Controls Management Framework (CCMF)
Building Trust, One Control at a Time.
ISAUnited’s Cybersecurity Controls Management Framework (CCMF) delivers a structured, engineering-first approach to cybersecurity controls. Through five focused modules, practitioners learn how to justify, map, place, and continually improve mandatory CAE controls within the Defensible 10 Standards (D10S). Each module builds on the last—from learning the fundamentals, to applying Threat-Driven justification with TADA, to closing design gaps with Architectural Gap-Driven methods, and finally to ensuring accountability and continuous improvement with RACI and V&V.
Explore the modules below to start applying controls that are threat-informed, architecture-anchored, and operationally defensible.
Mastering Cybersecurity Controls
When adopting, designing, and maintaining cybersecurity architectures, practitioners must rely on mandatory, defensible controls to achieve comprehensive protection against threats and vulnerabilities. Under ISAUnited’s Cybersecurity Controls Management Framework (CCMF), every control is justified, mapped, and validated within the Defensible 10 Standards (D10S). These controls are not optional checklists or best-practice suggestions—they are the required foundation of a defensible security posture. By applying Threat-Driven justification (TADA) and Architectural Gap-Driven justification (IDA, CDMs, CECs), practitioners ensure that all controls are evidence-based, architecturally sound, and operationally effective.
Unified Security
Included are ISAUnited's Security Architecture Designs - 5 Key Responsibilities.

Module 1 — Control Fundamentals (Block & Plug + Triad)
Focus: Speak “controls” like an engineer, not a checkbox.
Overview
- Block vs Plug model (prevent, detect, correct) and the CIA triad
- Standards vs controls the ISAUnited way: Foundational Standards (NIST/ISO) vs Technical Standards (D10S) → actual controls
- Where technical controls live in real systems (quick firewall demo)
Module 2 — Controls Frameworks & the Threat Landscape
Focus: Make controls threat-informed and standards-anchored.
Overview
- Threat frameworks adopted by ISAUnited: Mandiant Targeted Attack Lifecycle, Lockheed Martin Cyber Kill Chain, and MITRE ATT&CK (tactics/techniques)
- How D10S organizes actionable technical controls to implement defenses in practice
Module 3 — Justification: Threat-Driven (TADA)
Focus: Prove a control is needed using adversary evidence.
Overview
- ISAUnited Technical Adversarial & Defensible Analysis (TADA) method: Rapid STRIDE → ATT&CK TTP mapping → Mitigation evaluation → Defensibility check (D10S alignment)
- STRIDE (adopted Microsoft model)—used fast and light for scoped threat modeling
Module 4 — Justification: Architectural Gap-Driven
Focus: Close missing patterns in design with defensible architecture.
Overview
- ISAUnited architecture methods: IDA (Defensible Architecture), CDMs (Cybersecurity Design Models), CECs (Cybersecurity Engineering Concepts)
- Architect view (CDMs): outside-in and follow-the-data modeling
- Engineer view (CECs): components, integrations, encryption, and systems-of-systems
- TBMs (Tactical Battle Maps) to show where controls live and why
Module 5 — Roles, RACI & Continuous Improvement
Focus: Make controls persistent, owned, and improved.
Overview
- RACI for controls (Architect, Engineer, IT Ops, Compliance, Leadership)
- V&V (Verification & Validation) and operationalizing checks as policy/code
- Annual D10S open season & sub-standard refresh cycles

Library
Publications
ISAU Library is your platform for the latest in security architecture design and practice. This core collection covers all technical areas of security architecture. ISAU’s Library includes:
- Foundational and Technical Standards
- E-books
- Journals
- Manuals and Reports
- and more.
ISAU continues to respond to practitioners’ needs for reliable professional tools. We will continue to share updates on our standards transformation.
Join our community today!