SANTA CLARA, Calif. — AttackIQ announced that its Security Optimization Platform can test the NIST 800-53 family of security controls against the MITRE ATT&CK framework, measuring security control effectiveness and providing security teams with real data about compliance. In addition to NIST 800-53 compliance, the platform can now test security controls under the U.S. Department of Defense Cybersecurity Maturity Model (CMMC).
In making these product innovations, AttackIQ is building on the work of MITRE Engenuity’s Center for Threat-Informed Defense, which released an important body of research mapping the MITRE ATT&CK matrix to the NIST 800-53 family of security controls. As a result, security leaders can now align the known threat behaviors of ATT&CK to measure and test security effectiveness against NIST 800-53. AttackIQ uses this research to provide organizations with increased certainty about their compliance effectiveness with NIST 800-53 and the DoD CMMC.
“The center was created to accelerate innovation in threat-informed defense across the global cybersecurity community,” said Richard Struse, director of the Center for Threat-Informed Defense. “Our members saw the clear value to the cybersecurity community in aligning ATT&CK to security control frameworks, such as NIST 800-53, and we’re pleased to make these mappings freely available.”
AttackIQ leverages research from the Center for Threat-Informed Defense for its customers and the broader cybersecurity community.
“Our close partnership with MITRE and the Center for Threat-Informed Defense has allowed us to stay informed of emerging best practices in cybersecurity,” said Brett Galloway, CEO of AttackIQ. “This research helps organizations close the loop between ATT&CK and NIST 800-53.”
In conjunction with the release of the center’s research, AttackIQ introduced a new AttackIQ Academy course, “Uniting Threat and Risk Management with NIST 800-53 & MITRE ATT&CK,” and created a CISO’s Guide to NIST Security Control Compliance.