OWASP Cyber Controls Matrix (OCCM)

OWASP Incubator Project Release License


Click here to be notified of OCCM news and releases !


OCCM Logo Banner


Solve the problem of multiple cyber standards by consolidating them, reducing timelines and effort by months. The OCCM does this and much more!


Description

The OWASP Cyber Controls Matrix (OCCM) is an innovation in the mapping of cyber controls across different control sets, frameworks, and standards for the purposes of increased knowledge, greater efficiency, and shortened timelines.


Use Cases

  • Implementing cyber controls.
    • Knowledge | Levels of Detail | Relevance
  • Implementing two or more cyber control sets / frameworks.
    • Consolidation | Knowledge | Levels of Detail | Relevance | Growth
  • Research and education on cyber topics.
    • Knowledge | Cyber Taxonomy | Levels of Detail | Relevance | Growth
  • Integration into cyber products.
    • Consolidation | Knowledge | Cyber Taxonomy | Levels of Detail | Relevance | Growth

Consolidation

Most organizations today must comply with two or more standards in their quest for enhanced Cybersecurity and compliance. This has traditionally been a very linear process, but the OCCM transforms it into a much more parallel one by de-duplicating effort, which can reduce project duration and effort by months. The OCCM means less time implementing, less time documenting, better results, and no more backtracking.

Knowledge

Supercharging Cybersecurity knowledge, the OCCM points cyber analysts to the guidance, insights, references, and best practices available across all standards. This greatly improves understanding of how to implement and document controls, resulting in improved security and improved audit outcomes. Gaps between standards are identified, enabling more comprehensive implementations. Costly mistakes are avoided thanks to visibility of other standards, ensuring that decisions also satisfy future security needs, not just the immediate ones.

Cyber Taxonomy

There is a multi-level cyber taxonomy at the core of the OCCM, to which all the control relationships are normalized. As a result, the mappings are more consistent, objective, organized, and reliable. No more vague groupings of controls or mysterious “black box” mappings. In the OCCM, it is clear how and why each control is related. Furthermore, the OCCM Cyber Taxonomy facilitates easy research of cyber topics and objectives across all standards.

Levels of Detail

Controls in the OCCM are included at all available levels and each of those controls is normalized to three separate levels of detail in the OCCM Cyber Taxonomy. Audit checks are also supported. This ensures a comprehensive mapping that dives deep into the control set / framework, versus the surface mappings common in the industry that only indicate top-level controls.

Every Control entry in the OCCM is given one Control Level and is assigned one or more groups of High Level, Medium Level, and Low Level Topics in the OCCM Cyber Taxonomy.

  • Control Levels for Each Control

    • Control Families / Headings
    • Top-Level Controls
    • Sub-Controls
    • Enhancements
    • etc.

  • Mapping Levels of Detail for Each Control
    (the examples below refer to a Control stating “Ensure there is a Disaster Recovery (H) Policy (M) that identifies Roles and Responsibilities (L) and Mission-Critical Environments (L).”)

    • High Level Topics (Areas)
      • ex. “Disaster Recovery”
    • Medium Level Topics (Objects)
      • ex. “Policy”
    • Low Level Topics (Targets)
      • ex. “Roles and Responsibilities”
      • ex. “Mission-Critical Environments”

Relevance

Control relationships in the OCCM are directly mapped and viewable at the three separate levels of detail, resolving the fundamental issues of too-strict or too-loose mapping. Each individual control in the OCCM relates directly to other controls (“one-to-many”), instead of the common industry practice of grouping controls together (“many-to-many”). This common practice results in a handshake problem, where every control in group “A” is mapped to every other control in group “B”.

For example, the group mapping “A1, A2, A3, A4, A5 -> B1, B2, B3, B4, B5” generates 25 total relationships! This requires analysis of 5 relationships per “A” control, some of which may have little to no direct relevance.

Using the OCCM, this example can be greatly simplified and reduced to…

  • High Level Mapping    “A1 -> B1, B2, B3”  [3 relationships]
  • Medium Level Mapping  “A1 -> B1, B2”      [2 relationships]
  • Low Level Mapping     “A1 -> B1”          [1 relationship]

Growth

The OCCM has been designed with the principles of easy contribution, accelerated growth, and continuous improvement. Once a new control is added and normalized, it is automatically mapped to every other control across all standards. There is no longer a need for an analyst to search for a mapping between two different standards or create their own. Every standard in the OCCM is automatically mapped to every other standard, exponentially increasing its scope.
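As an added illustration of the Levels of Detail, Relevance, and Growth sections above (example code written for this page, not the OCCM project's own schema or code), the following Python normalizes a handful of constructed controls to (High, Medium, Low) taxonomy paths, derives A1's one-to-many relationships at each level against the 25-relationship group mapping, and shows a newly normalized control being mapped with no hand-written relationships. The matching rule (two controls relate at a level when they share a taxonomy path truncated to that level), the sample control sets, and all control IDs other than A1 and B1..B5 are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed, simplified model of the OCCM idea (not the project's own code):
# each control is normalized to one or more (High, Medium, Low) topic paths in
# a taxonomy. Matching rule assumed here for illustration only: two controls
# relate at a level when they share a taxonomy path truncated to that level.

TopicPath = Tuple[str, str, str]  # (High Level Area, Medium Level Object, Low Level Target)
DEPTH = {"High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Control:
    control_set: str            # stands in for a standard, e.g. "A" or "B"
    control_id: str             # e.g. "A1"
    control_level: str          # e.g. "Top-Level Control", "Sub-Control"
    topics: FrozenSet[TopicPath]


def topic_keys(control: Control, level: str) -> set:
    """Taxonomy paths truncated to High (1), High+Medium (2) or full (3)."""
    return {path[: DEPTH[level]] for path in control.topics}


def map_control(source: Control, catalog: List[Control], level: str) -> List[str]:
    """One-to-many: IDs of controls in other sets sharing a taxonomy path
    with `source` down to the requested level of detail."""
    keys = topic_keys(source, level)
    return sorted(c.control_id for c in catalog
                  if c.control_set != source.control_set and topic_keys(c, level) & keys)


def build_matrix(catalog: List[Control]) -> Dict[Tuple[str, str], List[str]]:
    """Every control mapped to every other control at every level. Adding a
    normalized control extends the matrix without any hand-written mapping."""
    return {(c.control_id, lvl): map_control(c, catalog, lvl) for c in catalog for lvl in DEPTH}


def group_mapping_count(group_a: List[str], group_b: List[str]) -> int:
    """Relationship count of the many-to-many 'group A -> group B' practice."""
    return len(group_a) * len(group_b)


# Constructed sample catalog built around the page's example control:
# "Ensure there is a Disaster Recovery (H) Policy (M) that identifies
# Roles and Responsibilities (L) and Mission-Critical Environments (L)."
DR, POL, PLAN, ROLES = "Disaster Recovery", "Policy", "Plan", "Roles and Responsibilities"
CATALOG = [
    Control("A", "A1", "Top-Level Control",
            frozenset({(DR, POL, ROLES), (DR, POL, "Mission-Critical Environments")})),
    Control("B", "B1", "Top-Level Control", frozenset({(DR, POL, ROLES)})),
    Control("B", "B2", "Sub-Control", frozenset({(DR, POL, "Review Frequency")})),
    Control("B", "B3", "Sub-Control", frozenset({(DR, PLAN, "Recovery Time Objective")})),
    Control("B", "B4", "Top-Level Control", frozenset({("Access Control", POL, "Least Privilege")})),
    # B5 shares the Low target "Roles and Responsibilities" but under a different
    # High area, so it must not match A1 at any level.
    Control("B", "B5", "Top-Level Control", frozenset({("Incident Response", PLAN, ROLES)})),
]


def a1_mapping(catalog: List[Control] = CATALOG) -> Dict[str, List[str]]:
    """A1's relationships per level; reproduces the page's 3 / 2 / 1 example."""
    a1 = next(c for c in catalog if c.control_id == "A1")
    return {lvl: map_control(a1, catalog, lvl) for lvl in DEPTH}


if __name__ == "__main__":
    a_ids, b_ids = ["A1", "A2", "A3", "A4", "A5"], ["B1", "B2", "B3", "B4", "B5"]
    print("group mapping:", group_mapping_count(a_ids, b_ids), "relationships")  # 25
    for lvl, ids in a1_mapping().items():
        print(f"{lvl:6} level: A1 -> {', '.join(ids)}  [{len(ids)} relationships]")
    # Growth: a newly normalized control from a third set is mapped automatically.
    c1 = Control("C", "C1", "Top-Level Control", frozenset({(DR, POL, ROLES)}))
    print("C1 Low level ->", build_matrix(CATALOG + [c1])[("C1", "Low")])  # ['A1', 'B1']
```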


Industry Perspectives

"Complying with multiple cybersecurity frameworks is one of the top challenges we’ve heard from our Member organizations."
(Center for Internet Security, 3/2020)

"... multiple frameworks are often needed, but the task of managing them becomes almost impossible to implement."
(CSO Online, 7/2010)

"One major challenge compliance teams ran into again and again is that they tended to do a lot of duplicative work in order to meet multiple regulatory standards."
(Hyperproof, 3/2020)

"Pursuing multiple frameworks at the same time can overwhelm founders, especially without expert guidance."
(Laika, 1/2020)

"Between 2010 and 2020, hundreds of new cyber regulations, rules, or standards were introduced. This explosion of interest in cybersecurity from regulators has required nearly 98% of companies to comply with two or more cyber compliance standards, while nearly 70% are subject to compliance with more than five."
(Coalfire, 5/2020)


From the Creator / Project Leader

“The capabilities of the OWASP Cyber Controls Matrix are something I have wanted to see my entire career. It is my honor to create it and give it to the entire Cybersecurity industry as an open-source OWASP project. Per the license, I encourage commercial products, non-commercial products, and cyber practitioners to fully incorporate it and contribute back to the project. First and foremost, the OCCM is a community driven effort. All submissions, ideas, promotion, and discourse are greatly appreciated. Thank you for your support!”
      – Eric Bragger (LinkedIn) (Email)


Contributions

Contributions to the OCCM are welcome and appreciated.

Contributors acknowledge that by contributing, copyright for all contributions will be transferred in full to the OWASP Foundation, Inc, the OCCM Creator, and the OCCM Project Leader. Please see the Legal section for further details.


Core Team

Eric Bragger (LinkedIn) (Email) [Creator / Project Leader]


Contributor List

Your Name Here (Your URL Here)


Membership, Donations, and Sponsorship

Please indicate the OWASP Cyber Controls Matrix in membership, donation, and sponsorship comments if you wish to specifically and directly support this project. General contributions to the OWASP Foundation will also support this project and others like it.

All OWASP Projects are run and developed by volunteers and rely on individual memberships, personal donations, and corporate memberships / sponsorships to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral and focused on applying the collective wisdom of some of the best minds in Cybersecurity worldwide.

The OWASP Foundation, Inc. is a non-profit 501(c)(3) charitable organization. Some financial contributions may qualify for a tax deduction. Consult with a tax professional for details.


For any questions regarding this section, send an email to: [email protected]

Image Use

Images created or taken from the OWASP Cyber Controls Matrix (OCCM), OCCM content, and this website may be used if the following attribution is given beneath the image or in the image caption: “Image credit https://cybercontrolsmatrix.com”. If the image content has been modified (excluding size, color, positioning, and formatting changes) or added to other content, the following attribution must be given instead: “Adapted from https://cybercontrolsmatrix.com”.

Required Attribution

Per the open license, all of the paragraphs within the License, Copyright & Trademarks, and Disclaimer & Limitations sections must be included as full attribution – including the links in parentheses, as functional or non-functional – with, but not limited to: any written / electronic distribution, creation, content, output, or product; documentation; repository; webpage; software; or any other distribution, creation, content, output, or product that incorporates any part or whole of the OWASP Cyber Controls Matrix (OCCM) or associated content.

Partial exception is made for online postings and blog entries (personal or commercial), whose attribution must at minimum make mention of the “OWASP Cyber Controls Matrix (OCCM)”. Mention of the website “https://cybercontrolsmatrix.com”, the creator “Eric Bragger”, and any other core team members is highly encouraged and appreciated.

Partial exception is made for commercial articles, white papers, documentation, and sales collateral, whose attribution must at minimum include the first paragraph in the Copyright & Trademarks section.

License

The OWASP Cyber Controls Matrix (OCCM) is licensed under a Creative Commons Attribution 4.0 International (CC-BY 4.0) license for free use and adaptation, including commercial and government, with attribution. Additional license terms and conditions, such as indemnification, are detailed within the Required Attribution section text that must be provided with use or distribution of the OCCM.

The OWASP Cyber Controls Matrix (OCCM) (https://cybercontrolsmatrix.com) is copyright the OWASP Foundation, Inc. (https://owasp.org) and its creator Eric Bragger (https://www.linkedin.com/in/eric-bragger/). All rights reserved. Control Identifiers (IDs), Control Names, Control Headings, Control Set Names, and Framework Names are copyright their respective owners. “OWASP”™ is trademark the OWASP Foundation, Inc. “Cyber Controls Matrix”™, “OCCM”™, and “OCCM Cyber Taxonomy”™, including their logos and trade dress, are trademark Eric Bragger. All other trademarks belong to their respective owners.

Contributors acknowledge that by contributing, copyright for all contributions will be transferred in full, without any obligation whatsoever expressed or implied, to: the OWASP Foundation, Inc., the OCCM Creator, and the OCCM Project Leader. Contributions may be used, shared, and disseminated at the complete discretion of the OWASP Foundation, Inc., the OCCM Creator, the OCCM Project Leader, and anyone associated with the project whether in an official or non-official capacity. Contributions may include, but are not limited to: information, content, assistance, ideas, software code, submissions, employment, licensing, financial support, marketing, promotion, endorsement, and sponsorship.

Disclaimer & Limitations

The OWASP Cyber Controls Matrix (OCCM) is provided as-is and is used at your own risk with zero expectations. Warranties, liabilities, claims, guarantees, and representation of any kind and for any purpose are fully disclaimed without limitation whether expressed, implied, or statutory with regard to the OCCM, its capabilities, its content, its copyright owners, its creator, any individuals associated with the OCCM, and any aspects of the OCCM. This includes, but is not limited to: negligence; infringement; licensing; fair use; attribution; lack of attribution; completeness; accuracy; applicability; acceptability; availability; correctness; reliability; objectivity; timeliness; practicality; effectiveness; fitness; merchantability; results obtained; claims; expectations; title; damages; losses; and use of, or inability to use, any information, content, or capabilities associated with the OCCM.

The OCCM shall always be considered as-is and is provided as-is with zero liability regardless of any claims, suppositions, beliefs, assumptions, expressions, implications, written agreements, or verbal agreements. The OCCM, its copyright owner, its creator, and any individuals associated with the project shall not be liable, under any circumstances, for any direct, indirect, incidental, special, or consequential damages concerning the OCCM, anything associated with the OCCM, individuals associated with the OCCM, or any aspects of the OCCM whether in an official or non-official capacity. Liability shall not be accepted concerning any attribution, lack of attribution, or failure to remove attribution for contributions or contributors. Liability shall not be accepted concerning any third-party use, inclusion, reference, or claims. Liability shall not be accepted for any reason; expressed, implied, or statutory.

The OCCM in part or whole (including, but not limited to: its content and capabilities) is comprised of data, software code, subjective opinions, contributions, statements, descriptions, and other content; any or all of which may be in error for any reason including negligence and are not to be construed as objective, correct, accurate, informed, complete, reasonable, reliable, factual, or effective. The OCCM, its copyright owners, its creator, and any individuals associated with the OCCM do not make any warranty or representation of fitness or merchantability for any purpose.

You agree to indemnify, defend, and hold harmless the OCCM, its copyright owners, its creator, any individuals associated with it, and any aspects of it from any and all claims, liabilities, and expenses (including attorney fees, court fees, process costs, fines, damages, and any other losses) arising out of your use of the OCCM, interaction with the OCCM, any individuals associated with the OCCM, and any aspects of the OCCM; with no expectations whatsoever and regardless of disclosures, claims, discoveries, process, suits, or proceedings.

The Creative Commons Attribution 4.0 International (CC-BY 4.0) license provides further important disclaimers, limitations, and legal text that also applies to the OCCM.





News

Date      Event
20200612  Release of Reference Materials: OCCM Control Set for MITRE ATT&CK Enterprise v6.3
20200604  Release of Reference Materials: OCCM Control Sets for NIST 800-53r5 FPD and NIST 800-53r4
20200511  Project Launched





The OCCM Mapping is currently in pre-release.

Please see the Roadmap tab for the planned release schedule.


OCCM Mapping

Version  Date  Type  Name  Description
TBD      TBD   TBD   TBD   TBD


OCCM Reference Material

Version  Date      Type  Name                                                            Description
1.0      20200612  XLS   OCCM Control Set for MITRE ATT&CK Enterprise v6.3 (20191024)    Comprehensive spreadsheet of Tactics, Techniques, Mitigations, APT Groups, and Malicious Software. Does not contain mapping.
1.0      20200612  PDF   OCCM Control Set for MITRE ATT&CK Enterprise v6.3 (20191024)    Comprehensive spreadsheet of Tactics, Techniques, Mitigations, APT Groups, and Malicious Software. Does not contain mapping.
1.0      20200604  XLS   OCCM Control Set for NIST SP 800-53 rev. 5 Final Public Draft   Improved version of the official NIST spreadsheet. Does not contain mapping.
1.0      20200604  PDF   OCCM Control Set for NIST SP 800-53 rev. 5 Final Public Draft   Improved version of the official NIST spreadsheet. Does not contain mapping.
1.0      20200604  XLS   OCCM Control Set for NIST SP 800-53 rev. 4                      Improved version of the official NIST NVD spreadsheet. Does not contain mapping.
1.0      20200604  PDF   OCCM Control Set for NIST SP 800-53 rev. 4                      Improved version of the official NIST NVD spreadsheet. Does not contain mapping.





Project Roadmap

         X = Done      O = Ongoing

Status  Planned  Type                     Detail
X       Q2 2020  Webpage                  Initial Project Webpage
X       Q2 2020  Webpage                  Domain and Email Configuration
X       Q2 2020  Webpage                  Mailing List for News / Releases with Survey
X       Q2 2020  Webpage                  Frequently Asked Questions (FAQ) tab
X       Q2 2020  Webpage                  Project Logo
X       Q2 2020  Reference Material       OCCM Control Set: NIST SP 800-53 Rev. 4
X       Q2 2020  Reference Material       OCCM Control Set: NIST SP 800-53 Rev. 5 Final Public Draft
X       Q2 2020  Reference Material       OCCM Control Set: MITRE ATT&CK Enterprise v6.3
O       Q2 2020  Webpage                  Key Benefits and Key Features tabs
O       Q2 2020  Webpage                  Graphics for Key Benefits and Key Features
O       Q2 2020  Normalization            Pre-populate Cyber Taxonomy per NIST, CIS, OWASP, and other sources
X       Q2 2020  Webpage                  Guidance for Contributors [on Github]
O       Q2 2020  Feature                  Statistics for Mappings
O       Q2 2020  Feature                  Support for Official and Third-Party Mappings (to reference against the OCCM mappings)
O       Q2 2020  Control Set / Framework  OWASP Top 10
        Q2 2020  Control Set / Framework  OWASP Proactive Controls (OPC)
        Q2 2020  Control Set / Framework  OWASP Mobile Top 10
        Q2 2020  Control Set / Framework  CIS Controls (Top 20 and Sub-Controls)
        Q3 2020  Documentation            Instructions for Use (HTML, PDF, PPT)
        Q3 2020  Control Set / Framework  DoD CMMC
        Q3 2020  Control Set / Framework  NIST SP 800-171 (DFARS 252.204-7012)
        Q3 2020  Control Set / Framework  NIST CSF
        Q3 2020  Control Set / Framework  SOC 2 (AICPA TSC)
        Q3 2020  Control Set / Framework  CWE Top 25
        Q4 2020  Control Set / Framework  OWASP Application Security Verification Standard (ASVS)
        Q4 2020  Control Set / Framework  ISO/IEC 27001 / ISO/IEC 27002
        Q4 2020  Control Set / Framework  ISO/IEC 27017
        Q4 2020  Control Set / Framework  ISO/IEC 27018
        Q4 2020  Control Set / Framework  ISO/IEC 27701
        Q4 2020  Control Set / Framework  ISO/IEC 22301
        Q1 2021  Control Set / Framework  NIST SP 800-53 Rev. 4 High + PM + Privacy / FISMA / OMB-A130
        Q1 2021  Control Set / Framework  FedRAMP
        Q1 2021  Control Set / Framework  DoD Cloud SRG
        Q2 2021  Control Set / Framework  NIST SP 800-53 Rev. 5 [when released]
        Future   Control Set / Framework  OWASP Software Assurance Maturity Model (SAMM)
        Future   Control Set / Framework  NIST SP 800-137A
        Future   Control Set / Framework  MITRE ATT&CK Enterprise
        Future   Control Set / Framework  MITRE ATT&CK ICS
        Future   Control Set / Framework  MITRE ATT&CK Mobile
        Future   Control Set / Framework  CISQ
        Future   Control Set / Framework  ITAR
        Future   Control Set / Framework  PCI DSS
        Future   Control Set / Framework  GDPR
        Future   Control Set / Framework  CCPA
        Future   Control Set / Framework  COPPA
        Future   Control Set / Framework  FERPA
        Future   Control Set / Framework  ENISA (EU Cybersecurity Act)
        Future   Control Set / Framework  CSA STAR
        Future   Control Set / Framework  CIS AWS Foundations
        Future   Control Set / Framework  CIS Azure Foundations
        Future   Control Set / Framework  CIS Google Cloud Foundations
        Future   Control Set / Framework  FFIEC (GLBA/SOX)
        Future   Control Set / Framework  COSO
        Future   Control Set / Framework  COBIT
        Future   Control Set / Framework  HIPAA HITECH Act
        Future   Control Set / Framework  HIPAA HITRUST CSF
        Future   Control Set / Framework  NERC CIP
        Future   Control Set / Framework  ISA-99 (ANSI IACS)
        Future   Control Set / Framework  MARS-E (ACA / Medicaid / CHIP)
        Future   Control Set / Framework  IRS Publication 1075
        Future   Control Set / Framework  CJIS
        Future   Control Set / Framework  BITS SIG/AUP
        Future   Control Set / Framework  NY DFS
        Future   Control Set / Framework  IASME Governance
        Future   Control Set / Framework  ETSI TC Cyber
        Future   Control Set / Framework  BSI Germany
        Future   Control Set / Framework  PIPEDA Canada
        Future   Control Set / Framework  ISM Australia
        Future   Control Set / Framework  NZISM New Zealand
        Future   Control Set / Framework  CERT-RMM
        Future   Control Set / Framework  [additional cyber compliance, best practice, legal, and regulatory controls]
        Future   Webpage                  Translation into other languages
        Future   Feature                  Baselines and Profiles (i.e. automatically select controls to display)





Frequently Asked Questions (FAQ)

  • How can I help the project?

    • Glad you asked! Please start by joining the OCCM mailing list and answering the optional questions on that page.
    • We’ll eventually have content submission instructions and forms together, but our only priority right now is getting the first release out the door.
  • When will the first release of the OCCM occur and what will it include?

    • Officially TBD, but planned before September.
    • Please see the Roadmap tab for an evolving list of target content.
    • Please also join the OCCM mailing list to be notified of OCCM-specific news and releases.
    • The OCCM project launched on May 11, 2020. Core functionality is operational (schema and code for automated mapping). It just takes time to create the initial Cybersecurity Taxonomy and normalize hundreds of Controls across the first Control Sets.
  • Will the OCCM map controls between [Some-Control-Set] and [Some-Other-Control-Set]?

    • Yes, as long as both Control Sets are in the OCCM.
    • The OCCM automatically maps all Control Sets to every other Control Set.
    • That’s the power of normalizing each Control to the OCCM Cyber Taxonomy.
    • Please see the Roadmap tab for an evolving list of forthcoming Control Sets.
  • Will the OCCM automate control selection, documentation, and other aspects of my program?

    • No. The OCCM is a documentation project driven by code and rich data. Its singular focus is to provide valuable information to assist in implementing and complying with cyber controls across multiple standards / control sets / frameworks.
    • However, we hope that all types of software will use and leverage the OCCM. The OCCM and its content is a gift to the cyber industry; freely licensed for commercial, non-commercial, and government use; with the only stipulation being required attribution.
  • How is the OCCM different from solutions that use Artificial Intelligence (AI), Machine Learning (ML), and Natural Language Processing (NLP)?

    • The OCCM is complementary to AI/ML/NLP solutions. Each can be used to improve the other.
    • At this time, we are not aware of any publicly available AI/ML/NLP control mappings. We have only seen academic papers, statistical analysis, and commercial software features. Please (email) us if you know of any AI/ML/NLP source that provides actual mappings.
    • The OCCM content comes from cyber expert analysis, whereas AI/ML/NLP are based upon mathematical models. Both techniques have varying accuracy, biases, missing control relationships (false negatives), and controls mapped that should not be (false positives).
    • AI/ML/NLP approaches excel at discovering patterns among large amounts of data.
    • The OCCM approach excels at applying human intuition, cyber expertise, and context to small amounts of data, utilizing the power of normalization (categorizing) to apply this to large amounts of data.
  • How is the OCCM different from the Secure Controls Framework (SCF)?

    • The approach of the OCCM is implementing and documenting the target control set while leveraging information from relevant controls in other control sets.
    • The approach of the SCF is implementing and documenting SCF controls (the meta-framework) as a baseline for compliance with other control sets. In other words, the SCF attempts to provide a universal control set with good coverage of other control sets. Of course, the SCF is unable to capture every specific requirement and guidance in those control sets, which is where control mapping from the SCF controls to the target controls is needed and provided.
    • Whether using the OCCM or a meta-framework like the SCF, working directly on a control set is currently the only way to ensure all requirements are fully met for audit and certification.
    • The OCCM provides transparency via the OCCM Cyber Taxonomy on why a specific control has been mapped at each level of detail (High, Medium, and Low); whereas the SCF mapping reason can only be inferred by analyzing the content of the SCF control and the SCF-provided mapping for that control.
    • The OCCM directly maps from one Control Set to all others (i.e. NIST->ISO). The SCF indirectly maps between Control Sets (i.e. NIST->SCF->ISO), except in the case that only SCF controls are being mapped (i.e. SCF->ISO).
    • The SCF license “No Derivatives” condition may hinder use in products and research, as no modification of the SCF controls can be distributed without being granted exception to the license. The OCCM license has no such hindrance. Both licenses require attribution.
    • The SCF is an excellent project and contribution to the industry, just very different in content and use than the OCCM.
                            OCCM                                            SCF
      Design                Simple Matrix                                   Meta-Framework
      Separate Control Set  No                                              Yes. SCF Controls are required
      Approach              Control Set A + Control Set B, etc.             SCF Controls + Control Set A + Control Set B, etc.
      Mapping Capability    Direct (i.e. NIST->ISO)                         Indirect (i.e. NIST->SCF->ISO)
      Mapping Detail        3 Levels of Detail (High, Medium, Low)          1 Level of Detail
      Mapping Reason        Specified via OCCM Cyber Taxonomy               Unspecified
      Maturity Model        Unspecified [control dependent]                 SCF Controls [meta-framework dependent]
      License               Free. CC-BY 4.0                                 Free. CC-BY-ND 4.0 (No Derivatives)
      Parent Organization   OWASP Foundation, Inc. [501(c)(3) non-profit]   Secure Controls Framework Council, LLC
  • Why the name OWASP Cyber Controls Matrix (OCCM)?

    • “OWASP” for the OWASP Foundation hosting and supporting the project.
    • “Cyber” because it represents both IT and Cybersecurity. While it is a common buzzword, “cyber” is the only word that represents both.
    • “Controls” because these are the individual, measurable items within a control set / framework.
    • “Matrix” because the OCCM generates a mapping table between every Control and every other Control. Even though arriving at that table requires a specific process, we did not want any distraction from what the OCCM generates by calling it (yet another) Framework or Methodology.
    • Apologies to the CSA Cloud Controls Matrix (CSA CCM). We tried to avoid using “CCM” in our acronym. We really did. The reasons above were too compelling. At least we’re “OCCM”.

Don’t see your question answered here or elsewhere on the website?

Click here to email us about it.