Governance Frameworks & Incident Response Doctrine
Proprietary governance frameworks. Industry standard critique. Decision architecture that holds where NIST, SANS, ISO, and MITRE leave gaps. Not explanation — interpretation.
Named Governance Frameworks
Six proprietary, trademarked frameworks — each stress-tested across regulated mandates, audited by supervisors, and built to survive enforcement scrutiny.
Why Incident Response Frameworks Fail Under Pressure
Industry frameworks provide structure. They do not provide control. The difference becomes visible only during crisis — when it matters most.
CSF 2.0 Alignment — Where the New Model Still Leaves Gaps
NIST defines four clear phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. In structured environments with single-vector incidents, this sequence holds.
Where it breaks: Rev. 3 improves on the linear model but introduces new gaps. The CSF 2.0 mapping creates a governance-heavy structure that satisfies risk committees but does not address operational tempo. CrowdStrike's 2026 GTR records a 29-minute average eCrime breakout time — with one observed breakout in 27 seconds. Unit 42 documents 72-minute exfiltration windows, 4× faster than 2024. In March 2026, Stryker's networks were wiped in real time by an Iran-aligned group; in April, Drift lost $285M in a single DeFi exploit. Governance cycles operate in weeks. Adversary cycles operate in seconds.
The real gap: Rev. 3 adds "Govern" as a function — but governance in practice requires pre-mandated decision authority, not just risk management structure. In 90% of 2026 breaches analysed by Unit 42, preventable gaps — limited visibility, inconsistent controls, excessive identity trust — enabled the intrusion. CrowdStrike confirms 82% of detections are now malware-free, meaning traditional control frameworks miss the majority of intrusions. NIST Rev. 3 describes what good governance looks like. It does not prescribe who decides when governance functions conflict under time pressure.
IBM's 2025 Cost of a Data Breach Report adds a further dimension: shadow AI usage now adds $670K to average breach costs, while organisations deploying AI defensively shortened the breach lifecycle by 80 days and saved $1.9M — a governance paradox that Rev. 3's CSF 2.0 mapping does not resolve. IBM further reports ransomware-specific breach costs at $5.08M — 14% above the general average — while 63% of victims now refuse ransom payment (up from 59% in 2024), driving threat actors toward wiper payloads, data weaponisation, and direct-to-media extortion as alternative leverage. NIST Rev. 3 does not encode the decision sequence for any of these contingencies.
IBM's 2025 report simultaneously records 241 days as the new average breach identification-to-containment window — a nine-year low, and yet still 12,528× longer than CrowdStrike's recorded 29-minute breakout and 205× longer than Unit 42's documented 72-minute exfiltration window. The governance model that operates at the speed of risk committees has not closed the gap with the adversary model that operates at the speed of automated lateral movement. CSF 2.0's new 'Govern' function does not bridge that interval.
Doctrine position: NIST provides the operational vocabulary. Decision Rights Architecture™ provides the command structure that makes the vocabulary actionable under pressure.
Operational Sequence — When Sequence Breaks
SANS maintains its six-step PICERL model: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. For 2026, SANS is expanding focus into cloud forensics, AI-assisted incident response, and threat hunting — reflecting the shift toward hybrid-cloud environments and autonomous adversary tooling. With AI-enabled adversary operations up 89% year-over-year (CrowdStrike 2026 GTR) and ransomware operators now pivoting through cloud identities and deploying exclusively to VMware ESXi hosts to evade monitored endpoints, the PICERL sequence is under more operational pressure than at any point in the framework's history.
Where it breaks: The sequence assumes incident progression is orderly and that teams have the skills to execute it. The SANS 2026 Cybersecurity Workforce Report (947 global respondents) demolished that assumption: 60% of organisations identify skills gaps as a greater problem than headcount shortages — the 20-point gap widened sharply from just four points a year prior. 27% of organisations report breaches directly linked to capability gaps. Skills shortages drive slower incident response in 47% of teams. Regulatory pressure on hiring surged from 40% to 95% in a single year (NIS2: 30%, DORA: 26%, CMMC: 29%). The PICERL sequence is technically sound. But it runs on people — and the SANS data confirms those people increasingly lack the skills to execute it under pressure.
The real gap: SANS excels at the technical response layer. It does not address the decision layer: board escalation thresholds, regulatory notification triggers, or the moment when technical containment must yield to business survival decisions. The Verizon DBIR 2025 amplifies the gap: third-party involvement in breaches has doubled to 30%, edge and VPN vulnerabilities surged eightfold with only 54% patched (median 32 days to fix), and espionage-linked breaches increased 163% to 17% of incidents — all vectors that demand cross-organisational decision authority that PICERL does not encode. The impact asymmetry compounds the gap further: Verizon DBIR 2025 records ransomware present in 88% of SMB breaches versus only 39% of enterprise incidents — yet PICERL's operational cadence was architected around enterprise-scale IR capability. The organisations least equipped to execute the sequence face it most frequently, and at the highest relative cost. The median SMB ransom payment reached $115,000 in the same reporting period (Verizon DBIR 2025) — an amount representing existential financial exposure for the majority of affected organisations, yet PICERL provides no cost-benefit decision framework for ransom payment decisions, no escalation threshold for regulatory notification, and no board-mandate architecture for the irreversible choices that arise within the first 60 minutes of a ransomware event.
Doctrine position: SANS defines the operational rhythm. The Crisis Decision Hierarchy defines who commands that rhythm when multiple stakeholders demand conflicting actions.
Compliance Structure — When Compliance Does Not Equal Control
ISO/IEC 27035-1:2023 (second edition) replaced the 2016 first edition, introducing the "incident management team" and "incident coordinator" roles with updated process subclauses. Parts 1 and 2 were revised in 2023; Part 3 remains from 2020; Part 4 (Coordination) was published in December 2024, adding guidelines for cross-organisational incident management — acknowledging that modern incidents routinely span multiple entities, but providing guidance rather than enforceable authority structures. The standard provides internationally certified incident management structure for audit-driven and compliance-heavy environments.
Where it breaks: ISO frameworks optimise for process completeness, not decision speed. During a major incident, the governance structure that satisfied auditors becomes a bottleneck. Approval chains that took 48 hours in normal operations must compress to 15 minutes. The compliance structure was designed for steady-state, not crisis-state. Part 4:2024 acknowledges that cross-organisational coordination is essential — but provides guidelines, not mandates. When multiple organisations share infrastructure and must coordinate containment at adversary speed, a guidance annex does not confer decision authority.
The real gap: Many organisations achieve ISO 27035 alignment and assume they have incident response capability. They have incident response documentation. Whether that documentation survives contact with a real adversary is a different question entirely.
Doctrine position: ISO 27035 satisfies the regulator. The Evidence Chain Model™ satisfies the regulator and preserves decision integrity when the incident is still in progress.
Incident Response RACI — Decision Rights Under Pressure
This is not a task assignment matrix. It is a command architecture. In crisis, the question is never "what needs to be done." It is "who decides, who acts, and who arbitrates when decisions conflict."
The complete operational table — every phase, every role, every decision boundary — with regulatory commentary and skills-gap context, lives on the Crisis Command page.
CSIRT & Crisis Command — Structural Integration
A CSIRT that operates without decision authority is a detection team. A CSIRT with explicit command architecture is a crisis response capability.
The complete CSIRT architecture — escalation patterns, regulated-estate constraints (NIS2 · DORA · clinical), and the operating model that turns detection into command — lives on the Crisis Command page.
How Proprietary Doctrine Extends Industry Frameworks
Each proprietary framework addresses a specific gap that industry standards leave open.
| Industry Standard | What It Provides | What It Misses | Doctrine Extension |
|---|---|---|---|
| NIST SP 800-61 | Incident lifecycle structure | Decision authority, phase arbitration | Decision Rights Architecture™ |
| SANS IR Framework | Operational response sequence | Board escalation, business survival layer | Crisis Decision Hierarchy |
| ISO/IEC 27035 | Compliance & audit structure | Evidence integrity under active incident | Evidence Chain Model™ |
| MITRE ATT&CK | Adversary behaviour mapping (v19: Stealth + Impair Defenses split) | Organisational failure mapping | Control Collapse Model™ |
| DORA / NIS2 | Regulatory reporting obligations (DORA: active enforcement 2026 — on-site inspections, compulsion payments, fines up to 2% global turnover or €10M; ICT providers: €5M + 1% daily turnover; only 50% of firms fully compliant as of Q1 2026; NIS2: first administrative penalties issued Q1 2026 — Germany €850K fine for missing risk management, France opened 14 investigations across healthcare and digital infrastructure — fines up to €10M or 2% of revenue for essential entities, Netherlands mandating self-assessment by Jun 2026, C-level bans, personal manager liability under Art. 20) | Director-level liability architecture | Board-Survivable Cyber Architecture™ |
| EU AI Act / ISO 42001 | AI system classification & risk tiers (high-risk enforcement from Aug 2026; EU Digital Omnibus proposes deferral for legacy systems to 2027; transparency rules Art. 50 active; serious incident reporting within 2–15 days under Art. 73; AI regulatory sandboxes mandated per Member State by Aug 2026; watermarking requirements for AI-generated audio/image/video/text content due 2 Nov 2026) | Operational AI incident command | AI Accountability Stack™ |
| Cyber Resilience Act (CRA) | Mandatory vulnerability & incident reporting for products with digital elements (ENISA Single Reporting Platform operational Sep 2026; manufacturer reporting obligations active) | Product-level incident command integration with enterprise IR | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
The principle: Industry frameworks describe the problem space. Proprietary doctrine fills the decision gaps that frameworks leave open. The two layers are complementary, not competing.
NIST · SANS · ISO · MITRE — Daily Refresh Block
Mon–Fri monitoring window covering NIST (CSF 2.0, SP 800-53, SP 800-61, SP 800-171), SANS / CIS Controls, ISO/IEC (27001, 27002, 27035, 27701, 22301), MITRE ATT&CK, COBIT, CMMC, FAIR, and national frameworks (UK NCSC CAF, Ireland NCSC, ANSSI France). UK CNI operators and FTSE-350 risk committees — primary framework stack remains CAF 4.0 over ISO 27001:2022 / NIST CSF 2.0.
Current doctrine reference set
SP 800-61 Rev. 3 (April 2025) remains the operative incident response profile against CSF 2.0. SP 800-53 Release 5.2.0 ships the CCE / CSF 2.0 cross-mapping enrichment used by the Evidence Chain Model™ for audit automation. SP 800-171 Rev. 3 aligned with CMMC 2.0 Level 2 — Phase 1 enforcement active since November 2025.
v8.1 governance function — stable
CIS Controls v8.1 (June 2024) — 18 controls, Governance security function aligned with NIST CSF 2.0. CIS AI & LLM Companion Guide and MCP Companion Guide (both 20 April 2026) now available — AI risk tooling supplements for CSF 2.0 Govern function; the MCP Companion Guide addresses Model Context Protocol integration risks relevant to organisations deploying AI agents in operational workflows. No further SANS/CIS reading-room advisory updates in the last 24h. SANS 2026 Cybersecurity Workforce Report remains the live capability baseline: 60% of teams cite skills gaps over headcount, 27% of breaches directly tied to capability shortfall.
27701:2025 transition clock ticking
27001:2022 + Amd 1:2024 (climate action) is the only certifiable baseline since the 31 Oct 2025 sunset of 27001:2013. 27701:2025 now a standalone PIMS standard — ~11 new controls, four-category restructure; three-year transition to 14 Oct 2028. 27035-1/-2:2023 active; 27035-4:2024 adds cross-organisational coordination guidance; 22301 BCMS unchanged.
Stealth (TA0005) / Defense Impairment (TA0112) — Day 3 · v19 confirmed stats
v19 Enterprise retires Defense Evasion as a tactic. Stealth inherits TA0005; Defense Impairment (TA0112) is the confirmed new tactic — covering adversary actions that actively degrade security controls. Confirmed v19 Enterprise statistics: 222 Techniques, 475 Sub-Techniques, 174 Groups, 821 Software, 56 Campaigns across 15 Tactics. ICS ATT&CK gains sub-techniques; Mobile gains Detection Strategies. New CTI in v19: LAMEHUG (S9035) — the first malware documented querying a live large language model in active operations, associated with APT28 (G0007); Campaign C0062 (AI-orchestrated espionage) — AI-enabled offensive tooling is now formally tracked at ATT&CK framework level. v18 Detection Strategies / Analytics remain in force on every technique and sub-technique.
CMMC Phase 2 — 10 Nov 2026 countdown
CMMC 2.0 Phase 1 ongoing (Level 1 / Level 2 self-attestation in DoD contracts); Phase 2 begins 10 November 2026 — C3PAO third-party certification mandatory for Level 2 handling CUI. COBIT 2019 and FAIR (quantitative risk) unchanged in the last 24h; Open FAIR™ Body of Knowledge cited for DORA Art. 6 risk-tolerance quantification.
CAF 4.0 · CE LIVE · MITRE v19 NOW LIVE
UK NCSC CAF 4.0 (Aug 2025) remains in force — MSP and data-centre scope expansion queued for 2026; CAF 5.0 design track acknowledges the Cyber Security and Resilience Bill.
UK Cyber Essentials (NCSC / IASME): revised requirement set NOW LIVE — effective 27 April 2026. MFA on all available cloud services and 14-day high/critical patch windows are now automatic-fail criteria; CE+ remediation must be applied across the whole scope, not only the sampled devices; cloud-service scope now explicit (SaaS cannot be excluded). All new and renewal CE/CE+ assessments from today must be assessed against the new requirements.
CYBERUK 2026 closed 23 April in Glasgow — NCSC CEO Richard Horne's closing 'perfect storm' keynote (AI-driven adversary tradecraft + frontier vulnerability discovery as the next-decade agenda, layered on Day 2 hostile-state attribution — Russia, Iran, China — and Day 1 supply-chain framing) is now the anchoring UK doctrine signal; Cyber Essentials re-anchored as the universal baseline across the full conference programme. ANSSI: ReCyF (Référentiel Cyber France) issued 17 March 2026 as the operational bridge to NIS2 French transposition (July 2026).
No new primary publication from NIST, SANS/CIS, or ISO/IEC in the 24 hours to 09:00 UTC on 1 May 2026. MITRE ATT&CK v19 established — Day 3 post-release; the confirmed v19 Enterprise statistics, the TA0112 tactic ID and the LAMEHUG (S9035) / Campaign C0062 CTI entries are as recorded in the v19 block above, and the CIS AI & LLM and MCP Companion Guides (20 April 2026) are as recorded in the CIS block above.
Evidence Chain Model™ governance note: v19 crosswalk sign-off is a procurement-grade audit artefact — record the v18-to-v19 migration date, TA0112 coverage deployment date, and CE assessment-account re-baseline date as separate evidence entries. UK Cyber Essentials new requirements have been in force for three days; supply-chain contracts referencing CE compliance must reflect the updated scope (MFA on all cloud services, 14-day high/critical patch windows as automatic-fail criteria). CISA KEV patch verification records should be closed and filed against the relevant control ID. UK CNI operators: consolidate v19 crosswalk completion (TA0112 coverage confirmed), CE posture, and KEV verification as a single Q2 2026 governance delivery before the next board risk review.
A framework that cannot be enforced is a suggestion. A framework that cannot be evidenced is a liability.
These are not theoretical models. They are operational instruments tested under live regulatory examination.
Framework Update — 4 May 2026
NIST SP 800-53 Rev 5.2.0 / CSF 2.0 mapping XLSX finalised — update control crosswalks. MITRE ATT&CK v19 Day 7: TA0005 (Stealth) / TA0112 (Defense Impairment) split fully operational — SOC teams should validate detection coverage for absence-of-signal indicators (TA0112). CISA/NCSC-UK joint advisory AA26-113a: Chinese state-linked SOHO/IoT botnets — maps to ATT&CK T1584.001 Botnet infrastructure acquisition; CNI operators review edge-device detection coverage. NCSC CAF 4.0: MSP + data-centre scope expansion progressing in 2026. UK Cyber Essentials revised requirements (27 Apr 2026) now in force — MFA on cloud services, 14-day patch windows mandatory. FCA/PRA operational resilience final policy PS26/2: effective 18 Mar 2027 — begin gap analysis against CAF Objective C (Protecting Against Cyber Attack) now.
Framework Update — 1 May 2026
MITRE ATT&CK v19 (28 Apr 2026): Defense Evasion tactic split into Stealth (TA0005) and Defense Impairment (TA0112) — enterprise matrix now contains 949 software, 178 groups, 59 campaigns. New AI/social-engineering sub-techniques and ICS sub-technique reorganisation. NIST CSF 2.0 Informative References QSG open for public comment until 6 May 2026; SP 800-53 Release 5.2.0 (Nov 2025) cross-reference mapping finalised.