Brussels-based · EU-focused · EMEA Delivery · DORA · NIS2 · EU AI Act · ISO 42001

Governance Frameworks & Incident Response Doctrine

Proprietary governance frameworks. Industry standard critique. Decision architecture that holds where NIST, SANS, ISO, and MITRE leave gaps. Not explanation — interpretation.

Governance Stacks™

Named Governance Frameworks

Six proprietary, trademarked frameworks — each stress-tested across regulated mandates, audited by supervisors, and built to survive enforcement scrutiny.

The Evidence Chain Model™
Four-tier institutional proof architecture — from practitioner artefact to supervisory-grade evidence. Every claim is traceable, every control is auditable.
DORA Art. 6 · ISO 27001 · Audit-Ready
Decision Rights Architecture™
Maps who decides, who escalates, and who is accountable — from board to SOC floor. Eliminates governance ambiguity under regulatory pressure.
NIS2 Art. 20 · Board Mandate · RACI+
Board-Survivable Cyber Architecture™
Governance architecture that protects board members from personal liability — bridging technical controls to director-level accountability.
SEC/DOJ · D&O Shield · Board-Level
AI Accountability Stack™
End-to-end AI governance covering model risk, bias controls, explainability mandates, and EU AI Act Article 9 compliance architecture.
EU AI Act · ISO 42001 · Model Risk
Recoverability Mandate™
Operational resilience doctrine that ensures critical business services survive severe disruption — from ransomware to systemic failure.
DORA Art. 11 · BCP/DRP · Stress-Tested
Contract Control Matrix™
Third-party risk governance matrix — embeds enforceable controls into outsourcing contracts, M&A due diligence, and vendor oversight.
TPRM · M&A · Contractual
Doctrine Position

Why Incident Response Frameworks Fail Under Pressure

Industry frameworks provide structure. They do not provide control. The difference becomes visible only during crisis — when it matters most.

The Core Problem

Organisations adopt frameworks. They pass audits. They achieve compliance certifications. Then, when crisis arrives, the framework does not hold. The response becomes non-linear, authority fragments, and the structured phases that worked in tabletop exercises collapse under real-world time pressure.

This is not a framework failure. It is a design limitation. Frameworks describe what should happen. They do not prescribe how to maintain control when the operational environment degrades.

The Distinction That Matters

Compliance means the framework was adopted.  ·  Control means the organisation can still make coherent decisions under pressure.
These are not the same thing.

NIST SP 800-61 Rev. 3 (April 2025)

CSF 2.0 Alignment — Where the New Model Still Leaves Gaps

NIST defines four clear phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. In structured environments with single-vector incidents, this sequence holds.

Where it breaks: Rev. 3 improves on the linear model but introduces new gaps. The CSF 2.0 mapping creates a governance-heavy structure that satisfies risk committees but does not address operational tempo. CrowdStrike's 2026 GTR records a 29-minute average eCrime breakout time — with one observed breakout in 27 seconds. Unit 42 documents 72-minute exfiltration windows, 4× faster than 2024. In March 2026, Stryker's networks were wiped in real-time by an Iran-aligned group; in April, Drift lost $285M in a single DeFi exploit. Governance cycles operate in weeks. Adversary cycles operate in seconds.

The real gap: Rev. 3 adds "Govern" as a function — but governance in practice requires pre-mandated decision authority, not just risk management structure. In 90% of 2026 breaches analysed by Unit 42, preventable gaps — limited visibility, inconsistent controls, excessive identity trust — enabled the intrusion. CrowdStrike confirms 82% of detections are now malware-free, meaning traditional control frameworks miss the majority of intrusions. NIST Rev. 3 describes what good governance looks like. It does not prescribe who decides when governance functions conflict under time pressure. IBM's 2025 Cost of a Data Breach Report adds a further dimension: shadow AI usage now adds $670K to average breach costs, while organisations deploying AI defensively reduced lifecycle by 80 days and saved $1.9M — a governance paradox that Rev. 3's CSF 2.0 mapping does not resolve. IBM further reports ransomware-specific breach costs at $5.08M — 14% above the general average — while 63% of victims now refuse ransom payment (up from 59% in 2024), driving threat actors toward wiper payloads, data weaponisation, and direct-to-media extortion as alternative leverage. NIST Rev. 3 does not encode the decision sequence for any of these contingencies. IBM's 2025 report simultaneously records 241 days as the new average breach identification-to-containment window — a nine-year low, and yet still 12,528× longer than CrowdStrike's recorded 29-minute breakout and 205× longer than Unit 42's documented 72-minute exfiltration window. The governance model that operates at the speed of risk committees has not closed the gap with the adversary model that operates at the speed of automated lateral movement. CSF 2.0's new 'Govern' function does not bridge that interval.

Doctrine position: NIST provides the operational vocabulary. Decision Rights Architecture™ provides the command structure that makes the vocabulary actionable under pressure.

SANS Incident Response Framework

Operational Sequence — When Sequence Breaks

SANS maintains its six-step PICERL model: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. For 2026, SANS is expanding focus into cloud forensics, AI-assisted incident response, and threat hunting — reflecting the shift toward hybrid-cloud environments and autonomous adversary tooling. With AI-enabled adversary operations up 89% year-over-year (CrowdStrike 2026 GTR) and ransomware operators now pivoting through cloud identities and deploying exclusively to VMware ESXi hosts to evade monitored endpoints, the PICERL sequence is under more operational pressure than at any point in the framework's history.

Where it breaks: The sequence assumes incident progression is orderly and that teams have the skills to execute it. The SANS 2026 Cybersecurity Workforce Report (947 global respondents) demolished that assumption: 60% of organisations identify skills gaps as a greater problem than headcount shortages — the 20-point gap widened sharply from just four points a year prior. 27% of organisations report breaches directly linked to capability gaps. Skills shortages drive slower incident response in 47% of teams. Regulatory pressure on hiring surged from 40% to 95% in a single year (NIS2: 30%, DORA: 26%, CMMC: 29%). The PICERL sequence is technically sound. But it runs on people — and the SANS data confirms those people increasingly lack the skills to execute it under pressure.

The real gap: SANS excels at the technical response layer. It does not address the decision layer: board escalation thresholds, regulatory notification triggers, or the moment when technical containment must yield to business survival decisions. The Verizon DBIR 2025 amplifies the gap: third-party involvement in breaches has doubled to 30%, edge and VPN vulnerabilities surged eightfold with only 54% patched (median 32 days to fix), and espionage-linked breaches increased 163% to 17% of incidents — all vectors that demand cross-organisational decision authority that PICERL does not encode. The impact asymmetry compounds the gap further: Verizon DBIR 2025 records ransomware present in 88% of SMB breaches versus only 39% of enterprise incidents — yet PICERL's operational cadence was architected around enterprise-scale IR capability. The organisations least equipped to execute the sequence face it most frequently, and at the highest relative cost. The median SMB ransom payment reached $115,000 in the same reporting period (Verizon DBIR 2025) — an amount representing existential financial exposure for the majority of affected organisations, yet PICERL provides no cost-benefit decision framework for ransom payment decisions, no escalation threshold for regulatory notification, and no board-mandate architecture for the irreversible choices that arise within the first 60 minutes of a ransomware event.

Doctrine position: SANS defines the operational rhythm. The Crisis Decision Hierarchy defines who commands that rhythm when multiple stakeholders demand conflicting actions.

ISO/IEC 27035

Compliance Structure — When Compliance Does Not Equal Control

ISO/IEC 27035-1:2023 (second edition) replaced the 2016 first edition, introducing the "incident management team" and "incident coordinator" roles with updated process subclauses. Parts 1 and 2 were revised in 2023; Part 3 remains from 2020; Part 4 (Coordination) was published in December 2024, adding guidelines for cross-organisational incident management — acknowledging that modern incidents routinely span multiple entities, but providing guidance rather than enforceable authority structures. The standard provides internationally certified incident management structure for audit-driven and compliance-heavy environments.

Where it breaks: ISO frameworks optimise for process completeness, not decision speed. During a major incident, the governance structure that satisfied auditors becomes a bottleneck. Approval chains that took 48 hours in normal operations must compress to 15 minutes. The compliance structure was designed for steady-state, not crisis-state. Part 4:2024 acknowledges that cross-organisational coordination is essential — but provides guidelines, not mandates. When multiple organisations share infrastructure and must coordinate containment at adversary speed, a guidance annex does not confer decision authority.

The real gap: Many organisations achieve ISO 27035 alignment and assume they have incident response capability. They have incident response documentation. Whether that documentation survives contact with a real adversary is a different question entirely.

Doctrine position: ISO 27035 satisfies the regulator. The Evidence Chain Model™ satisfies the regulator and preserves decision integrity when the incident is still in progress.

MITRE ATT&CK v19 live · 222 techniques · 56 campaigns

Adversary Visibility — When Visibility Does Not Equal Action

MITRE ATT&CK maps adversary behaviour. It does not assign decision authority, encode containment timing, or define when the CSIRT may act without legal sign-off. Used in isolation, ATT&CK explains what happened after the fact — but cannot tell a regulated operator what to decide in the first thirty minutes.

Read the full analysis on the Crisis Command page
Doctrine Position
The Strategic Conclusion

Frameworks are necessary. They are not sufficient.

Every framework above was designed to solve a specific problem: NIST Rev. 3 structures governance around CSF 2.0, SANS operationalises the PICERL response (while the SANS 2026 Workforce Report confirms 60% of teams lack the skills to execute it), ISO 27035:2023 satisfies the auditor, ATT&CK v19 restructures evasion tactics while v18's detection analytics mature. None of them were designed to solve the problem documented in 750+ major incidents analysed by Unit 42 in 2026.

That problem is the inability to make coherent decisions when CrowdStrike records 29-minute breakouts (27 seconds in the fastest case), Unit 42 documents 72-minute exfiltration windows, 90% of breaches are enabled by preventable structural gaps, and the Verizon DBIR 2025 confirms third-party involvement has doubled to 30% of all breaches while only 54% of edge/VPN vulnerabilities are ever patched.

The Problem Is Structural

Governance architecture — not better checklists. Decision authority that is explicit, pre-mandated, and tested before crisis arrives.

The Layer Above Frameworks

This is where doctrine operates. Control must be established before action is taken. That is the Control Collapse Model™ in one sentence.

Doctrine Status · Active

This is the layer that sits above frameworks. This is where doctrine operates — and where the named frameworks above translate from compliance architecture into decision infrastructure.

Command Architecture

Incident Response RACI — Decision Rights Under Pressure

This is not a task assignment matrix. It is a command architecture. In crisis, the question is never "what needs to be done." It is "who decides, who acts, and who arbitrates when decisions conflict."

5 lifecycle phases: Detection · Triage · Containment · Eradication · Recovery
8 authority roles: IC · CSIRT · IT Ops · Legal · Comms · Exec · Board · Counsel
€10M NIS2 ceiling: plus personal liability for managers (Art. 20)
72h GDPR notification clock: decision authority must already be assigned, not improvised
Read the full matrix: Crisis Command — RACI · Phase-by-phase decision authority

The complete operational table — every phase, every role, every decision boundary — with regulatory commentary and skills-gap context, lives on the Crisis Command page.

Operational Architecture

CSIRT & Crisis Command — Structural Integration

A CSIRT that operates without decision authority is a detection team. A CSIRT with explicit command architecture is a crisis response capability.

3 layers of authority: Technical · Operational · Strategic. Without all three, escalation breaks under time pressure.
2026 Q1 CrowdStrike attack-window: median 79 minutes. Detection without authority means containment never starts in time.
Override conditions: Clinical · Legal · Vendor. Three classes of constraint that override any standard CSIRT playbook in regulated estates.
Full structural integration: CSIRT & Crisis Command — Architecture, gaps, anti-patterns, operating model

The complete CSIRT architecture — escalation patterns, regulated-estate constraints (NIS2 · DORA · clinical), and the operating model that turns detection into command — lives on the Crisis Command page.

Integration Architecture

How Proprietary Doctrine Extends Industry Frameworks

Each proprietary framework addresses a specific gap that industry standards leave open.

Industry standard: NIST SP 800-61
  What it provides: Incident lifecycle structure
  What it misses: Decision authority, phase arbitration
  Doctrine extension: Decision Rights Architecture™

Industry standard: SANS IR Framework
  What it provides: Operational response sequence
  What it misses: Board escalation, business survival layer
  Doctrine extension: Crisis Decision Hierarchy

Industry standard: ISO/IEC 27035
  What it provides: Compliance & audit structure
  What it misses: Evidence integrity under active incident
  Doctrine extension: Evidence Chain Model™

Industry standard: MITRE ATT&CK
  What it provides: Adversary behaviour mapping (v19: Stealth + Impair Defenses split)
  What it misses: Organisational failure mapping
  Doctrine extension: Control Collapse Model™

Industry standard: DORA / NIS2
  What it provides: Regulatory reporting obligations (DORA: active enforcement 2026 — on-site inspections, compulsion payments, fines up to 2% global turnover or €10M; ICT providers: €5M + 1% daily turnover; only 50% of firms fully compliant as of Q1 2026; NIS2: first administrative penalties issued Q1 2026 — Germany €850K fine for missing risk management, France opened 14 investigations across healthcare and digital infrastructure — fines up to €10M or 2% of revenue for essential entities, Netherlands mandating self-assessment by Jun 2026, C-level bans, personal manager liability under Art. 20)
  What it misses: Director-level liability architecture
  Doctrine extension: Board-Survivable Cyber Architecture™

Industry standard: EU AI Act / ISO 42001
  What it provides: AI system classification & risk tiers (high-risk enforcement from Aug 2026; EU Digital Omnibus proposes deferral for legacy systems to 2027; transparency rules Art. 50 active; serious incident reporting within 2–15 days under Art. 73; AI regulatory sandboxes mandated per Member State by Aug 2026; watermarking requirements for AI-generated audio/image/video/text content due 2 Nov 2026)
  What it misses: Operational AI incident command
  Doctrine extension: AI Accountability Stack™

Industry standard: Cyber Resilience Act (CRA)
  What it provides: Mandatory vulnerability & incident reporting for products with digital elements (ENISA Single Reporting Platform operational Sep 2026; manufacturer reporting obligations active)
  What it misses: Product-level incident command integration with enterprise IR
  Doctrine extension: Evidence Chain Model™ + Board-Survivable Cyber Architecture™

The principle: Industry frameworks describe the problem space. Proprietary doctrine fills the decision gaps that frameworks leave open. The two layers are complementary, not competing.

Framework Intelligence · 30 April 2026

NIST · SANS · ISO · MITRE — Daily Refresh Block

Mon–Fri monitoring window covering NIST (CSF 2.0, SP 800-53, SP 800-61, SP 800-171), SANS / CIS Controls, ISO/IEC (27001, 27002, 27035, 27701, 22301), MITRE ATT&CK, COBIT, CMMC, FAIR, and national frameworks (UK NCSC CAF, Ireland NCSC, ANSSI France). Ireland NCSC Cyber Essentials revised requirement set goes live 27 April 2026 (corrected); NCSI Bill 2024/26 transposition monitored alongside ReCyF, with CYBERUK 2026 (Glasgow, 21–23 Apr) as the live UK-IE doctrine read-out.

NIST — no publication in the past 24h

Current doctrine reference set

SP 800-61 Rev. 3 (April 2025) remains the operative incident response profile against CSF 2.0. SP 800-53 Release 5.2.0 ships the CCE / CSF 2.0 cross-mapping enrichment used by the Evidence Chain Model™ for audit automation. SP 800-171 Rev. 3 aligned with CMMC 2.0 Level 2 — Phase 1 enforcement active since November 2025.

SANS / CIS Controls

v8.1 governance function — stable

CIS Controls v8.1 (June 2024) — 18 controls, Governance security function aligned with NIST CSF 2.0. CIS AI & LLM Companion Guide and MCP Companion Guide (both 20 April 2026) now available — AI risk tooling supplements for CSF 2.0 Govern function; the MCP Companion Guide addresses Model Context Protocol integration risks relevant to organisations deploying AI agents in operational workflows. No further SANS/CIS reading-room advisory updates in the last 24h. SANS 2026 Cybersecurity Workforce Report remains the live capability baseline: 60% of teams cite skills gaps over headcount, 27% of breaches directly tied to capability shortfall.

ISO / IEC

27701:2025 transition clock ticking

27001:2022 + Amd 1:2024 (climate action) is the only certifiable baseline since the 31 Oct 2025 sunset of 27001:2013. 27701:2025 now a standalone PIMS standard — ~11 new controls, four-category restructure; three-year transition to 14 Oct 2028. 27035-1/-2:2023 active; 27035-4:2024 adds cross-organisational coordination guidance; 22301 BCMS unchanged.

MITRE ATT&CK — v19 LIVE

Stealth (TA0005) / Defense Impairment (TA0112) — Day 3 · v19 confirmed stats

v19 Enterprise retires Defense Evasion as a tactic. Stealth inherits TA0005; Defense Impairment (TA0112) is the confirmed new tactic — covering adversary actions that actively degrade security controls. Confirmed v19 Enterprise statistics: 222 Techniques, 475 Sub-Techniques, 174 Groups, 821 Software, 56 Campaigns across 15 Tactics. ICS ATT&CK gains sub-techniques; Mobile gains Detection Strategies. New CTI in v19: LAMEHUG (S9035) — the first malware documented querying a live large language model in active operations, associated with APT28 (G0007); Campaign C0062 (AI-orchestrated espionage) — AI-enabled offensive tooling is now formally tracked at ATT&CK framework level. v18 Detection Strategies / Analytics remain in force on every technique and sub-technique.

COBIT · CMMC · FAIR

CMMC Phase 2 — 10 Nov 2026 countdown

CMMC 2.0 Phase 1 ongoing (Level 1 / Level 2 self-attestation in DoD contracts); Phase 2 begins 10 November 2026 — C3PAO third-party certification mandatory for Level 2 handling CUI. COBIT 2019 and FAIR (quantitative risk) unchanged in the last 24h; Open FAIR™ Body of Knowledge cited for DORA Art. 6 risk-tolerance quantification.

National · UK / IE / FR

CAF 4.0 · CE LIVE · MITRE v19 NOW LIVE

UK NCSC CAF 4.0 (Aug 2025) remains in force — MSP and data-centre scope expansion queued for 2026; CAF 5.0 design track acknowledges the Cyber Security and Resilience Bill. UK Cyber Essentials (NCSC / IASME): revised requirement set NOW LIVE — effective 27 April 2026. MFA on all available cloud services and 14-day high/critical patch windows are now automatic-fail criteria; CE+ remediation must be applied across the whole scope, not only the sampled devices; cloud-service scope now explicit (SaaS cannot be excluded). All new and renewal CE/CE+ assessments from today must be assessed against the new requirements. CYBERUK 2026 closed 23 April in Glasgow — NCSC CEO Richard Horne's closing 'perfect storm' keynote (AI-driven adversary tradecraft + frontier vulnerability discovery as the next-decade agenda, layered on Day 2 hostile-state attribution — Russia, Iran, China — and Day 1 supply-chain framing) is now the anchoring UK doctrine signal; Cyber Essentials re-anchored as the universal baseline across the full conference programme. ANSSI: ReCyF (Référentiel Cyber France) issued 17 March 2026 as the operational bridge to NIS2 French transposition (July 2026).

Refresh window · 2026-04-30 · Ireland / NIS2 entities

No new primary publication from NIST, SANS/CIS, or ISO/IEC in the 24 hours to 09:00 UTC on 1 May 2026. MITRE ATT&CK v19 Day 3 — confirmed Enterprise statistics: 222 Techniques, 475 Sub-Techniques, 174 Groups, 821 Software, 56 Campaigns. Defense Impairment tactic ID confirmed: TA0112. New CTI: LAMEHUG (S9035, APT28) — first LLM-querying malware in live operations; Campaign C0062 (AI-orchestrated espionage). CIS AI & LLM Companion Guide and MCP Companion Guide (20 April 2026) available for CSF 2.0 Govern AI risk tooling. Ireland NIS2 essential and important entities: TA0112 (Defense Impairment) maps directly to NIS2 Article 21 security measures — the obligation to maintain monitoring continuity and detection-system integrity. The LAMEHUG / APT28 CTI entry reinforces the AI-augmented adversary threat vector flagged in recent Ireland NCSC advisories. NCSI Bill 2024/26 transposition on track — pair TA0112 coverage deployment with your next Ireland NCSC compliance reporting milestone. Ireland NCSC Cyber Essentials revised requirements have now been in force for three days — confirm the updated cloud-service scope is reflected in current assessments. CISA KEV verification records closed 27 April. Consolidate v19 crosswalk (TA0112 confirmed), CE posture, and KEV sign-off as a single Ireland NIS2 mid-quarter compliance deliverable before the next reporting cycle.

A framework that cannot be enforced is a suggestion. A framework that cannot be evidenced is a liability.

These are not theoretical models. They are operational instruments tested under live regulatory examination.

Framework Update — 4 May 2026

NIST SP 800-53 Rev 5.2.0: CSF 2.0-to-SP 800-53 mapping finalised (Nov 2025) — organisations should now cross-reference using the confirmed mappings XLSX. SP 800-171 Rev 3 / CMMC 2.0 Level 2 Phase 1 enforcement active. No new NIST publication in 24h to 09:00 UTC 4 May 2026. MITRE ATT&CK v19 Day 7: Stealth (TA0005) / Defense Impairment (TA0112) split stable — Ireland NCSC advises essential entities to validate monitoring coverage against both new tactic IDs in NIS2 annual reporting. CISA/NCSC joint advisory AA26-113a (China-nexus SOHO/IoT botnets) maps to ATT&CK T1584.001 (Compromise Infrastructure: Botnet) and T1583.005 (Acquire Infrastructure: Botnet) — Irish CNI operators should verify coverage. NCSC CAF 4.0 remains current; MSP/data-centre scope expansion on track for 2026 — NCSC IE monitoring. EDPB CEF 2026 transparency enforcement intersects GDPR Article 13/14 — frameworks teams should review privacy-notice adequacy now.

Framework Update — 1 May 2026

ATT&CK v19 (28 Apr 2026) Ireland practitioner update: Stealth/Defense Impairment split requires CSIRT-IE runbook review; ICS sub-techniques directly relevant to Irish CNI (energy, water, transport). NIST CSF 2.0 QSG (SP 1308) final. Ireland NCSC Framework alignment with ATT&CK v19 advised. ISO 27001:2022 certification audits using CIS v8.1 mapping now standard.
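The v19 crosswalk that the refresh block and the 4 May update both call for (validating monitoring coverage against TA0005 Stealth and TA0112 Defense Impairment) can be scripted. The block below is an added illustration, not code from this page or from MITRE, CIS, or any NCSC: each detection rule is tagged with the ATT&CK technique IDs it covers, and coverage is computed per tactic. The technique-to-tactic membership and the detection rules are constructed samples; in real use the membership is read from the current ATT&CK STIX release rather than typed by hand, since which techniques v19 places under TA0112 is not stated on this page. Disabled rules are deliberately excluded, because a rule that does not run is documentation, not monitoring coverage.

```python
"""Detection-coverage crosswalk against ATT&CK tactic IDs.

Added example, not part of the original page. The tactic-to-technique
membership below is CONSTRUCTED for illustration; real coverage work
reads the current ATT&CK STIX bundle rather than a hand-typed dict.
"""

# Tactic IDs named on the page. Which techniques sit under each in v19 is
# an ASSUMPTION here; pull the real membership from the ATT&CK release.
TACTIC_NAMES = {
    "TA0005": "Stealth (formerly Defense Evasion)",
    "TA0112": "Defense Impairment",
}
TACTIC_MEMBERSHIP = {  # constructed sample, not the v19 matrix
    "TA0005": {"T1027", "T1070", "T1036"},
    "TA0112": {"T1562", "T1562.001", "T1489"},
}

# Constructed sample detection rules, each tagged with technique IDs.
SAMPLE_RULES = [
    {"id": "rule-001", "techniques": ["T1027"], "enabled": True},
    {"id": "rule-002", "techniques": ["T1070", "T1562.001"], "enabled": True},
    {"id": "rule-003", "techniques": ["T1562"], "enabled": False},  # disabled: no coverage
    {"id": "rule-004", "techniques": ["T1036"], "enabled": True},
]


def coverage_by_tactic(rules, membership):
    """Return {tactic: {"covered": set, "uncovered": set, "ratio": float}}.

    Only enabled rules count: a disabled rule is not monitoring coverage.
    """
    covered_techniques = set()
    for rule in rules:
        if rule.get("enabled", False):
            covered_techniques.update(rule["techniques"])
    report = {}
    for tactic, techniques in membership.items():
        covered = techniques & covered_techniques
        report[tactic] = {
            "covered": covered,
            "uncovered": techniques - covered,
            "ratio": len(covered) / len(techniques) if techniques else 0.0,
        }
    return report


def uncovered_techniques(rules, membership):
    """Flat, sorted list of technique IDs with no enabled detection rule."""
    report = coverage_by_tactic(rules, membership)
    return sorted({t for r in report.values() for t in r["uncovered"]})


def format_report(rules, membership, names=TACTIC_NAMES):
    """Human-readable crosswalk summary, one line per tactic."""
    lines = []
    for tactic, entry in coverage_by_tactic(rules, membership).items():
        label = names.get(tactic, tactic)
        gaps = ", ".join(sorted(entry["uncovered"])) or "none"
        lines.append(f"{tactic} {label}: {entry['ratio']:.0%} covered; gaps: {gaps}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_RULES, TACTIC_MEMBERSHIP))
```

With the constructed data, TA0005 reports full coverage while TA0112 shows gaps on T1562 (its only rule is disabled) and T1489 (no rule at all); the gap list is what would be attached to the NIS2 reporting milestone the refresh block mentions.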
