cross-posted from: infosec.pub/post/6671372

I’m not a vendor; I’m just curious what experience people have with implementing security control frameworks.

DoD uses DISA STIGs. Everyone else uses CIS benchmarks, or self-developed ones based off NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don’t suck?

Does anyone care except you (hopefully 😉)?