NIST CSF 2.0 provides six core functions (Govern, Identify, Protect, Detect, Respond, Recover) for organizing security programs - CIS Controls offer a prioritized implementation path, with Control 18 specifically addressing penetration testing - NIST SP 800-53 provides detailed security controls use