The Standards
The Defensible 10 Standards (D10S) define the engineering model for cybersecurity architecture - transforming high-level frameworks into measurable, defensible, and technically verifiable design standards.

The Defensible 10 Standards (D10S) - “2025 Parent Standards”
These are the ten primary technical standards that define ISAUnited’s defensible approach to cybersecurity architecture and engineering.
Each standard captures the essential architecture, engineering, and validation methods necessary to design and maintain secure, resilient, and verifiable systems.
Unlike compliance frameworks that define what must be secured, the D10S define how to engineer that security—measurably, repeatably, and defensibly.
Sub-Standards and Flow-Down Development - “2025-2026”
Sub-Standards Overview
Each year, the Defensible 10 Standards (D10S) expand through Sub-Standards—targeted, domain-specific engineering documents that translate Parent Standard objectives into measurable technical practices.
A Sub-Standard provides the next level of precision: defining configurations, controls, validation criteria, and design behaviors that engineers can directly apply in system development, cloud deployment, or operational environments.
Written by practitioners and reviewed through the ISAUnited Technical Fellow Society, each Sub-Standard represents a controlled flow-down of its Parent Standard—ensuring traceability, consistency, and defensibility across every security domain.
This approach keeps the D10S living, verifiable, and responsive to change—aligning security engineering methods with new technologies, architectures, and threat models each year.
About the Open Season Tables
The examples below illustrate the types of Sub-Standards ISAUnited seeks during the upcoming Open Season 2025 submission period. Each listing represents a proposed area of development that extends one of the ten Parent Standards through detailed engineering guidance, implementation specifications, or validation methods.
Contributors may propose new topics or refine existing examples—each submission must follow the Defensible Standards Submission Schema (D-SSF) and include measurable inputs, outputs, and verification steps.
D01: Network Security Architecture & Engineering [ISAU-DS-NS-1000]
Helps architects and engineers design segmented, resilient network architectures that enforce least-privilege access and measurable control across hybrid infrastructures. Practitioners contributing to this standard can expand on areas such as network segmentation models, Zero Trust connectivity, and automated policy enforcement.

D02: Cloud Security Architecture & Resilience [ISAU-DS-CS-1000]
Enables architects and cloud engineers to design secure, resilient, and verifiable cloud environments that align with Zero Trust and defense-in-depth principles. Practitioners contributing to this domain can develop Sub-Standards on multi-cloud security baselines, cloud identity and access controls, workload isolation, automation of cloud security posture management (CSPM), and resilience testing across distributed architectures.

D03: Compute, Platform & Workload Security Architecture [ISAU-DS-CPW-1000]
Guides engineers in securing virtual machines, containers, and cloud workloads through hardened configurations, runtime protection, and workload integrity validation. Practitioners developing Sub-Standards under this domain can focus on areas such as workload isolation, secure platform baselines, runtime detection engineering, and infrastructure-as-code (IaC) validation methods.

D04: Application Security Architecture & Secure Development [ISAU-DS-AS-1000]
Equips software engineers and security architects to embed security by design throughout the software development lifecycle—covering architecture, coding, testing, and deployment. Practitioners contributing to this domain can develop Sub-Standards focused on secure coding practices, API and microservice protection, software supply chain integrity, and automated application security validation within CI/CD pipelines.

D05: Data Security Architecture [ISAU-DS-DS-1000]
Equips software engineers and security architects to embed security by design throughout the software development lifecycle—covering architecture, coding, testing, and deployment. Practitioners contributing to this domain can develop Sub-Standards focused on secure coding practices, API and microservice protection, software supply chain integrity, and automated application security validation within CI/CD pipelines.

D06: Identity & Access Security Architecture [ISAU-DS-IAM-1000]
Enables architects and engineers to design and implement identity systems that enforce Zero Trust access, adaptive authentication, and least-privilege governance across cloud and enterprise environments. Practitioners in this domain can develop Sub-Standards for privileged access management (PAM), federated identity design, identity lifecycle automation, and risk-based access validation.

D07: Threat & Vulnerability Security Engineering [ISAU-DS-TVE-1000]
Empowers engineers and analysts to build proactive vulnerability and exposure management programs that integrate continuous assessment, threat intelligence, and risk-based remediation. Practitioners in this domain can develop Sub-Standards for automated vulnerability prioritization, attack surface discovery, adversary emulation, and validation of exploit resilience through continuous security testing.

D08: Monitoring, Detection & Incident Response Architecture [ISAU-DS-MDIR-1000]
Supports security engineers and operations teams in designing architectures that deliver real-time detection, automated response, and resilient recovery from cyber incidents. Practitioners contributing to this domain can develop Sub-Standards focused on detection engineering, telemetry integration, security automation (SOAR), threat hunting, and adversary-informed incident response workflows.

D09: Cryptography, Encryption & Key Management [ISAU-DS-CEK-1000]
Guides engineers in designing and managing cryptographic systems that ensure data confidentiality, integrity, and authenticity across hybrid and cloud environments. Practitioners in this domain can develop Sub-Standards focused on encryption implementation patterns, key management lifecycle controls, certificate authority (CA) governance, and cryptographic validation for emerging technologies, such as quantum-resistant algorithms.

D10: DevSecOps & Secure SDLC Engineering [ISAU-DS-DSS-1000]
Helps software engineers, DevOps practitioners, and architects integrate security into every phase of the development and deployment lifecycle. Practitioners contributing to this domain can develop Sub-Standards focused on secure CI/CD pipeline design, automated code validation, policy-as-code enforcement, software supply chain security, and continuous compliance through Security-by-Design and Security-as-Code practices.

