Strengthening U.S. Critical Infrastructure Resilience Through NIST-Aligned Cybersecurity Governance and AI-Driven Threat Detection
Abstract
U.S. critical infrastructure operators face a persistent gap between high-level cybersecurity frameworks and day-to-day measurable execution, especially under ransomware-driven threat progression. This paper presents an applied, program-to-analytics approach that operationalizes NIST-aligned resilience into auditable actions and metrics while providing a transparent baseline for AI/ML-based threat detection. First, we map five intrusion stages—Initial Access, Privilege Escalation, Lateral Movement, Exfiltration, and Impact—to NIST CSF 2.0 functions and NIST SP 800-53 control-family domains, then define a minimal set of operational metrics (e.g., MFA coverage, patch compliance, MTTD, MTTR, backup restore success, and RTO/RPO achievement) that can be sourced from enterprise systems of record. Second, we implement a sparse-friendly preprocessing and modeling pipeline and evaluate two baseline classifiers on the UNSW-NB15 benchmark dataset (UNSW_NB15_training-set.csv; 175,341 rows; 45 columns) using an 80/20 stratified split (seed=42) and a fixed decision threshold of 0.5. XGBoost achieves ROC-AUC 0.993 and average precision 0.997, with F1 0.969 (TN=10,279; FP=921; FN=575; TP=23,294). Logistic regression (saga) achieves ROC-AUC 0.984 and average precision 0.992, with F1 0.954 (TN=9,230; FP=1,970; FN=281; TP=23,588). The results illustrate baseline tradeoffs under a fixed policy and show how model outputs can be governed through CSF-aligned resilience metrics rather than unsupported deployment claims.
Article information
Journal
Journal of Computer Science and Technology Studies
Volume (Issue)
7 (6)
Pages
1120-1134
Published
Copyright
Copyright (c) 2025 https://creativecommons.org/licenses/by/4.0/
Open access

This work is licensed under a Creative Commons Attribution 4.0 International License.
