Implementation Groups: IG1, IG2, IG3
Threats:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Lateral Movement
Framework Relationships:
NIST Cybersecurity Framework v1.1:
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.SC-3: NIST Cybersecurity Framework v1.1 / ID.SC-3
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: NIST Cybersecurity Framework v1.1 / PR.AC-7
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand their roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-4: Senior executives understand their roles and responsibilities
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-7: Protection processes are improved
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.PT-4: Communications and control networks are protected
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-5: Incident alert thresholds are established
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-5: Detection processes are continuously improved
RS.AN-1: Notifications from detection systems are investigated
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: NIST Cybersecurity Framework v1.1 / RS.AN-5
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

NIST Privacy Framework v1.0:
ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk.
ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program.
GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy.
GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners).
GV.AT-P1: The workforce is informed and trained on its roles and responsibilities.
GV.AT-P2: Senior executives understand their roles and responsibilities.
GV.AT-P3: Privacy personnel understand their roles and responsibilities.
GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities.
CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems.
CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization.
PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality).
PR.PO-P2: Configuration change control processes are established and in place.
PR.PO-P3: Backups of information are conducted, maintained, and tested.
PR.PO-P5: Protection processes are improved.
PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed.
PR.PO-P8: Response and recovery plans are tested.
PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening).
PR.PO-P10: A vulnerability management plan is developed and implemented.
PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.
PR.AC-P3: Remote access is managed.
PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation).
PR.AC-P6: NIST Privacy Framework v1.0 / PR.AC-P6
PR.DS-P1: Data-at-rest are protected.
PR.DS-P2: Data-in-transit are protected.
PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition.
PR.DS-P4: Adequate capacity to ensure availability is maintained.
PR.DS-P5: Protections against data leaks are implemented.
PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
PR.DS-P7: The development and testing environment(s) are separate from the production environment.
PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.
PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
PR.PT-P1: Removable media is protected and its use restricted according to policy.
PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
PR.PT-P3: Communications and control networks are protected.
PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.