Text search:
Implementation Groups:
IG1 IG2 IG3
Threats:
Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Lateral Movement
Framework Relationships:
ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped ID.AM-4: External information systems are catalogued ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established ID.GV-1: Organizational cybersecurity policy is established and communicated ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners ID.RA-1: Asset vulnerabilities are identified and documented ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process ID.SC-3: NIST Cybersecurity Framework v1.1 / ID.SC-3 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes PR.AC-3: Remote access is managed PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) PR.AC-7: NIST Cybersecurity Framework v1.1 / PR.AC-7 PR.AT-1: All users are informed and trained PR.AT-2: Privileged users understand their roles and responsibilities PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities PR.AT-4: Senior executives understand their roles and responsibilities PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities PR.DS-1: Data-at-rest is protected PR.DS-2: Data-in-transit is protected PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition PR.DS-5: Protections against data leaks are implemented PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity PR.DS-7: The development and testing environment(s) are separate from the production environment PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) PR.IP-2: A System Development Life Cycle to manage systems is implemented PR.IP-4: Backups of information are conducted, maintained, and tested PR.IP-6: Data is destroyed according to policy PR.IP-7: Protection processes are improved PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed PR.IP-10: Response and recovery plans are tested PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) PR.IP-12: A vulnerability management plan is developed and implemented PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy PR.PT-2: Removable media is protected and its use restricted according to policy PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed DE.AE-2: Detected events are analyzed to understand attack targets and methods DE.AE-3: Event data are collected and correlated from multiple sources and sensors DE.AE-5: Incident alert thresholds are established DE.CM-1: The network is monitored to detect potential cybersecurity events DE.CM-4: Malicious code is detected DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed DE.CM-8: Vulnerability scans are performed DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability DE.DP-4: Event detection information is communicated RS.AN-1: Notifications from detection systems are investigated RS.AN-4: Incidents are categorized consistent with response plans RS.AN-5: NIST Cybersecurity Framework v1.1 / RS.AN-5 RS.CO-1: Personnel know their roles and order of operations when a response is needed RS.CO-2: Incidents are reported consistent with established criteria RS.CO-3: Information is shared consistent with response plans RS.CO-4: Coordination with stakeholders occurs consistent with response plans RS.IM-1: Response plans incorporate lessons learned RS.IM-2: Response strategies are updated ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. ID.DE-P1: Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. ID.DE-P2: NIST Privacy Framework v1.0 / ID.DE-P2 ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program. ID.DE-P5: NIST Privacy Framework v1.0 / ID.DE-P5 GV.PO-P1: NIST Privacy Framework v1.0 / GV.PO-P1 GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy. GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners). GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. GV.AT-P2: Senior executives understand their roles and responsibilities. GV.AT-P3: Privacy personnel understand their roles and responsibilities. GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems. CT.DM-P5: Data are destroyed according to policy. CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). PR.PO-P3: Backups of information are conducted, maintained, and tested. PR.PO-P5: Protection processes are improved. PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. PR.PO-P8: Response and recovery plans are tested. PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). PR.PO-P10: A vulnerability management plan is developed and implemented. PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. PR.AC-P3: Remote access is managed. PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). PR.DS-P1: Data-at-rest are protected. PR.DS-P2: Data-in-transit are protected. PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. PR.DS-P5: Protections against data leaks are implemented. PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. PR.DS-P7: The development and testing environment(s) are separate from the production environment. PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. PR.PT-P1: Removable media is protected and its use restricted according to policy. PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
Apply Clear Cancel
