Text search:
Control Families:
AC: Access Control AT: Awareness And Training AU: Audit And Accountability CA: Security Assessment And Authorization CM: Configuration Management CP: Contingency Planning IA: Identification And Authentication IR: Incident Response MA: Maintenance MP: Media Protection PE: Physical And Environmental Protection PL: Planning PM: Program Management PS: Personnel Security RA: Risk Assessment SA: System And Services Acquisition SC: System And Communications Protection SI: System And Information Integrity
Baselines:
Low Moderate High
Priorities:
P1: Implement P1 security controls first. P2: Implement P2 security controls after implementation of P1 controls. P3: Implement P3 security controls after implementation of P1 and P2 controls. P0: Security control not selected in any baseline.
Threats:
Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Lateral Movement
Framework Relationships:
ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped ID.AM-4: External information systems are catalogued ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established ID.BE-1: The organization's role in the supply chain is identified and communicated ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated ID.BE-4: Dependencies and critical functions for delivery of critical services are established ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) ID.GV-1: Organizational cybersecurity policy is established and communicated ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed ID.GV-4: Governance and risk management processes address cybersecurity risks ID.RA-1: Asset vulnerabilities are identified and documented ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources ID.RA-3: Threats, both internal and external, are identified and documented ID.RA-4: Potential business impacts and likelihoods are identified ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk ID.RA-6: Risk responses are identified and prioritized ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders ID.RM-2: Organizational risk tolerance is determined and clearly expressed ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process ID.SC-3: NIST Cybersecurity Framework v1.1 / ID.SC-3 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes PR.AC-2: Physical access to assets is managed and protected PR.AC-3: Remote access is managed PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions PR.AC-7: NIST Cybersecurity Framework v1.1 / PR.AC-7 PR.AT-1: All users are informed and trained PR.AT-2: Privileged users understand their roles and responsibilities PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities PR.AT-4: Senior executives understand their roles and responsibilities PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities PR.DS-1: Data-at-rest is protected PR.DS-2: Data-in-transit is protected PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition PR.DS-4: Adequate capacity to ensure availability is maintained PR.DS-5: Protections against data leaks are implemented PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity PR.DS-7: The development and testing environment(s) are separate from the production environment PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) PR.IP-2: A System Development Life Cycle to manage systems is implemented PR.IP-3: Configuration change control processes are in place PR.IP-4: Backups of information are conducted, maintained, and tested PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met PR.IP-6: Data is destroyed according to policy PR.IP-7: Protection processes are improved PR.IP-8: Effectiveness of protection technologies is shared PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed PR.IP-10: Response and recovery plans are tested PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) PR.IP-12: A vulnerability management plan is developed and implemented PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy PR.PT-2: Removable media is protected and its use restricted according to policy PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities PR.PT-4: Communications and control networks are protected PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed DE.AE-2: Detected events are analyzed to understand attack targets and methods DE.AE-3: Event data are collected and correlated from multiple sources and sensors DE.AE-4: Impact of events is determined DE.AE-5: Incident alert thresholds are established DE.CM-1: The network is monitored to detect potential cybersecurity events DE.CM-2: The physical environment is monitored to detect potential cybersecurity events DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events DE.CM-4: Malicious code is detected DE.CM-5: Unauthorized mobile code is detected DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed DE.CM-8: Vulnerability scans are performed DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability DE.DP-2: Detection activities comply with all applicable requirements DE.DP-3: Detection processes are tested DE.DP-4: Event detection information is communicated RS.AN-1: Notifications from detection systems are investigated RS.AN-2: The impact of the incident is understood RS.AN-3: Forensics are performed RS.AN-4: Incidents are categorized consistent with response plans RS.AN-5: NIST Cybersecurity Framework v1.1 / RS.AN-5 RS.CO-1: Personnel know their roles and order of operations when a response is needed RS.CO-2: Incidents are reported consistent with established criteria RS.CO-3: Information is shared consistent with response plans RS.CO-4: Coordination with stakeholders occurs consistent with response plans RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness RS.IM-1: Response plans incorporate lessons learned RS.IM-2: Response strategies are updated RS.MI-1: Incidents are contained RS.MI-2: Incidents are mitigated RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks RS.RP-1: Response plan is executed during or after an incident RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams RC.IM-1: Recovery plans incorporate lessons learned RC.IM-2: Recovery strategies are updated RC.RP-1: Recovery plan is executed during or after a cybersecurity incident ID.IM-P1: Systems/products/services that process data are inventoried. ID.IM-P2: NIST Privacy Framework v1.0 / ID.IM-P2 ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties). ID.BE-P2: Priorities for organizational mission, objectives, and activities are established and communicated. ID.RA-P1: NIST Privacy Framework v1.0 / ID.RA-P1 ID.RA-P3: Potential problematic data actions and associated problems are identified. ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. ID.RA-P5: Risk responses are identified, prioritized, and implemented. ID.DE-P1: Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. ID.DE-P2: NIST Privacy Framework v1.0 / ID.DE-P2 ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program. ID.DE-P5: NIST Privacy Framework v1.0 / ID.DE-P5 GV.PO-P1: NIST Privacy Framework v1.0 / GV.PO-P1 GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place. GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy. GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed. GV.PO-P6: Governance and risk management policies, processes, and procedures address privacy risks. GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders. GV.RM-P2: Organizational risk tolerance is determined and clearly expressed. GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. GV.AT-P2: Senior executives understand their roles and responsibilities. GV.AT-P3: Privacy personnel understand their roles and responsibilities. GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. GV.MT-P1: NIST Privacy Framework v1.0 / GV.MT-P1 GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated. GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place. GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place. GV.MT-P5: NIST Privacy Framework v1.0 / GV.MT-P5 GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions. CT.PO-P2: NIST Privacy Framework v1.0 / CT.PO-P2 CT.PO-P3: Policies, processes, and procedures for enabling individuals' data processing preferences and requests are established and in place. CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems. CT.DM-P1: Data elements can be accessed for review. CT.DM-P2: Data elements can be accessed for transmission or disclosure. CT.DM-P3: Data elements can be accessed for alteration. CT.DM-P4: Data elements can be accessed for deletion. CT.DM-P5: Data are destroyed according to policy. CT.DM-P6: Data are transmitted using standardized formats. CT.DM-P7: Mechanisms for transmitting processing permissions and related data values with data elements are established and in place. CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed. CT.DP-P1: Data are processed to limit observability and linkability (e.g., data actions take place on local devices, privacy-preserving cryptography). CT.DP-P2: Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization). CT.DP-P3: Data are processed to limit the formulation of inferences about individuals' behavior or activities (e.g., data processing is decentralized, distributed architectures). CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements. CT.DP-P5: Attribute references are substituted for attribute values. CM.AW-P1: NIST Privacy Framework v1.0 / CM.AW-P1 CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. CM.AW-P3: System/product/service design enables data processing visibility. CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure. CM.AW-P7: Impacted individuals and organizations are notified about a privacy breach or event. CM.AW-P8: Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to address impacts of problematic data actions. PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). PR.PO-P2: Configuration change control processes are established and in place. PR.PO-P3: Backups of information are conducted, maintained, and tested. PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met. PR.PO-P5: Protection processes are improved. PR.PO-P6: Effectiveness of protection technologies is shared. PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. PR.PO-P8: Response and recovery plans are tested. PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). PR.PO-P10: A vulnerability management plan is developed and implemented. PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. PR.AC-P2: Physical access to data and devices is managed. PR.AC-P3: Remote access is managed. PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). PR.AC-P6: NIST Privacy Framework v1.0 / PR.AC-P6 PR.DS-P1: Data-at-rest are protected. PR.DS-P2: Data-in-transit are protected. PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. PR.DS-P4: Adequate capacity to ensure availability is maintained. PR.DS-P5: Protections against data leaks are implemented. PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. PR.DS-P7: The development and testing environment(s) are separate from the production environment. PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. PR.PT-P1: Removable media is protected and its use restricted according to policy. PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. PR.PT-P3: Communications and control networks are protected. PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
Apply Clear Cancel
