Identify
(ID) | ID.AM: Asset Management | ID.AM-1: Physical devices and systems within the organization are inventoried |
| ID.AM-2: Software platforms and applications within the organization are inventoried |
| ID.AM-3: Organizational communication and data flows are mapped |
| ID.AM-4: External information systems are catalogued |
| ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value |
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
| ID.BE: Business Environment | ID.BE-1: The organization's role in the supply chain is identified and communicated |
| ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated |
| ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established |
| ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) |
| ID.GV: Governance | ID.GV-1: Organizational cybersecurity policy is established and communicated |
| ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed |
| ID.GV-4: Governance and risk management processes address cybersecurity risks |
| ID.RA: Risk Assessment | ID.RA-1: Asset vulnerabilities are identified and documented |
| ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources |
| ID.RA-3: Threats, both internal and external, are identified and documented |
| ID.RA-4: Potential business impacts and likelihoods are identified |
| ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
| ID.RA-6: Risk responses are identified and prioritized |
| ID.RM: Risk Management Strategy | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders |
| ID.RM-2: Organizational risk tolerance is determined and clearly expressed |
| ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis |
| ID.SC: Supply Chain Risk Management | ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
| ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
| ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan |
| ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations |
| ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers |
Protect
(PR) | PR.AC: Identity Management, Authentication and Access Control | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| PR.AC-2: Physical access to assets is managed and protected |
| PR.AC-3: Remote access is managed |
| PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) |
| PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions |
| PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) |
| PR.AT: Awareness and Training | PR.AT-1: All users are informed and trained |
| PR.AT-2: Privileged users understand their roles and responsibilities |
| PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities |
| PR.AT-4: Senior executives understand their roles and responsibilities |
| PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities |
| PR.DS: Data Security | PR.DS-1: Data-at-rest is protected |
| PR.DS-2: Data-in-transit is protected |
| PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition |
| PR.DS-4: Adequate capacity to ensure availability is maintained |
| PR.DS-5: Protections against data leaks are implemented |
| PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity |
| PR.DS-7: The development and testing environment(s) are separate from the production environment |
| PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity |
| PR.IP: Information Protection Processes and Procedures | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
