Informative References

Informative references are a cross-reference to a control set that can be used to implement a security outcome described by the framework element.

    ID.AM: Asset ManagementID.AM-1: Physical devices and systems within the organization are inventoried
    ID.AM-2: Software platforms and applications within the organization are inventoried
    ID.AM-3: Organizational communication and data flows are mapped
    ID.AM-4: External information systems are catalogued
    ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
    ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
    ID.BE: Business EnvironmentID.BE-1: The organization's role in the supply chain is identified and communicated
    ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
    ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
    ID.BE-4: Dependencies and critical functions for delivery of critical services are established
    ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
    ID.GV: GovernanceID.GV-1: Organizational cybersecurity policy is established and communicated
    ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
    ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
    ID.GV-4: Governance and risk management processes address cybersecurity risks
    ID.RA: Risk AssessmentID.RA-1: Asset vulnerabilities are identified and documented
    ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-3: Threats, both internal and external, are identified and documented
    ID.RA-4: Potential business impacts and likelihoods are identified
    ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
    ID.RA-6: Risk responses are identified and prioritized
    ID.RM: Risk Management StrategyID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
    ID.RM-2: Organizational risk tolerance is determined and clearly expressed
    ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
    ID.SC: Supply Chain Risk ManagementID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
    ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
    ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan
    ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
    ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
    PR.AC: Identity Management, Authentication and Access ControlPR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
    PR.AC-2: Physical access to assets is managed and protected
    PR.AC-3: Remote access is managed
    PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
    PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
    PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
    PR.AT: Awareness and TrainingPR.AT-1: All users are informed and trained
    PR.AT-2: Privileged users understand their roles and responsibilities
    PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
    PR.AT-4: Senior executives understand their roles and responsibilities
    PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
    PR.DS: Data SecurityPR.DS-1: Data-at-rest is protected
    PR.DS-2: Data-in-transit is protected
    PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
    PR.DS-4: Adequate capacity to ensure availability is maintained
    PR.DS-5: Protections against data leaks are implemented
    PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
    PR.DS-7: The development and testing environment(s) are separate from the production environment
    PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
    PR.IP: Information Protection Processes and ProceduresPR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)