Informative References

Informative references are cross-references to control sets (for example, standards, guidelines, and practices) that can be used to implement the security outcome described by a framework element. The table below lists the Functions, Categories, and Subcategories (outcomes) covered on this page.

Function / Category / Subcategory

Function: Protect (PR)

  Category PR.IP: Information Protection Processes and Procedures
    PR.IP-2: A System Development Life Cycle to manage systems is implemented
    PR.IP-3: Configuration change control processes are in place
    PR.IP-4: Backups of information are conducted, maintained, and tested
    PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
    PR.IP-6: Data is destroyed according to policy
    PR.IP-7: Protection processes are improved
    PR.IP-8: Effectiveness of protection technologies is shared
    PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
    PR.IP-10: Response and recovery plans are tested
    PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
    PR.IP-12: A vulnerability management plan is developed and implemented

  Category PR.MA: Maintenance
    PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
    PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

  Category PR.PT: Protective Technology
    PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
    PR.PT-2: Removable media is protected and its use restricted according to policy
    PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
    PR.PT-4: Communications and control networks are protected
    PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

Function: Detect (DE)

  Category DE.AE: Anomalies and Events
    DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
    DE.AE-2: Detected events are analyzed to understand attack targets and methods
    DE.AE-3: Event data are collected and correlated from multiple sources and sensors
    DE.AE-4: Impact of events is determined
    DE.AE-5: Incident alert thresholds are established

  Category DE.CM: Security Continuous Monitoring
    DE.CM-1: The network is monitored to detect potential cybersecurity events
    DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
    DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    DE.CM-4: Malicious code is detected
    DE.CM-5: Unauthorized mobile code is detected
    DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
    DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    DE.CM-8: Vulnerability scans are performed

  Category DE.DP: Detection Processes
    DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
    DE.DP-2: Detection activities comply with all applicable requirements
    DE.DP-3: Detection processes are tested
    DE.DP-4: Event detection information is communicated
    DE.DP-5: Detection processes are continuously improved

Function: Respond (RS)

  Category RS.AN: Analysis
    RS.AN-1: Notifications from detection systems are investigated
    RS.AN-2: The impact of the incident is understood
    RS.AN-3: Forensics are performed
    RS.AN-4: Incidents are categorized consistent with response plans
    RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)

  Category RS.CO: Communications
    RS.CO-1: Personnel know their roles and order of operations when a response is needed
    RS.CO-2: Incidents are reported consistent with established criteria
    RS.CO-3: Information is shared consistent with response plans
    RS.CO-4: Coordination with stakeholders occurs consistent with response plans
    RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

  Category RS.IM: Improvements
    RS.IM-1: Response plans incorporate lessons learned
    RS.IM-2: Response strategies are updated

  Category RS.MI: Mitigation
    RS.MI-1: Incidents are contained
    RS.MI-2: Incidents are mitigated