Informative References

An informative reference is a cross-reference to a control set that can be used to implement a security outcome described by the framework element.

    Function / Category / Subcategory

    Identify (ID)
        ID.IM: Improvement
            ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
            ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

    Protect (PR)
        PR.AA: Identity Management, Authentication, and Access Control
            PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
            PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
            PR.AA-03: Users, services, and hardware are authenticated
            PR.AA-04: Identity assertions are protected, conveyed, and verified
            PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
            PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
        PR.AT: Awareness and Training
            PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
            PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
        PR.DS: Data Security
            PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
            PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
            PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
            PR.DS-11: Backups of data are created, protected, maintained, and tested
        PR.PS: Platform Security
            PR.PS-01: Configuration management practices are established and applied
            PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
            PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
            PR.PS-04: Log records are generated and made available for continuous monitoring
            PR.PS-05: Installation and execution of unauthorized software are prevented
            PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
        PR.IR: Technology Infrastructure Resilience
            PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
            PR.IR-02: The organization's technology assets are protected from environmental threats
            PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
            PR.IR-04: Adequate resource capacity to ensure availability is maintained

    Detect (DE)
        DE.CM: Continuous Monitoring
            DE.CM-01: Networks and network services are monitored to find potentially adverse events
            DE.CM-02: The physical environment is monitored to find potentially adverse events
            DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
            DE.CM-06: External service provider activities and services are monitored to find potentially adverse events
            DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
        DE.AE: Adverse Event Analysis
            DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
            DE.AE-03: Information is correlated from multiple sources
            DE.AE-04: The estimated impact and scope of adverse events are understood
            DE.AE-06: Information on adverse events is provided to authorized staff and tools
            DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis
            DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

    Respond (RS)
        RS.MA: Incident Management
            RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
            RS.MA-02: Incident reports are triaged and validated
            RS.MA-03: Incidents are categorized and prioritized
            RS.MA-04: Incidents are escalated or elevated as needed
            RS.MA-05: The criteria for initiating incident recovery are applied
        RS.AN: Incident Analysis
            RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
            RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
            RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
            RS.AN-08: An incident's magnitude is estimated and validated
        RS.CO: Incident Response Reporting and Communication
            RS.CO-02: Internal and external stakeholders are notified of incidents
            RS.CO-03: Information is shared with designated internal and external stakeholders
        RS.MI: Incident Mitigation
            RS.MI-01: Incidents are contained
            RS.MI-02: Incidents are eradicated

    Recover (RC)
        RC.RP: Incident Recovery Plan Execution
            RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
            RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed