NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)

| Publisher | Version | Published | Controls |
|---|---|---|---|
| — | 2.0 | — | 70 |
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| ID.AM-01 | Asset Inventory — Hardware | Inventories of hardware managed by the organization are maintained. | Identify | |
| PR.AA-01 | Identity Management | Identities and credentials for authorized users, services, and hardware are managed by the organization. | Protect | |
| RS.MA-01 | Incident Execution | The incident response plan is executed in coordination with relevant third parties once an incident is declared. | Respond | |
| GV.OC-01 | Organizational Context | The organizational mission is understood and informs cybersecurity risk management. | Govern | |
| RC.RP-01 | Recovery Plan | The recovery portion of the incident response plan is executed once initiated from the incident response process. | Recover | |
| DE.AE-02 | Event Analysis | Potentially adverse events are analyzed to better characterize them. | Detect | |
| GV.OC-02 | Internal Stakeholders | Internal stakeholders with cybersecurity risk management roles and responsibilities are identified. | Govern | |
| DE.AE-03 | Information Correlation | Information is correlated from multiple sources. | Detect | |
| PR.AA-02 | Identity Proofing | Identities are proofed and bound to credentials based on the context of interactions. | Protect | |
| RS.MA-02 | Incident Triage | Incidents are triaged to support analysis and prioritization of handling. | Respond | |
| RC.RP-02 | Recovery Actions | Recovery actions are selected, scoped, prioritized, and performed. | Recover | |
| ID.AM-02 | Asset Inventory — Software | Inventories of software, services, and systems managed by the organization are maintained. | Identify | |
| ID.AM-03 | Network Representation | Representations of the organization's authorized network communication and internal and external network data flows are maintained. | Identify | |
| RS.MA-03 | Incident Escalation | Incidents are escalated or elevated as needed. | Respond | |
| GV.OC-03 | Legal Requirements | Legal, regulatory, and contractual requirements regarding cybersecurity are understood and managed. | Govern | |
| PR.AA-03 | Authentication | Users, services, and hardware are authenticated. | Protect | |
| DE.AE-04 | Impact Estimation | The estimated impact and scope of adverse events are understood. | Detect | |
| RC.RP-03 | Restoration Integrity | The integrity of backups and other restoration assets is verified before using them for restoration. | Recover | |
| GV.OC-04 | Critical Objectives | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated. | Govern | |
| RC.RP-04 | Critical Services Restoration | Critical mission functions and cybersecurity services are re-established. | Recover | |
| DE.AE-06 | Incident Alerting | A plan is in place to communicate suspected cybersecurity incidents and vulnerabilities to designated internal and external stakeholders. | Detect | |
| RS.MA-04 | Incident Criteria | Incidents are categorized and classified. | Respond | |
| ID.AM-04 | External Systems | Inventories of services provided by suppliers, partners, and third parties are maintained. | Identify | |
| PR.AA-04 | Identity Assertions | Identity assertions are protected, conveyed, and verified. | Protect | |
| RC.RP-05 | Recovery Completion | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed. | Recover | |
| DE.AE-07 | Cyber Intelligence | Cyber threat intelligence and other contextual information are integrated into the analysis. | Detect | |
| ID.AM-05 | Asset Prioritization | Assets are prioritized based on classification, criticality, resources, and impact on the mission. | Identify | |
| GV.OC-05 | Outcomes and Dependencies | Outcomes, capabilities, and services that the organization depends on are understood and communicated. | Govern | |
| PR.AA-05 | Access Rights | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed. | Protect | |
| RS.MA-05 | Incident Termination | The criteria for initiating and terminating incident response are established. | Respond | |
| ID.AM-07 | Data Inventory | Inventories of data and corresponding metadata for designated data types are maintained. | Identify | |
| PR.AA-06 | Physical Access | Physical access to assets is managed, monitored, and enforced commensurate with risk. | Protect | |
| DE.AE-08 | Incident Declaration | Incidents are declared when adverse events meet the defined incident criteria. | Detect | |
| RS.AN-03 | Analysis Tasks | Analysis is performed to establish what has taken place during an incident and the root cause of the incident. | Respond | |
| GV.RM-01 | Risk Management Strategy | Risk management objectives are established and agreed to by organizational stakeholders. | Govern | |
| RC.RP-06 | Incident Closure | The end of incident recovery is declared based on criteria, and incident-related documentation is completed. | Recover | |
| RC.CO-03 | Recovery Communications | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders. | Recover | |
| GV.RM-02 | Risk Appetite | Risk appetite and risk tolerance statements are established, communicated, and maintained. | Govern | |
| PR.AT-01 | Awareness Training | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind. | Protect | |
| RS.AN-06 | Actions Cataloged | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved. | Respond | |
| DE.CM-01 | Networks Monitoring | Networks and network services are monitored to find potentially adverse events. | Detect | |
| ID.RA-01 | Vulnerability Identification | Vulnerabilities in assets are identified, validated, and recorded. | Identify | |
| RS.AN-07 | Incident Scope | The magnitude of an incident and its impact on the organization and its stakeholders are understood. | Respond | |
| GV.RM-03 | Cybersecurity Risk Management | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes. | Govern | |
| RC.CO-04 | Public Communications | Public updates on incident recovery are shared using approved messaging and channels. | Recover | |
| PR.DS-01 | Data-at-Rest Protection | The confidentiality, integrity, and availability of data-at-rest are protected. | Protect | |
| DE.CM-02 | Physical Environment Monitoring | The physical environment is monitored to find potentially adverse events. | Detect | |
| ID.RA-02 | Cyber Threat Intelligence | Cyber threat intelligence is received from information sharing forums and sources. | Identify | |
| GV.RM-06 | Policies and Procedures | Policies, processes, procedures, and practices covering the organization's cybersecurity expectations are established and communicated. | Govern | |
| ID.RA-03 | Threat Identification | Internal and external threats to the organization are identified and recorded. | Identify | |
| RS.AN-08 | Notifications | Notifications are provided to relevant internal and external stakeholders as required by laws, regulations, or policies. | Respond | |
| DE.CM-03 | Personnel Activity Monitoring | Personnel activity and technology usage are monitored to find potentially adverse events. | Detect | |
| PR.DS-02 | Data-in-Transit Protection | The confidentiality, integrity, and availability of data-in-transit are protected. | Protect | |
| RS.CO-02 | Internal Reporting | Internal stakeholders are notified of incidents. | Respond | |
| GV.RM-07 | Cybersecurity Program | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions. | Govern | |
| PR.DS-10 | Data-in-Use Protection | The confidentiality, integrity, and availability of data-in-use are protected. | Protect | |
| ID.RA-05 | Risk Assessment | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform prioritization. | Identify | |
| DE.CM-06 | External Service Provider Monitoring | External service provider activities and services are monitored to find potentially adverse events. | Detect | |
| DE.CM-09 | Computing Hardware and Software Monitoring | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events. | Detect | |
| RS.CO-03 | External Reporting | Information is shared with designated external stakeholders in accordance with response plans. | Respond | |
| GV.RR-01 | Roles and Responsibilities | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving. | Govern | |
| ID.RA-06 | Risk Response | Risk responses are chosen, prioritized, planned, tracked, and communicated. | Identify | |
| PR.IR-01 | Network Integrity | Networks and environments are protected from unauthorized logical access and usage. | Protect | |
| RS.MI-01 | Incident Containment | Incidents are contained. | Respond | |
| ID.IM-01 | Improvement Plan | Improvements are identified from evaluations. | Identify | |
| PR.IR-02 | Secure Development | The organization's technology development and change management processes include cybersecurity practices. | Protect | |
| GV.RR-02 | Cybersecurity Roles | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, and enforced. | Govern | |
| RS.MI-02 | Incident Eradication | Incidents are eradicated. | Respond | |
| PR.IR-03 | Hardware and Software Integrity | Hardware and software are managed consistently and comprehensively to understand, assess, and manage their integrity. | Protect | |
| PR.IR-04 | Adequate Capacity | Adequate resource capacity to ensure availability is maintained. | Protect | |