NIST CSF 2.0106

Requirements in this framework

• DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
• DE.AE-03: Information is correlated from multiple sources
• DE.AE-04: The estimated impact and scope of adverse events are understood
• DE.AE-06: Information on adverse events is provided to authorized staff and tools
• DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis
• DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
• DE.CM-01: Networks and network services are monitored to find potentially adverse events
• DE.CM-02: The physical environment is monitored to find potentially adverse events
• DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
• DE.CM-06: External service provider activities and services are monitored to find potentially adverse events
• DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
• GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
• GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
• GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
• GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
• GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
• GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
• GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
• GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
• GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
• GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
• GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
• GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
• GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
• GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
• GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
• GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
• GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
• GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
• GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
• GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
• GV.RR-04: Cybersecurity is included in human resources practices
• GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
• GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
• GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
• GV.SC-04: Suppliers are known and prioritized by criticality
• GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
• GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
• GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
• GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
• GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
• GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
• ID.AM-01: Inventories of hardware managed by the organization are maintained
• ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
• ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained
• ID.AM-04: Inventories of services provided by suppliers are maintained
• ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
• ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
• ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
• ID.IM-01: Improvements are identified from evaluations
• ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
• ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
• ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
• ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
• ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
• ID.RA-03: Internal and external threats to the organization are identified and recorded
• ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
• ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
• ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
• ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
• ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established
• ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
• ID.RA-10: Critical suppliers are assessed prior to acquisition
• PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
• PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
• PR.AA-03: Users, services, and hardware are authenticated
• PR.AA-04: Identity assertions are protected, conveyed, and verified
• PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
• PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
• PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
• PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
• PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
• PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
• PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
• PR.DS-11: Backups of data are created, protected, maintained, and tested
• PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
• PR.IR-02: The organization’s technology assets are protected from environmental threats
• PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
• PR.IR-04: Adequate resource capacity to ensure availability is maintained
• PR.PS-01: Configuration management practices are established and applied
• PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
• PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
• PR.PS-04: Log records are generated and made available for continuous monitoring
• PR.PS-05: Installation and execution of unauthorized software are prevented
• PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
• RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
• RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
• RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
• RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
• RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
• RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
• RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
• RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed
• RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
• RS.AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
• RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
• RS.AN-08: An incident’s magnitude is estimated and validated
• RS.CO-02: Internal and external stakeholders are notified of incidents
• RS.CO-03: Information is shared with designated internal and external stakeholders
• RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
• RS.MA-02: Incident reports are triaged and validated
• RS.MA-03: Incidents are categorized and prioritized
• RS.MA-04: Incidents are escalated or elevated as needed
• RS.MA-05: The criteria for initiating incident recovery are applied
• RS.MI-01: Incidents are contained
• RS.MI-02: Incidents are eradicated