NIST Cybersecurity Framework 2.0 - Overview and Reference Guide
The NIST Cybersecurity Framework (CSF) 2.0 provides updated guidance for organizations on how to understand, assess, prioritize, communicate, and manage cybersecurity risks alongside other enterprise risks, such as financial, privacy, supply chain, reputational, technological, and physical risks.
The Framework Core consists of six Functions (Govern, Identify, Protect, Detect, Respond, and Recover), each broken down into Categories (guidance), Subcategories (recommendations), and Implementation Examples (procedures); this guide also tags each Subcategory with its Applicable Risk. Together these provide a comprehensive guideline for managing cybersecurity risk.
The Functions, Categories, and Subcategories apply to all ICT used by an organization, including Information Technology (IT), the Internet of Things (IoT), and Operational Technology (OT). They also apply to all types of technology environments, including cloud, mobile, and artificial intelligence systems.
GOVERN
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Understand and assess specific cybersecurity needs.
- Develop a tailored cybersecurity risk strategy.
- Establish defined risk management policies.
- Develop and communicate organizational cybersecurity practices.
- Establish and monitor cybersecurity supply chain risk management.
- Implement continuous oversight and checkpoints.
IDENTIFY
The organization’s current cybersecurity risks are understood.
- Identify critical business processes and assets.
- Maintain inventories of hardware, software, services, and systems.
- Document information flows.
- Identify threats, vulnerabilities, and risk to assets.
- Lessons learned are used to identify improvements.
PROTECT
Safeguards to manage the organization’s cybersecurity risks are implemented.
- Manage and track physical access to facilities and devices.
- Protect and monitor your devices.
- Protect sensitive data.
- Manage and maintain software.
- Conduct regular backups.
- Train users.
DETECT
Potential cybersecurity attacks and compromises are discovered and analyzed.
RESPOND
Actions regarding a detected cybersecurity incident are taken.
- Execute an incident response plan once an incident is declared, in coordination with relevant third parties.
- Categorize and prioritize incidents and escalate or elevate as required.
- Collect incident data and preserve its integrity and provenance.
- Contain and eradicate incidents.
- Notify internal and external stakeholders of any incidents and share incident information with them in line with your organization's policies.
RECOVER
Assets and operations affected by a cybersecurity incident are restored.
- Understand your organization’s roles and responsibilities.
- Execute your recovery plan.
- Communicate with internal and external stakeholders.
- Verify your work.
wdt_ID | S/N | Function | Category | Category Description (Guidance) | SID | Subcategory (Recommendations) | Implementation (Procedure) | Risk Applicability | References | Changelog |
---|---|---|---|---|---|---|---|---|---|---|
1 | 1 | GOVERN | Organizational Context | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood | GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | Ex1: Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission | 1st Party Risk | CRI Profile v2.0: GV.OC-01 CRI Profile v2.0: GV.OC-01.01 SP 800-221A: GV.CT-5 SP 800-221A: GV.CT-3 CSF v1.1: ID.BE-2 CSF v1.1: ID.BE-3 | formerly ID.BE-02, ID.BE-03 |
2 | 2 | GOVERN | Organizational Context | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees) Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society) | 1st & 3rd Party Risk | SP 800-218: PO.2.1 CRI Profile v2.0: GV.OC-02 CRI Profile v2.0: GV.OC-02.01 CRI Profile v2.0: GV.OC-02.02 CRI Profile v2.0: GV.OC-02.03 SP 800-221A: GV.OV-2 SP 800-221A: GV.CT-2 SP 800-221A: GV.CT-3 CSF v1.1: ID.SC-2 CSF v1.1: ID.GV-2 | |
3 | 3 | GOVERN | Organizational Context | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood | GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation) Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements | 1st & 3rd Party Risk | SP 800-218: PO.1.1 SP 800-218: PO.1.2 CRI Profile v2.0: GV.OC-03 CRI Profile v2.0: GV.OC-03.01 CRI Profile v2.0: GV.OC-03.02 CSF v1.1: ID.GV-3 | formerly ID.GV-03 |
4 | 4 | GOVERN | Organizational Context | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation) | 1st & 3rd Party Risk | CRI Profile v2.0: GV.OC-04 CRI Profile v2.0: GV.OC-04.01 CRI Profile v2.0: GV.OC-04.02 CRI Profile v2.0: GV.OC-04.03 CRI Profile v2.0: GV.OC-04.04 SP 800-221A: MA.RI-1 CSF v1.1: ID.BE-4 CSF v1.1: ID.BE-5 | formerly ID.BE-04, ID.BE-05 |
5 | 5 | GOVERN | Organizational Context | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions Ex2: Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel | 3rd Party Risk | CRI Profile v2.0: GV.OC-05 CRI Profile v2.0: GV.OC-05.01 CRI Profile v2.0: GV.OC-05.02 CRI Profile v2.0: GV.OC-05.03 CRI Profile v2.0: GV.OC-05.04 SP 800-221A: GV.CT-5 SP 800-221A: MA.RI-1 CSF v1.1: ID.BE-1 CSF v1.1: ID.BE-4 | formerly ID.BE-01, ID.BE-04 |
6 | 6 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems) Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance | 1st Party Risk | CRI Profile v2.0: GV.RM-01 CRI Profile v2.0: GV.RM-01.01 CRI Profile v2.0: GV.RM-01.02 CRI Profile v2.0: GV.RM-01.03 CRI Profile v2.0: GV.RM-01.04 CRI Profile v2.0: GV.RM-01.05 SP 800-221A: GV.RR-2 CSF v1.1: ID.RM-1 | formerly ID.RM-01 |
7 | 7 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk | 1st & 3rd Party Risk | CRI Profile v2.0: GV.RM-02 CRI Profile v2.0: GV.RM-02.01 CRI Profile v2.0: GV.RM-02.02 CRI Profile v2.0: GV.RM-02.03 SP 800-221A: GV.BE-1 SP 800-221A: GV.BE-3 CSF v1.1: ID.RM-2 CSF v1.1: ID.RM-3 | formerly ID.RM-02, ID.RM-03 |
8 | 8 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety) Ex2: Include cybersecurity risk managers in enterprise risk management planning Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management | 1st Party Risk | CRI Profile v2.0: GV.RM-03 CRI Profile v2.0: GV.RM-03.01 CRI Profile v2.0: GV.RM-03.02 CRI Profile v2.0: GV.RM-03.03 CRI Profile v2.0: GV.RM-03.04 SP 800-221A: GV.PO-2 SP 800-221A: GV.PO-3 CSF v1.1: ID.GV-4 | formerly ID.GV-04 |
9 | 9 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data Ex2: Determine whether to purchase cybersecurity insurance Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services) | 1st Party Risk | CRI Profile v2.0: GV.RM-04 CRI Profile v2.0: GV.RM-04.01 SP 800-221A: GV.BE-1 CSF v1.1: ID.RM-2 | |
10 | 10 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | Ex1: Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals Ex2: Identify how all departments across the organization - such as management, operations, internal auditors, legal, acquisition, physical security, and HR - will communicate with each other about cybersecurity risks | 1st & 3rd Party Risk | CRI Profile v2.0: GV.RM-05 CRI Profile v2.0: GV.RM-05.01 CRI Profile v2.0: GV.RM-05.02 SP 800-221A: GV.PO-1 CSF v1.1: ID.SC-1 | |
11 | 11 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership) Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks | 1st Party Risk | CRI Profile v2.0: GV.RM-06 CRI Profile v2.0: GV.RM-06.01 SP 800-221A: GV.RR-2 CSF v1.1: ID.RM-1 | |
12 | 12 | GOVERN | Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis) Ex2: Identify stretch goals and document them Ex3: Calculate, document, and prioritize positive risks alongside negative risks | 1st Party Risk | CRI Profile v2.0: GV.RM-07 CRI Profile v2.0: GV.RM-07.01 | Conceptually new in 2.0 |
13 | 13 | GOVERN | Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk | 1st Party Risk | SP 800-218: PO.2.3 CIS Controls v8.0: 14.1 CRI Profile v2.0: GV.RR-01 CRI Profile v2.0: GV.RR-01.01 CRI Profile v2.0: GV.RR-01.02 CRI Profile v2.0: GV.RR-01.03 CRI Profile v2.0: GV.RR-01.04 CRI Profile v2.0: GV.RR-01.05 | Conceptually new in 2.0 |
14 | 14 | GOVERN | Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | Ex1: Document risk management roles and responsibilities in policy Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions | 1st Party Risk | SP 800-218: PO.2.1 CIS Controls v8.0: 14.9 CRI Profile v2.0: GV.RR-02 CRI Profile v2.0: GV.RR-02.01 CRI Profile v2.0: GV.RR-02.02 CRI Profile v2.0: GV.RR-02.03 CRI Profile v2.0: GV.RR-02.04 CRI Profile v2.0: GV.RR-02.05 CRI Profile v2.0: GV.RR-02.06 CRI Profile v2.0: GV.RR-02.07 SP 800-221A: GV.RR-1 SP 800-221A: GV.RR-2 SP 800-221A: GV.OV-2 CSF v1.1: ID.AM-6 CSF v1.1: ID.GV-2 CSF v1.1: DE.DP-1 | formerly ID.AM-06, ID.GV-02, DE.DP-01 |
15 | 15 | GOVERN | Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority Ex2: Identify resource allocation and investment in line with risk tolerance and response Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy | 1st & 3rd Party Risk | CRI Profile v2.0: GV.RR-03 CRI Profile v2.0: GV.RR-03.01 CRI Profile v2.0: GV.RR-03.02 CRI Profile v2.0: GV.RR-03.03 SP 800-221A: GV.RR-2 CSF v1.1: ID.RM-1 | |
16 | 16 | GOVERN | Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | GV.RR-04 | Cybersecurity is included in human resources practices | Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding) Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles | 1st Party Risk | CIS Controls v8.0: 6.1 CIS Controls v8.0: 6.2 CRI Profile v2.0: GV.RR-04 CRI Profile v2.0: GV.RR-04.01 CRI Profile v2.0: GV.RR-04.02 CRI Profile v2.0: GV.RR-04.03 CSF v1.1: PR.IP-11 | formerly PR.IP-11 |
17 | 17 | GOVERN | Policies, Processes, and Procedures | Organizational cybersecurity policy is established, communicated, and enforced | GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy Ex3: Require approval from senior management on policy Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated | 1st Party Risk | CRI Profile v2.0: GV.PO-01 CRI Profile v2.0: GV.PO-01.01 CRI Profile v2.0: GV.PO-01.02 CRI Profile v2.0: GV.PO-01.03 CRI Profile v2.0: GV.PO-01.04 CRI Profile v2.0: GV.PO-01.05 CRI Profile v2.0: GV.PO-01.06 CRI Profile v2.0: GV.PO-01.07 CRI Profile v2.0: GV.PO-01.08 SP 800-221A: GV.PO-1 CSF v1.1: ID.GV-1 | formerly ID.GV-01 |
18 | 18 | GOVERN | Policies, Processes, and Procedures | Organizational cybersecurity policy is established, communicated, and enforced | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level Ex2: Provide a timeline for reviewing changes to the organization's risk environment (e.g., changes in risk or in the organization's mission objectives), and communicate recommended policy updates Ex3: Update policy to reflect changes in legal and regulatory requirements Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements) | 1st Party Risk | CRI Profile v2.0: GV.PO-02 CRI Profile v2.0: GV.PO-02.01 SP 800-221A: GV.PO-1 CSF v1.1: ID.GV-1 | formerly ID.GV-01 |
19 | 19 | GOVERN | Oversight | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy | GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives Ex2: Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted | 1st Party Risk | CRI Profile v2.0: GV.OV-01 CRI Profile v2.0: GV.OV-01.01 CRI Profile v2.0: GV.OV-01.02 CRI Profile v2.0: GV.OV-01.03 SP 800-221A: GV.AD-3 | Conceptually new in 2.0 |
20 | 20 | GOVERN | Oversight | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy | GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary Ex3: Review strategy in light of cybersecurity incidents | 1st Party Risk | CRI Profile v2.0: GV.OV-02 CRI Profile v2.0: GV.OV-02.01 CRI Profile v2.0: GV.OV-02.02 SP 800-221A: GV.AD-2 SP 800-221A: GV.AD-3 SP 800-221A: MA.RM-8 | Conceptually new in 2.0 |
21 | 21 | GOVERN | Oversight | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy | GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership | 1st Party Risk | CRI Profile v2.0: GV.OV-03 CRI Profile v2.0: GV.OV-03.01 CRI Profile v2.0: GV.OV-03.02 SP 800-221A: GV.OV-2 SP 800-221A: MA.RM-2 | Conceptually new in 2.0 |
22 | 22 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering | 3rd Party Risk | CIS Controls v8.0: 15.2 CRI Profile v2.0: GV.SC-01 CRI Profile v2.0: GV.SC-01.01 CRI Profile v2.0: GV.SC-01.02 SP 800-221A: GV.PO-1 CSF v1.1: ID.SC-1 | |
23 | 23 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers | 3rd Party Risk | SP 800-218: PO.2.1 CIS Controls v8.0: 15.4 CRI Profile v2.0: GV.SC-02 CRI Profile v2.0: GV.SC-02.01 SP 800-221A: GV.RR-1 SP 800-221A: GV.RR-2 CSF v1.1: ID.AM-6 | |
24 | 24 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management Ex3: Integrate cybersecurity supply chain risk management into improvement processes Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level | 3rd Party Risk | SP 800-218: PW.4.1 CRI Profile v2.0: GV.SC-03 CRI Profile v2.0: GV.SC-03.01 SP 800-221A: GV.CT-2 SP 800-221A: GV.CT-3 CSF v1.1: ID.SC-2 | Conceptually new in 2.0 |
25 | 25 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-04 | Suppliers are known and prioritized by criticality | Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria | 3rd Party Risk | CIS Controls v8.0: 15.1 CIS Controls v8.0: 15.3 CRI Profile v2.0: GV.SC-04 CRI Profile v2.0: GV.SC-04.01 SP 800-221A: GV.CT-2 SP 800-221A: GV.CT-3 CSF v1.1: ID.SC-2 | |
26 | 26 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products Ex8: Contractually require suppliers to vet their employees and guard against insider threats Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections Ex10: Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks | 3rd Party Risk | SP 800-218: PO.1.3 CIS Controls v8.0: 15.4 CRI Profile v2.0: EX.CN CRI Profile v2.0: EX.CN-01 CRI Profile v2.0: EX.CN-02 CRI Profile v2.0: EX.CN-01.01 CRI Profile v2.0: EX.CN-01.02 CRI Profile v2.0: EX.CN-01.03 CRI Profile v2.0: EX.CN-02.01 CRI Profile v2.0: EX.CN-02.02 CRI Profile v2.0: EX.CN-02.03 CRI Profile v2.0: EX.CN-02.04 CSF v1.1: ID.SC-3 | |
27 | 27 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use | 3rd Party Risk | CIS Controls v8.0: 15.5 CRI Profile v2.0: EX.DD CRI Profile v2.0: EX.DD-01 CRI Profile v2.0: EX.DD-02 CRI Profile v2.0: EX.DD-01.01 CRI Profile v2.0: EX.DD-01.02 CRI Profile v2.0: EX.DD-01.03 CRI Profile v2.0: EX.DD-02.01 CRI Profile v2.0: EX.DD-02.02 CRI Profile v2.0: EX.DD-02.03 CRI Profile v2.0: EX.DD-02.04 SP 800-221A: GV.PO-1 CSF v1.1: ID.SC-1 | |
28 | 28 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide Ex2: Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity | 3rd Party Risk | SP 800-218: PW.4.1 SP 800-218: PW.4.4 CIS Controls v8.0: 15.6 CRI Profile v2.0: EX.MM CRI Profile v2.0: EX.MM-01 CRI Profile v2.0: EX.MM-02 CRI Profile v2.0: EX.MM-01.01 CRI Profile v2.0: EX.MM-01.02 CRI Profile v2.0: EX.MM-01.03 CRI Profile v2.0: EX.MM-01.04 CRI Profile v2.0: EX.MM-01.05 CRI Profile v2.0: EX.MM-01.06 CRI Profile v2.0: EX.MM-02.01 CRI Profile v2.0: EX.MM-02.02 CRI Profile v2.0: EX.MM-02.03 SP 800-221A: GV.CT-2 SP 800-221A: GV.CT-3 SP 800-221A: MA.RM-2 SP 800-221A: MA.RM-3 CSF v1.1: ID.SC-2 CSF v1.1: ID.SC-4 | |
29 | 29 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response Ex3: Include critical suppliers in incident response exercises and simulations Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers Ex5: Conduct collaborative lessons learned sessions with critical suppliers | 3rd Party Risk | CIS Controls v8.0: 15.4 CRI Profile v2.0: GV.SC-08 CRI Profile v2.0: GV.SC-08.01 SP 800-221A: GV.CT-3 CSF v1.1: ID.SC-5 | |
30 | 30 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Ex1: Policies and procedures require provenance records for all acquired technology products and services Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes | 3rd Party Risk | CIS Controls v8.0: 15.6 CRI Profile v2.0: GV.SC-09 CRI Profile v2.0: GV.SC-09.01 SP 800-221A: GV.PO-1 CSF v1.1: ID.SC-1 | |
31 | 31 | GOVERN | Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed Ex4: Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account Ex6: Mitigate risks to data and systems created by supplier termination Ex7: Manage data leakage risks associated with supplier termination | 3rd Party Risk | CIS Controls v8.0: 15.7 CRI Profile v2.0: EX.TR CRI Profile v2.0: EX.TR-01 CRI Profile v2.0: EX.TR-02 CRI Profile v2.0: EX.TR-01.01 CRI Profile v2.0: EX.TR-01.02 CRI Profile v2.0: EX.TR-01.03 CRI Profile v2.0: EX.TR-02.01 SP 800-221A: GV.PO-1 CSF v1.1: ID.SC-1 | |
32 | 32 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-01 | Inventories of hardware managed by the organization are maintained | Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices Ex2: Constantly monitor networks to detect new hardware and automatically update inventories | 1st Party Risk | CIS Controls v8.0: 1.1 CRI Profile v2.0: ID.AM-01 CRI Profile v2.0: ID.AM-01.01 SP 800-221A: MA.RI-1 CSF v1.1: ID.AM-1 | |
33 | 33 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes Ex3: Maintain an inventory of the organization's systems | 1st Party Risk | CIS Controls v8.0: 2.1 CRI Profile v2.0: ID.AM-02 CRI Profile v2.0: ID.AM-02.01 SP 800-221A: MA.RI-1 CSF v1.1: ID.AM-2 | |
34 | 34 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-03 | Representations of the organization's authorized network communication and internal and external network data flows are maintained | Ex1: Maintain baselines of communication and data flows within the organization's wired and wireless networks Ex2: Maintain baselines of communication and data flows between the organization and third parties Ex3: Maintain baselines of communication and data flows for the organization's infrastructure-as-a-service (IaaS) usage Ex4: Maintain documentation of expected network ports, protocols, and services that are typically used among authorized systems | 1st & 3rd Party Risk | CIS Controls v8.0: 3.8 CRI Profile v2.0: ID.AM-03 CRI Profile v2.0: ID.AM-03.01 CSF v1.1: ID.AM-3 CSF v1.1: DE.AE-1 | formerly ID.AM-03, DE.AE-01 |
35 | 35 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-04 | Inventories of services provided by suppliers are maintained | Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service | 3rd Party Risk | CIS Controls v8.0: 15.1 CRI Profile v2.0: ID.AM-04 CRI Profile v2.0: ID.AM-04.01 CSF v1.1: ID.AM-4 | |
36 | 36 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | Ex1: Define criteria for prioritizing each class of assets Ex2: Apply the prioritization criteria to assets Ex3: Track the asset priorities and update them periodically or when significant changes to the organization occur | 1st Party Risk | CIS Controls v8.0: 3.7 CRI Profile v2.0: ID.AM-05 CRI Profile v2.0: ID.AM-05.01 CRI Profile v2.0: ID.AM-05.02 SP 800-221A: MA.RI-1 CSF v1.1: ID.AM-5 | |
37 | 37 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained | Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data) Ex2: Continuously discover and analyze ad hoc data to identify new instances of designated data types Ex3: Assign data classifications to designated data types through tags or labels Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types | 1st Party Risk | CIS Controls v8.0: 3.2 CRI Profile v2.0: ID.AM-07 CRI Profile v2.0: ID.AM-07.01 SP 800-221A: MA.RI-1 | Conceptually new in 2.0 |
38 | 38 | IDENTIFY | Asset Management | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services Ex2: Integrate cybersecurity considerations into product life cycles Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT) Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization Ex7: Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage | 1st & 3rd Party Risk | SP 800-218: PW.4.1 SP 800-218: PW.4.4 CIS Controls v8.0: 1.1 CIS Controls v8.0: 3.5 CRI Profile v2.0: ID.AM-08 CRI Profile v2.0: ID.AM-08.01 CRI Profile v2.0: ID.AM-08.02 CRI Profile v2.0: ID.AM-08.03 CRI Profile v2.0: ID.AM-08.04 CRI Profile v2.0: ID.AM-08.05 CRI Profile v2.0: ID.AM-08.06 SP 800-221A: MA.RI-1 CSF v1.1: PR.DS-3 CSF v1.1: PR.IP-2 CSF v1.1: PR.MA-1 CSF v1.1: PR.MA-2 CSF v1.1: PR.IP-6 CSF v1.1: PR.DS | formerly PR.DS-03, PR.IP-02, PR.MA-01, PR.MA-02 |
39 | 39 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software Ex2: Assess network and system architectures for design and implementation weaknesses that affect cybersecurity Ex3: Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services Ex6: Review processes and procedures for weaknesses that could be exploited to affect cybersecurity | 1st Party Risk | SP 800-218: PO.5.2 CIS Controls v8.0: 7.1 CRI Profile v2.0: ID.RA-01 CRI Profile v2.0: ID.RA-01.01 CRI Profile v2.0: ID.RA-01.02 CRI Profile v2.0: ID.RA-01.03 SP 800-221A: MA.RI-3 CSF v1.1: ID.RA-1 CSF v1.1: PR.IP-12 CSF v1.1: DE.CM-8 | formerly ID.RA-01, PR.IP-12, DE.CM-08 |
40 | 40 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources | Ex1: Configure cybersecurity tools and technologies with detection or response capabilities to securely ingest cyber threat intelligence feeds Ex2: Receive and review advisories from reputable third parties on current threat actors and their tactics, techniques, and procedures (TTPs) Ex3: Monitor sources of cyber threat intelligence for information on the types of vulnerabilities that emerging technologies may have | 1st Party Risk | CRI Profile v2.0: ID.RA-02 CRI Profile v2.0: ID.RA-02.01 CRI Profile v2.0: ID.RA-02.02 SP 800-221A: GV.BE-4 CSF v1.1: ID.RA-2 | |
41 | 41 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-03 | Internal and external threats to the organization are identified and recorded | Ex1: Use cyber threat intelligence to maintain awareness of the types of threat actors likely to target the organization and the TTPs they are likely to use Ex2: Perform threat hunting to look for signs of threat actors within the environment Ex3: Implement processes for identifying internal threat actors | 1st & 3rd Party Risk | CRI Profile v2.0: ID.RA-03 CRI Profile v2.0: ID.RA-03.01 CRI Profile v2.0: ID.RA-03.02 CRI Profile v2.0: ID.RA-03.03 CRI Profile v2.0: ID.RA-03.04 SP 800-221A: MA.RI-2 CSF v1.1: ID.RA-3 | |
42 | 42 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers Ex2: Enumerate the potential business impacts of unauthorized access to the organization's communications, systems, and data processed in or by those systems Ex3: Account for the potential impacts of cascading failures for systems of systems | 1st Party Risk | CRI Profile v2.0: ID.RA-04 CRI Profile v2.0: ID.RA-04.01 SP 800-221A: MA.RI-4 CSF v1.1: ID.RA-4 | |
43 | 43 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | Ex1: Develop threat models to better understand risks to the data and identify appropriate risk responses Ex2: Prioritize cybersecurity resource allocations and investments based on estimated likelihoods and impacts | 1st Party Risk | SP 800-218: PW.1.1 CRI Profile v2.0: ID.RA-05 CRI Profile v2.0: ID.RA-05.01 CRI Profile v2.0: ID.RA-05.02 CRI Profile v2.0: ID.RA-05.03 CRI Profile v2.0: ID.RA-05.04 SP 800-221A: MA.RA-2 CSF v1.1: ID.RA-5 | |
44 | 44 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report) Ex4: Use risk assessment findings to inform risk response decisions and actions Ex5: Communicate planned risk responses to affected stakeholders in priority order | 1st Party Risk | SP 800-218: PO.5.2 CRI Profile v2.0: ID.RA-06 CRI Profile v2.0: ID.RA-06.01 CRI Profile v2.0: ID.RA-06.02 CRI Profile v2.0: ID.RA-06.03 CRI Profile v2.0: ID.RA-06.04 CRI Profile v2.0: ID.RA-06.05 CRI Profile v2.0: ID.RA-06.06 SP 800-221A: MA.RP CSF v1.1: ID.RA-6 CSF v1.1: RS.MI-3 | formerly ID.RA-06, RS.MI-03 |
45 | 45 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | | | SP 800-218: PO.5.2 CRI Profile v2.0: ID.RA-07 CRI Profile v2.0: ID.RA-07.01 CRI Profile v2.0: ID.RA-07.02 CRI Profile v2.0: ID.RA-07.03 CRI Profile v2.0: ID.RA-07.04 CRI Profile v2.0: ID.RA-07.05 SP 800-221A: MA.RI-3 CSF v1.1: PR.IP-3 | formerly part of PR.IP-03 |
46 | 46 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | Ex1: Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts Ex2: Assign responsibilities and verify the execution of procedures for processing, analyzing the impact of, and responding to cybersecurity threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cybersecurity organizations | 1st & 3rd Party Risk | CIS Controls v8.0: 7.2 CRI Profile v2.0: ID.RA-08 CRI Profile v2.0: ID.RA-08.01 CRI Profile v2.0: ID.RA-08.02 SP 800-221A: MA.RI-3 CSF v1.1: RS.AN-5 | formerly RS.AN-05 |
47 | 47 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | Ex1: Assess the authenticity and cybersecurity of critical technology products and services prior to acquisition and use | 3rd Party Risk | SP 800-218: PO.5.2 CRI Profile v2.0: EX.DD-04 CRI Profile v2.0: EX.DD-04.01 CRI Profile v2.0: EX.DD-04.02 SP 800-221A: MA.RI-3 CSF v1.1: PR.DS-8 | formerly PR.DS-08 |
48 | 48 | IDENTIFY | Risk Assessment | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | ID.RA-10 | Critical suppliers are assessed prior to acquisition | | | CRI Profile v2.0: EX.DD-03 CRI Profile v2.0: EX.DD-03.01 CRI Profile v2.0: EX.DD-03.02 CRI Profile v2.0: EX.DD-03.03 SP 800-221A: GV.CT-2 SP 800-221A: GV.CT-3 SP 800-221A: MA.RM-2 SP 800-221A: MA.RM-3 CSF v1.1: ID.SC-2 CSF v1.1: ID.SC-4 | |
49 | 49 | IDENTIFY | Improvement | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | ID.IM-01 | Improvements are identified from evaluations | Ex1: Perform self-assessments of critical services that take current threats and TTPs into consideration Ex2: Invest in third-party assessments or independent audits of the effectiveness of the organization's cybersecurity program to identify areas that need improvement Ex3: Constantly evaluate compliance with selected cybersecurity requirements through automated means | 1st Party Risk | CRI Profile v2.0: ID.IM-01 CRI Profile v2.0: ID.IM-01.01 CRI Profile v2.0: ID.IM-01.02 CRI Profile v2.0: ID.IM-01.03 CRI Profile v2.0: ID.IM-01.04 CRI Profile v2.0: ID.IM-01.05 | Conceptually new in 2.0 |
50 | 50 | IDENTIFY | Improvement | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits) Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt Ex6: Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program | 1st & 3rd Party Risk | CIS Controls v8.0: 17.7 CRI Profile v2.0: ID.IM-02 CRI Profile v2.0: ID.IM-02.01 CRI Profile v2.0: ID.IM-02.02 CRI Profile v2.0: ID.IM-02.03 CRI Profile v2.0: ID.IM-02.04 CRI Profile v2.0: ID.IM-02.05 CRI Profile v2.0: ID.IM-02.06 CRI Profile v2.0: ID.IM-02.07 CRI Profile v2.0: ID.IM-02.08 CRI Profile v2.0: ID.IM-02.09 SP 800-221A: GV.CT-3 CSF v1.1: ID.SC-5 CSF v1.1: PR.IP-10 CSF v1.1: DE.DP-3 | formerly ID.SC-05, PR.IP-10, DE.DP-03 |
Function | Category | Risk Applicability |