Cisa CPG Checklist v1.0.1 Final

This document provides recommendations to improve cybersecurity controls and assessments for an organization. It includes recommendations such as maintaining an asset inventory, designating cybersecurity leadership roles, improving relationships between IT and OT teams, mitigating known vulnerabilities, validating control effectiveness through third-party assessments, and requiring supply chain incident reporting. Each recommendation includes details on cost, impact, complexity, and current and planned implementation status.

Uploaded by michael.d.rinkus

IDENTIFY (1)

1.A Asset Inventory (ID.AM-1, ID.AM-2, ID.AM-4, DE.CM-1, DE.CM-7)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TACTIC, TECHNIQUE, AND PROCEDURE (TTP) OR RISK ADDRESSED:
Hardware Additions (T1200)
Exploit Public-Facing Application (T1190, ICS T0819)
Internet-accessible device (ICS T0883)
RECOMMENDED ACTION: Maintain a regularly updated inventory of all organizational assets with an IP address (including IPv6), including OT. This inventory is updated on a recurring basis, no less than monthly for both IT and OT.
FREE SERVICES AND REFERENCES: Cyber Hygiene Services, “Stuff Off Search” Guide or email [email protected]
NOTES: IT Done. OT in process.

1.B Organizational Cybersecurity Leadership (ID.GV-1, ID.GV-2)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Lack of sufficient cybersecurity accountability, investment, or effectiveness.
RECOMMENDED ACTION: A named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities. This role may undertake activities, such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development to inform future positioning.
NOTES: IT Manager with 3rd party assistance.

1.C OT Cybersecurity Leadership (ID.GV-1, ID.GV-2)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Lack of accountability, investment, or effectiveness of OT cybersecurity program.
RECOMMENDED ACTION: A named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of OT-specific cybersecurity activities. In some organizations this may be the same position as identified in 1.B.
NOTES: IT Manager

1.D Improving IT and OT Cybersecurity Relationships (ID.GV-2, PR.AT-5)
COST: $$$$   IMPACT: MEDIUM   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Poor working relationships and a lack of mutual understanding between IT and OT cybersecurity can often result in increased risk for OT cybersecurity.
RECOMMENDED ACTION: Organizations sponsor at least one “pizza party” or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel, and is not a working event (such as providing meals during an incident response).
NOTES:
1.E Mitigating Known Vulnerabilities (ID.RA-1, PR.IP-12, DE.CM-8, RS.MI-3, ID.RA-6, RS.AN-5)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Active Scanning - Vulnerability Scanning (T1595.002)
Exploit Public-Facing Application (T1190, ICS T0819)
Exploitation of Remote Service (T1210, ICS T0866)
Supply Chain Compromise (T1195, ICS T0862)
External Remote Services (T1133, ICS T0822)
RECOMMENDED ACTION: All known exploited vulnerabilities (listed in CISA’s KEV Catalog) in internet-facing systems are patched or otherwise mitigated within a risk-informed span of time, prioritizing more critical assets first.

OT: For assets where patching is either not possible or may substantially compromise availability or safety, compensating controls are applied (e.g. segmentation, monitoring) and recorded. Sufficient controls either make the asset inaccessible from the public internet, or they reduce the ability of adversaries to exploit the vulnerabilities in these assets.

FREE SERVICES AND REFERENCES: Known Exploited Vulnerabilities Catalog, Cyber Hygiene Services, or email [email protected]
NOTES: Monthly patching IT. Air Gapped OT
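Goal 1.E asks for KEV items on internet-facing systems to be fixed in a risk-informed order, with compensating controls recorded where OT cannot be patched. The script below is an added example (not part of the CISA checklist or any CISA tool) of that ordering run against a small inventory; the KEV entries, the placeholder CVE ids and the inventory are all constructed here, with field names mimicking CISA's KEV JSON (cveID, dueDate).

```python
"""Added example (not part of the CISA checklist or any CISA tool): ordering
KEV remediation across an asset inventory the way goal 1.E describes.

Assumptions: the KEV entries and the inventory are constructed here inline
(CVE ids are placeholders, not real advisories); CISA's real KEV catalog is
published as JSON with the cveID and dueDate fields mimicked below, and an
organization's inventory would come from goal 1.A."""
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style catalog: placeholder CVE ids, not real vulnerabilities.
KEV = {
    "CVE-0000-1111": {"product": "EdgeGateway", "dueDate": date(2024, 1, 15)},
    "CVE-0000-2222": {"product": "HMI Studio", "dueDate": date(2024, 2, 1)},
    "CVE-0000-3333": {"product": "MailRelay", "dueDate": date(2023, 12, 20)},
}


@dataclass
class Asset:
    name: str
    zone: str             # "IT" or "OT"
    internet_facing: bool
    criticality: int      # 1 = most critical
    patchable: bool       # False when patching would compromise availability or safety
    cves: list            # CVE ids reported by the vulnerability scanner


def plan_remediation(assets, kev, today):
    """Return KEV findings ordered internet-facing first, then by asset
    criticality, then by the KEV due date. Unpatchable assets get the
    compensating-control action from the OT note in 1.E instead of a patch."""
    findings = []
    for asset in assets:
        for cve in asset.cves:
            if cve not in kev:
                continue  # vulnerable, but not on the KEV list: outside 1.E's scope
            due = kev[cve]["dueDate"]
            action = ("patch" if asset.patchable
                      else "compensating controls (segmentation, monitoring); record the exception")
            findings.append({
                "asset": asset.name, "zone": asset.zone, "cve": cve,
                "action": action, "due": due, "overdue": today > due,
                "_key": (not asset.internet_facing, asset.criticality, due),
            })
    findings.sort(key=lambda f: f["_key"])
    return findings


# Constructed inventory for the demonstration.
INVENTORY = [
    Asset("file-srv-02", "IT", False, 3, True, []),
    Asset("plc-hmi-07", "OT", False, 1, False, ["CVE-0000-2222"]),
    Asset("mail-relay-01", "IT", True, 2, True, ["CVE-0000-3333", "CVE-0000-9999"]),
    Asset("fw-edge-01", "IT", True, 1, True, ["CVE-0000-1111"]),
]


def remediation_order(today=date(2024, 1, 1)):
    """Convenience wrapper: (asset, cve, action, overdue) tuples in priority order."""
    return [(f["asset"], f["cve"], f["action"], f["overdue"])
            for f in plan_remediation(INVENTORY, KEV, today)]


if __name__ == "__main__":
    for asset, cve, action, overdue in remediation_order():
        print(f"{asset:14} {cve}  {action}{'  OVERDUE' if overdue else ''}")
```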

1.F Third-Party Validation of Cybersecurity Control Effectiveness (ID.RA-1, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6)
COST: $$$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: HIGH
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Gaps in cyber defenses or a false sense of security in existing protections.
RECOMMENDED ACTION: Third parties with demonstrated expertise in (IT and/or OT) cybersecurity should regularly validate the effectiveness and coverage of an organization’s cybersecurity defenses. These exercises, which may include penetration tests, bug bounties, incident simulations, or table-top exercises, should include both unannounced and announced tests.

Exercises consider both the ability and impact of a potential threat actor to infiltrate the network from the outside, as well as the ability of a threat actor within the network (e.g., “assume breach”) to pivot laterally to demonstrate potential impact on critical systems, including operational technology and industrial control systems.

High-impact findings from previous tests are mitigated in a timely manner and are not re-observed in future tests.

FREE SERVICES AND REFERENCES: Critical Infrastructure Exercises
NOTES: Ongoing with our 3rd party consultant

1.G Supply Chain Incident Reporting (ID.SC-1, ID.SC-3)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Supply Chain Compromise (T1195, ICS T0862)
RECOMMENDED ACTION: Procurement documents and contracts, such as service-level agreements (SLAs), stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed time frame, as determined by the organization.
NOTES: As per CMMC Incident Reporting requirement
1.H Supply Chain Vulnerability Disclosure (ID.SC-1, ID.SC-3)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Supply Chain Compromise (T1195, ICS T0862)
RECOMMENDED ACTION: Procurement documents and contracts, such as SLAs, stipulate that vendors and/or service providers notify the procuring customer of confirmed security vulnerabilities in their assets within a risk-informed time frame, as determined by the organization.
NOTES:

1.I Vendor/Supplier Cybersecurity Requirements (ID.SC-3)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Supply Chain Compromise (T1195, ICS T0862)
RECOMMENDED ACTION: Organizations’ procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.
NOTES:
PROTECT (2)

2.A Changing Default Passwords (PR.AC-1)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Valid Accounts - Default Accounts (T1078.001)
Valid Accounts (ICS T0859)
RECOMMENDED ACTION: An enforced organization-wide policy and/or process that requires changing default manufacturer passwords for any/all hardware, software, and firmware before putting on any internal or external network. This includes IT assets for OT, such as OT administration web pages.

In instances where changing default passwords is not feasible (e.g., a control system with a hard-coded password), implement and document appropriate compensating security controls, and monitor logs for network traffic and login attempts on those devices.

OT: While changing default passwords on an organization’s existing OT requires significantly more work, CISA still recommends having such a policy to change default credentials for all new or future devices. This is not only easier to achieve, but also reduces potential risk in the future if threat actor TTPs change.

FREE SERVICES AND REFERENCES: CISA Bad Practices
NOTES:

2.B Minimum Password Strength (PR.AC-1)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Brute Force - Password Guessing (T1110.001)
Brute Force - Password Cracking (T1110.002)
Brute Force - Password Spraying (T1110.003)
Brute Force - Credential Stuffing (T1110.004)
RECOMMENDED ACTION: Organizations have a system-enforced policy that requires a minimum password length of 15* or more characters for all password-protected IT assets, and all OT assets where technically feasible.** Organizations should consider leveraging passphrases and password managers to make it easier for users to maintain sufficiently long passwords. In instances where minimum password lengths are not technically feasible, compensating controls are applied and recorded, and all login attempts to those assets are logged. Assets that cannot support passwords of sufficient length are prioritized for upgrade or replacement.

This goal is particularly important for organizations that lack widespread implementation of MFA and capabilities to protect against brute-force attacks (such as web application firewalls and third-party content delivery networks) or are unable to adopt passwordless authentication methods.

* Modern attacker tools can crack eight-character passwords quickly. Length is a more impactful and important factor in password strength than complexity or frequent password rotations. Long passwords are also easier for users to create and remember.

** OT assets that use a central authentication mechanism (such as Active Directory) are most important to address. Examples of low-risk OT assets that may not be technically feasible include those in remote locations, such as on offshore rigs or wind turbines.

FREE SERVICES AND REFERENCES: CISA Bad Practices, XKCD 936
NOTES: Password complexity is not at 15 characters yet
2.C Unique Credentials (PR.AC-1)
COST: $$ (scale $$$$)   IMPACT: MEDIUM   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Valid Accounts (T1078, ICS T0859)
Brute Force - Password Guessing (T1110.001)
RECOMMENDED ACTION: Organizations provision unique and separate credentials for similar services and asset access on IT and OT networks. Users do not (or cannot) reuse passwords for accounts, applications, services, etc. Service accounts/machine accounts have unique passwords from all member user accounts.
NOTES: Users cannot reuse passwords. Service account

2.D Revoking Credentials for Departing Employees (PR.AC-1, PR.IP-11)
COST: $$$$   IMPACT: MEDIUM   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Valid Accounts (T1078, ICS T0859)
RECOMMENDED ACTION: A defined and enforced administrative process applied to all departing employees by the day of their departure that (1) revokes and securely returns all physical badges, key cards, tokens, etc., and (2) disables all user accounts and access to organizational resources.
NOTES: Termination service request is created and acte

2.E Separating User and Privileged Accounts (PR.AC-4)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Valid Accounts (T1078, ICS T0859)
RECOMMENDED ACTION: No user accounts always have administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role (e.g., for business email, web browsing). Privileges are reevaluated on a recurring basis to validate continued need for a given set of permissions.
NOTES: All users have non-admin logins. Few users have

2.F Network Segmentation (PR.AC-5, PR.PT-4)
COST: $$$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: HIGH
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Network Service Discovery (T1046)
Trusted Relationship (T1199)
Network Connection Enumeration (ICS T0840)
Network Sniffing (T1040, ICS T0842)
RECOMMENDED ACTION: All connections to the OT network are denied by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality. Necessary communications paths between the IT and OT networks must pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone, which is closely monitored, captures network logs, and only allows connections from approved assets.
NOTES: Separated by VLAN. One Jump system has acce
2.G Detection of Unsuccessful (Automated) Login Attempts (PR.AC-7)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Brute Force - Password Guessing (T1110.001)
Brute Force - Password Cracking (T1110.002)
Brute Force - Password Spraying (T1110.003)
Brute Force - Credential Stuffing (T1110.004)
RECOMMENDED ACTION: All unsuccessful logins are logged and sent to an organization’s security team or relevant logging system. Security teams are notified (e.g., by an alert) after a specific number of consecutive, unsuccessful login attempts in a short period (e.g., 5 failed attempts over 2 minutes). This alert is logged and stored in the relevant security or ticketing system for retroactive analysis.

For IT assets, there is a system-enforced policy that prevents future logins for the suspicious account. For example, this could be for some minimum time or until the account is re-enabled by a privileged user. This configuration is enabled when available on an asset. For example, Windows 11 can automatically lock out accounts for 10 minutes after 10 incorrect logins in a 10-minute period.
NOTES: Logged and reported by EventLogAnalyzer.
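The alert logic 2.G describes (5 failures in 2 minutes per account, plus the spraying case the listed TTPs cover) as an added example run over constructed log lines; it is not code from the checklist or from any logging product named in the notes. The line format, the sample lines and the spraying threshold of 8 distinct accounts per source are this example's own assumptions.

```python
"""Added example, not code from the CISA checklist: the failed-login alerting
goal 2.G describes, run over constructed log lines.

Assumptions: the log format and the sample lines are constructed here; the
brute-force threshold (5 failures within 2 minutes) is the one the goal gives,
while the spraying threshold (one source failing against 8 or more distinct
accounts inside the same window) is this example's own choice."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> auth: FAIL|OK user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Parse the constructed format into (timestamp, result, user, src) tuples,
    oldest first. Lines that do not match are skipped rather than aborting."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(lines, max_failures=5, window=timedelta(minutes=2), spray_accounts=8):
    """Sliding-window detection. One alert per account (brute force) and one
    per source (spraying) so a noisy attacker does not flood the ticket queue."""
    alerts = []
    per_user = defaultdict(deque)   # user -> timestamps of recent failures
    per_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    alerted_users, alerted_srcs = set(), set()
    for ts, result, user, src in parse(lines):
        if result != "FAIL":
            continue
        fails = per_user[user]
        fails.append(ts)
        while ts - fails[0] > window:           # drop failures older than the window
            fails.popleft()
        if len(fails) >= max_failures and user not in alerted_users:
            alerted_users.add(user)
            alerts.append({"type": "brute_force", "user": user, "src": src, "at": ts,
                           "count": len(fails), "action": "lock account; notify security team"})
        tries = per_src[src]
        tries.append((ts, user))
        while ts - tries[0][0] > window:
            tries.popleft()
        distinct = {u for _, u in tries}
        if len(distinct) >= spray_accounts and src not in alerted_srcs:
            alerted_srcs.add(src)
            alerts.append({"type": "password_spray", "src": src, "at": ts,
                           "accounts": len(distinct), "action": "block source; notify security team"})
    return alerts


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # svc-backup: six failures in 50 seconds from one source -> brute_force alert at the fifth
    *[f"2023-12-04T09:00:{i * 10:02d} auth: FAIL user=svc-backup src=198.51.100.5" for i in range(6)],
    "2023-12-04T09:01:40 auth: OK user=svc-backup src=198.51.100.5",
    # bob: five failures spread over ten minutes -> never five inside a two-minute window
    *[f"2023-12-04T10:{i * 2:02d}:00 auth: FAIL user=bob src=192.0.2.10" for i in range(5)],
    # one source working through eight accounts in 35 seconds -> password_spray alert
    *[f"2023-12-04T11:00:{i * 5:02d} auth: FAIL user=user{i:02d} src=203.0.113.7" for i in range(8)],
    "2023-12-04T11:05:00 kernel: unrelated line that does not parse",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```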

2.H Phishing-Resistant Multi-Factor Authentication (MFA) (PR.AC-7, PR.AC-1)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Brute Force (T1110)
Remote Services - Remote Desktop Protocol (T1021.001)
Remote Services - SSH (T1021.004)
Valid Accounts (T1078, ICS T0859)
External Remote Services (ICS T0822)
RECOMMENDED ACTION: Organizations implement MFA for access to assets using the strongest available method for that asset (see below for scope). MFA options sorted by strength, high to low, are as follows:
1. Hardware-based, phishing-resistant MFA (e.g., FIDO/WebAuthn or PKI-based - see CISA guidance in “Resources”);
2. If such hardware-based MFA is not available, then mobile app-based soft tokens (preferably push notification with number matching) or emerging technology such as FIDO passkeys are used;
3. MFA via SMS or voice only used when no other options are possible.

IT: All IT accounts leverage MFA to access organizational resources. Prioritize accounts with highest risk, such as privileged administrative accounts for key IT systems.

OT: Within OT environments, MFA is enabled on all accounts and systems that can be accessed remotely, including vendors/maintenance accounts, remotely accessible user and engineering workstations, and remotely accessible human-machine interfaces (HMIs).

FREE SERVICES AND REFERENCES: CISA Bad Practices
NOTES: Duo security using Yubikey or duo app. OT can

2.I Basic Cybersecurity Training (PR.AT-1)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
User Training (M1017, ICS M0917)
RECOMMENDED ACTION: At least annual trainings for all organizational employees and contractors that cover basic security concepts, such as phishing, business email compromise, basic operational security (OPSEC), password security, etc., as well as foster an internal culture of security and cyber awareness.

New employees receive initial cybersecurity training within 10 days of onboarding and recurring training on at least an annual basis.

FREE SERVICES AND REFERENCES: CISA Cyber Training
NOTES: At a minimum yearly training for all employees.
2.J OT Cybersecurity Training (PR.AT-2, PR.AT-3, PR.AT-5)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
User Training (M1017, ICS M0917)
RECOMMENDED ACTION: In addition to basic cybersecurity training, personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis.

FREE SERVICES AND REFERENCES: CISA ICS Training
NOTES:

2.K Strong and Agile Encryption (PR.DS-2)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Threat actor-in-the-Middle (T1557)
Automated Collection (T1119)
Network Sniffing (T1040, ICS T0842)
Wireless Compromise (ICS T0860)
Wireless Sniffing (ICS T0887)
RECOMMENDED ACTION: Properly configured and up-to-date transport layer security (TLS) is utilized to protect data in transit, when technically feasible. Organizations should also plan to identify any use of outdated or weak encryption, update these to sufficiently strong algorithms, and consider managing implications of post-quantum cryptography.

OT: To minimize the impact to latency and availability, encryption is used where feasible, usually for OT communications connecting with remote/external assets.
NOTES: Standard use of SSL. Wireless network is encryp

2.L Secure Sensitive Data (PR.DS-1, PR.DS-5)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Unsecured Credentials (T1552)
Steal or Forge Kerberos Tickets (T1558)
OS Credential Dumping (T1003)
Data from Information Repositories (ICS T0811)
Theft of Operational Information (T0882)
RECOMMENDED ACTION: Sensitive data, including credentials, are not stored in plaintext anywhere in the organization and can only be accessed by authenticated and authorized users. Credentials are stored in a secure manner, such as with a credential/password manager or vault, or other privileged account management solution.
NOTES: Admin credentials managed in KeePass

2.M Email Security (PR.DS-5, PR.AC-7)
COST: $$$$   IMPACT: MEDIUM   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Phishing (T1566)
Business Email Compromise
RECOMMENDED ACTION: On all corporate email infrastructure (1) STARTTLS is enabled, (2) SPF and DKIM are enabled, and (3) DMARC is enabled and set to “reject.” For further examples and information, see CISA’s past guidance for federal agencies.

FREE SERVICES AND REFERENCES: CISA Binding Operational Directive
NOTES: Barracuda Web Filter with robust settings enabl
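A record-level check for points (2) and (3) of 2.M, as an added example (not from the checklist or from CISA): it grades a domain's SPF, DKIM selector and DMARC records and reports where they fall short of "DMARC set to reject". DNS answers are a constructed dict here so it runs offline; the domains and the selector name "s1" are made up, and STARTTLS (point 1) needs a live SMTP session and is not covered.

```python
"""Added example, not part of the CISA checklist: checking a domain's SPF,
DKIM and DMARC records against points (2) and (3) of goal 2.M.

Assumptions: DNS answers are constructed inline (a dict standing in for TXT
lookups) so the check runs offline; the selector name "s1" and the domains are
made up. STARTTLS (point 1) needs a live SMTP session and is not checked here."""


def parse_tags(record):
    """Split a 'v=DMARC1; p=reject; rua=...' style record into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt, dkim_selector):
    """Return a list of findings; an empty list means the records meet 2.M (2) and (3)."""
    findings = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (a permanent error under RFC 7208)")
    else:
        final = spf[0].split()[-1].lower()
        if final in ("+all", "all"):
            findings.append("SPF: '+all' authorizes any sender")
        elif final == "?all":
            findings.append("SPF: '?all' is neutral; use ~all or -all")

    dkim = [r for r in txt.get(f"{dkim_selector}._domainkey.{domain}", []) if "p=" in r]
    if not dkim:
        findings.append(f"DKIM: no key record for selector {dkim_selector}")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append(f"DKIM: selector {dkim_selector} has an empty p= (revoked key)")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy} (goal 2.M requires p=reject)")
        if "sp" in tags and tags["sp"].lower() != "reject":
            findings.append(f"DMARC: sp={tags['sp']} leaves subdomains weaker than the organizational domain")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only a sample of mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are not received")
    return findings


# Constructed zone data standing in for DNS TXT lookups (the DKIM key is a placeholder).
TXT = {
    "good.example": ["v=spf1 mx include:_spf.mail.example -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}

if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(d, assess_domain(d, TXT, "s1") or ["meets 2.M (2) and (3)"])
```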
2.N Disable Macros by Default (PR.IP-1, PR.IP-3)
COST: $$$$   IMPACT: MEDIUM   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Phishing - Spearphishing Attachment (T1566.001)
User Execution - Malicious File (T1204.002)
RECOMMENDED ACTION: A system-enforced policy that disables Microsoft Office macros, or similar embedded code, by default on all devices. If macros must be enabled in specific circumstances, there is a policy for authorized users to request that macros are enabled on specific assets.
NOTES: Warning is set. Users are trained.

2.O Document Device Configurations (PR.IP-1)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Delayed, insufficient, or incomplete ability to maintain or restore functionality of critical devices and service operations.
RECOMMENDED ACTION: Organizations maintain accurate documentation describing the baseline and current configuration details of all critical IT and OT assets to facilitate more effective vulnerability management and response and recovery activities. Periodic reviews and updates are performed and tracked on a recurring basis.
NOTES: Config backup done monthly. In process of impl

2.P Document Network Topology (PR.IP-1, ID.AM-3)
COST: $$ (scale $$$$)   IMPACT: MEDIUM   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Incomplete or inaccurate understanding of network topology inhibits effective incident response and recovery.
RECOMMENDED ACTION: Organizations maintain accurate documentation describing updated network topology and relevant information across all IT and OT networks. Periodic reviews and updates should be performed and tracked on a recurring basis.
NOTES: Working on automated Network diagram. Static

2.Q Hardware and Software Approval Process (PR.IP-3)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Supply Chain Compromise (T1195, ICS T0862)
Hardware Additions (T1200)
Browser Extensions (T1176)
Transient Cyber Asset (ICS T0864)
RECOMMENDED ACTION: Implement an administrative policy or automated process that requires approval before new hardware, firmware, or software/software version is installed or deployed. Organizations maintain a risk-informed allowlist of approved hardware, firmware, and software that includes specification of approved versions, when technically feasible. For OT assets specifically, these actions should also be aligned with defined change control and testing activities.
NOTES: Endpoint Central audits software and versions. P
2.R System Backups (PR.IP-4)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Data Destruction (T1485, ICS T0809)
Data Encrypted for Impact (T1486)
Disk Wipe (T1561)
Inhibit System Recovery (T1490)
Denial of Control (ICS T0813)
Denial/Loss of View (ICS T0815, T0829)
Loss of Availability (T0826)
Loss/Manipulation of Control (T0828, T0831)
RECOMMENDED ACTION: All systems that are necessary for operations are backed up on a regular cadence, no less than once per year.

Backups are stored separately from the source systems and tested on a recurring basis, no less than once per year. Stored information for OT assets includes at a minimum: configurations, roles, PLC logic, engineering drawings, and tools.
NOTES: Backups done nightly and taken offsite weekly.

2.S Incident Response (IR) Plans (PR.IP-9, PR.IP-10)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Inability to quickly and effectively contain, mitigate, and communicate about cybersecurity incidents.
RECOMMENDED ACTION: Organizations have, maintain, update, and regularly drill IT and OT cybersecurity incident response plans for both common and organization-specific (e.g., by sector, locality) threat scenarios and TTPs. When conducted, tests or drills are as realistic as feasible. IR plans are drilled at least annually and are updated within a risk-informed time frame following the lessons learned portion of any exercise or drill.

FREE SERVICES AND REFERENCES: Table Top Exercise Packages, Critical Infrastructure Exercises
NOTES: Incident response plan is documented. Working

2.T Log Collection (PR.PT-1)
COST: $$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Delayed, insufficient, or incomplete ability to detect and respond to potential cyber incidents.
Impair Defenses (T1562)
RECOMMENDED ACTION: Access- and security-focused (e.g., IDS/IDPS, firewall, DLP, VPN) logs are collected and stored for use in both detection and incident response activities (e.g., forensics). Security teams are notified when a critical log source is disabled, such as Windows Event Logging.

OT: For OT assets where logs are non-standard or not available, network traffic and communications to and from logless assets is collected.
NOTES: Eventlog analyzer used in IT. Built in logs used fo
2.U Secure Log Storage (PR.PT-1)
COST: $$$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Indicator Removal on Host - Clear Windows Event Logs (T1070.001)
Indicator Removal on Host - Clear Linux or Mac System Logs (T1070.002)
Indicator Removal on Host - File Deletion (T1070.004)
Indicator Removal on Host (ICS T0872)
RECOMMENDED ACTION: Logs are stored in a central system, such as a security information and event management (SIEM) tool or central database, and can only be accessed or modified by authorized and authenticated users. Logs are stored for a duration informed by risk or pertinent regulatory guidelines.
NOTES: Logs are stored on logging server. This server is a

2.V Prohibit Connection of Unauthorized Devices (PR.PT-2)
COST: $$$ (scale $$$$)   IMPACT: HIGH   COMPLEXITY: HIGH
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Hardware Additions (T1200)
Replication Through Removable Media (T1091, ICS T0847)
RECOMMENDED ACTION: Organizations maintain policies and processes to ensure that unauthorized media and hardware are not connected to IT and OT assets, such as by limiting use of USB devices and removable media or disabling AutoRun.

OT: When feasible, establish procedures to remove, disable, or otherwise secure physical ports to prevent the connection of unauthorized devices, or establish procedures for granting access through approved exceptions.
NOTES: USB blocker software in use. End user must requ

2.W No Exploitable Services on the Internet (PR.AC-3)
COST: $$$$   IMPACT: HIGH   COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Active Scanning - Vulnerability Scanning (T1595.002)
Exploit Public-Facing Application (T1190, ICS T0819)
Exploitation of Remote Service (T1210, ICS T0866)
External Remote Services (T1133, ICS T0822)
Remote Services - Remote Desktop Protocol (T1021.001)
RECOMMENDED ACTION: Assets on the public internet expose no exploitable services, such as RDP. Where these services must be exposed, appropriate compensating controls are implemented to prevent common forms of abuse and exploitation. All unnecessary OS applications and network protocols are disabled on internet-facing assets.

FREE SERVICES AND REFERENCES: Cyber Hygiene Services, “Stuff Off Search” Guide or email [email protected]
NOTES: Must use VPN to access internal servers.

2.X Limit OT Connections to Public Internet (PR.PT-4)
COST: $$$ (scale $$$$)   IMPACT: MEDIUM   COMPLEXITY: MEDIUM
CURRENT ASSESSMENT DATE: 12/4/2023   YEAR 1 ASSESSMENT DATE:
STATUS (CURRENT / YEAR 1): IMPLEMENTED / IN PROGRESS / SCOPED / NOT STARTED
TTP OR RISK ADDRESSED:
Active Scanning - Vulnerability Scanning (T1595.002)
Exploit Public-Facing Application (T1190, ICS T0819)
Exploitation of Remote Service (T1210, ICS T0866)
External Remote Services (T1133, ICS T0822)
RECOMMENDED ACTION: No OT assets are on the public internet, unless explicitly required for operation. Exceptions must be justified and documented, and excepted assets must have additional protections in place to prevent and detect exploitation attempts (e.g., logging, MFA, mandatory access via proxy or other intermediary).

FREE SERVICES AND REFERENCES: Cyber Hygiene Services, “Stuff Off Search” Guide or email [email protected]
NOTES: OT devices do not have access to public internet
DETECT (3)

3.A Detecting Relevant Threats and TTPs (ID.RA-2, ID.RA-3, DE.CM-1)

COST: $$$ / $$$$ IMPACT: MEDIUM COMPLEXITY: HIGH
CURRENT ASSESSMENT DATE: 12/4/2023  YEAR 1 ASSESSMENT DATE:
TTP OR RISK ADDRESSED:
Without knowledge of relevant threats and the ability to detect them,
organizations risk that threat actors may exist in their networks undetected for
long periods.
RECOMMENDED ACTION: Organizations have documented a list of threats
and cyber threat actor TTPs relevant to their organization (for example, based
on industry, sectors, etc.), and have the ability (such as via rules, alerting, or
commercial prevention and detection systems) to detect instances of those
key threats.
ASSESSMENT STATUS (CURRENT / YEAR 1): IMPLEMENTED, IN PROGRESS, SCOPED, NOT STARTED
NOTES: GEO location services on Firewall. Endpoint AV a

RESPOND (4)

4.A Incident Reporting (RS.CO-2, RS.CO-4)

COST: $$$$ IMPACT: HIGH COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023  YEAR 1 ASSESSMENT DATE:
TTP OR RISK ADDRESSED:
Without timely incident reporting, CISA and other groups are less able to assist
affected organizations and lack critical insight into the broader threat landscape
(such as whether a broader attack is occurring against a specific sector).

RECOMMENDED ACTION: Organizations maintain codified policy and
procedures on how and to whom to report all confirmed cybersecurity incidents
to appropriate external entities (e.g., state/federal regulators or SRMAs as
required, ISAC/ISAO, as well as CISA).

Known incidents are reported to CISA and other necessary parties within
time frames directed by applicable regulatory guidance or, in the absence of
guidance, as soon as safely capable. This goal will be revisited following full
implementation of the Cyber Incident Reporting for Critical Infrastructure Act of
2022 (CIRCIA).
ASSESSMENT STATUS (CURRENT / YEAR 1): IMPLEMENTED, IN PROGRESS, SCOPED, NOT STARTED
NOTES: Reporting documented. ECA certificate being aq

FREE SERVICES AND REFERENCES: Incident Reporting and/or contact
[email protected] or (888) 282-0870

4.B Vulnerability Disclosure/Reporting (RS.AN-5)

COST: $$$ / $$$$ IMPACT: LOW COMPLEXITY: HIGH
CURRENT ASSESSMENT DATE: 12/4/2023  YEAR 1 ASSESSMENT DATE:
TTP OR RISK ADDRESSED:
Active Scanning - Vulnerability Scanning (T1595.002)
Exploit Public-Facing Application (T1190, ICS T0819)
Exploitation of Remote Service (T1210, ICS T0866)
Supply Chain Compromise (T1195, ICS T0862)

RECOMMENDED ACTION: Consistent with NIST SP 800-53 Revision 5,
organizations maintain a public, easily discoverable method for security
researchers to notify (e.g., via email address or web form) organizations’ security
teams of vulnerable, misconfigured, or otherwise exploitable assets. Valid
submissions are acknowledged and responded to in a timely manner, taking
into account the completeness and complexity of the vulnerability. Validated and
exploitable weaknesses are mitigated consistent with their severity.

Security researchers sharing vulnerabilities discovered in good faith are
protected under Safe Harbor rules.

In instances where vulnerabilities are validated and disclosed, public
acknowledgement is given to the researcher who originally submitted the
notification.
ASSESSMENT STATUS (CURRENT / YEAR 1): IMPLEMENTED, IN PROGRESS, SCOPED, NOT STARTED

FREE SERVICES AND REFERENCES: Vulnerability Disclosure Policy
Template, Disclose.io Policy Maker, Coordinated Vulnerability Disclosure Process,
Vulnerability Reporting; email [email protected]

4.C Deploy Security.txt Files (RS.AN-5)

COST: $$$$ IMPACT: HIGH COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023  YEAR 1 ASSESSMENT DATE:
TTP OR RISK ADDRESSED:
Active Scanning - Vulnerability Scanning (T1595.002)
Exploit Public-Facing Application (T1190, ICS T0819)
Exploitation of Remote Service (T1210, ICS T0866)
Supply Chain Compromise (T1195, ICS T0862)

RECOMMENDED ACTION: All public-facing web domains have a security.txt
file that conforms to the recommendations in RFC 9116.
ASSESSMENT STATUS (CURRENT / YEAR 1): IMPLEMENTED, IN PROGRESS, SCOPED, NOT STARTED

FREE SERVICES AND REFERENCES: https://securitytxt.org
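A practical way to verify goal 4.C before marking it IMPLEMENTED is to check each domain's security.txt against the RFC 9116 field rules (Contact required and a URI, Expires required exactly once and not in the past, Preferred-Languages at most once). The checker below is an added example, not part of the CISA checklist; the SAMPLE file and the example.com addresses in it are constructed for illustration.

```python
# Minimal RFC 9116 (security.txt) checker; added example for CPG 4.C, not part of
# the CISA checklist. Rules follow RFC 9116 sections 2.5 and 3; SAMPLE is constructed.
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}                   # MUST be present
AT_MOST_ONCE = {"expires", "preferred-languages"}   # MUST NOT appear twice
KNOWN = REQUIRED | AT_MOST_ONCE | {"acknowledgments", "canonical", "encryption", "hiring", "policy"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")   # Contact values MUST be URIs

def parse_rfc3339(value):
    """Parse an RFC 3339 date-time; a trailing 'Z' is normalised for older Pythons."""
    when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if when.tzinfo is None:
        raise ValueError("RFC 3339 requires a time zone offset")
    return when

def parse_security_txt(text):
    """Return {lower-case field name: [values]}; '#' comments and lines without ':' are skipped."""
    fields = {}
    for line in (ln.strip() for ln in text.splitlines()):
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return 'ERROR'/'WARN' findings (empty = conformant); `now` may be an RFC 3339 string."""
    now = parse_rfc3339(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    f, findings = parse_security_txt(text), []
    findings += [f"ERROR missing required field {n}" for n in sorted(REQUIRED - set(f))]
    findings += [f"ERROR field {n} appears more than once" for n in sorted(AT_MOST_ONCE) if len(f.get(n, [])) > 1]
    findings += [f"ERROR Contact is not a mailto:/https:/tel: URI: {v!r}"
                 for v in f.get("contact", []) if not v.lower().startswith(CONTACT_SCHEMES)]
    findings += [f"WARN unknown field {n}" for n in sorted(set(f) - KNOWN)]
    if len(f.get("expires", [])) == 1:  # missing/duplicate Expires is already reported above
        try:
            when = parse_rfc3339(f["expires"][0])
            if when <= now:
                findings.append("ERROR Expires is in the past; the file needs refreshing")
            elif when - now > timedelta(days=365):
                findings.append("WARN Expires is over a year out; RFC 9116 recommends less")
        except ValueError:
            findings.append(f"ERROR Expires is not an RFC 3339 date-time: {f['expires'][0]!r}")
    return findings

SAMPLE = """# Constructed example; serve it at https://<your-domain>/.well-known/security.txt
Contact: mailto:[email protected]
Contact: https://example.com/.well-known/report-vulnerability
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""
```

Run `check_security_txt(open("security.txt").read())` against the file you actually serve; an empty list means the field-level requirements are met, while serving over HTTPS at the `/.well-known/` path still has to be confirmed separately.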

RECOVER (5)

5.A Incident Planning and Preparedness (RC.RP-1, PR.IP-9, PR.IP-10)

COST: $$$$ IMPACT: MEDIUM COMPLEXITY: LOW
CURRENT ASSESSMENT DATE: 12/4/2023  YEAR 1 ASSESSMENT DATE:
TTP OR RISK ADDRESSED:
Disruption to availability of an asset, service, or system
RECOMMENDED ACTION: Develop, maintain, and execute plans to recover
and restore to service business or mission-critical assets or systems that
might be impacted by a cybersecurity incident.
ASSESSMENT STATUS (CURRENT / YEAR 1): IMPLEMENTED, IN PROGRESS, SCOPED, NOT STARTED
NOTES: DR plan in place. Scheduled recovery tests being
