CSF 2.0-Implementation - Examples

This document outlines functions and categories for cybersecurity risk management. It provides examples for subcategories related to establishing organizational context, risk management strategy, roles and responsibilities, policy, and oversight for cybersecurity activities.

Function and Category

GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
  Organizational Context (GV.OC): The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood
  Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
  Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
  Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced
  Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
  Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

IDENTIFY (ID): The organization’s current cybersecurity risks are understood
  Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy
  Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization
  Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions

PROTECT (PR): Safeguards to manage the organization’s cybersecurity risks are used
  Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access
  Awareness and Training (PR.AT): The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
  Data Security (PR.DS): Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
  Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
  Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed
  Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
  Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

RESPOND (RS): Actions regarding a detected cybersecurity incident are taken
  Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed
  Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities
  Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
  Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects

RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored
  Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents
  Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties
Subcategory and Implementation Examples

GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
  Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission

GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
  Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
  Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)

GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
  Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
  Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
  Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements

GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
  Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
  Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
  Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)

GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
  Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
  Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services, and share that information with appropriate personnel

GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
  Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
  Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
  Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance

GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
  Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
  Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
  Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
  Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
  Ex2: Include cybersecurity risk managers in enterprise risk management planning
  Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management

GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
  Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
  Ex2: Determine whether to purchase cybersecurity insurance
  Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)

GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
  Ex1: Determine how to update senior executives, directors, and management on the organization’s cybersecurity posture at agreed-upon intervals
  Ex2: Identify how all departments across the organization — such as management, operations, internal auditors, legal, acquisition, physical security, and HR — will communicate with each other about cybersecurity risks

GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
  Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
  Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
  Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
  Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks

GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
  Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
  Ex2: Identify stretch goals and document them
  Ex3: Calculate, document, and prioritize positive risks alongside negative risks

GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
  Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization’s cybersecurity strategy
  Ex2: Share leaders’ expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
  Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
  Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk

GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
  Ex1: Document risk management roles and responsibilities in policy
  Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
  Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
  Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
  Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
  Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
  Ex2: Identify resource allocation and investment in line with risk tolerance and response
  Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy

GV.RR-04: Cybersecurity is included in human resources practices
  Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
  Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
  Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
  Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles

GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
  Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
  Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
  Ex3: Require approval from senior management on policy
  Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
  Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated

GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
  Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
  Ex2: Provide a timeline for reviewing changes to the organization’s risk environment (e.g., changes in risk or in the organization’s mission objectives), and communicate recommended policy updates
  Ex3: Update policy to reflect changes in legal and regulatory requirements
  Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)

GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
  Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives
  Ex2: Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted

GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements
  Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary
  Ex3: Review strategy in light of cybersecurity incidents

GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
  Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives
  Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
  Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
  Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
  Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
  Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
  Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
  Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
  Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
  Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
  Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
  Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
  Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
  Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
  Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
  Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
  Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
  Ex3: Integrate cybersecurity supply chain risk management into improvement processes
  Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level

GV.SC-04: Suppliers are known and prioritized by criticality
  Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization’s systems, and the importance of the products or services to the organization’s mission
  Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
  Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
  Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
  Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
  Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
  Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
  Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
  Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
  Ex8: Contractually require suppliers to vet their employees and guard against insider threats
  Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
  Ex10: Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
  Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
  Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
  Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
  Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
  Ex1: Adjust assessment formats and frequencies based on the third party’s reputation and the criticality of the products or services they provide
  Ex2: Evaluate third parties’ evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
  Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
  Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
  Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
  Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
  Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
  Ex3: Include critical suppliers in incident response exercises and simulations
  Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
  Ex5: Conduct collaborative lessons learned sessions with critical suppliers

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  Ex1: Policies and procedures require provenance records for all acquired technology products and services
  Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
  Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
  Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
  Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes
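The GV.SC-09 examples above (Ex3 on acquiring patches only from authenticated providers, Ex5 on checking upgrades for unauthorized changes) describe the policy; the technical control underneath is verifying each downloaded artifact against a manifest before it is installed. The block below is an added illustration of that check and is not part of the NIST document. It assumes a manifest of SHA-256 digests obtained out of band from the supplier; the bundle bytes, file names and manifest are constructed here so the example runs offline. A digest manifest proves integrity only relative to the manifest, so the manifest itself must arrive over an authenticated channel or carry the supplier’s signature.

```python
"""Update-artifact verification: added example for GV.SC-09 Ex3/Ex5, not part of the CSF document.

Every file in a downloaded bundle is checked against a manifest of SHA-256 digests.
Bundle contents, file names and the manifest are constructed; in practice the manifest
must come from the supplier over an authenticated channel or be signed by the supplier.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed genuine bundle as the supplier published it (fictional product name)
GENUINE_BUNDLE = {
    "acme-webd-2.4.1.tar.gz": b"constructed archive bytes for acme-webd 2.4.1",
    "acme-webd-2.4.1.tar.gz.sig": b"constructed detached signature bytes",
}

# Constructed manifest, standing in for one fetched out of band from the supplier.
# It is derived from the genuine bytes here only so the example is self-contained.
MANIFEST = {name: sha256_hex(data) for name, data in GENUINE_BUNDLE.items()}


def verify_bundle(bundle: dict, manifest: dict) -> dict:
    """Compare each manifest entry with the downloaded file.

    Missing, tampered and unlisted files all block installation: a manifest that
    does not mention a file says nothing about that file, so an extra file is not
    'harmless', it is unverified.
    """
    report = {"ok": [], "tampered": [], "missing": [], "unlisted": []}
    for name, expected in manifest.items():
        if name not in bundle:
            report["missing"].append(name)
            continue
        actual = sha256_hex(bundle[name])
        # constant-time comparison so the check never reveals how much of the digest matched
        if hmac.compare_digest(actual, expected):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    report["unlisted"] = sorted(set(bundle) - set(manifest))
    report["accept"] = not (report["tampered"] or report["missing"] or report["unlisted"])
    return report


# Constructed tampered download: archive modified, signature file dropped, extra file added
TAMPERED_BUNDLE = {
    "acme-webd-2.4.1.tar.gz": b"constructed archive bytes for acme-webd 2.4.1 + injected",
    "install.sh": b"constructed unexpected file",
}

if __name__ == "__main__":
    for label, bundle in (("genuine", GENUINE_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        print(label, verify_bundle(bundle, MANIFEST))
```

The decision to reject on unlisted files is the point most often argued away in practice; treating them as failures keeps the manifest authoritative for the whole bundle rather than only for the files the attacker chose to leave alone.
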
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
  Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
  Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
  Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
  Ex4: Verify that assets containing the organization’s data are returned or properly disposed of in a timely, controlled, and safe manner
  Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
  Ex6: Mitigate risks to data and systems created by supplier termination
  Ex7: Manage data leakage risks associated with supplier termination

ID.AM-01: Inventories of hardware managed by the organization are maintained
  Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
  Ex2: Constantly monitor networks to detect new hardware and automatically update inventories

ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
  Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
  Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
  Ex3: Maintain an inventory of the organization’s systems

ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained
  Ex1: Maintain baselines of communication and data flows within the organization’s wired and wireless networks
  Ex2: Maintain baselines of communication and data flows between the organization and third parties
  Ex3: Maintain baselines of communication and data flows for the organization’s infrastructure-as-a-service (IaaS) usage
  Ex4: Maintain documentation of expected network ports, protocols, and services that are typically used among authorized systems

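A baseline of authorized flows (ID.AM-03 Ex1 to Ex4) earns its keep only when observed traffic is actually compared against it. The block below is an added example of that comparison and is not part of the NIST document. It assumes the baseline is kept as a set of (source zone, destination zone, protocol, destination port) tuples and that observed traffic arrives as flow records; the zone map, the baseline entries and the NetFlow-style log lines are all constructed for the example.

```python
"""Flow-baseline check: added example for ID.AM-03, not part of the CSF document.

The baseline (Ex1-Ex4) is modelled as the set of authorized
(source zone, destination zone, protocol, destination port) tuples; observed traffic
is a few constructed NetFlow-style lines. Zones, addresses, ports and log lines are
all constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed zone map: network -> zone name. Anything not listed is "external".
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): "workstations",
    ipaddress.ip_network("10.20.0.0/16"): "servers",
    ipaddress.ip_network("10.30.0.0/24"): "ot",
}

# Constructed baseline of authorized flows (Ex1-Ex3), expressed as the expected
# ports and protocols between zones (Ex4).
BASELINE = {
    ("workstations", "servers", "tcp", 443),
    ("workstations", "servers", "tcp", 445),
    ("workstations", "external", "tcp", 443),
    ("servers", "external", "tcp", 443),
    ("servers", "ot", "tcp", 502),  # Modbus reaches the OT zone only from the server zone
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str):
    """'<timestamp> <src_ip> <dst_ip> <proto> <dst_port>' -> (ts, src, dst, proto, port)."""
    ts, src, dst, proto, port = line.split()
    return ts, src, dst, proto.lower(), int(port)


def unexpected_flows(lines):
    """Return every observed flow whose (zones, protocol, port) tuple is not in BASELINE."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, port = parse_flow(line)
        key = (zone_of(src), zone_of(dst), proto, port)
        if key not in BASELINE:
            findings.append({"ts": ts, "src": src, "dst": dst, "flow": key})
    return findings


def summarize(findings):
    """Count deviations per flow tuple: a tuple seen constantly is usually a baseline gap,
    a one-off is something to investigate."""
    return Counter(f["flow"] for f in findings)


# Constructed sample traffic
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.10.4.7 10.20.1.5 tcp 443
2024-05-01T10:00:02Z 10.10.4.7 203.0.113.9 tcp 443
2024-05-01T10:00:03Z 10.10.4.7 10.30.0.12 tcp 502
2024-05-01T10:00:04Z 10.20.1.5 10.30.0.12 tcp 502
2024-05-01T10:00:05Z 10.20.1.5 198.51.100.4 tcp 4444
2024-05-01T10:00:06Z 10.10.4.8 10.20.1.5 udp 53
"""

if __name__ == "__main__":
    found = unexpected_flows(SAMPLE_FLOWS.splitlines())
    for f in found:
        print(f["ts"], f["src"], "->", f["dst"], f["flow"])
    print(summarize(found))
```

Run on the constructed sample, the check flags a workstation talking Modbus directly to the OT zone, a server opening an outbound connection on a port the baseline never listed, and a DNS flow between zones that the baseline only authorizes for TCP 443 and 445. Each of those is either a baseline omission to record under Ex4 or an event to hand to detection, which is exactly the decision the baseline exists to force.
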
ID.AM-04: Inventories of services provided by suppliers are maintained
  Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
  Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization’s use of that service

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
  Ex1: Define criteria for prioritizing each class of assets
  Ex2: Apply the prioritization criteria to assets
  Ex3: Track the asset priorities and update them periodically or when significant changes to the organization occur

ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
  Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
  Ex2: Continuously discover and analyze ad hoc data to identify new instances of designated data types
  Ex3: Assign data classifications to designated data types through tags or labels
  Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types

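The four ID.AM-07 examples describe a pipeline: a list of designated data types, discovery of new instances, a classification label per hit, and provenance metadata per instance. The block below is an added example of that pipeline and is not part of the NIST document. The data types are modelled as regular expressions (a US SSN, a payment card number validated with the Luhn check so that order numbers are not mistaken for cards, and an e-mail address); the classification labels, sources, owners, regions and document contents are all constructed. The inventory stores a masked value and a fingerprint rather than the sensitive value itself.

```python
"""Designated-data discovery: added example for ID.AM-07, not part of the CSF document.

Designated data types (Ex1) are modelled as regular expressions; discovery (Ex2) scans
constructed sample documents; each hit is recorded with a classification label (Ex3)
and with the provenance, owner and region metadata of the document it came from (Ex4).
Patterns, labels, sources and document contents are all constructed.
"""
import hashlib
import re

# Constructed designated data types and their classification labels
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # candidate only; Luhn decides
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
CLASSIFICATION = {"us_ssn": "restricted", "payment_card": "restricted", "email": "internal"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(dtype: str, value: str) -> str:
    """The inventory must not become a second copy of the data; keep only a tail for triage."""
    if dtype == "email":
        return value
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_designated(doc: dict) -> list:
    findings = []
    for dtype, rx in PATTERNS.items():
        for m in rx.finditer(doc["text"]):
            value = m.group(0)
            if dtype == "payment_card":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # e.g. an order number that happens to be 16 digits
            findings.append({
                "type": dtype,
                "classification": CLASSIFICATION[dtype],
                "masked": mask(dtype, value),
                "fingerprint": hashlib.sha256(value.encode()).hexdigest()[:16],
                "source": doc["source"],   # provenance (Ex4)
                "owner": doc["owner"],     # data owner (Ex4)
                "region": doc["region"],   # geolocation (Ex4)
            })
    return findings


def scan(docs):
    return [f for d in docs for f in find_designated(d)]


# Constructed sample documents (sources, owners and contents are all made up)
SAMPLE_DOCS = [
    {"source": "s3://constructed-bucket/exports/customers.csv", "owner": "billing", "region": "us-east-1",
     "text": "Jane Doe, jane.doe@example.com, SSN 123-45-6789, card 4111 1111 1111 1111, order 1234 5678 9012 3456"},
    {"source": "file:///srv/share/notes.txt", "owner": "ops", "region": "eu-west-1",
     "text": "Maintenance window 2024-05-01; contact ops@example.com ext 4421"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_DOCS):
        print(f["classification"], f["type"], f["masked"], f["source"], f["owner"], f["region"])
```

The fingerprint lets the same instance be recognised again on the next scan (so Ex2 reports new instances rather than everything), while the masked value and the metadata give a reviewer enough to assign the owner and region without exposing the record itself.
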
ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
  Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
  Ex2: Integrate cybersecurity considerations into product life cycles
  Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., “shadow IT”)
  Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization’s attack surface
  Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production
  Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization
  Ex7: Securely destroy stored data based on the organization’s data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
  Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
  Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage

ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
  Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software
  Ex2: Assess network and system architectures for design and implementation weaknesses that affect cybersecurity
  Ex3: Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities
  Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues
  Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services
  Ex6: Review processes and procedures for weaknesses that could be exploited to affect cybersecurity

Ex1: Configure cybersecurity tools and technologies with detection or
response capabilities to securely ingest cyber threat intelligence feeds
ID.RA-02: Cyber threat intelligence is
Ex2: Receive and review advisories from reputable third parties on current
received from information sharing
threat actors and their tactics, techniques, and procedures (TTPs)
forums and sources
Ex3: Monitor sources of cyber threat intelligence for information on the
types of vulnerabilities that emerging technologies may have
Ex1: Use cyber threat intelligence to maintain awareness of the types of
threat actors likely to target the organization and the TTPs they are likely to
ID.RA-03: Internal and external use
threats to the organization are Ex2: Perform threat hunting to look for signs of threat actors within the
identified and recorded environment
Ex3: Implement processes for identifying internal threat actors
Ex1: Business leaders and cybersecurity risk management practitioners
work together to estimate the likelihood and impact of risk scenarios and
record them in risk registers
ID.RA-04: Potential impacts and
likelihoods of threats exploiting Ex2: Enumerate the potential business impacts of unauthorized access to the
vulnerabilities are identified and organization’s communications, systems, and data processed in or by those
recorded systems
Ex3: Account for the potential impacts of cascading failures for systems of
systems

ID.RA-05: Threats, vulnerabilities, Ex1: Develop threat models to better understand risks to the data and
likelihoods, and impacts are used to identify appropriate risk responses
understand inherent risk and inform Ex2: Prioritize cybersecurity resource allocations and investments based on
risk response prioritization estimated likelihoods and impacts
Ex1: Apply the vulnerability management plan’s criteria for deciding
whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan’s criteria for selecting
compensating controls to mitigate risk
ID.RA-06: Risk responses are chosen,
Ex3: Track the progress of risk response implementation (e.g., plan of
prioritized, planned, tracked, and
action and milestones [POA&M], risk register, risk detail report)
communicated
Ex4: Use risk assessment findings to inform risk response decisions and
actions
Ex5: Communicate planned risk responses to affected stakeholders in
priority order
Ex1: Implement and follow procedures for the formal documentation,
review, testing, and approval of proposed changes and requested exceptions
Ex2: Document the possible risks of making or not making each proposed
ID.RA-07: Changes and exceptions change, and provide guidance on rolling back changes
are managed, assessed for risk impact,
recorded, and tracked Ex3: Document the risks related to each requested exception and the plan
for responding to those risks
Ex4: Periodically review risks that were accepted based upon planned future
actions or milestones
Ex1: Conduct vulnerability information sharing between the organization
and its suppliers following the rules and protocols defined in contracts
ID.RA-08: Processes for receiving,
analyzing, and responding to Ex2: Assign responsibilities and verify the execution of procedures for
vulnerability disclosures are processing, analyzing the impact of, and responding to cybersecurity threat,
established vulnerability, or incident disclosures by suppliers, customers, partners, and
government cybersecurity organizations
ID.RA-09: The authenticity and
Ex1: Assess the authenticity and cybersecurity of critical technology
integrity of hardware and software are
products and services prior to acquisition and use
assessed prior to acquisition and use
ID.RA-10: Critical suppliers are Ex1: Conduct supplier risk assessments against business and applicable
assessed prior to acquisition cybersecurity requirements, including the supply chain
ID.IM-01: Improvements are identified from evaluations
Ex1: Perform self-assessments of critical services that take current threats and TTPs into consideration
Ex2: Invest in third-party assessments or independent audits of the effectiveness of the organization’s cybersecurity program to identify areas that need improvement
Ex3: Constantly evaluate compliance with selected cybersecurity requirements through automated means

ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)
Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers
Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate
Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership
Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt
Ex6: Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program

ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
Ex1: Conduct collaborative lessons learned sessions with suppliers
Ex2: Annually review cybersecurity policies, processes, and procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity performance over time

ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
Ex1: Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organization’s mission and viability
Ex2: Include contact and communication information, processes for handling common scenarios, and criteria for prioritization, escalation, and elevation in all contingency plans
Ex3: Create a vulnerability management plan to identify and assess all types of vulnerabilities and to prioritize, test, and implement risk responses
Ex4: Communicate cybersecurity plans (including updates) to those responsible for carrying them out and to affected parties
Ex5: Review and update all cybersecurity plans annually or when a need for significant improvements is identified
PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device
Ex4: Physically label authorized hardware with an identifier for inventory and servicing purposes

PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
Ex1: Verify a person’s claimed identity at enrollment time using government-issued identity credentials (e.g., passport, visa, driver’s license)
Ex2: Issue a different credential for each person (i.e., no credential sharing)

PR.AA-03: Users, services, and hardware are authenticated
Ex1: Require multifactor authentication
Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
Ex3: Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
Ex4: Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions

PR.AA-04: Identity assertions are protected, conveyed, and verified
Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems
Ex2: Protect identity assertions that are used to convey authentication and user information between federated systems
Ex3: Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Ex1: Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
Ex2: Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint’s cyber health)
Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
Ex4: Periodically review the privileges associated with critical business functions to confirm proper separation of duties

PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access
Ex2: Employ additional physical security controls for areas that contain high-risk assets
Ex3: Escort guests, vendors, and other third parties within areas that contain business-critical assets
PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Ex1: Provide basic cybersecurity awareness and training to employees, contractors, partners, suppliers, and all other users of the organization’s non-public resources
Ex2: Train personnel to recognize social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials)
Ex3: Explain the consequences of cybersecurity policy violations, both to individual users and the organization as a whole
Ex4: Periodically assess or test users on their understanding of basic cybersecurity practices
Ex5: Require annual refreshers to reinforce existing practices and introduce new practices

PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
Ex1: Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
Ex2: Provide role-based cybersecurity awareness and training to all those in specialized roles, including contractors, partners, suppliers, and other third parties
Ex3: Periodically assess or test users on their understanding of cybersecurity practices for their specialized roles
Ex4: Require annual refreshers to reinforce existing practices and introduce new practices
PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources
Ex2: Use full disk encryption to protect data stored on user endpoints
Ex3: Confirm the integrity of software by validating signatures
Ex4: Restrict the use of removable media to prevent data exfiltration
Ex5: Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets

PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications
Ex2: Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification
Ex3: Block access to personal email, file sharing, file storage services, and other personal communications applications and services from organizational systems and networks
Ex4: Prevent reuse of sensitive data from production environments (e.g., customer records) in development, testing, and other non-production environments

PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
Ex1: Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
Ex2: Protect data in use from access by other users and processes of the same platform

PR.DS-11: Backups of data are created, protected, maintained, and tested
Ex1: Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
Ex2: Test backups and restores for all types of data sources at least annually
Ex3: Securely store some backups offline and offsite so that an incident or disaster will not damage them
Ex4: Enforce geographic separation and geolocation restrictions for data backup storage
PR.PS-01: Configuration management practices are established and applied
Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organization’s cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
Ex2: Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software
Ex3: Monitor implemented software for deviations from approved baselines

PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
Ex2: Update container images, and deploy new container instances to replace rather than update existing instances
Ex3: Replace end-of-life software and service versions with supported, maintained versions
Ex4: Uninstall and remove unauthorized software and services that pose undue risks
Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse
Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence

PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
Ex1: Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
Ex2: Define and implement plans for hardware end-of-life maintenance support and obsolescence
Ex3: Perform hardware disposal in a secure, responsible, and auditable manner

PR.PS-04: Log records are generated and made available for continuous monitoring
Ex1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records
Ex2: Configure log generators to securely share their logs with the organization’s logging infrastructure systems and services
Ex3: Configure log generators to record the data needed by zero-trust architectures

PR.PS-05: Installation and execution of unauthorized software are prevented
Ex1: When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorized software
Ex2: Verify the source of new software and the software’s integrity before installing it
Ex3: Configure platforms to use only approved DNS services that block access to known malicious domains
Ex4: Configure platforms to allow the installation of organization-approved software only

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
Ex1: Protect all components of organization-developed software from tampering and unauthorized access
Ex2: Secure all software produced by the organization, with minimal vulnerabilities in their releases
Ex3: Maintain the software used in production environments, and securely dispose of software once it is no longer needed
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
Ex1: Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
Ex2: Logically segment organization networks from external networks, and permit only necessary communications to enter the organization’s networks from the external networks
Ex3: Implement zero trust architectures to restrict network access to each resource to the minimum necessary
Ex4: Check the cyber health of endpoints before allowing them to access and use production resources

PR.IR-02: The organization’s technology assets are protected from environmental threats
Ex1: Protect organizational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity
Ex2: Include protection from environmental threats and provisions for adequate operating infrastructure in requirements for service providers that operate systems on the organization's behalf

PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Ex1: Avoid single points of failure in systems and infrastructure
Ex2: Use load balancing to increase capacity and improve reliability
Ex3: Use high-availability components like redundant storage and power supplies to improve system reliability

PR.IR-04: Adequate resource capacity to ensure availability is maintained
Ex1: Monitor usage of storage, power, compute, network bandwidth, and other resources
Ex2: Forecast future needs, and scale resources accordingly
DE.CM-01: Networks and network services are monitored to find potentially adverse events
Ex1: Monitor DNS, BGP, and other network services for adverse events
Ex2: Monitor wired and wireless networks for connections from unauthorized endpoints
Ex3: Monitor facilities for unauthorized or rogue wireless networks
Ex4: Compare actual network flows against baselines to detect deviations
Ex5: Monitor network communications to identify changes in security postures for zero trust purposes

DE.CM-02: The physical environment is monitored to find potentially adverse events
Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts
Ex2: Review and monitor physical access records (e.g., from visitor registration, sign-in sheets)
Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) for signs of tampering
Ex4: Monitor the physical environment using alarm systems, cameras, and security guards

DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
Ex1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats
Ex2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts
Ex3: Continuously monitor deception technology, including user accounts, for any usage

DE.CM-06: External service provider activities and services are monitored to find potentially adverse events
Ex1: Monitor remote and onsite administration and maintenance activities that external providers perform on organizational systems
Ex2: Monitor activity from cloud-based services, internet service providers, and other service providers for deviations from expected behavior

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Ex1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events
Ex2: Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse
Ex3: Monitor software configurations for deviations from security baselines
Ex4: Monitor hardware and software for signs of tampering
Ex5: Use technologies with a presence on endpoints to detect cyber health issues (e.g., missing patches, malware infections, unauthorized software), and redirect the endpoints to a remediation environment before access is authorized
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
Ex1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise
Ex3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation
Ex4: Use log analysis tools to generate reports on their findings

DE.AE-03: Information is correlated from multiple sources
Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers
Ex2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources
Ex3: Utilize cyber threat intelligence to help correlate events among log sources

DE.AE-04: The estimated impact and scope of adverse events are understood
Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates
Ex2: A person creates their own estimates of impact and scope

DE.AE-06: Information on adverse events is provided to authorized staff and tools
Ex1: Use cybersecurity software to generate alerts and provide them to the security operations center (SOC), incident responders, and incident response tools
Ex2: Incident responders and other authorized personnel can access log analysis findings at all times
Ex3: Automatically create and assign tickets in the organization’s ticketing system when certain types of alerts occur
Ex4: Manually create and assign tickets in the organization’s ticketing system when technical staff discover indicators of compromise

DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis
Ex1: Securely provide cyber threat intelligence feeds to detection technologies, processes, and personnel
Ex2: Securely provide information from asset inventories to detection technologies, processes, and personnel
Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization’s technologies from suppliers, vendors, and third-party security advisories

DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
Ex2: Take known false positives into account when applying incident criteria
RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
Ex1: Detection technologies automatically report confirmed incidents
Ex2: Request incident response assistance from the organization’s incident response outsourcer
Ex3: Designate an incident lead for each incident
Ex4: Initiate execution of additional cybersecurity plans as needed to support incident response (for example, business continuity and disaster recovery)

RS.MA-02: Incident reports are triaged and validated
Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related and necessitate incident response activities
Ex2: Apply criteria to estimate the severity of an incident

RS.MA-03: Incidents are categorized and prioritized
Ex1: Further review and categorize incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise)
Ex2: Prioritize incidents based on their scope, likely impact, and time-critical nature
Ex3: Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation

RS.MA-04: Incidents are escalated or elevated as needed
Ex1: Track and validate the status of all ongoing incidents
Ex2: Coordinate incident escalation or elevation with designated internal and external stakeholders

RS.MA-05: The criteria for initiating incident recovery are applied
Ex1: Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated
Ex2: Take the possible operational disruption of incident recovery activities into account
RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
Ex3: Analyze the incident to find the underlying, systemic root causes
Ex4: Check any cyber deception technology for additional information on attacker behavior

RS.AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable
Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported

RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures

RS.AN-08: An incident’s magnitude is estimated and validated
Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
Ex2: Automatically run tools on targets to look for indicators of compromise and evidence of persistence
RS.CO-02: Internal and external stakeholders are notified of incidents
Ex1: Follow the organization’s breach notification procedures after discovering a data breach incident, including notifying affected customers
Ex2: Notify business partners and customers of incidents in accordance with contractual requirements
Ex3: Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval

RS.CO-03: Information is shared with designated internal and external stakeholders
Ex1: Securely share information consistent with response plans and information sharing agreements
Ex2: Voluntarily share information about an attacker’s observed TTPs, with all sensitive data removed, with an Information Sharing and Analysis Center (ISAC)
Ex3: Notify HR when malicious insider activity occurs
Ex4: Regularly update senior leadership on the status of major incidents
Ex5: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex6: Coordinate crisis communication methods between the organization and its critical suppliers
RS.MI-01: Incidents are contained
Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform containment actions
Ex2: Allow incident responders to manually select and perform containment actions
Ex3: Allow a third party (e.g., internet service provider, managed security service provider) to perform containment actions on behalf of the organization
Ex4: Automatically transfer compromised endpoints to a remediation virtual local area network (VLAN)

RS.MI-02: Incidents are eradicated
Ex1: Cybersecurity technologies and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform eradication actions
Ex2: Allow incident responders to manually select and perform eradication actions
Ex3: Allow a third party (e.g., managed security service provider) to perform eradication actions on behalf of the organization
RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
Ex1: Begin recovery procedures during or after incident response processes
Ex2: Make all individuals with recovery responsibilities aware of the plans for recovery and the authorizations required to implement each aspect of the plans

RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
Ex1: Select recovery actions based on the criteria defined in the incident response plan and available resources
Ex2: Change planned recovery actions based on a reassessment of organizational needs and resources

RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use

RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
Ex1: Use business impact and system categorization records (including service delivery objectives) to validate that essential services are restored in the appropriate order
Ex2: Work with system owners to confirm the successful restoration of systems and the return to normal operations
Ex3: Monitor the performance of restored systems to verify the adequacy of the restoration

RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
Ex2: Verify the correctness and adequacy of the restoration actions taken before putting a restored system online

RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed
Ex1: Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned
Ex2: Declare the end of incident recovery once the criteria are met
RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
Ex1: Securely share recovery information, including restoration progress, consistent with response plans and information sharing agreements
Ex2: Regularly update senior leadership on recovery status and restoration progress for major incidents
Ex3: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex4: Coordinate crisis communication between the organization and its critical suppliers

RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
Ex1: Follow the organization’s breach notification procedures for recovering from a data breach incident
Ex2: Explain the steps being taken to recover from the incident and to prevent a recurrence
GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
IDENTIFY (ID): The organization’s current cybersecurity risk is understood
PROTECT (PR): Safeguards to manage the organization’s cybersecurity risk are used
DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed
RESPOND (RS): Actions regarding a detected cybersecurity incident are taken
RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored