CIS Controls v8.1 Mapping To NIST CSF v2.0 6 24 2024 Final 1
Uploaded by
alzubiabdallah9194CIS Controls v8.1 Mapping To NIST CSF v2.0 6 24 2024 Final 1
Uploaded by
alzubiabdallah9194This document contains mappings of the CIS Critical Security Controls (CIS Controls) v8.
1 and CIS Safegua
and Technology (NIST) Cybersecurity Framework (CSF) v2.0
_x000D_ Internal Only - General
#
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]
Editors
Thomas Sager
_x000D_ Internal Only - General
#
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
_x000D_ Internal Only - General
#
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-
are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
_x000D_ Internal Only - General
#
Mapping Methodology
_x000D_ Internal Only - General
#
Mapping Methodology
This page describes the methodology used to map the CIS Critical Security Controls to NIST Cybersecurit
Reference link for NIST CSF v2.0
https://www.nist.gov/cyberframework
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item
CIS Control 6.1 - Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
_x000D_ Internal Only - General
#
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
_x000D_ Internal Only - General
#
_x000D_ Internal Only - General
#
Remember to download the CIS Controls Version 8.1 Guide where you can learn more about:
- This Version of the CIS Controls
- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8-1/
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/cis-controls-navigator
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
_x000D_ Internal Only - General
#
CIS Security
CIS Safeguard Asset Type
Control Function
1
1 1.1 Devices Identify
1 1.1 Devices Identify
1 1.2 Devices Respond
1 1.3 Devices Detect
1 1.4 Devices Identify
1 1.5 Devices Detect
_x000D_ Internal Only - General
#
2
2 2.1 Software Identify
2 2.2 Software Identify
2 2.3 Software Respond
2 2.4 Software Detect
2 2.5 Software Protect
2 2.6 Software Protect
2 2.7 Software Protect
3 3.1 Data Govern
3 3.2 Data Identify
_x000D_ Internal Only - General
#
3 3.3 Data Protect
3 3.4 Data Protect
3 3.5 Data Protect
3 3.6 Data Protect
3 3.7 Data Identify
3 3.8 Data Identify
3 3.9 Data Protect
3 3.10 Data Protect
3 3.11 Data Protect
3 3.12 Data Protect
3 3.13 Data Protect
3 3.14 Data Detect
4
_x000D_ Internal Only - General
#
Documentati
4 4.1 Govern
on
Documentati
4 4.2 Govern
on
4 4.3 Devices Protect
4 4.4 Devices Protect
4 4.5 Devices Protect
4 4.6 Devices Protect
4 4.7 Users Protect
4 4.8 Devices Protect
4 4.9 Devices Protect
4 4.10 Devices Protect
4 4.11 Data Protect
_x000D_ Internal Only - General
#
4 4.12 Data Protect
5 5.1 Users Identify
5 5.1 Users Identify
5 5.2 Users Protect
5 5.3 Users Protect
5 5.4 Users Protect
5 5.5 Users Identify
5 5.6 Users Protect
Documentati
6 6.1 Govern
on
Documentati
6 6.2 Govern
on
_x000D_ Internal Only - General
#
6 6.3 Users Protect
6 6.4 Users Protect
6 6.5 Users Protect
6 6.6 Software Identify
6 6.7 Users Protect
6 6.8 Users Govern
Documentati
7 7.1 Govern
on
Documentati
7 7.2 Govern
on
Documentati
7 7.2 Govern
on
7 7.3 Software Protect
7 7.4 Software Protect
7 7.5 Software Identify
7 7.6 Software Identify
_x000D_ Internal Only - General
#
7 7.7 Software Respond
8
Documentati
8 8.1 Govern
on
8 8.2 Data Detect
8 8.3 Data Protect
8 8.4 Network Protect
8 8.5 Data Detect
8 8.6 Data Detect
8 8.7 Data Detect
8 8.8 Data Detect
8 8.9 Data Detect
8 8.10 Data Protect
8 8.11 Data Detect
8 8.12 Data Detect
_x000D_ Internal Only - General
#
9 9.1 Software Protect
9 9.2 Devices Protect
9 9.3 Network Protect
9 9.4 Software Protect
9 9.5 Network Protect
9 9.6 Network Protect
9 9.7 Network Protect
10
10 10.1 Devices Detect
10 10.2 Devices Protect
10 10.3 Devices Protect
10 10.4 Devices Detect
10 10.5 Devices Protect
10 10.6 Devices Protect
10 10.7 Devices Detect
11
_x000D_ Internal Only - General
#
Documentati
11 11.1 Govern
on
11 11.2 Data Recover
11 11.3 Data Protect
11 11.4 Data Recover
11 11.5 Data Recover
11 11.5 Data Recover
12
12 12.1 Network Protect
12 12.2 Network Protect
12 12.3 Network Protect
Documentati
12 12.4 Govern
on
12 12.5 Network Protect
12 12.6 Network Protect
_x000D_ Internal Only - General
#
12 12.7 Devices Protect
12 12.8 Devices Protect
13
13 13.1 Network Detect
13 13.2 Devices Detect
13 13.3 Network Detect
13 13.4 Network Protect
13 13.5 Devices Protect
13 13.6 Network Detect
13 13.7 Devices Protect
13 13.8 Network Protect
13 13.9 Network Protect
13 13.10 Network Protect
13 13.11 Network Detect
14
_x000D_ Internal Only - General
#
Documentati
14 14.1 Govern
on
Documentati
14 14.1 Govern
on
14 14.2 Users Protect
14 14.3 Users Protect
14 14.4 Users Protect
14 14.5 Users Protect
14 14.6 Users Protect
14 14.7 Users Protect
14 14.8 Users Protect
14 14.9 Users Protect
_x000D_ Internal Only - General
#
14 14.9 N/A Protect
15
15 15.1 Users Identify
15 15.1 Users Identify
Documentati
15 15.2 Govern
on
Documentati
15 15.2 Govern
on
15 15.3 Users Govern
Documentati
15 15.4 Govern
on
_x000D_ Internal Only - General
#
Documentati
15 15.4 Govern
on
Documentati
15 15.4 Govern
on
15 15.5 Users Govern
15 15.6 Data Govern
15 15.6 Data Govern
15 15.6 Data Govern
15 15.7 Data Protect
16
_x000D_ Internal Only - General
#
Documentati
16 16.1 Govern
on
Documentati
16 16.2 Govern
on
16 16.3 Software Protect
16 16.4 Software Identify
16 16.5 Software Protect
Documentati
16 16.6 Govern
on
16 16.7 Software Protect
_x000D_ Internal Only - General
#
16 16.8 Network Protect
16 16.9 Users Protect
16 16.10 Software Protect
16 16.11 Software Identify
16 16.12 Software Protect
16 16.13 Software Govern
16 16.14 Software Protect
17
_x000D_ Internal Only - General
#
17 17.1 Users Respond
Documentati
17 17.2 Govern
on
Documentati
17 17.2 Govern
on
Documentati
17 17.2 Govern
on
Documentati
17 17.3 Govern
on
Documentati
17 17.4 Govern
on
17 17.5 Users Respond
17 17.6 Users Respond
17 17.7 Users Recover
_x000D_ Internal Only - General
#
17 17.8 Users Recover
Documentati
17 17.9 Recover
on
18
Documentati
18 18.1 Govern
on
18 18.2 Network Detect
18 18.3 Network Protect
18 18.4 Network Protect
18 18.5 Network Detect
_x000D_ Internal Only - General
#
Title
Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including p
mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected t
infrastructure physically, virtually, remotely, and those within cloud environments, to accurately kn
totality of assets that need to be monitored and protected within the enterprise. This will also suppo
identifying unauthorized and unmanaged assets to remove or remediate.
Establish and Maintain Detailed
Enterprise Asset Inventory
Establish and Maintain Detailed
Enterprise Asset Inventory
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host
Configuration Protocol (DHCP)
Logging to Update Enterprise
Asset Inventory
Use a Passive Asset Discovery
Tool
_x000D_ Internal Only - General
#
Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) o
network so that only authorized software is installed and can execute, and that unauthorized and u
software is found and prevented from installation or execution.
Establish and Maintain a
Software Inventory
Ensure Authorized Software is
Currently Supported
Address Unauthorized Software
Utilize Automated Software
Inventory Tools
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
Establish and Maintain a Data
Management Process
Establish and Maintain a Data
Inventory
_x000D_ Internal Only - General
#
Configure Data Access Control
Lists
Enforce Data Retention
Securely Dispose of Data
Encrypt Data on End-User
Devices
Establish and Maintain a Data
Classification Scheme
Document Data Flows
Encrypt Data on Removable
Media
Encrypt Sensitive Data in
Transit
Encrypt Sensitive Data at Rest
Segment Data Processing and
Storage Based on Sensitivity
Deploy a Data Loss Prevention
Solution
Log Sensitive Data Access
Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
mobile; network devices; non-computing/IoT devices; and servers) and software (operating system
applications).
_x000D_ Internal Only - General
#
Establish and Maintain a
Secure Configuration Process
Establish and Maintain a
Secure Configuration Process
for Network Infrastructure
Configure Automatic Session
Locking on Enterprise Assets
Implement and Manage a
Firewall on Servers
Implement and Manage a
Firewall on End-User Devices
Securely Manage Enterprise
Assets and Software
Manage Default Accounts on
Enterprise Assets and Software
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Configure Trusted DNS Servers
on Enterprise Assets
Enforce Automatic Device
Lockout on Portable End-User
Devices
Enforce Remote Wipe
Capability on Portable End-
User Devices
_x000D_ Internal Only - General
#
Separate Enterprise
Workspaces on Mobile End-
User Devices
Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.
Establish and Maintain an
Inventory of Accounts
Establish and Maintain an
Inventory of Accounts
Use Unique Passwords
Disable Dormant Accounts
Restrict Administrator Privileges
to Dedicated Administrator
Accounts
Establish and Maintain an
Inventory of Service Accounts
Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.
Establish an Access Granting
Process
Establish an Access Revoking
Process
_x000D_ Internal Only - General
#
Require MFA for Externally-
Exposed Applications
Require MFA for Remote
Network Access
Require MFA for Administrative
Access
Establish and Maintain an
Inventory of Authentication and
Authorization Systems
Centralize Access Control
Define and Maintain Role-
Based Access Control
Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
private industry sources for new threat and vulnerability information.
Establish and Maintain a
Vulnerability Management
Process
Establish and Maintain a
Remediation Process
Establish and Maintain a
Remediation Process
Perform Automated Operating
System Patch Management
Perform Automated Application
Patch Management
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
_x000D_ Internal Only - General
#
Remediate Detected
Vulnerabilities
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.
Establish and Maintain an Audit
Log Management Process
Collect Audit Logs
Ensure Adequate Audit Log
Storage
Standardize Time
Synchronization
Collect Detailed Audit Logs
Collect DNS Query Audit Logs
Collect URL Request Audit
Logs
Collect Command-Line Audit
Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews
Collect Service Provider Logs
Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunit
attackers to manipulate human behavior through direct engagement.
_x000D_ Internal Only - General
#
Ensure Use of Only Fully
Supported Browsers and Email
Clients
Use DNS Filtering Services
Maintain and Enforce Network-
Based URL Filters
Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email
Server Anti-Malware
Protections
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Deploy and Maintain Anti-
Malware Software
Configure Automatic Anti-
Malware Signature Updates
Disable Autorun and Autoplay
for Removable Media
Configure Automatic Anti-
Malware Scanning of
Removable Media
Enable Anti-Exploitation
Features
Centrally Manage Anti-Malware
Software
Use Behavior-Based Anti-
Malware Software
Data Recovery
_x000D_ Internal Only - General
#
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
and trusted state.
Establish and Maintain a Data
Recovery Process
Perform Automated Backups
Protect Recovery Data
Establish and Maintain an
Isolated Instance of Recovery
Data
Test Data Recovery
Test Data Recovery
Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Ensure Network Infrastructure is
Up-to-Date
Establish and Maintain a
Secure Network Architecture
Securely Manage Network
Infrastructure
Establish and Maintain
Architecture Diagram(s)
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols
_x000D_ Internal Only - General
#
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
Resources for All Administrative
Work
Network Monitoring and
Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.
Centralize Security Event
Alerting
Deploy a Host-Based Intrusion
Detection Solution
Deploy a Network Intrusion
Detection Solution
Perform Traffic Filtering
Between Network Segments
Manage Access Control for
Remote Assets
Collect Network Traffic Flow
Logs
Deploy a Host-Based Intrusion
Prevention Solution
Deploy a Network Intrusion
Prevention Solution
Deploy Port-Level Access
Control
Perform Application Layer
Filtering
Tune Security Event Alerting
Thresholds
Security Awareness and Skills Training
_x000D_ Internal Only - General
#
Establish and maintain a security awareness program to influence behavior among the workforce t
security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Establish and Maintain a
Security Awareness Program
Establish and Maintain a
Security Awareness Program
Train Workforce Members to
Recognize Social Engineering
Attacks
Train Workforce Members on
Authentication Best Practices
Train Workforce on Data
Handling Best Practices
Train Workforce Members on
Causes of Unintentional Data
Exposure
Train Workforce Members on
Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
Enterprise Assets are Missing
Security Updates
Train Workforce on the Dangers
of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks
Conduct Role-Specific Security
Awareness and Skills Training
_x000D_ Internal Only - General
#
Conduct Role-Specific Security
Awareness and Skills Training
Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
critical IT platforms or processes, to ensure these providers are protecting those platforms and dat
appropriately.
Establish and Maintain an
Inventory of Service Providers
Establish and Maintain an
Inventory of Service Providers
Establish and Maintain a
Service Provider Management
Policy
Establish and Maintain a
Service Provider Management
Policy
Classify Service Providers
Ensure Service Provider
Contracts Include Security
Requirements
_x000D_ Internal Only - General
#
Ensure Service Provider
Contracts Include Security
Requirements
Ensure Service Provider
Contracts Include Security
Requirements
Assess Service Providers
Monitor Service Providers
Monitor Service Providers
Monitor Service Providers
Securely Decommission
Service Providers
Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
remediate security weaknesses before they can impact the enterprise.
_x000D_ Internal Only - General
#
Establish and Maintain a
Secure Application
Development Process
Establish and Maintain a
Process to Accept and Address
Software Vulnerabilities
Perform Root Cause Analysis
on Security Vulnerabilities
Establish and Manage an
Inventory of Third-Party
Software Components
Use Up-to-Date and Trusted
Third-Party Software
Components
Establish and Maintain a
Severity Rating System and
Process for Application
Vulnerabilities
Use Standard Hardening
Configuration Templates for
Application Infrastructure
_x000D_ Internal Only - General
#
Separate Production and Non-
Production Systems
Train Developers in Application
Security Concepts and Secure
Coding
Apply Secure Design Principles
in Application Architectures
Leverage Vetted Modules or
Services for Application
Security Components
Implement Code-Level Security
Checks
Conduct Application
Penetration Testing
Conduct Threat Modeling
Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
_x000D_ Internal Only - General
#
Designate Personnel to
Manage Incident Handling
Establish and Maintain Contact
Information for Reporting
Security Incidents
Establish and Maintain Contact
Information for Reporting
Security Incidents
Establish and Maintain Contact
Information for Reporting
Security Incidents
Establish and Maintain an
Enterprise Process for
Reporting Incidents
Establish and Maintain an
Incident Response Process
Assign Key Roles and
Responsibilities
Define Mechanisms for
Communicating During Incident
Response
Conduct Routine Incident
Response Exercises
_x000D_ Internal Only - General
#
Conduct Post-Incident Reviews
Establish and Maintain Security
Incident Thresholds
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac
Establish and Maintain a
Penetration Testing Program
Perform Periodic External
Penetration Tests
Remediate Penetration Test
Findings
Validate Security Measures
Perform Periodic Internal
Penetration Tests
_x000D_ Internal Only - General
#
Description IG1
l of Enterprise Assets
entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from X
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
_x000D_ Internal Only - General
#
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
X
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.
Ensure that only currently supported software is designated as authorized in the
software inventory for enterprise assets. If software is unsupported, yet necessary for
the fulfillment of the enterprise’s mission, document an exception detailing mitigating
X
controls and residual risk acceptance. For any unsupported software without an
exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or
X
receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, and .so files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, and .py files are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a documented data management process. In the process,
address data sensitivity, data owner, handling of data, data retention limits, and
disposal requirements, based on sensitivity and retention standards for the enterprise. X
Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Establish and maintain a data inventory based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory X
annually, at a minimum, with a priority on sensitive data.
_x000D_ Internal Only - General
#
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.
Retain data according to the enterprise’s documented data management process.
X
Data retention must include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s documented data management
process. Ensure the disposal process and method are commensurate with the data X
sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations X
can include: Windows BitLocker ®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Encrypt data on removable media.
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer
encryption, also known as server-side encryption, meets the minimum requirement of
this Safeguard. Additional encryption methods may include application-layer
encryption, also known as client-side encryption, where access to the data storage
device(s) does not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's data inventory.
Log sensitive data access, including modification and disposal.
of Enterprise Assets and Software
in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
_x000D_ Internal Only - General
#
Establish and maintain a documented secure configuration process for enterprise
assets (end-user devices, including portable and mobile, non-computing/IoT devices,
and servers) and software (operating systems and applications). Review and update X
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
Establish and maintain a documented secure configuration process for network
devices. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of
inactivity. For general purpose operating systems, the period must not exceed 15 X
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-party X
firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices,
with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.
Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled Infrastructure-as-Code (IaC) and
accessing administrative interfaces over secure network protocols, such as Secure X
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
operationally essential.
Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example implementations X
can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as
an unused file sharing service, web application module, or service function.
Configure trusted DNS servers on network infrastructure. Example implementations
include configuring network devices to use enterprise-controlled DNS servers and/or
reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
_x000D_ Internal Only - General
#
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory mustmust at a minimum include user, administrator accounts, and service
accounts. The inventory, at a minimum, should contain the person’s name, username, X
start/stop dates, and department. Validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory mustmust at a minimum include user, administrator accounts, and service
accounts. The inventory, at a minimum, should contain the person’s name, username, X
start/stop dates, and department. Validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using Multi-Factor Authentication X
(MFA) and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
X
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum,
must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.
Establish and follow a documented process, preferably automated, for granting access
X
to enterprise assets upon new hire or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
X
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
_x000D_ Internal Only - General
#
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a X
satisfactory implementation of this Safeguard.
Require MFA for remote network access. X
Require MFA for all administrative access accounts, where supported, on all enterprise
X
assets, whether managed on-site or through a service provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization
systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise
assets. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation
X
process, with monthly, or more frequent, reviews.
Establish and maintain a risk-based remediation strategy documented in a remediation
X
process, with monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch
X
management on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch
X
management on a monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or
more frequent, basis. Conduct both authenticated and unauthenticated scans.
Perform automated vulnerability scans of externally-exposed enterprise assets.
Perform scans on a monthly, or more frequent, basis.
_x000D_ Internal Only - General
#
Remediate detected vulnerabilities in software through processes and tooling on a
monthly, or more frequent, basis, based on the remediation process.
and retain audit logs of events that could help detect, understand, or recover from an
Establish and maintain a documented audit log management process that defines the
enterprise’s logging requirements. At a minimum, address the collection, review, and
retention of audit logs for enterprise assets. Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
X
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
X
enterprise’s audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources
across enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets in accordance with the documented audit log management process. Example
implementations include leveraging a SIEM tool to centralize multiple log sources.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include
collecting authentication and authorization events, data creation and disposal events,
and user management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.
_x000D_ Internal Only - General
#
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through X
the vendor.
Use DNS filtering services on all end-user devices, including remote and on-premises
X
assets, to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary
browser or email client plugins, extensions, and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment
scanning and/or sandboxing.
e installation, spread, and execution of malicious applications, code, or scripts on
Deploy and maintain anti-malware software on all enterprise assets. X
Configure automatic updates for anti-malware signature files on all enterprise assets. X
Disable autorun and autoplay auto-execute functionality for removable media. X
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible,
such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
_x000D_ Internal Only - General
#
in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident
Establish and maintain a documented data recovery process. In the process, address
the scope of data recovery activities, recovery prioritization, and the security of backup
X
data. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
X
more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference
X
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline, cloud, X
or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.
, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include
running the latest stable release of software and/or using currently supported network-
X
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.
Design and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum. Example
implementations will not solely include documentation, but also policy and design components.
Securely manage network infrastructure. Example implementations include version-
controlled Infrastructure-as-Code (IaC), and the use of secure network protocols, such
as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
_x000D_ Internal Only - General
#
Require users to authenticate to enterprise-managed VPN and authentication services
prior to accessing enterprise resources on end-user devices.
Establish and maintain dedicated computing resources, either physically or logically
separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.
nd tooling to establish and maintain comprehensive network monitoring and defense
ats across the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where
appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where
appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example
implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.
and Skills Training
_x000D_ Internal Only - General
#
in a security awareness program to influence behavior among the workforce to be
nd properly skilled to reduce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a X
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a X
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing,
X
business email compromise (BEC), pretexting, and tailgating.
Train workforce members on authentication best practices. Example topics include
X
MFA, password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their X
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.
Example topics include mis-delivery of sensitive data, losing a portable end-user X
device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to
X
report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include X
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
X
training must include guidance to ensure that all users securely configure their home
network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations
include secure system administration courses for IT professionals, OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.
_x000D_ Internal Only - General
#
Conduct role-specific security awareness and skills training. Example implementations
include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
X
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
X
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could impact
this Safeguard.
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.
_x000D_ Internal Only - General
#
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.
Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider
management policy. Monitoring may include periodic reassessment of service provider
compliance, monitoring service provider release notes, and dark web monitoring.
Monitor service providers consistent with the enterprise’s service provider
management policy. Monitoring may include periodic reassessment of service provider
compliance, monitoring service provider release notes, and dark web monitoring.
Monitor service providers consistent with the enterprise’s service provider
management policy. Monitoring may include periodic reassessment of service provider
compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and
service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.
_x000D_ Internal Only - General
#
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software
vulnerabilities, including providing a means for external entities to report. The process
is to include such items as: a vulnerability handling policy that identifies reporting
process, responsible party for handling vulnerability reports, and a process for intake,
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that
helps to set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities,
root cause analysis is the task of evaluating underlying issues that create
vulnerabilities in code, and allows development teams to move beyond just fixing
individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in
development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.
Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for
application infrastructure components. This includes underlying servers, databases,
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.
_x000D_ Internal Only - General
#
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles
include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as
identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Conduct application penetration testing. For critical applications, authenticated
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is
conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.
anagement
to develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.
_x000D_ Internal Only - General
#
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, service providers, or a hybrid approach. If using a X
service provider, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, service vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, service vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, service vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an documented enterprise process for the workforce to report
security incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the X
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a documented incident response process that addresses roles
and responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts. Review annually, or when significant enterprise changes
occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate
and report during a security incident. Mechanisms can include phone calls, emails,
secure chat, or notification letters. Keep in mind that certain mechanisms, such as
emails, can be affected during a security incident. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
_x000D_ Internal Only - General
#
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence
through identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum,
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
s and resiliency of enterprise assets through identifying and exploiting weaknesses in
cesses, and technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size,
complexity, industry, and maturity of the enterprise. Penetration testing program
characteristics include scope, such as network, web application, Application
Programming Interface (API), hosted services, and physical premise controls;
frequency; limitations, such as acceptable hours, and excluded attack types; point of
contact information; remediation, such as how findings will be routed internally; and
retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less
than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party. The
testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s documented
vulnerability remediation process. This should include determining a timeline and level
of effort based on the impact and prioritization of each identified finding.
Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
_x000D_ Internal Only - General
#
IG2 IG3 Relationship CSF Subcategories
X X Equivalent ID.AM-01
X X Subset ID.AM-08
X X Subset PR.PS-03
X X
X X
_x000D_ Internal Only - General
#
X X Subset ID.AM-02
X X Subset PR.PS-02
X X Subset PR.PS-02
X X
X X Equivalent PR.PS-05
X X
X X
X X Equivalent ID.AM-07
_x000D_ Internal Only - General
#
X X
X X
X X Subset ID.AM-08
X X
X X Subset ID.AM-05
X X Subset ID.AM-03
X X
X X Subset PR.DS-02
X X Subset PR.DS-01
X X Subset PR.IR-01
_x000D_ Internal Only - General
#
X X Subset PR.PS-01
X X Subset PR.PS-01
X X
X X
X X
X X
X X
X X
X X
X X
X X
_x000D_ Internal Only - General
#
X
X X Subset PR.AA-01
X X Subset PR.AA-05
X X
X X
X X
X X
X X Subset PR.AA-01
X X Subset GV.RR-04
X X Subset GV.RR-04
_x000D_ Internal Only - General
#
X X
X X
X X
X X
X X
X Equivalent PR.AA-05
X X Superset ID.RA-01
X X Superset ID.RA-08
X X Superset ID.IM-02
X X
X X
X X
X X
_x000D_ Internal Only - General
#
X X
X X
X X Equivalent PR.PS-04
X X
X X
X X
X X
X X
X X
X X
X X
X X Superset DE.AE-02
_x000D_ Internal Only - General
#
X X
X X
X X
X X
X X
X X
X X Subset DE.CM-09
X X
X X
X X
X X
X X
X X Subset DE.CM-03
_x000D_ Internal Only - General
#
X X
X X Subset PR.DS-11
X X Subset PR.DS-11
X X
X X Subset PR.DS-11
X X Superset RC.RP-03
X X
X X Subset PR.IR-01
X X
X X
X X
X X
_x000D_ Internal Only - General
#
X X
X X Subset DE.CM-01
X X
X X
X X
X X
X X
_x000D_ Internal Only - General
#
X X Subset GV.RR-01
X X Equivalent PR.AT-01
X X
X X
X X
X X
X X
X X
X X
X X Subset GV.RR-02
_x000D_ Internal Only - General
#
X X Equivalent PR.AT-02
X X Subset GV.SC-04
X X Subset ID.AM-04
X X Subset GV.SC-01
X X Superset DE.CM-06
X X Subset GV.SC-04
X X Subset GV.SC-02
_x000D_ Internal Only - General
#
X X Equivalent GV.SC-05
X X Superset GV.SC-08
X Equivalent GV.SC-06
X Superset GV.SC-07
X Subset GV.SC-09
X Subset DE.CM-06
X Subset GV.SC-10
_x000D_ Internal Only - General
#
X X Superset PR.PS-06
X X
X X
X X
X X
X X
X X
_x000D_ Internal Only - General
#
X X
X X
X X
X X
_x000D_ Internal Only - General
#
X X
X X Subset RS.CO-02
X X Subset RS.CO-03
X X Subset RC.CO-04
X X
X X Superset RS.MA-01
X X
X X Subset RC.CO-04
X X
_x000D_ Internal Only - General
#
X X Equivalent RS.AN-03
X Equivalent RS.MA-05
X X
X X
X X
_x000D_ Internal Only - General
#
Descriptions
Inventories of hardware managed by the organization are
maintained
Systems, hardware, software, services, and data are
managed throughout their life cycles
Hardware is maintained, replaced, and removed
commensurate with risk
_x000D_ Internal Only - General
#
Inventories of software, services, and systems managed
by the organization are maintained
Software is maintained, replaced, and removed
commensurate with risk
Software is maintained, replaced, and removed
commensurate with risk
Installation and execution of unauthorized software are
prevented
Inventories of data and corresponding metadata for
designated data types are maintained
_x000D_ Internal Only - General
#
Systems, hardware, software, services, and data are
managed throughout their life cycles
Assets are prioritized based on classification, criticality,
resources, and impact on the mission
Representations of the organization's authorized network
communication and internal and external network data
flows are maintained
The confidentiality, integrity, and availability of data-in-
transit are protected
The confidentiality, integrity, and availability of data-at-rest
are protected
Networks and environments are protected from
unauthorized logical access and usage
_x000D_ Internal Only - General
#
Configuration management practices are established and
applied
Configuration management practices are established and
applied
_x000D_ Internal Only - General
#
Identities and credentials for authorized users, services,
and hardware are managed by the organization
Access permissions, entitlements, and authorizations are
defined in a policy, managed, enforced, and reviewed,
and incorporate the principles of least privilege and
separation of duties
Identities and credentials for authorized users, services,
and hardware are managed by the organization
Cybersecurity is included in human resources practices
Cybersecurity is included in human resources practices
_x000D_ Internal Only - General
#
Access permissions, entitlements, and authorizations are
defined in a policy, managed, enforced, and reviewed,
and incorporate the principles of least privilege and
separation of duties
Vulnerabilities in assets are identified, validated, and
recorded
Processes for receiving, analyzing, and responding to
vulnerability disclosures are established
Improvements are identified from security tests and
exercises, including those done in coordination with
suppliers and relevant third parties
_x000D_ Internal Only - General
#
Log records are generated and made available for
continuous monitoring
Potentially adverse events are analyzed to better
understand associated activities
_x000D_ Internal Only - General
#
Computing hardware and software, runtime environments,
and their data are monitored to find potentially adverse
events
Personnel activity and technology usage are monitored to
find potentially adverse events
_x000D_ Internal Only - General
#
Backups of data are created, protected, maintained, and
tested
Backups of data are created, protected, maintained, and
tested
Backups of data are created, protected, maintained, and
tested
The integrity of backups and other restoration assets is
verified before using them for restoration
Networks and environments are protected from
unauthorized logical access and usage
_x000D_ Internal Only - General
#
Networks and network services are monitored to find
potentially adverse events
_x000D_ Internal Only - General
#
Organizational leadership is responsible and accountable
for cybersecurity risk and fosters a culture that is risk-
aware, ethical, and continually improving
Personnel are provided awareness and training so they
possess the knowledge and skills to perform general tasks
with security risks in mind
Roles, responsibilities, and authorities related to
cybersecurity risk management are established,
communicated, understood, and enforced
_x000D_ Internal Only - General
#
Individuals in specialized roles are provided awareness
and training so they possess the knowledge and skills to
perform relevant tasks with security risks in mind
Suppliers are known and prioritized by criticality
Inventories of services provided by suppliers are
maintained
A cybersecurity supply chain risk management program,
strategy, objectives, policies, and processes are
established and agreed to by organizational stakeholders
External service provider activities and services are
monitored to find potentially adverse events
Suppliers are known and prioritized by criticality
Cybersecurity roles and responsibilities for suppliers,
customers, and partners are established, communicated,
and coordinated internally and externally
_x000D_ Internal Only - General
#
Requirements to address cybersecurity risks in supply
chains are established, prioritized, and integrated into
contracts and other types of agreements with suppliers
and other relevant third parties
Relevant suppliers and other third parties are included in
incident planning, response, and recovery activities
Planning and due diligence are performed to reduce risks
before entering into formal supplier or other third-party
relationships
The risks posed by a supplier, their products and services,
and other third parties are understood, recorded,
prioritized, assessed, responded to, and monitored over
the course of the relationship
Supply chain security practices are integrated into
cybersecurity and enterprise risk management programs,
and their performance is monitored throughout the
technology product and service life cycle
External service provider activities and services are
monitored to find potentially adverse events
Cybersecurity supply chain risk management plans
include provisions for activities that occur after the
conclusion of a partnership or service agreement
_x000D_ Internal Only - General
#
Secure software development practices are integrated
and their performance is monitored throughout the
software development life cycle
_x000D_ Internal Only - General
#
_x000D_ Internal Only - General
#
Internal and external stakeholders are notified of incidents
Information is shared with designated internal and
external stakeholders
Public updates on incident recovery are shared using
approved methods and messaging
The incident response plan is executed once an incident
is declared in coordination with relevant third parties
Public updates on incident recovery are shared using
approved methods and messaging
_x000D_ Internal Only - General
#
Analysis is performed to establish what has taken place
during an incident and the root cause of the incident
The criteria for initiating incident recovery are applied
_x000D_ Internal Only - General
#
The following Subcategorys of NIST CSF 2.0 are NOT mapped to the CIS Controls
GV.OC-01 The organizational mission is understood and informs cybersecurity risk management
GV.OC-02 Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk m
GV.OC-03 Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligati
GV.OC-04 Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are under
GV.OC-05 Outcomes, capabilities, and services that the organization depends on are understood and communicated
GV.RM-01 Risk management objectives are established and agreed to by organizational stakeholders
GV.RM-02 Risk appetite and risk tolerance statements are established, communicated, and maintained
GV.RM-03 Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.RM-04 Strategic direction that describes appropriate risk response options is established and communicated
GV.RM-05 Lines of communication across the organization are established for cybersecurity risks, including risks from supplier
GV.RM-06 A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established
GV.RM-07 Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk di
GV.RR-03 Adequate resources are allocated commensurate with cybersecurity risk strategy, roles and responsibilities, and po
GV.PO-01 Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and p
GV.PO-02 Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in req
GV.OV-01 Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
GV.OV-02 The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational require
GV.OV-03 Organizational cybersecurity risk management performance is measured and reviewed for adjustments needed
GV.SC-03 Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk a
ID.RA-02 Cyber threat intelligence is received from information sharing forums and sources
ID.RA-03 Internal and external threats to the organization are identified and recorded
ID.RA-04 Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
ID.RA-05 Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prio
ID.RA-06 Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated
ID.RA-07 Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
ID.RA-09 The authenticity and integrity of hardware and software are assessed prior to acquisition and use
ID.RA-10 Critical suppliers are assessed prior to acquisition
ID.IM-01 Improvements are identified from evaluations
ID.IM-03 Improvements are identified from execution of operational processes, procedures, and activities
ID.IM-04 Cybersecurity plans that affect operations are established, communicated, maintained, and improved
PR.AA-02 Identities are proofed and bound to credentials based on the context of interactions
PR.AA-03 Users, services, and hardware are authenticated
PR.AA-04 Identity assertions are protected, conveyed, and verified
PR.AA-06 Physical access to assets is managed, monitored, and enforced commensurate with risk
PR.DS-10 The confidentiality, integrity, and availability of data-in-use are protected
PR.IR-02 The organization's technology assets are protected from environmental threats
PR.IR-03 Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
PR.IR-04 Adequate resource capacity to ensure availability is maintained
DE.CM-02 The physical environment is monitored to find potentially adverse events
DE.AE-03 Information is correlated from multiple sources
DE.AE-04 The estimated impact and scope of adverse events are understood
DE.AE-06 Information on adverse events is provided to authorized staff and tools
DE.AE-07 Cyber threat intelligence and other contextual information are integrated into the analysis
DE.AE-08 Incidents are declared when adverse events meet the defined incident criteria
_x000D_ Internal Only - General
#
RS.MA-02 Incident reports are triaged and validated
RS.MA-03 Incidents are categorized and prioritized
RS.MA-04 Incidents are escalated or elevated as needed
RS.AN-06 Actions performed during an investigation are recorded and the records' integrity and provenance are preserved
RS.AN-07 Incident data and metadata are collected, and their integrity and provenance are preserved
RS.AN-08 An incident's magnitude is estimated and validated
RS.MI-01 Incidents are contained
RS.MI-02 Incidents are eradicated
RC.RP-01 The recovery portion of the incident response plan is executed once initiated from the incident response process
RC.RP-02 Recovery actions are selected, scoped, prioritized, and performed
RC.RP-04 Critical mission functions and cybersecurity risk management are considered to establish post-incident operational
RC.RP-05 The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirm
RC.RP-06 The criteria for determining the end of incident recovery are applied, and incident-related documentation is comple
RC.CO-03 Recovery activities and progress in restoring operational capabilities are communicated to designated internal and
_x000D_ Internal Only - General
#
regarding cybersecurity risk management are understood and considered
ivacy and civil liberties obligations - are understood and managed
om the organization are understood and communicated
d and communicated
k management processes
communicated
, including risks from suppliers and other third parties
bersecurity risks is established and communicated
nizational cybersecurity risk discussions
es and responsibilities, and policies
, cybersecurity strategy, and priorities and is communicated and enforced
orced to reflect changes in requirements, threats, technology, and organizational mission
strategy and direction
rage of organizational requirements and risks
d for adjustments needed
rprise risk management, risk assessment, and improvement processes
and inform risk response prioritization
nd communicated
tion and use
d, and improved
rse situations
_x000D_ Internal Only - General
#
provenance are preserved
e incident response process
lish post-incident operational norms
mal operating status is confirmed
ated documentation is completed
ed to designated internal and external stakeholders
_x000D_ Internal Only - General
#
The following CIS Controls Safeguards are NOT mapped to NIST CSF 2.0
1.3 Utilize an Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the ac
1.4 Use DynamiUse DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
1.5 Use a PassiUse a passive discovery tool to identify assets connected to the enterprise’s network. Review and use sc
2.4 Utilize Au Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery an
2.6 Allowlist A Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, et
2.7 Allowlist A Use technical controls, such as digital signatures and version control, to ensure that only authorized scrip
3.1 Establish Establish and maintain a data management process. In the process, address data sensitivity, data owner
3.3 Configure DConfigure data access control lists based on a user’s need to know. Apply data access control lists, also k
3.4 Enforce DaRetain data according to the enterprise’s data management process. Data retention must include both m
3.6 Encrypt DaEncrypt data on end-user devices containing sensitive data. Example implementations can include: Wind
3.9 Encrypt DaEncrypt data on removable media.
3.13 Deploy a DaImplement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensiti
3.14 Log SensitiLog sensitive data access, including modification and disposal.
4.3 Configure AConfigure automatic session locking on enterprise assets after a defined period of inactivity. For general
4.4 ImplementImplement and manage a firewall on servers, where supported. Example implementations include a virtu
4.5 ImplementImplement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-de
4.6 Securely MSecurely manage enterprise assets and software. Example implementations include managing configurati
4.7 Manage Def Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-c
4.8 Uninstall oUninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharin
4.9 Configure TConfigure trusted DNS servers on enterprise assets. Example implementations include: configuring asset
4.10 Enforce AuEnforce automatic device lockout following a predetermined threshold of local failed authentication atte
4.11 Enforce ReRemotely wipe enterprise data from enterprise-owned portable end-user devices when deemed approp
4.12 Separate EEnsure separate enterprise workspaces are used on mobile end-user devices, where supported. Example
5.2 Use UniqueUse unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an
5.3 Disable DoDelete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
5.4 Restrict AdRestrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct gene
5.5 Establish aEstablish and maintain an inventory of service accounts. The inventory, at a minimum, must contain dep
5.6 Centralize Centralize account management through a directory or identity service.
6.3 Require MFRequire all externally-exposed enterprise or third-party applications to enforce MFA, where supported. E
6.4 Require MFRequire MFA for remote network access.
6.5 Require MFRequire MFA for all administrative access accounts, where supported, on all enterprise assets, whether m
6.6 Establish aEstablish and maintain an inventory of the enterprise’s authentication and authorization systems, includ
6.7 Centralize Centralize access control for all enterprise assets through a directory service or SSO provider, where sup
7.3 Perform A Perform operating system updates on enterprise assets through automated patch management on a mo
7.4 Perform AuPerform application updates on enterprise assets through automated patch management on a monthly,
7.5 Perform Aut Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, ba
7.6 Perform Aut Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant v
7.7 RemediateRemediate detected vulnerabilities in software through processes and tooling on a monthly, or more fre
8.1 Establish Establish and maintain an audit log management process that defines the enterprise’s logging requireme
8.3 Ensure AdeEnsure that logging destinations maintain adequate storage to comply with the enterprise’s audit log ma
8.4 StandardizStandardize time synchronization. Configure at least two synchronized time sources across enterprise as
8.5 Collect DetConfigure detailed audit logging for enterprise assets containing sensitive data. Include event source, da
8.6 Collect DN Collect DNS query audit logs on enterprise assets, where appropriate and supported.
8.7 Collect UR Collect URL request audit logs on enterprise assets, where appropriate and supported.
_x000D_ Internal Only - General
#
8.8 Collect Co Collect command-line audit logs. Example implementations include collecting audit logs from PowerShel
8.9 Centralize Centralize, to the extent possible, audit log collection and retention across enterprise assets.
8.10 Retain AudiRetain audit logs across enterprise assets for a minimum of 90 days.
8.12 Collect SerCollect service provider logs, where supported. Example implementations include collecting authenticati
9.1 Ensure UseEnsure only fully supported browsers and email clients are allowed to execute in the enterprise, only usi
9.2 Use DNS FilUse DNS filtering services on all enterprise assets to block access to known malicious domains.
9.3 Maintain aEnforce and update network-based URL filters to limit an enterprise asset from connecting to potentially
9.4 Restrict U Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email clien
9.5 ImplementTo lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and ve
9.6 Block UnneBlock unnecessary file types attempting to enter the enterprise’s email gateway.
9.7 Deploy andDeploy and maintain email server anti-malware protections, such as attachment scanning and/or sandbo
10.2 Configure Configure automatic updates for anti-malware signature files on all enterprise assets.
10.3 Disable AuDisable autorun and autoplay auto-execute functionality for removable media.
10.4 Configure Configure anti-malware software to automatically scan removable media.
10.5 Enable AntiEnable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft®
10.6 Centrally Centrally manage anti-malware software.
11.1 Establish and
Establish
Maintain
andamaintain
Data Recovery
a dataProcess
recovery process. In the process, address the scope of data recovery activi
11.4 Establish and
Establish
Maintain
andanmaintain
Isolatedan
Instance
isolatedofinstance
RecoveryofData
recovery data. Example implementations include, version
12.1 Ensure Netw Ensure network infrastructure is kept up-to-date. Example implementations include running the latest st
12.3 Securely MSecurely manage network infrastructure. Example implementations include version-controlled-infrastruc
12.4 Establish aEstablish and maintain architecture diagram(s) and/or other network system documentation. Review an
12.5 Centralize Centralize network AAA.
12.6 Use of Secure
UseNetwork
secure network
Management
management
and Communication
and communication
Protocols
protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (
12.7 Ensure Remo Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing
12.8 Establish Establish and maintain dedicated computing resources, either physically or logically separated, for all ad
13.2 Deploy a Ho Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or suppor
13.3 Deploy a NDeploy a network intrusion detection solution on enterprise assets, where appropriate. Example implem
13.4 Perform TrPerform traffic filtering between network segments, where appropriate.
13.5 Manage Acc Manage access control for assets remotely connecting to enterprise resources. Determine amount of acc
13.6 Collect NetCollect network traffic flow logs and/or network traffic to review and alert upon from network devices.
13.7 Deploy a HoDeploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supp
13.8 Deploy a NDeploy a network intrusion prevention solution, where appropriate. Example implementations include th
13.9 Deploy PortDeploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contr
13.10 Perform App Perform application layer filtering. Example implementations include a filtering proxy, application layer fi
13.11 Tune SecuriTune security event alerting thresholds monthly, or more frequently.
14.2 Train WorkTrain workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailg
14.3 Train WorkTrain workforce members on authentication best practices. Example topics include MFA, password comp
14.4 Train WorkfTrain workforce members on how to identify and properly store, transfer, archive, and destroy sensitive
14.5 Train WorkTrain workforce members to be aware of causes for unintentional data exposure. Example topics include
14.6 Train WorkTrain workforce members to be able to recognize a potential incident and be able to report such an incid
14.7 Train WorkfTrain workforce to understand how to verify and report out-of-date software patches or any failures in a
14.8 Train WorkTrain workforce members on the dangers of connecting to, and transmitting data over, insecure network
16.2 Establish a Third-party application developers need to consider this an externally-facing policy that helps to set expe
16.3 Perform Roo Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analys
16.4 Establish Establish and manage an updated inventory of third-party components used in development, often refer
_x000D_ Internal Only - General
#
16.5 Use Up-to-Use up-to-date and trusted third-party software components. When possible, choose established and pr
16.6 Establish aEstablish and maintain a severity rating system and process for application vulnerabilities that facilitates
16.7 Use StandarUse standard, industry-recommended hardening configuration templates for application infrastructure c
16.8 Separate PMaintain separate environments for production and non-production systems.
16.9 Train DevelEnsure that all software development personnel receive training in writing secure code for their specific
16.10 Apply SecurApply secure design principles in application architectures. Secure design principles include the concept
16.11 Leverage VLeverage vetted modules or services for application security components, such as identity management,
16.12 ImplementApply static and dynamic analysis tools within the application life cycle to verify that secure coding practi
16.13 Conduct ApConduct application penetration testing. For critical applications, authenticated penetration testing is be
16.14 Conduct ThConduct threat modeling. Threat modeling is the process of identifying and addressing application secur
17.1 Designate Designate one key person, and at least one backup, who will manage the enterprise’s incident handling p
17.3 Establish aEstablish and maintain an enterprise process for the workforce to report security incidents. The process
17.5 Assign Key Assign key roles and responsibilities for incident response, including staff from legal, IT, information secu
17.7 Conduct RoPlan and conduct routine incident response exercises and scenarios for key personnel involved in the inc
18.1 Establish aEstablish and maintain a penetration testing program appropriate to the size, complexity, and maturity o
18.2 Perform PerPerform periodic external penetration tests based on program requirements, no less than annually. Exte
18.3 RemediateRemediate penetration test findings based on the enterprise’s policy for remediation scope and prioritiza
18.4 Validate S Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabi
18.5 Perform PerPerform periodic internal penetration tests based on program requirements, no less than annually. The t
_x000D_ Internal Only - General
#
se’s network. Configure the active discovery tool to execute daily, or more frequently.
nagement tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more
s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
to automate the discovery and documentation of installed software.
ch as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system pr
sure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Re
s data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standa
ata access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
retention must include both minimum and maximum timelines.
mentations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a re
riod of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period
mplementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
s include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure n
administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making the
e, such as an unused file sharing service, web application module, or service function.
ons include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
ocal failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authenti
devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
es, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterp
on includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
ity, where supported.
nterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary
a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accoun
orce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard
ll enterprise assets, whether managed on-site or through a third-party provider.
authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, an
e or SSO provider, where supported.
d patch management on a monthly, or more frequent, basis.
h management on a monthly, or more frequent, basis.
uarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning t
sets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
ing on a monthly, or more frequent, basis, based on the remediation process.
enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review a
h the enterprise’s audit log management process.
e sources across enterprise assets, where supported.
data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could ass
supported.
_x000D_ Internal Only - General
#
ng audit logs from PowerShell®, BASH™, and remote administrative terminals.
enterprise assets.
nclude collecting authentication and authorization events, data creation and disposal events, and user management events.
ute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
malicious domains.
rom connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-b
cessary browser or email client plugins, extensions, and add-on applications.
plement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Ma
ment scanning and/or sandboxing.
possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Pro
scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or
ementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.
s include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review soft
e version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
m documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeg
1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).
tion services prior to accessing enterprise resources on end-user devices.
logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented fr
re appropriate and/or supported.
appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provid
ces. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance
upon from network devices.
here appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-bas
ple implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
r similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.
ring proxy, application layer firewall, or gateway.
phishing, pre-texting, and tailgating.
include MFA, password composition, and credential management.
archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking
osure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audience
be able to report such an incident.
re patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in au
g data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure th
ng policy that helps to set expectations for outside stakeholders.
nerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development team
ed in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any ri
_x000D_ Internal Only - General
#
ble, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sour
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum l
or application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, P
secure code for their specific development environment and responsibilities. Training can include general security principles and applicati
rinciples include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the co
such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce develo
erify that secure coding practices are being followed.
ated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Pene
d addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals w
nterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident respon
ecurity incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum informatio
om legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review an
personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communica
ze, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web applicatio
ts, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable inf
mediation scope and prioritization.
ry, modify rulesets and capabilities to detect the techniques used during testing.
s, no less than annually. The testing may be clear box or opaque box.
_x000D_ Internal Only - General
#
set inventory weekly, or more frequently.
from loading into a system process. Reassess bi-annually, or more frequently.
zed scripts from executing. Reassess bi-annually, or more frequently.
ensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes o
pplications.
those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory.
e end-user devices, the period must not exceed 2 minutes.
ative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use inse
efault accounts or making them unusable.
ble DNS servers.
w more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example imp
e enterprise.
Work Profile to separate enterprise applications and data from personal applications and data.
r accounts not using MFA.
e use, from the user’s primary, non-privileged account.
validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
ementation of this Safeguard.
e inventory, at a minimum, annually, or more frequently.
pliant vulnerability scanning tool.
or enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Saf
useful elements that could assist in a forensic investigation.
_x000D_ Internal Only - General
#
gement events.
y-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
he DomainKeys Identified Mail (DKIM) standards.
or Apple® System Integrity Protection (SIP) and Gatekeeper™.
e documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
e (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
r that could impact this Safeguard.
urces should be segmented from the enterprise's primary network and not be allowed internet access.
quivalent cloud service provider (CSP) service.
ed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are u
ponse (EDR) client or host-based IPS agent.
best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at th
data to unintended audiences.
personnel of any failures in automated processes and tools.
nclude guidance to ensure that all users securely configure their home network infrastructure.
and allows development teams to move beyond just fixing individual vulnerabilities as they arise.
s inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or
_x000D_ Internal Only - General
#
omponents from trusted sources or evaluate the software for vulnerabilities before use.
includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of tria
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to
curity principles and application security standard practices. Conduct training at least annually and design in a way to promote security wi
user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and do
y functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems p
mated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and
specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is
mentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hyb
, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when s
ysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
cises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
ch as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limita
ance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qu
_x000D_ Internal Only - General
#
gnificant enterprise changes occur that could impact this Safeguard.
ecure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
tication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
cur that could impact this Safeguard.
_x000D_ Internal Only - General
#
system and applications are up-to-date.
and virtual whiteboards at the end of meetings, and storing data and assets securely.
thly to identify any changes or updates to these components, and validate that the component is still supported.
_x000D_ Internal Only - General
#
bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Re
-house developed software to weaken configuration hardening.
a way to promote security within the development team, and build a culture of security among the developers.
checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also m
s. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanis
ation as an authenticated and unauthenticated user.
nt and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weakness
, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to overse
e. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
asis, at a minimum.
ise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such a
ust be conducted through a qualified party. The testing may be clear box or opaque box.
_x000D_ Internal Only - General
#
ess operationally essential.
n Profile maxFailedAttempts.
_x000D_ Internal Only - General
#
_x000D_ Internal Only - General
#
severe bugs are fixed first. Review and update the system and process annually.
ormats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and serv
on and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption
y to understand its weaknesses.
nal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this
ormation; remediation, such as how findings will be routed internally; and retrospective requirements.
_x000D_ Internal Only - General
#
_x000D_ Internal Only - General
#
ff unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
tensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.
es occur that could impact this Safeguard.
_x000D_ Internal Only - General
#
_x000D_ Internal Only - General
#
ult accounts.
in secure audit logs.
_x000D_ Internal Only - General
#
You might also like
- CCM v4.0 Implementation Guidelines v2.0 20240528No ratings yetCCM v4.0 Implementation Guidelines v2.0 20240528366 pages
- Section 1 - Technical Sales Foundations For IBM QRadar For Cloud (QRoC) V1 P10000-017No ratings yetSection 1 - Technical Sales Foundations For IBM QRadar For Cloud (QRoC) V1 P10000-017215 pages
- CIS Controls v8 234to ASD Essential Eight 2 2023No ratings yetCIS Controls v8 234to ASD Essential Eight 2 2023107 pages
- CIS_Controls_v8_Mapping_to_CSF_2.0__February_2024_No ratings yetCIS_Controls_v8_Mapping_to_CSF_2.0__February_2024_100 pages
- DEA-1TT4 Exam – Free Actual Q&As, Page 1 _ ExamTopicsNo ratings yetDEA-1TT4 Exam – Free Actual Q&As, Page 1 _ ExamTopics40 pages
- GRC Analyst Resume - Hire IT People - We Get IT Done100% (1)GRC Analyst Resume - Hire IT People - We Get IT Done7 pages
- Security of Critical Infrastructure Act 2018100% (1)Security of Critical Infrastructure Act 2018141 pages
- 0xcybery Github Io Blog Splunk Use CasesNo ratings yet0xcybery Github Io Blog Splunk Use Cases14 pages
- System Hardening Configuration Review - Datasheet (Revised) - ControlledNo ratings yetSystem Hardening Configuration Review - Datasheet (Revised) - Controlled2 pages
- CC Certified in Cybersecurity Cert Guide (For Raymond Rhine)No ratings yetCC Certified in Cybersecurity Cert Guide (For Raymond Rhine)454 pages
- CDM-CYBER-DEFENSE-eMAGAZINE-January-2025No ratings yetCDM-CYBER-DEFENSE-eMAGAZINE-January-2025247 pages
- Abu Dhabi Healthcare Information and Cyber Security Workforce GuidelineNo ratings yetAbu Dhabi Healthcare Information and Cyber Security Workforce Guideline127 pages
- Integrating Zscaler With Microsoft SentinelNo ratings yetIntegrating Zscaler With Microsoft Sentinel18 pages
- SEC450 W7 ILab SEC450 W7 Network Vulnerability Case Study Instructions0% (1)SEC450 W7 ILab SEC450 W7 Network Vulnerability Case Study Instructions2 pages
- Lessons Learned Applying ATT&CK - Based SOC Assessments - PDFNo ratings yetLessons Learned Applying ATT&CK - Based SOC Assessments - PDF47 pages
- CRISC Certified in Risk and Information Systems Control Updated Dumps100% (1)CRISC Certified in Risk and Information Systems Control Updated Dumps126 pages
- Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) LogsNo ratings yetCorelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs6 pages
- TRENDsCampus ADVANCED Hybrid Cloud Security Deck V5No ratings yetTRENDsCampus ADVANCED Hybrid Cloud Security Deck V5224 pages
- Enabling Protection Against Data Exfiltration by Implementing Iso 27001:2022 UpdateNo ratings yetEnabling Protection Against Data Exfiltration by Implementing Iso 27001:2022 Update17 pages
- Download full CASP Practice Tests 1st Edition Nadean H. Tanner ebook all chapters100% (2)Download full CASP Practice Tests 1st Edition Nadean H. Tanner ebook all chapters55 pages
- Infoblox Installation Guide 1405 Series AppliancesNo ratings yetInfoblox Installation Guide 1405 Series Appliances26 pages
- CND Labs Module 04 Network Security Policy Design and ImplementationNo ratings yetCND Labs Module 04 Network Security Policy Design and Implementation7 pages
- NGF03 NextGen Firewall Features Slide Deck FW7.1.1No ratings yetNGF03 NextGen Firewall Features Slide Deck FW7.1.128 pages
- The Zero Trust EXtended Security Maturity AssessmentNo ratings yetThe Zero Trust EXtended Security Maturity Assessment38 pages
- Adaptive Orbital Pipe Welding - Hamidreza Latifi100% (1)Adaptive Orbital Pipe Welding - Hamidreza Latifi140 pages
- Glossary of Key Accounting Terms This Glossary Contains Most ofNo ratings yetGlossary of Key Accounting Terms This Glossary Contains Most of20 pages
- ComplianceForge Hierarchical Cybersecurity Governance FrameworkNo ratings yetComplianceForge Hierarchical Cybersecurity Governance Framework5 pages
- User's Manual: Stellaris® LM3S811 Evaluation BoardNo ratings yetUser's Manual: Stellaris® LM3S811 Evaluation Board35 pages
- Research Design & Factors To Consider in The Choice of A Research DesignNo ratings yetResearch Design & Factors To Consider in The Choice of A Research Design6 pages
- Step by Step Guide Answers For Practical Test Visual ArtsRBUNo ratings yetStep by Step Guide Answers For Practical Test Visual ArtsRBU5 pages
- Chapter 14 - Material Requirement Planning (MRP)No ratings yetChapter 14 - Material Requirement Planning (MRP)3 pages
- Code Coverage - Firefox Source Docs DocumentationNo ratings yetCode Coverage - Firefox Source Docs Documentation5 pages
- OVERHEAD BRIDGE AND GANTRY CRANE MANUAL - CompressedNo ratings yetOVERHEAD BRIDGE AND GANTRY CRANE MANUAL - Compressed63 pages
- Practice Question Cyber-Resilience Range of PracticesNo ratings yetPractice Question Cyber-Resilience Range of Practices7 pages
- Hacker Opens High Security Handcuffs With 3DNo ratings yetHacker Opens High Security Handcuffs With 3D5 pages
