NIST Cybersecurity Framework (CSF) 2.0

Title: The NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user-generated version of the Core.
Change Log: Final
The NIST Cybersecurity Framework 2.0 www.nist.gov/cyberframework

Function Category Subcategory

GOVERN (GV): The organization's cybersecurity risk management
  Organizational Context (GV.OC): The circumstances - mission, stakeholder
    GV.OC-01: The organizational mission is understood and informs cybersecurity risk
    GV.OC-02: Internal and external stakeholders are understood, and their needs and
    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including
    GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are
  Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk
    GV.RM-01: Risk management objectives are established and agreed to by organizational
    GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in
    GV.RM-04: Strategic direction that describes appropriate risk response options is established
    GV.RM-05: Lines of communication across the organization are established for cybersecurity
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in
  Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles,
    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are
    GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk
    GV.RR-04: Cybersecurity is included in human resources practices
  Policy (GV.PO): Organizational cybersecurity policy is established,
    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and
  Oversight (GV.OV): Results of organization-wide cybersecurity risk management
    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and
CSF 2.0 Page 2 of 11
  Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain
    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives,
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning,
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for

IDENTIFY (ID): The organization's current cybersecurity risks are
  Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems,
    ID.AM-01: Inventories of hardware managed by the organization are maintained
    ID.AM-02: Inventories of software, services, and systems managed by the organization are
    ID.AM-03: Representations of the organization's authorized network communication and internal
    ID.AM-04: Inventories of services provided by suppliers are maintained
    ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact
    ID.AM-07: Inventories of data and corresponding metadata for designated data
    ID.AM-08: Systems, hardware, software, services, and data are managed throughout their
  Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and
    ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
    ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-03: Internal and external threats to the organization are identified and recorded
    ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent
    ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
    ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are
    ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition
    ID.RA-10: Critical suppliers are assessed prior to
  Improvement (ID.IM): Improvements to organizational cybersecurity risk
    ID.IM-01: Improvements are identified from evaluations
    ID.IM-02: Improvements are identified from security tests and exercises, including those
    ID.IM-03: Improvements are identified from execution of operational processes, procedures,
    ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are

PROTECT (PR): Safeguards to manage the organization's cybersecurity risks
  Identity Management, Authentication, and Access Control (PR.AA): Access to physical
    PR.AA-01: Identities and credentials for authorized users, services, and hardware are
    PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
    PR.AA-03: Users, services, and hardware are authenticated
    PR.AA-04: Identity assertions are protected, conveyed, and verified
    PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed,
    PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with
  Awareness and Training (PR.AT): The organization's personnel are provided with
    PR.AT-01: Personnel are provided with awareness and training so that they possess the
    PR.AT-02: Individuals in specialized roles are provided with awareness and training so that
  Data Security (PR.DS): Data are managed consistent with the organization's risk
    PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
    PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
    PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
    PR.DS-11: Backups of data are created, protected, maintained, and tested
  Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems,
    PR.PS-01: Configuration management practices are established and applied
    PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
    PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
    PR.PS-04: Log records are generated and made available for continuous monitoring
    PR.PS-05: Installation and execution of unauthorized software are prevented
    PR.PS-06: Secure software development practices are integrated, and their performance
  Technology Infrastructure Resilience (PR.IR): Security architectures are managed
    PR.IR-01: Networks and environments are protected from unauthorized logical access and
    PR.IR-02: The organization's technology assets are protected from environmental threats
    PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and
    PR.IR-04: Adequate resource capacity to ensure availability is maintained
DETECT (DE): Possible cybersecurity attacks and compromises are found
  Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of
    DE.CM-01: Networks and network services are monitored to find potentially adverse events
    DE.CM-02: The physical environment is monitored to find potentially adverse events
    DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse
    DE.CM-06: External service provider activities and services are monitored to find potentially
    DE.CM-09: Computing hardware and software, runtime environments, and their data are
  Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other
    DE.AE-02: Potentially adverse events are analyzed to better understand associated
    DE.AE-03: Information is correlated from multiple sources
    DE.AE-04: The estimated impact and scope of adverse events are understood
    DE.AE-06: Information on adverse events is provided to authorized staff and tools
    DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the
    DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

RESPOND (RS): Actions regarding a detected cybersecurity incident are
  Incident Management (RS.MA): Responses to detected cybersecurity incidents are
    RS.MA-01: The incident response plan is executed in coordination with relevant third
    RS.MA-02: Incident reports are triaged and validated
    RS.MA-03: Incidents are categorized and prioritized
    RS.MA-04: Incidents are escalated or elevated as needed
    RS.MA-05: The criteria for initiating incident recovery are applied
  Incident Analysis (RS.AN): Investigations are conducted to ensure effective response
    RS.AN-03: Analysis is performed to establish what has taken place during an incident and the
    RS.AN-06: Actions performed during an investigation are recorded, and the records'
    RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are
    RS.AN-08: An incident's magnitude is estimated and validated
  Incident Response Reporting and Communication (RS.CO): Response
    RS.CO-02: Internal and external stakeholders are notified of incidents
    RS.CO-03: Information is shared with designated internal and external stakeholders
  Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an
    RS.MI-01: Incidents are contained

    RS.MI-02: Incidents are eradicated

RECOVER (RC): Assets and operations affected by a cybersecurity incident
  Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to
    RC.RP-01: The recovery portion of the incident response plan is executed once initiated from
    RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
    RC.RP-03: The integrity of backups and other restoration assets is verified before using them
    RC.RP-04: Critical mission functions and cybersecurity risk management are considered
    RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and
    RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related
  Incident Recovery Communication (RC.CO): Restoration activities are coordinated with
    RC.CO-03: Recovery activities and progress in restoring operational capabilities are
    RC.CO-04: Public updates on incident recovery are shared using approved methods and

Implementation Examples

1st: 1st Party Risk
Ex1: Share the organization's mission (e.g.,
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Create an inventory of the organization's dependencies on external
1st: 1st Party Risk
Ex1: Update near-term and long-term
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Aggregate and manage cybersecurity
1st: 1st Party Risk
Ex1: Specify criteria for accepting and
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Establish criteria for using a
1st: 1st Party Risk
Ex1: Define and communicate guidance and
1st: 1st Party Risk
Ex1: Leaders (e.g., directors) agree on their
1st: 1st Party Risk
Ex1: Document risk management roles and
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Integrate cybersecurity risk
1st: 1st Party Risk
Ex1: Create, disseminate, and maintain an
1st: 1st Party Risk
Ex1: Update policy based on periodic
1st: 1st Party Risk
Ex1: Measure how well the risk
1st: 1st Party Risk
Ex1: Review audit findings to confirm
1st: 1st Party Risk
Ex1: Review key performance indicators

Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain
Ex1: Identify one or more specific roles or positions that will be responsible and
Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk
Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of
Ex1: Establish security requirements for suppliers, products, and services
Ex1: Perform thorough due diligence on prospective suppliers that is consistent with
Ex1: Adjust assessment formats and frequencies based on the third party's
Ex1: Define and use rules and protocols for reporting incident response and recovery
Ex1: Policies and procedures require provenance records for all acquired
Ex1: Establish processes for terminating critical relationships under both normal and

1st: 1st Party Risk
Ex1: Maintain inventories for all types of
1st: 1st Party Risk
Ex1: Maintain inventories for all types of
1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Inventory all external services used by the organization, including third-party
1st: 1st Party Risk
Ex1: Define criteria for prioritizing each
1st: 1st Party Risk
Ex1: Maintain a list of the designated data
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Use vulnerability management
1st: 1st Party Risk
Ex1: Configure cybersecurity tools and
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Business leaders and cybersecurity risk
1st: 1st Party Risk
Ex1: Develop threat models to better
1st: 1st Party Risk
Ex1: Apply the vulnerability management
Ex1: Implement and follow procedures for the formal documentation, review, testing,
1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Assess the authenticity and cybersecurity of critical technology
Ex1: Conduct supplier risk assessments against business and applicable

1st: 1st Party Risk
Ex1: Perform self-assessments of critical
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Conduct collaborative lessons learned
1st: 1st Party Risk
Ex1: Establish contingency plans (e.g.,

1st: 1st Party Risk
Ex1: Initiate requests for new access or
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Require multifactor authentication
1st: 1st Party Risk
Ex1: Protect identity assertions that are
1st: 1st Party Risk
Ex1: Review logical and physical access
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Provide basic cybersecurity awareness
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Use encryption, digital signatures, and
1st: 1st Party Risk
Ex1: Use encryption, digital signatures, and
1st: 1st Party Risk
Ex1: Remove data that must remain
1st: 1st Party Risk
Ex1: Continuously back up critical data in
1st: 1st Party Risk
Ex1: Establish, test, deploy, and maintain
1st: 1st Party Risk
Ex1: Perform routine and emergency
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Configure all operating systems,
1st: 1st Party Risk
Ex1: When risk warrants it, restrict software
1st: 1st Party Risk
Ex1: Protect all components of
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Avoid single points of failure in
Ex1: Monitor usage of storage, power, compute, network bandwidth, and other

Ex1: Monitor DNS, BGP, and other network services for adverse events
Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find
Ex1: Use behavior analytics software to detect anomalous user activity to mitigate
Ex1: Monitor remote and onsite administration and maintenance activities
Ex1: Monitor email, web, file sharing, collaboration services, and other common
Ex1: Use security information and event management (SIEM) or other tools to
Ex1: Constantly transfer log data generated by other sources to a relatively small
Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine
Ex1: Use cybersecurity software to generate alerts and provide them to the security
Ex1: Securely provide cyber threat intelligence feeds to
Ex1: Apply incident detection criteria to known and assumed characteristics of activity in order

Ex1: Detection technologies automatically report confirmed incidents
1st: 1st Party Risk
Ex1: Preliminarily review incident reports to
1st: 1st Party Risk
Ex1: Further review and categorize
1st: 1st Party Risk
Ex1: Track and validate the status of all
1st: 1st Party Risk
Ex1: Apply incident recovery criteria to
1st: 1st Party Risk
Ex1: Determine the sequence of events that
1st: 1st Party Risk
Ex1: Require each incident responder and
1st: 1st Party Risk
Ex1: Collect, preserve, and safeguard the
1st: 1st Party Risk
Ex1: Review other potential targets of the
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Begin recovery procedures during or
1st: 1st Party Risk
Ex1: Select recovery actions based on the
1st: 1st Party Risk
Ex1: Check restoration assets for indicators
1st: 1st Party Risk
Ex1: Use business impact and system
1st: 1st Party Risk
Ex1: Check restored assets for indicators of
1st: 1st Party Risk
Ex1: Prepare an after-action report that
1st: 1st Party Risk
3rd: 3rd Party Risk
1st: 1st Party Risk
Ex1: Follow the organization's breach
