Nist CSF Task Pack

Uploaded by vendor

Framework App

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)


Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Asset Management (ID.AM)


Cybersecurity Framework v1.1 Asset Management (ID.AM)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)


Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Business Environment (ID.BE)

Cybersecurity Framework v1.1 Governance (ID.GV)


Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)


Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Governance (ID.GV)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)


Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)


Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Assessment (ID.RA)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)


Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Risk Management Strategy (ID.RM)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)


Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)


Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Access Control (PR.AC)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)


Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)


Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Awareness and Training (PR.AT)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)


Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)


Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)


Cybersecurity Framework v1.1 Data Security (PR.DS)

Cybersecurity Framework v1.1 Data Security (PR.DS)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)
Information Protection Processes and Procedures
Cybersecurity Framework v1.1 (PR.IP)

Information Protection Processes and Procedures


Cybersecurity Framework v1.1 (PR.IP)

Cybersecurity Framework v1.1 Maintenance (PR.MA)

Cybersecurity Framework v1.1 Maintenance (PR.MA)

Cybersecurity Framework v1.1 Maintenance (PR.MA)

Cybersecurity Framework v1.1 Maintenance (PR.MA)

Cybersecurity Framework v1.1 Maintenance (PR.MA)


Cybersecurity Framework v1.1 Maintenance (PR.MA)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)


Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)

Cybersecurity Framework v1.1 Protective Technology (PR.PT)


Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)


Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Anomalies and Events (DE.AE)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)


Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)


Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)


Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Security Continuous Monitoring (DE.CM)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)


Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Detection Processes (DE.DP)


Cybersecurity Framework v1.1 Detection Processes (DE.DP)

Cybersecurity Framework v1.1 Response Planning (PS.RP)

Cybersecurity Framework v1.1 Response Planning (PS.RP)

Cybersecurity Framework v1.1 Response Planning (PS.RP)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)


Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)


Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Communications (RS.CO)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)


Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Analysis (RS.AN)

Cybersecurity Framework v1.1 Mitigation (RS.MI)


Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Mitigation (RS.MI)

Cybersecurity Framework v1.1 Improvements (RS.IM)


Cybersecurity Framework v1.1 Improvements (RS.IM)

Cybersecurity Framework v1.1 Improvements (RS.IM)

Cybersecurity Framework v1.1 Improvements (RS.IM)

Cybersecurity Framework v1.1 Improvements (RS.IM)

Cybersecurity Framework v1.1 Improvements (RS.IM)

Cybersecurity Framework v1.1 Recovery Planning (RC.RP)

Cybersecurity Framework v1.1 Recovery Planning (RC.RP)

Cybersecurity Framework v1.1 Recovery Planning (RC.RP)

Cybersecurity Framework v1.1 Improvements (RC.IM)

Cybersecurity Framework v1.1 Improvements (RC.IM)


Cybersecurity Framework v1.1 Improvements (RC.IM)

Cybersecurity Framework v1.1 Improvements (RC.IM)

Cybersecurity Framework v1.1 Improvements (RC.IM)

Cybersecurity Framework v1.1 Improvements (RC.IM)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)


Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Communications (RC.CO)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)


Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)


Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)

Cybersecurity Framework v1.1 Supply Chain Risk Management (ID.SC)


Current Subcontrol Task Subject

Device and System Management (ID.AM-1) Physical Device/System Inventory

Device and System Management (ID.AM-1) Examine Additional Evidence

Device and System Management (ID.AM-1) Requirement Fullfillment


Software and Applications Management
(ID.AM-2) Software/Application Inventory
Software and Applications Management
(ID.AM-2) Examine Additional Evidence

Software and Applications Management


(ID.AM-2) Requirement Fullfillment

Organizational Communication (ID.AM-3) Organizational Communication/Data Flow

Organizational Communication (ID.AM-3) Examine Additional Evidence

Organizational Communication (ID.AM-3) Requirement Fullfillment


External Information Systems (ID.AM-4) External Information System Categorization

External Information Systems (ID.AM-4) Examine Additional Evidence

External Information Systems (ID.AM-4) Requirement Fullfillment

Resources Classification (ID.AM-5) Resource Prioritization

Resources Classification (ID.AM-5) Examine Additional Evidence

Resources Classification (ID.AM-5) Requirement Fullfillment

Workforce/Stakeholder Roles and


Roles and Responsibilities (ID.AM-6) Responsibilities

Roles and Responsibilities (ID.AM-6) Examine Additional Evidence


Roles and Responsibilities (ID.AM-6) Requirement Fullfillment

Supply Chain (ID.BE-1) Supply Chain Role

Supply Chain (ID.BE-1) Examine Additional Evidence

Supply Chain (ID.BE-1) Requirement Fullfillment

Industry Sector (ID.BE-2) Critical Infrastructure Role

Industry Sector (ID.BE-2) Examine Additional Evidence

Industry Sector (ID.BE-2) Requirement Fullfillment

Organizational Mission (ID.BE-3) Organizational Priorities

Organizational Mission (ID.BE-3) Examine Additional Evidence


Organizational Mission (ID.BE-3) Requirement Fullfillment

Dependencies (ID.BE-4) Dependencies and Critical Functions

Dependencies (ID.BE-4) Examine Additional Evidence

Dependencies (ID.BE-4) Requirement Fullfillment

Resilience Requirements (ID.BE-5) Resilience Requirements

Resilience Requirements (ID.BE-5) Examine Additional Evidence

Resilience Requirements (ID.BE-5) Requirement Fullfillment

Information Security Policy (ID.GV-1) Organizational Cybersecurity Policy


Information Security Policy (ID.GV-1) Examine Additional Evidence

Information Security Policy (ID.GV-1) Requirement Fullfillment

Roles and Responsibilities (ID.GV-2) Internal Roles and External Partners

Roles and Responsibilities (ID.GV-2) Examine Additional Evidence

Roles and Responsibilities (ID.GV-2) Requirement Fullfillment

Regulatory Requirements (ID.GV-3) Legal and Regulatory Requirements

Regulatory Requirements (ID.GV-3) Examine Additional Evidence

Regulatory Requirements (ID.GV-3) Requirement Fullfillment


Governance and Risk Management Processes
(ID.GV-4) Risk Management Process
Governance and Risk Management Processes
(ID.GV-4) Examine Additional Evidence

Governance and Risk Management Processes


(ID.GV-4) Requirement Fullfillment

Asset Vulnerabilities (ID.RA-1) Asset Vulnerabilities

Asset Vulnerabilities (ID.RA-1) Examine Additional Evidence

Asset Vulnerabilities (ID.RA-1) Requirement Fullfillment

Threat Information (ID.RA-2) Cyber Threat Intelligence

Threat Information (ID.RA-2) Examine Additional Evidence

Threat Information (ID.RA-2) Requirement Fullfillment


Threat Identification (ID.RA-3) Identify Threats

Threat Identification (ID.RA-3) Examine Additional Evidence

Threat Identification (ID.RA-3) Requirement Fullfillment

Business Impacts (ID.RA-4) Identify Business Impacts

Business Impacts (ID.RA-4) Examine Additional Evidence

Business Impacts (ID.RA-4) Requirement Fullfillment

Threat Analysis (ID.RA-5) Determining Risk

Threat Analysis (ID.RA-5) Examine Additional Evidence

Threat Analysis (ID.RA-5) Requirement Fullfillment


Risk Responses (ID.RA-6) Risk Responses

Risk Responses (ID.RA-6) Examine Additional Evidence

Risk Responses (ID.RA-6) Requirement Fullfillment

Risk Management Processes (ID.RM-1) Risk Management Processes

Risk Management Processes (ID.RM-1) Examine Additional Evidence

Risk Management Processes (ID.RM-1) Requirement Fullfillment

Risk Tolerance (ID.RM-2) Organizational Risk Tolerance

Risk Tolerance (ID.RM-2) Examine Additional Evidence

Risk Tolerance (ID.RM-2) Requirement Fullfillment


Sector Risk Analysis (ID.RM-3) Determining Risk Tolerance

Sector Risk Analysis (ID.RM-3) Examine Additional Evidence

Sector Risk Analysis (ID.RM-3) Requirement Fullfillment

Credential Management (PR.AC-1) Managing Identities and Credentials

Credential Management (PR.AC-1) Examine Additional Evidence

Credential Management (PR.AC-1) Requirement Fullfillment

Physical Access (PR.AC-2) Managing Physical Access

Physical Access (PR.AC-2) Examine Additional Evidence


Physical Access (PR.AC-2) Requirement Fullfillment

Remote Access (PR.AC-3) Managing Remote Access

Remote Access (PR.AC-3) Examine Additional Evidence

Remote Access (PR.AC-3) Requirement Fullfillment

Access Permissions (PR.AC-4) Managing Access Permissions

Access Permissions (PR.AC-4) Examine Additional Evidence

Access Permissions (PR.AC-4) Requirement Fullfillment

Network Integrity (PR.AC-5) Protect Network Integrity

Network Integrity (PR.AC-5) Examine Additional Evidence


Network Integrity (PR.AC-5) Requirement Fullfillment

Identity Management (PR.AC-6) Identity Assertion

Identity Management (PR.AC-6) Examine Additional Evidence

Identity Management (PR.AC-6) Requirement Fullfillment

Asset Authentication (PR.AC-7) Commensurate Authentication

Asset Authentication (PR.AC-7) Examine Additional Evidence

Asset Authentication (PR.AC-7) Requirement Fullfillment

Employee Training (PR.AT-1) User Training

Employee Training (PR.AT-1) Examine Additional Evidence


Employee Training (PR.AT-1) Requirement Fullfillment

Privileged Users (PR.AT-2) Privileged Users

Privileged Users (PR.AT-2) Examine Additional Evidence

Privileged Users (PR.AT-2) Requirement Fullfillment

Third Party Stakeholders (PR.AT-3) Third-Party Stakeholders

Third Party Stakeholders (PR.AT-3) Examine Additional Evidence

Third Party Stakeholders (PR.AT-3) Requirement Fullfillment

Senior Executives (PR.AT-4) Senior Executives

Senior Executives (PR.AT-4) Examine Additional Evidence


Senior Executives (PR.AT-4) Requirement Fullfillment

Security Personnel (PR.AT-5) Physical/Information Security Personnel

Security Personnel (PR.AT-5) Examine Additional Evidence

Security Personnel (PR.AT-5) Requirement Fullfillment

Data-at-Rest (PR.DS-1) Protect Data-At-Rest

Data-at-Rest (PR.DS-1) Examine Additional Evidence

Data-at-Rest (PR.DS-1) Requirement Fullfillment

Data-in-transit (PR.DS-2) Protect Data-In-Transit

Data-in-transit (PR.DS-2) Examine Additional Evidence


Data-in-transit (PR.DS-2) Requirement Fullfillment

Asset Management (PR.DS-3) Managing Assets

Asset Management (PR.DS-3) Examine Additional Evidence

Asset Management (PR.DS-3) Requirement Fullfillment

Capacity (PR.DS-4) Ensuring Availability

Capacity (PR.DS-4) Examine Additional Evidence

Capacity (PR.DS-4) Requirement Fullfillment

Data Leaks (PR.DS-5) Protection Against Data Leaks

Data Leaks (PR.DS-5) Examine Additional Evidence


Data Leaks (PR.DS-5) Requirement Fullfillment

Integrity Verification (PR.DS-6) Software Integrity Checking

Integrity Verification (PR.DS-6) Examine Additional Evidence

Integrity Verification (PR.DS-6) Requirement Fullfillment

Separate Development/Production
Development and Testing (PR.DS-7) Environments

Development and Testing (PR.DS-7) Examine Additional Evidence

Development and Testing (PR.DS-7) Requirement Fullfillment

Hardware Integrity Checking (PR.DS-8) Hardware Integrity Checking


Hardware Integrity Checking (PR.DS-8) Examine Additional Evidence

Hardware Integrity Checking (PR.DS-8) Requirement Fullfillment

Baseline Configuration (PR.IP-1) Baseline Configuration

Baseline Configuration (PR.IP-1) Examine Additional Evidence

Baseline Configuration (PR.IP-1) Requirement Fullfillment

System Development Lifecycle (PR.IP-2) System Development Life Cycle

System Development Lifecycle (PR.IP-2) Examine Additional Evidence

System Development Lifecycle (PR.IP-2) Requirement Fullfillment


Configuration Change Control (PR.IP-3) Configuration Management

Configuration Change Control (PR.IP-3) Examine Additional Evidence

Configuration Change Control (PR.IP-3) Requirement Fullfillment

Information Backups (PR.IP-4) Information Backups

Information Backups (PR.IP-4) Examine Additional Evidence

Information Backups (PR.IP-4) Requirement Fullfillment

Physical Operating Environment (PR.IP-5) Physical Operating Environment

Physical Operating Environment (PR.IP-5) Examine Additional Evidence

Physical Operating Environment (PR.IP-5) Requirement Fullfillment


Data Destruction (PR.IP-6) Data Destruction

Data Destruction (PR.IP-6) Examine Additional Evidence

Data Destruction (PR.IP-6) Requirement Fullfillment

Protection Processes (PR.IP-7) Protection Process Improvement

Protection Processes (PR.IP-7) Examine Additional Evidence

Protection Processes (PR.IP-7) Requirement Fullfillment

Protection Technologies (PR.IP-8) Sharing Protection Effectiveness

Protection Technologies (PR.IP-8) Examine Additional Evidence

Protection Technologies (PR.IP-8) Requirement Fullfillment


Response Plans (PR.IP-9) Response and Recovery Plans

Response Plans (PR.IP-9) Examine Additional Evidence

Response Plans (PR.IP-9) Requirement Fullfillment

Plan Testing (PR.IP-10) Testing Response and Recovery Plans

Plan Testing (PR.IP-10) Examine Additional Evidence

Plan Testing (PR.IP-10) Requirement Fullfillment

HR Practices (PR.IP-11) Cybersecurity HR Practices

HR Practices (PR.IP-11) Examine Additional Evidence

HR Practices (PR.IP-11) Requirement Fullfillment


Vulnerability Management Plan (PR.IP-12) Vulnerability Management Plan

Vulnerability Management Plan (PR.IP-12) Examine Additional Evidence

Vulnerability Management Plan (PR.IP-12) Requirement Fullfillment

Assets Maintenance and Repair (PR.MA-1) Maintenance/Repaire Logs

Assets Maintenance and Repair (PR.MA-1) Examine Additional Evidence

Assets Maintenance and Repair (PR.MA-1) Requirement Fullfillment

Remote Maintenance (PR.MA-2) Remote Maintenance Logs

Remote Maintenance (PR.MA-2) Examine Additional Evidence


Remote Maintenance (PR.MA-2) Requirement Fullfillment

Audit/log Records (PR.PT-1) Audit/Log Records

Audit/log Records (PR.PT-1) Examine Additional Evidence

Audit/log Records (PR.PT-1) Requirement Fullfillment

Removable Media (PR.PT-2) Protecting Removable Media

Removable Media (PR.PT-2) Examine Additional Evidence

Removable Media (PR.PT-2) Requirement Fullfillment

Controlled Access (PR.PT-3) Incorporate Principle of Least Functionality


Controlled Access (PR.PT-3) Examine Additional Evidence

Requirement Fullfillment
Communications and Control Networks (PR.PT- Protecting Communication and Control
4) Networks
Communications and Control Networks (PR.PT-
4) Examine Additional Evidence

Communications and Control Networks (PR.PT-


4) Requirement Fullfillment

Mechanisms for Resilience Requirements


(PR.PT-5) Mechanisms for Resilience Requirements
Mechanisms for Resilience Requirements
(PR.PT-5) Examine Additional Evidence

Mechanisms for Resilience Requirements


(PR.PT-5) Requirement Fullfillment
Network Operations Baseline (DE.AE-1) Network Operations Baseline

Network Operations Baseline (DE.AE-1) Examine Additional Evidence

Network Operations Baseline (DE.AE-1) Requirement Fulfillment

Event Analysis (DE.AE-2) Analyzing Detected Events

Event Analysis (DE.AE-2) Examine Additional Evidence

Event Analysis (DE.AE-2) Requirement Fulfillment

Event Data Aggregation (DE.AE-3) Aggregating Event Data

Event Data Aggregation (DE.AE-3) Examine Additional Evidence

Event Data Aggregation (DE.AE-3) Requirement Fulfillment

Impact of Events (DE.AE-4) Determine Impact of Events

Impact of Events (DE.AE-4) Examine Additional Evidence

Impact of Events (DE.AE-4) Requirement Fulfillment

Incident Alerting (DE.AE-5) Incident Alert Thresholds

Incident Alerting (DE.AE-5) Examine Additional Evidence

Incident Alerting (DE.AE-5) Requirement Fulfillment

Network Monitoring (DE.CM-1) Network Monitoring

Network Monitoring (DE.CM-1) Examine Additional Evidence

Network Monitoring (DE.CM-1) Requirement Fulfillment

Physical Environment (DE.CM-2) Physical Environment Monitoring

Physical Environment (DE.CM-2) Examine Additional Evidence

Physical Environment (DE.CM-2) Requirement Fulfillment

Personnel Activity (DE.CM-3) Personnel Activity Monitoring

Personnel Activity (DE.CM-3) Examine Additional Evidence

Personnel Activity (DE.CM-3) Requirement Fulfillment

Malicious Code (DE.CM-4) Detect Malicious Code

Malicious Code (DE.CM-4) Examine Additional Evidence

Malicious Code (DE.CM-4) Requirement Fulfillment

Unauthorized Mobile Code (DE.CM-5) Detect Unauthorized Mobile Code

Unauthorized Mobile Code (DE.CM-5) Examine Additional Evidence

Unauthorized Mobile Code (DE.CM-5) Requirement Fulfillment

Service Provider Monitoring (DE.CM-6) Service Provider Monitoring

Service Provider Monitoring (DE.CM-6) Examine Additional Evidence

Service Provider Monitoring (DE.CM-6) Requirement Fulfillment

Environment Monitoring (DE.CM-7) Environment Monitoring

Environment Monitoring (DE.CM-7) Examine Additional Evidence

Environment Monitoring (DE.CM-7) Requirement Fulfillment

Vulnerability Scanning (DE.CM-8) Vulnerability Scans

Vulnerability Scanning (DE.CM-8) Examine Additional Evidence

Vulnerability Scanning (DE.CM-8) Requirement Fulfillment

Roles and Responsibilities (DE.DP-1) Detection Roles and Responsibilities

Roles and Responsibilities (DE.DP-1) Examine Additional Evidence

Roles and Responsibilities (DE.DP-1) Requirement Fulfillment

Detection Compliance (DE.DP-2) Detection Activity Compliance

Detection Compliance (DE.DP-2) Examine Additional Evidence

Detection Compliance (DE.DP-2) Requirement Fulfillment

Detection Testing (DE.DP-3) Testing Detection Processes

Detection Testing (DE.DP-3) Examine Additional Evidence

Detection Testing (DE.DP-3) Requirement Fulfillment

Event Detection (DE.DP-4) Communication Event Information

Event Detection (DE.DP-4) Examine Additional Evidence

Event Detection (DE.DP-4) Requirement Fulfillment

Detection Process Improvement (DE.DP-5) Improving Detection Processes

Detection Process Improvement (DE.DP-5) Examine Additional Evidence

Detection Process Improvement (DE.DP-5) Requirement Fulfillment

Response Plan (RS.RP-1) Response Plan Execution

Response Plan (RS.RP-1) Examine Additional Evidence

Response Plan (RS.RP-1) Requirement Fulfillment

Roles and Responsibilities (RS.CO-1) Response Roles and Responsibilities

Roles and Responsibilities (RS.CO-1) Examine Additional Evidence

Roles and Responsibilities (RS.CO-1) Requirement Fulfillment

Incident Reporting (RS.CO-2) Event Reporting

Incident Reporting (RS.CO-2) Examine Additional Evidence

Incident Reporting (RS.CO-2) Requirement Fulfillment

Information Sharing (RS.CO-3) Incident Information Sharing

Information Sharing (RS.CO-3) Examine Additional Evidence

Information Sharing (RS.CO-3) Requirement Fulfillment

Stakeholder Coordination (RS.CO-4) Coordination with Stakeholders

Stakeholder Coordination (RS.CO-4) Examine Additional Evidence

Stakeholder Coordination (RS.CO-4) Requirement Fulfillment

External Information Sharing (RS.CO-5) Voluntary Information Sharing

External Information Sharing (RS.CO-5) Examine Additional Evidence

External Information Sharing (RS.CO-5) Requirement Fulfillment

Notifications (RS.AN-1) Investigating Notifications

Notifications (RS.AN-1) Examine Additional Evidence

Notifications (RS.AN-1) Requirement Fulfillment

Incident Impact (RS.AN-2) Incident Impact

Incident Impact (RS.AN-2) Examine Additional Evidence

Incident Impact (RS.AN-2) Requirement Fulfillment

Forensics (RS.AN-3) Performing Forensics

Forensics (RS.AN-3) Examine Additional Evidence

Forensics (RS.AN-3) Requirement Fulfillment

Incident Categorization (RS.AN-4) Categorizing Incidents

Incident Categorization (RS.AN-4) Examine Additional Evidence

Incident Categorization (RS.AN-4) Requirement Fulfillment

Vulnerability Management (RS.AN-5) Vulnerability Response Process

Vulnerability Management (RS.AN-5) Examine Additional Evidence

Vulnerability Management (RS.AN-5) Requirement Fulfillment

Incident Containment (RS.MI-1) Containing Incidents

Incident Containment (RS.MI-1) Examine Additional Evidence

Incident Containment (RS.MI-1) Requirement Fulfillment

Incident Mitigation (RS.MI-2) Mitigating Incidents

Incident Mitigation (RS.MI-2) Examine Additional Evidence

Incident Mitigation (RS.MI-2) Requirement Fulfillment

Vulnerability Identification (RS.MI-3) Newly Identified Vulnerabilities

Vulnerability Identification (RS.MI-3) Examine Additional Evidence

Vulnerability Identification (RS.MI-3) Requirement Fulfillment

Lessons Learned (RS.IM-1) Response Plan Lessons Learned

Lessons Learned (RS.IM-1) Examine Additional Evidence

Lessons Learned (RS.IM-1) Requirement Fulfillment

Response Strategies (RS.IM-2) Updating Response Strategies

Response Strategies (RS.IM-2) Examine Additional Evidence

Response Strategies (RS.IM-2) Requirement Fulfillment

Recovery Plan (RC.RP-1) Recovery Plan Execution

Recovery Plan (RC.RP-1) Examine Additional Evidence

Recovery Plan (RC.RP-1) Requirement Fulfillment

Lessons Learned (RC.IM-1) Recovery Plan Lessons Learned

Lessons Learned (RC.IM-1) Examine Additional Evidence

Lessons Learned (RC.IM-1) Requirement Fulfillment

Recovery Strategies (RC.IM-2) Updating Recovery Strategies

Recovery Strategies (RC.IM-2) Examine Additional Evidence

Recovery Strategies (RC.IM-2) Requirement Fulfillment

Public Relations (RC.CO-1) Public Relations Management

Public Relations (RC.CO-1) Examine Additional Evidence

Public Relations (RC.CO-1) Requirement Fulfillment

Reputation Management (RC.CO-2) Repairing Reputation

Reputation Management (RC.CO-2) Examine Additional Evidence

Reputation Management (RC.CO-2) Requirement Fulfillment

Recovery Communications (RC.CO-3) Communicating Recovery Activities

Recovery Communications (RC.CO-3) Examine Additional Evidence

Recovery Communications (RC.CO-3) Requirement Fulfillment

Organization - Cyber Supply Chain Risk Management Process (ID.SC-1) Organizational Cyber Supply Chain Risk Management

Organization - Cyber Supply Chain Risk Management Process (ID.SC-1) Examine Additional Evidence

Organization - Cyber Supply Chain Risk Management Process (ID.SC-1) Requirement Fulfillment

Supplier - Cyber Supply Chain Risk Management Process (ID.SC-2) Supplier Cyber Supply Chain Risk Management

Supplier - Cyber Supply Chain Risk Management Process (ID.SC-2) Examine Additional Evidence

Supplier - Cyber Supply Chain Risk Management Process (ID.SC-2) Requirement Fulfillment

Supplier Contracts (ID.SC-3) Supplier Contracts

Supplier Contracts (ID.SC-3) Examine Additional Evidence

Supplier Contracts (ID.SC-3) Requirement Fulfillment

Supplier Assessments (ID.SC-4) Evaluating Supplier Security

Supplier Assessments (ID.SC-4) Examine Additional Evidence

Supplier Assessments (ID.SC-4) Requirement Fulfillment

Response and Recovery Planning and Testing (ID.SC-5) Response and Recovery Testing with Suppliers

Response and Recovery Planning and Testing (ID.SC-5) Examine Additional Evidence

Response and Recovery Planning and Testing (ID.SC-5) Requirement Fulfillment

Action Items Assigned To (must be a User in Apptega)
Verify that physical devices and systems within the organization
are inventoried.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.

Verify that software platforms and applications within the
organization are inventoried.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify that organizational communication and data flows are
mapped.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify that external information systems are catalogued.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify that resources (e.g., hardware, devices, data, and software)
are prioritized based on their classification, criticality, and business
value.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.

Verify that cybersecurity roles and responsibilities for the entire
workforce and third-party stakeholders (e.g., suppliers, customers,
partners) are established.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.

Verify the organization’s role in the supply chain is identified and
communicated.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify the organization’s place in critical infrastructure and its
industry sector is identified and communicated.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify priorities for organizational mission, objectives, and
activities are established and communicated.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify dependencies and critical functions for delivery of critical
services are established.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.

Verify that resilience requirements to support delivery of critical
services are established for all operating states (e.g. under
duress/attack, during recovery, normal operations).

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify organizational cybersecurity policy is established and
communicated.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify cybersecurity roles and responsibilities are coordinated and
aligned with internal roles and external partners.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.

Verify legal and regulatory requirements regarding cybersecurity,
including privacy and civil liberties obligations, are understood and
managed.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify governance and risk management processes address
cybersecurity risks.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify that asset vulnerabilities are identified and documented.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify cyber threat intelligence is received from information
sharing forums and sources.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify that internal and external threats are identified and
documented.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify potential business impacts and likelihoods are identified.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify that threats, vulnerabilities, likelihoods, and impacts are
used to determine risk.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify risk responses are identified and prioritized.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify risk management processes are established, managed, and
agreed to by organizational stakeholders.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify organizational risk tolerance is determined and clearly
expressed.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify the organization’s determination of risk tolerance is
informed by its role in critical infrastructure and sector specific risk
analysis.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify identities and credentials are managed for authorized
devices and users.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify physical access to assets is managed and protected.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify remote access is managed.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify access permissions are managed and incorporate the
principles of least privilege and separation of duties.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify network integrity is protected and incorporates network
segregation where appropriate.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify identities are proofed and bound to credentials and
asserted in interactions.

Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

The Informative References provided in the Additional Guidance
associated with this subcontrol provide broad references that are
more technical than the framework itself. Your organization may
wish to use some, none, or all of these references to inform the
activities that are undertaken to achieve the outcome described in
the Overview above. Regardless of what activities are selected to
meet the intent of this requirement, you should document the
activities and provide sufficient evidence that addresses this. If one
or more of the Informative References mentioned are employed,
identify which ones were employed as well.
Verify users, devices, and other assets are authenticated commensurate with the risk of the transaction.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify all users are informed and trained.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify privileged users understand roles & responsibilities.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify third-party stakeholders understand roles & responsibilities.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify senior executives understand roles & responsibilities.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify physical and information security personnel understand roles & responsibilities.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify data-at-rest is protected.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify data-in-transit is protected.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify assets are formally managed throughout removal, transfers, and disposition.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify adequate capacity to ensure availability is maintained.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify protections against data leaks are implemented.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify that integrity checking mechanisms are used to verify software, firmware, and information integrity.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify the development and testing environment(s) are separate from the production environment.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify integrity checking mechanisms are used to verify hardware integrity.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify that a baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify that a System Development Life Cycle to manage systems is implemented.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify configuration change control processes are in place.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify backups of information are conducted, maintained, and tested periodically.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify policy and regulations regarding the physical operating environment for organizational assets are met.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify data is destroyed according to policy.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify protection processes are continuously improved.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify effectiveness of protection technologies is shared with appropriate parties.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify response and recovery plans are in place and managed.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify response and recovery plans are tested.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify a vulnerability management plan is developed and implemented.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify removable media is protected and its use restricted according to policy.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify the principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify communications and control networks are protected.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify a baseline of network operations and expected data flows for users and systems is established and managed.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify detected events are analyzed to understand attack targets and methods.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify event data is aggregated and correlated from multiple sources and sensors.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify impact of events is determined.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify incident alert thresholds are established.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify the network is monitored to detect potential cybersecurity events.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify the physical environment is monitored to detect potential cybersecurity events.
Examine additional mechanisms, documentation, or evidence artifacts related to the subcontrol.
Verify personnel activity is monitored to detect potential
cybersecurity events.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify malicious code is detected.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify unauthorized mobile code is detected.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify external service provider activity is monitored to detect
potential cybersecurity events.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify monitoring for unauthorized personnel, connections,
devices, and software is performed.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify vulnerability scans are performed.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify roles and responsibilities for detection are well defined to
ensure accountability.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify detection activities comply with all applicable requirements.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify detection processes are tested.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify event detection information is communicated to
appropriate parties.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify detection processes are continuously improved.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify response plan is executed during or after an event.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify personnel know their roles and order of operations when a
response is needed.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify events are reported consistent with established criteria.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify information is shared consistent with response plans.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify coordination with stakeholders occurs consistent with
response plans.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify voluntary information sharing occurs with external
stakeholders to achieve broader cybersecurity situational
awareness.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify notifications from detection systems are investigated.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify the impact of the incident is understood.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify forensics are performed.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify incidents are categorized consistent with response plans.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers).
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify mechanisms are in place to contain incidents.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

Verify mechanisms are in place to mitigate incidents.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify newly identified vulnerabilities are mitigated or
documented as accepted risks.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify response plans incorporate lessons learned.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.

Verify response strategies are kept up-to-date.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify recovery plan is executed during or after an event.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify recovery plans incorporate lessons learned.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify recovery strategies are kept up-to-date.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify procedures are in place to manage public relations after an
incident.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify processes are in place to repair reputation after an event.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify recovery activities are communicated to internal
stakeholders and executive and management teams.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify cyber supply chain risk management processes are
identified, established, assessed, managed, and agreed to by
organizational stakeholders.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify suppliers and third party partners of information systems,
components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify contracts with suppliers and third-party partners are used to
implement appropriate measures designed to meet the objectives
of an organization's cybersecurity program.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify suppliers and third-party partners are routinely assessed
using audits, test results, or other forms of evaluations to confirm
they are meeting their contractual obligations.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.
Verify response and recovery planning and testing are conducted
with suppliers and third-party providers.
Examine additional mechanisms, documentation, or evidence
artifacts related to the subcontrol.