NIST Cybersecurity Framework (CSF) 2.0

Title: The NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user-generated version of the Core.
Change Log: Final
The NIST Cybersecurity Framework 2.0: www.nist.gov/cyberframework

Function / Category / Subcategory

GOVERN (GV): The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

  Organizational Context (GV.OC): The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood
    GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
    GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
    GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated

  Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
    GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
    GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
    GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
    GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions

  Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
    GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
    GV.RR-04: Cybersecurity is included in human resources practices

  Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced
    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

  Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

  Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

IDENTIFY (ID): The organization's current cybersecurity risks are understood

  Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy
    ID.AM-01: Inventories of hardware managed by the organization are maintained
    ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
    ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained
    ID.AM-04: Inventories of services provided by suppliers are maintained
    ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
    ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
    ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
    ID.AM-06: [Withdrawn: Incorporated into GV.RR-02, GV.SC-02]

  Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization
    ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
    ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-03: Internal and external threats to the organization are identified and recorded
    ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
    ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
    ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established
    ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
    ID.RA-10: Critical suppliers are assessed prior to acquisition

  Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions
    ID.IM-01: Improvements are identified from evaluations
    ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
    ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
    ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

  Business Environment (ID.BE): [Withdrawn: Incorporated into GV.OC]
    ID.BE-01: [Withdrawn: Incorporated into GV.OC-05]
    ID.BE-02: [Withdrawn: Incorporated into GV.OC-01]
    ID.BE-03: [Withdrawn: Incorporated into GV.OC-01]
    ID.BE-04: [Withdrawn: Incorporated into GV.OC-04, GV.OC-05]
    ID.BE-05: [Withdrawn: Incorporated into GV.OC-04]

  Governance (ID.GV): [Withdrawn: Incorporated into GV]
    ID.GV-01: [Withdrawn: Incorporated into GV.PO, GV.PO-01, GV.PO-02]
    ID.GV-02: [Withdrawn: Incorporated into GV.OC-02, GV.RR, GV.RR-02]
    ID.GV-03: [Withdrawn: Moved to GV.OC-03]
    ID.GV-04: [Withdrawn: Moved to GV.RM-04]

  Risk Management Strategy (ID.RM): [Withdrawn: Incorporated into GV.RM]
    ID.RM-01: [Withdrawn: Incorporated into GV.RM-01, GV.RM-06, GV.RR-03]
    ID.RM-02: [Withdrawn: Incorporated into GV.RM-02, GV.RM-04]
    ID.RM-03: [Withdrawn: Moved into GV.RM-02]

  Supply Chain Risk Management (ID.SC): [Withdrawn: Incorporated into GV.SC]
    ID.SC-01: [Withdrawn: Incorporated into GV.RM-05, GV.SC-01, GV.SC-06, GV.SC-09, GV.SC-10]
    ID.SC-02: [Withdrawn: Incorporated into GV.OC-02, GV.SC-03, GV.SC-04, GV.SC-07, ID.RA-10]
    ID.SC-03: [Withdrawn: Moved to GV.SC-05]
    ID.SC-04: [Withdrawn: Incorporated into GV.SC-07, ID.RA-10]
    ID.SC-05: [Withdrawn: Incorporated into GV.SC-08, ID.IM-02]

PROTECT (PR): Safeguards to manage the organization's cybersecurity risks are used

  Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access
    PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
    PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
    PR.AA-03: Users, services, and hardware are authenticated
    PR.AA-04: Identity assertions are protected, conveyed, and verified
    PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
    PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk

  Awareness and Training (PR.AT): The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
    PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
    PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
    PR.AT-03: [Withdrawn: Incorporated into PR.AT-01, PR.AT-02]
    PR.AT-04: [Withdrawn: Incorporated into PR.AT-02]
    PR.AT-05: [Withdrawn: Incorporated into PR.AT-02]

  Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information
    PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
    PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
    PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
    PR.DS-11: Backups of data are created, protected, maintained, and tested
    PR.DS-03: [Withdrawn: Incorporated into ID.AM-08, PR.PS-03]
    PR.DS-04: [Withdrawn: Moved to PR.IR-04]
    PR.DS-05: [Withdrawn: Incorporated into PR.DS-01, PR.DS-02, PR.DS-10]
    PR.DS-06: [Withdrawn: Incorporated into PR.DS-01, DE.CM-09]
    PR.DS-07: [Withdrawn: Incorporated into PR.IR-01]
    PR.DS-08: [Withdrawn: Incorporated into ID.RA-09, DE.CM-09]

  Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability
    PR.PS-01: Configuration management practices are established and applied
    PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
    PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
    PR.PS-04: Log records are generated and made available for continuous monitoring
    PR.PS-05: Installation and execution of unauthorized software are prevented
    PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

  Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience
    PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
    PR.IR-02: The organization's technology assets are protected from environmental threats
    PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
    PR.IR-04: Adequate resource capacity to ensure availability is maintained

  Identity Management, Authentication and Access Control (PR.AC): [Withdrawn: Moved to PR.AA]
    PR.AC-01: [Withdrawn: Incorporated into PR.AA-01, PR.AA-05]
    PR.AC-02: [Withdrawn: Moved to PR.AA-06]
    PR.AC-03: [Withdrawn: Incorporated into PR.AA-03, PR.AA-05, PR.IR-01]
    PR.AC-04: [Withdrawn: Moved to PR.AA-05]
    PR.AC-05: [Withdrawn: Incorporated into PR.IR-01]
    PR.AC-06: [Withdrawn: Moved to PR.AA-02]
    PR.AC-07: [Withdrawn: Moved to PR.AA-03]

  Information Protection Processes and Procedures (PR.IP): [Withdrawn: Incorporated into other Categories]
    PR.IP-01: [Withdrawn: Incorporated into PR.PS-01]
    PR.IP-02: [Withdrawn: Incorporated into ID.AM-08, PR.PS-06]
    PR.IP-03: [Withdrawn: Incorporated into PR.PS-01, ID.RA-07]
    PR.IP-04: [Withdrawn: Moved to PR.DS-11]
    PR.IP-05: [Withdrawn: Moved to PR.IR-02]
    PR.IP-06: [Withdrawn: Incorporated into ID.AM-08]
    PR.IP-07: [Withdrawn: Incorporated into ID.IM, ID.IM-03]
    PR.IP-08: [Withdrawn: Moved to ID.IM-03]
    PR.IP-09: [Withdrawn: Moved to ID.IM-04]
    PR.IP-10: [Withdrawn: Incorporated into ID.IM-02, ID.IM-04]
    PR.IP-11: [Withdrawn: Moved to GV.RR-04]
    PR.IP-12: [Withdrawn: Incorporated into ID.RA-01, PR.PS-02]

  Maintenance (PR.MA): [Withdrawn: Incorporated into ID.AM-08]
    PR.MA-01: [Withdrawn: Incorporated into ID.AM-08, PR.PS-03]
    PR.MA-02: [Withdrawn: Incorporated into ID.AM-08, PR.PS-02]

  Protective Technology (PR.PT): [Withdrawn: Incorporated into other Protect Categories]
    PR.PT-01: [Withdrawn: Incorporated into PR.PS-04]
    PR.PT-02: [Withdrawn: Incorporated into PR.DS-01, PR.PS-01]
    PR.PT-03: [Withdrawn: Incorporated into PR.PS-01]
    PR.PT-04: [Withdrawn: Incorporated into PR.AA-06, PR.IR-01]
    PR.PT-05: [Withdrawn: Moved to PR.IR-03]

DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed

  Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
    DE.CM-01: Networks and network services are monitored to find potentially adverse events
    DE.CM-02: The physical environment is monitored to find potentially adverse events
    DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
    DE.CM-06: External service provider activities and services are monitored to find potentially adverse events
    DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
    DE.CM-04: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09]
    DE.CM-05: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09]
    DE.CM-07: [Withdrawn: Incorporated into DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09]
    DE.CM-08: [Withdrawn: Incorporated into ID.RA-01]

  Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents
    DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
    DE.AE-03: Information is correlated from multiple sources
    DE.AE-04: The estimated impact and scope of adverse events are understood
    DE.AE-06: Information on adverse events is provided to authorized staff and tools
    DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis
    DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
    DE.AE-01: [Withdrawn: Incorporated into ID.AM-03]
    DE.AE-05: [Withdrawn: Moved to DE.AE-08]

  Detection Processes (DE.DP): [Withdrawn: Incorporated into other Categories and Functions]
    DE.DP-01: [Withdrawn: Incorporated into GV.RR-02]
    DE.DP-02: [Withdrawn: Incorporated into DE.AE]
    DE.DP-03: [Withdrawn: Incorporated into ID.IM-02]
    DE.DP-04: [Withdrawn: Incorporated into DE.AE-06]
    DE.DP-05: [Withdrawn: Incorporated into ID.IM, ID.IM-03]

RESPOND (RS): Actions regarding a detected cybersecurity incident are taken

  Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed
    RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
    RS.MA-02: Incident reports are triaged and validated
    RS.MA-03: Incidents are categorized and prioritized
    RS.MA-04: Incidents are escalated or elevated as needed
    RS.MA-05: The criteria for initiating incident recovery are applied

  Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities
    RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
    RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
    RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
    RS.AN-08: An incident's magnitude is estimated and validated
    RS.AN-01: [Withdrawn: Incorporated into RS.MA-02]
    RS.AN-02: [Withdrawn: Incorporated into RS.MA-02, RS.MA-03, RS.MA-04]
    RS.AN-04: [Withdrawn: Moved to RS.MA-03]
    RS.AN-05: [Withdrawn: Moved to ID.RA-08]

  Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
    RS.CO-02: Internal and external stakeholders are notified of incidents
    RS.CO-03: Information is shared with designated internal and external stakeholders
    RS.CO-01: [Withdrawn: Incorporated into PR.AT-01]
    RS.CO-04: [Withdrawn: Incorporated into RS.MA-01, RS.MA-04]
    RS.CO-05: [Withdrawn: Incorporated into RS.CO-03]

  Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects
    RS.MI-01: Incidents are contained
    RS.MI-02: Incidents are eradicated
    RS.MI-03: [Withdrawn: Incorporated into ID.RA-06]

  Response Planning (RS.RP): [Withdrawn: Incorporated into RS.MA]
    RS.RP-01: [Withdrawn: Incorporated into RS.MA-01]

  Improvements (RS.IM): [Withdrawn: Incorporated into ID.IM]
    RS.IM-01: [Withdrawn: Incorporated into ID.IM-03, ID.IM-04]
    RS.IM-02: [Withdrawn: Incorporated into ID.IM-03]

RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored

  Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents
    RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
    RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
    RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
    RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
    RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
    RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed

  Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties
    RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
    RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
    RC.CO-01: [Withdrawn: Incorporated into RC.CO-04]
    RC.CO-02: [Withdrawn: Incorporated into RC.CO-04]

  Improvements (RC.IM): [Withdrawn: Incorporated into ID.IM]
    RC.IM-01: [Withdrawn: Incorporated into ID.IM-03, ID.IM-04]
    RC.IM-02: [Withdrawn: Incorporated into ID.IM-03]

Implementation Examples / Informative References

The export lists the first implementation example (Ex1) for each Subcategory that has one, followed by the Informative References mapped to that Function, Category, or Subcategory (CRI Profile v2.0, CIS Controls v8.0, and CSF v1.1).

GOVERN (GV)
  References: CRI Profile v2.0: GV; CSF v1.1: ID.GV

  Organizational Context (GV.OC)
    References: CRI Profile v2.0: GV.OC; CSF v1.1: ID.BE
    GV.OC-01
      Ex1: Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede the mission
      References: CRI Profile v2.0: GV.OC-01, GV.OC-01.01
    GV.OC-02
      Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
      References: CRI Profile v2.0: GV.OC-02, GV.OC-02.01
    GV.OC-03
      Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
      References: CRI Profile v2.0: GV.OC-03, GV.OC-03.01
    GV.OC-04
      Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
      References: CRI Profile v2.0: GV.OC-04, GV.OC-04.01
    GV.OC-05
      Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
      References: CRI Profile v2.0: GV.OC-05, GV.OC-05.01

  Risk Management Strategy (GV.RM)
    References: CRI Profile v2.0: GV.RM; CSF v1.1: ID.RM
    GV.RM-01
      Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
      References: CRI Profile v2.0: GV.RM-01, GV.RM-01.01
    GV.RM-02
      Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
      References: CRI Profile v2.0: GV.RM-02, GV.RM-02.01
    GV.RM-03
      Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
      References: CRI Profile v2.0: GV.RM-03, GV.RM-03.01
    GV.RM-04
      Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
      References: CRI Profile v2.0: GV.RM-04, GV.RM-04.01
    GV.RM-05
      Ex1: Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals
      References: CRI Profile v2.0: GV.RM-05, GV.RM-05.01
    GV.RM-06
      Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
      References: CRI Profile v2.0: GV.RM-06, GV.RM-06.01
    GV.RM-07
      Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions
      References: CRI Profile v2.0: GV.RM-07, GV.RM-07.01

  Roles, Responsibilities, and Authorities (GV.RR)
    References: CRI Profile v2.0: GV.RR; CSF v1.1: ID.GV-2
    GV.RR-01
      Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy
      References: CIS Controls v8.0: 14.1; CRI Profile v2.0: GV.RR-01
    GV.RR-02
      Ex1: Document risk management roles and responsibilities in policy
      References: CIS Controls v8.0: 14.9; CRI Profile v2.0: GV.RR-02
    GV.RR-03
      Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
      References: CRI Profile v2.0: GV.RR-03, GV.RR-03.01
    GV.RR-04
      Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
      References: CIS Controls v8.0: 6.1, 6.2

  Policy (GV.PO)
    References: CRI Profile v2.0: GV.PO; CSF v1.1: ID.GV-1
    GV.PO-01
      Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
      References: CRI Profile v2.0: GV.PO-01, GV.PO-01.01
    GV.PO-02
      Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
      References: CRI Profile v2.0: GV.PO-02, GV.PO-02.01

  Oversight (GV.OV)
    References: CRI Profile v2.0: GV.OV
    GV.OV-01
      Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives
      References: CRI Profile v2.0: GV.OV-01, GV.OV-01.01
    GV.OV-02
      Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements
      References: CRI Profile v2.0: GV.OV-02, GV.OV-02.01
    GV.OV-03
      Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve cybersecurity objectives
      References: CRI Profile v2.0: GV.OV-03, GV.OV-03.01

  Cybersecurity Supply Chain Risk Management (GV.SC)
    References: CRI Profile v2.0: GV.SC; CSF v1.1: ID.SC
    GV.SC-01
      Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
      References: CIS Controls v8.0: 15.2; CRI Profile v2.0: GV.SC-01
    GV.SC-02
      Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
      References: CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-02
    GV.SC-03
      Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
      References: CRI Profile v2.0: GV.SC-03, GV.SC-03.01
    GV.SC-04
      Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission
      References: CIS Controls v8.0: 15.1, 15.3
    GV.SC-05
      Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
      References: CIS Controls v8.0: 15.4; CRI Profile v2.0: EX.CN
    GV.SC-06
      Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
      References: CIS Controls v8.0: 15.5; CRI Profile v2.0: EX.DD
    GV.SC-07
      Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
      References: CIS Controls v8.0: 15.6; CRI Profile v2.0: EX.MM
    GV.SC-08
      Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
      References: CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-08
    GV.SC-09
      Ex1: Policies and procedures require provenance records for all acquired technology products and services
      References: CIS Controls v8.0: 15.6; CRI Profile v2.0: GV.SC-09
    GV.SC-10
      Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
      References: CIS Controls v8.0: 15.7; CRI Profile v2.0: EX.TR

IDENTIFY (ID)
  References: CRI Profile v2.0: ID; CSF v1.1: ID

  Asset Management (ID.AM)
    References: CRI Profile v2.0: ID.AM; CSF v1.1: ID.AM
    ID.AM-01
      Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
      References: CIS Controls v8.0: 1.1; CRI Profile v2.0: ID.AM-01
    ID.AM-02
      Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
      References: CIS Controls v8.0: 2.1; CRI Profile v2.0: ID.AM-02
    ID.AM-03
      Ex1: Maintain baselines of communication and data flows within the organization's wired and wireless networks
      References: CIS Controls v8.0: 3.8; CRI Profile v2.0: ID.AM-03
    ID.AM-04
      Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
      References: CIS Controls v8.0: 15.1; CRI Profile v2.0: ID.AM-04
    ID.AM-05
      Ex1: Define criteria for prioritizing each class of assets
      References: CIS Controls v8.0: 3.7; CRI Profile v2.0: ID.AM-05
    ID.AM-07
      Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
      References: CIS Controls v8.0: 3.2; CRI Profile v2.0: ID.AM-07
    ID.AM-08
      Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
      References: CIS Controls v8.0: 1.1, 3.5

  Risk Assessment (ID.RA)
    References: CRI Profile v2.0: ID.RA; CSF v1.1: ID.RA
    ID.RA-01
      Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software
      References: CIS Controls v8.0: 7.1; CRI Profile v2.0: ID.RA-01
    ID.RA-02
      Ex1: Configure cybersecurity tools and technologies with detection or response capabilities to securely ingest cyber threat intelligence feeds
      References: CRI Profile v2.0: ID.RA-02, ID.RA-02.01
    ID.RA-03
      Ex1: Use cyber threat intelligence to maintain awareness of the types of threat sources and adversaries
      References: CRI Profile v2.0: ID.RA-03, ID.RA-03.01
    ID.RA-04
      Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers
      References: CRI Profile v2.0: ID.RA-04, ID.RA-04.01
    ID.RA-05
      Ex1: Develop threat models to better understand risks to the data and identify appropriate risk responses
      References: CRI Profile v2.0: ID.RA-05, ID.RA-05.01
    ID.RA-06
      Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk
      References: CRI Profile v2.0: ID.RA-06, ID.RA-06.01
    ID.RA-07
      Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions
      References: CRI Profile v2.0: ID.RA-07, ID.RA-07.01
    ID.RA-08
      Ex1: Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts
      References: CIS Controls v8.0: 7.2; CRI Profile v2.0: ID.RA-08
    ID.RA-09
      Ex1: Assess the authenticity and cybersecurity of critical technology products and services prior to acquisition and use
      References: CRI Profile v2.0: EX.DD-04, EX.DD-04.01
    ID.RA-10
      Ex1: Conduct supplier risk assessments against business and applicable cybersecurity requirements
      References: CRI Profile v2.0: EX.DD-03, EX.DD-03.01

  Improvement (ID.IM)
    References: CRI Profile v2.0: ID.IM; CSF v1.1: RS.IM
    ID.IM-01
      Ex1: Perform self-assessments of critical services that take current threats and TTPs into consideration
      References: CRI Profile v2.0: ID.IM-01, ID.IM-01.01
    ID.IM-02
      Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)
      References: CIS Controls v8.0: 17.7; CRI Profile v2.0: ID.IM-02
    ID.IM-03
      Ex1: Conduct collaborative lessons learned sessions with suppliers
      References: CRI Profile v2.0: ID.IM-03, ID.IM-03.01
    ID.IM-04
      Ex1: Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organization's mission and viability
      References: CRI Profile v2.0: ID.IM-04, ID.IM-04.01

PROTECT (PR)
  References: CRI Profile v2.0: PR; CSF v1.1: PR

  Identity Management, Authentication, and Access Control (PR.AA)
    References: CRI Profile v2.0: PR.AA; CSF v1.1: PR.AC
    PR.AA-01
      Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
      References: CIS Controls v8.0: 5.1, 6.7
    PR.AA-02
      Ex1: Verify a person's claimed identity at enrollment time using government-issued identity credentials (e.g., passport, visa, driver's license)
      References: CRI Profile v2.0: PR.AA-02, PR.AA-02.01
    PR.AA-03
      Ex1: Require multifactor authentication
      Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
      References: CRI Profile v2.0: PR.AA-03, PR.AA-03.01
    PR.AA-04
      Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems
      References: CRI Profile v2.0: PR.AA-04, PR.AA-04.01
    PR.AA-05
      Ex1: Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
      References: CIS Controls v8.0: 3.3, 6.8
    PR.AA-06
      Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access
      References: CRI Profile v2.0: PR.AA-06, PR.AA-06.01

  Awareness and Training (PR.AT)
    References: CRI Profile v2.0: PR.AT; CSF v1.1: PR.AT
    PR.AT-01
      Ex1: Provide basic cybersecurity awareness and training to employees, contractors, partners, suppliers, and all other users of the organization's non-public resources
      References: CIS Controls v8.0: 14.1; CRI Profile v2.0: PR.AT-01
    PR.AT-02
      Ex1: Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and personnel with access to business-critical data
      References: CIS Controls v8.0: 14.9; CRI Profile v2.0: PR.AT-02

  Data Security (PR.DS)
    References: CRI Profile v2.0: PR.DS; CSF v1.1: PR.DS
    PR.DS-01
      Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources
      References: CIS Controls v8.0: 3.11; CRI Profile v2.0: PR.DS-01
    PR.DS-02
      Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications
      References: CIS Controls v8.0: 3.10; CRI Profile v2.0: PR.DS-02
    PR.DS-10
      Ex1: Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
      References: CRI Profile v2.0: PR.DS-10, PR.DS-10.01
    PR.DS-11
      Ex1: Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
      References: CIS Controls v8.0: 11.2, 11.3

  Platform Security (PR.PS)
    References: CRI Profile v2.0: PR.PS
    PR.PS-01
      Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organization's cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
      References: CIS Controls v8.0: 4.1, 4.2
    PR.PS-02
      Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
      References: CIS Controls v8.0: 2.2, 2.3
    PR.PS-03
      Ex1: Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
      References: CIS Controls v8.0: 1.2; CRI Profile v2.0: PR.PS-03
    PR.PS-04
      Ex1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records
      References: CIS Controls v8.0: 8.2; CRI Profile v2.0: PR.PS-04
    PR.PS-05
      Ex1: When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorized software
      References: CIS Controls v8.0: 2.5; CRI Profile v2.0: PR.PS-05
    PR.PS-06
      Ex1: Protect all components of organization-developed software from tampering and unauthorized access
      References: CIS Controls v8.0: 16.1; CRI Profile v2.0: PR.PS-06

  Technology Infrastructure Resilience (PR.IR)
    References: CRI Profile v2.0: PR.IR
    PR.IR-01
      Ex1: Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
      References: CIS Controls v8.0: 3.12, 12.2
    PR.IR-02
      Ex1: Protect organizational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity
      References: CRI Profile v2.0: PR.IR-02, PR.IR-02.01
    PR.IR-03
      Ex1: Avoid single points of failure in systems and infrastructure
      References: CRI Profile v2.0: PR.IR-03, PR.IR-03.01
    PR.IR-04
      Ex1: Monitor usage of storage, power, compute, network bandwidth, and other resources
      References: CRI Profile v2.0: PR.IR-04, PR.IR-04.01

DETECT (DE)
  References: CRI Profile v2.0: DE; CSF v1.1: DE

  Continuous Monitoring (DE.CM)
    References: CRI Profile v2.0: DE.CM; CSF v1.1: DE.CM
    DE.CM-01
      Ex1: Monitor DNS, BGP, and other network services for adverse events
      References: CIS Controls v8.0: 13.1; CRI Profile v2.0: DE.CM-01
    DE.CM-02
      Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns and failed access attempts
      References: CRI Profile v2.0: DE.CM-02, DE.CM-02.01
    DE.CM-03
      Ex1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats
      References: CIS Controls v8.0: 10.7; CRI Profile v2.0: DE.CM-03
    DE.CM-06
      Ex1: Monitor remote and onsite administration and maintenance activities that external providers perform on organizational systems
      References: CIS Controls v8.0: 15.2, 15.6
    DE.CM-09
      Ex1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events
      References: CIS Controls v8.0: 10.1; CRI Profile v2.0: DE.CM-09

  Adverse Event Analysis (DE.AE)
    References: CRI Profile v2.0: DE.AE; CSF v1.1: DE.AE
    DE.AE-02
      Ex1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
      References: CIS Controls v8.0: 8.11; CRI Profile v2.0: DE.AE-02
    DE.AE-03
      Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers
      References: CRI Profile v2.0: DE.AE-03, DE.AE-03.01
    DE.AE-04
      Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates
      References: CRI Profile v2.0: DE.AE-04, DE.AE-04.01
    DE.AE-06
      Ex1: Use cybersecurity software to generate alerts and provide them to the security operations center (SOC), incident responders, and incident response tools
      References: CRI Profile v2.0: DE.AE-06, DE.AE-06.01
    DE.AE-07
      Ex1: Securely provide cyber threat intelligence feeds to detection technologies, processes, and personnel
      References: CRI Profile v2.0: DE.AE-07, DE.AE-07.01
    DE.AE-08
      Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
      References: CRI Profile v2.0: DE.AE-08, DE.AE-08.01

RESPOND (RS)
  References: CRI Profile v2.0: RS; CSF v1.1: RS

  Incident Management (RS.MA)
    References: CRI Profile v2.0: RS.MA; CSF v1.1: RS.RP
    RS.MA-01
      Ex1: Detection technologies automatically report confirmed incidents
      References: CIS Controls v8.0: 17.4; CRI Profile v2.0: RS.MA-01
    RS.MA-02
      Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related and necessitate incident response activities
      References: CRI Profile v2.0: RS.MA-02, RS.MA-02.01
    RS.MA-03
      Ex1: Further review and categorize incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise)
      References: CRI Profile v2.0: RS.MA-03, RS.MA-03.01
    RS.MA-04
      Ex1: Track and validate the status of all ongoing incidents
      References: CRI Profile v2.0: RS.MA-04, RS.MA-04.01
    RS.MA-05
      Ex1: Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated
      References: CIS Controls v8.0: 17.9; CRI Profile v2.0: RS.MA-05

  Incident Analysis (RS.AN)
    References: CRI Profile v2.0: RS.AN; CSF v1.1: RS.AN
    RS.AN-03
      Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
      References: CIS Controls v8.0: 17.8; CRI Profile v2.0: RS.AN-03
    RS.AN-06
      Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable
      References: CRI Profile v2.0: RS.AN-06, RS.AN-06.01
    RS.AN-07
      Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures
      References: CRI Profile v2.0: RS.AN-07, RS.AN-07.01
    RS.AN-08
      Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
      References: CRI Profile v2.0: RS.AN-08, RS.AN-08.01

  Incident Response Reporting and Communication (RS.CO)
    References: CRI Profile v2.0: RS.CO; CSF v1.1: RS.CO
    RS.CO-02
      Ex1: Follow the organization's breach notification procedures after discovering a data breach incident, including notifying affected customers
      References: CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-02
    RS.CO-03
      Ex1: Securely share information consistent with response plans and information sharing agreements
      References: CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-03

  Incident Mitigation (RS.MI)
    References: CRI Profile v2.0: RS.MI; CSF v1.1: RS.MI
    RS.MI-01
      Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform containment actions
      References: CRI Profile v2.0: RS.MI-01, RS.MI-01.01
    RS.MI-02
      Ex1: Cybersecurity technologies and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform eradication actions
      References: CRI Profile v2.0: RS.MI-02, RS.MI-02.01

RECOVER (RC)
  References: CRI Profile v2.0: RC; CSF v1.1: RC

  Incident Recovery Plan Execution (RC.RP)
    References: CRI Profile v2.0: RC.RP; CSF v1.1: RC.RP
    RC.RP-01
      Ex1: Begin recovery procedures during or after incident response processes
      References: CRI Profile v2.0: RC.RP-01, RC.RP-01.01
    RC.RP-02
      Ex1: Select recovery actions based on the criteria defined in the incident response plan and available resources
      References: CRI Profile v2.0: RC.RP-02, RC.RP-02.01
    RC.RP-03
      Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use
      References: CIS Controls v8.0: 11.5; CRI Profile v2.0: RC.RP-03
    RC.RP-04
      Ex1: Use business impact and system categorization records (including service delivery objectives) to validate that essential services are restored in the appropriate order
      References: CRI Profile v2.0: RC.RP-04, RC.RP-04.01
    RC.RP-05
      Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
      References: CRI Profile v2.0: RC.RP-05, RC.RP-05.01
    RC.RP-06
      Ex1: Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned
      References: CRI Profile v2.0: RC.RP-06, RC.RP-06.01

  Incident Recovery Communication (RC.CO)
    References: CRI Profile v2.0: RC.CO; CSF v1.1: RC.CO
    RC.CO-03
      Ex1: Securely share recovery information, including restoration progress, consistent with response plans and information sharing agreements
      References: CRI Profile v2.0: RC.CO-03, RC.CO-03.01
    RC.CO-04
      Ex1: Follow the organization's breach notification procedures for recovering from a data breach incident
      References: CIS Controls v8.0: 17.2, 17.6