This document contains mappings of the CIS Critical Security Controls (CIS Controls) v8.

1 and CIS Safegua

Last updated June 2024
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to the Payment Card
Reference link for PCI: https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8.1 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8-1/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/cis-controls-navigator

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
 CIS Security
CIS Safeguard Asset Type Title
Control Function
1 Inventory and Control of Enterprise Ass
Actively manage (inventory, track, and c
non-computing/Internet of Things (IoT) d
cloud environments, to accurately know
support identifying unauthorized and un

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory
 Establish and Maintain Detailed
1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host

Configuration Protocol (DHCP)
1 1.4 Devices Identify
Logging to Update Enterprise
Asset Inventory
Use a Passive Asset Discovery
1 1.5 Devices Detect
Tool
2 Inventory and Control of Software Asse

Actively manage (inventory, track, and c

software is installed and can execute, a
 Establish and Maintain a
2 2.1 Software Identify
Software Inventory

Establish and Maintain a

2 2.1 Software Identify
Software Inventory

Ensure Authorized Software is

2 2.2 Software Identify
Currently Supported

Ensure Authorized Software is

2 2.2 Software Identify
Currently Supported

2 2.3 Software Respond Address Unauthorized Software

Utilize Automated Software

2 2.4 Software Detect
Inventory Tools
2 2.5 Software Protect Allowlist Authorized Software

2 2.5 Software Protect Allowlist Authorized Software

2 2.6 Software Protect Allowlist Authorized Libraries

2 2.6 Software Protect Allowlist Authorized Libraries

2 2.7 Software Protect Allowlist Authorized Scripts

2 2.7 Software Protect Allowlist Authorized Scripts

2 2.7 Software Protect Allowlist Authorized Scripts

3 Data Protection
Develop processes and technical contro

Establish and Maintain a Data

3 3.1 Data Govern
Management Process

Establish and Maintain a Data

3 3.1 Data Govern
Management Process

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Establish and Maintain a Data

3 3.2 Data Identify
Inventory
 Configure Data Access Control
3 3.3 Data Protect
Lists
Configure Data Access Control
3 3.3 Data Protect
Lists

3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Protect Securely Dispose of Data

3 3.5 Data Protect Securely Dispose of Data

3 3.5 Data Protect Securely Dispose of Data

Encrypt Data on End-User

3 3.6 Data Protect
Devices

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.8 Data Identify Document Data Flows

3 3.8 Data Identify Document Data Flows

3 3.8 Data Identify Document Data Flows

Encrypt Data on Removable

3 3.9 Data Protect
Media

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit
Encrypt Sensitive Data in
3 3.10 Data Protect
Transit
Encrypt Sensitive Data in
3 3.10 Data Protect
Transit
3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and

3 3.12 Data Protect
Storage Based on Sensitivity

Segment Data Processing and

3 3.12 Data Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution
3 3.14 Data Detect Log Sensitive Data Access
3 3.14 Data Detect Log Sensitive Data Access
4 Secure Configuration of Enterprise Ass

Establish and maintain the secure confi

non-computing/IoT devices; and servers

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Documentati Establish and Maintain a

4 4.1 Govern
on Secure Configuration Process

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure
 Establish and Maintain a
Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Establish and Maintain a

Documentati
4 4.2 Govern Secure Configuration Process
on
for Network Infrastructure

Configure Automatic Session

4 4.3 Devices Protect
Locking on Enterprise Assets

Implement and Manage a

4 4.4 Devices Protect
Firewall on Servers

Implement and Manage a

4 4.4 Devices Protect
Firewall on Servers
 Implement and Manage a
4 4.5 Devices Protect
Firewall on End-User Devices

Securely Manage Enterprise

4 4.6 Devices Protect
Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software

Configure Trusted DNS Servers

4 4.9 Devices Protect
on Enterprise Assets
 Enforce Automatic Device
4 4.10 Devices Protect Lockout on Portable End-User
Devices

Enforce Remote Wipe

4 4.11 Data Protect Capability on Portable End-
User Devices
Separate Enterprise
4 4.12 Data Protect Workspaces on Mobile End-
User Devices
5 Account Management

Use processes and tools to assign and

service accounts, to enterprise assets a

Establish and Maintain an

5 5.1 Users Identify
Inventory of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.2 Users Protect Use Unique Passwords

5 5.2 Users Protect Use Unique Passwords

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Protect Disable Dormant Accounts
Restrict Administrator Privileges
5 5.4 Users Protect to Dedicated Administrator
Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

Centralize Account
5 5.6 Users Protect
Management
6 Access Control Management

Use processes and tools to create, assi

accounts for enterprise assets and softw

Documentati Establish an Access Granting

6 6.1 Govern
on Process

Documentati Establish an Access Granting

6 6.1 Govern
on Process
Documentati Establish an Access Granting
6 6.1 Govern
on Process

Documentati Establish an Access Granting

6 6.1 Govern
on Process

Documentati Establish an Access Granting

6 6.1 Govern
on Process
Documentati Establish an Access Granting
6 6.1 Govern
on Process

Documentati Establish an Access Revoking

6 6.2 Govern
on Process

Documentati Establish an Access Revoking

6 6.2 Govern
on Process

Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications
 Require MFA for Remote
6 6.4 Users Protect
Network Access

Require MFA for Administrative

6 6.5 Users Protect
Access
Require MFA for Administrative
6 6.5 Users Protect
Access

Establish and Maintain an

6 6.6 Software Identify Inventory of Authentication and
Authorization Systems

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control
 Define and Maintain Role-
6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

Define and Maintain Role-

6 6.8 Users Govern
Based Access Control

7 Continuous Vulnerability Management

Develop a plan to continuously assess a
remediate, and minimize, the window of
vulnerability information.

Establish and Maintain a

Documentati
7 7.1 Govern Vulnerability Management
on
Process

Establish and Maintain a

Documentati
7 7.1 Govern Vulnerability Management
on
Process

Establish and Maintain a

Documentati
7 7.1 Govern Vulnerability Management
on
Process
 Documentati Establish and Maintain a
7 7.2 Govern
on Remediation Process

Documentati Establish and Maintain a

7 7.2 Govern
on Remediation Process

Perform Automated Operating

7 7.3 Software Protect
System Patch Management

Perform Automated Application

7 7.4 Software Protect
Patch Management

Perform Automated
7 7.5 Software Identify Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
7 7.5 Software Identify Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
7 7.5 Software Identify Vulnerability Scans of Internal
Enterprise Assets
 Perform Automated
7 7.5 Software Identify Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
Vulnerability Scans of
7 7.6 Software Identify
Externally-Exposed Enterprise
Assets

Perform Automated
Vulnerability Scans of
7 7.6 Software Identify
Externally-Exposed Enterprise
Assets

Perform Automated
Vulnerability Scans of
7 7.6 Software Identify
Externally-Exposed Enterprise
Assets

Remediate Detected
7 7.7 Software Respond
Vulnerabilities

Remediate Detected
7 7.7 Software Respond
Vulnerabilities
 Remediate Detected
7 7.7 Software Respond
Vulnerabilities

8 Audit Log Management

Collect, alert, review, and retain audit lo

Documentati Establish and Maintain an Audit

8 8.1 Govern
on Log Management Process

Documentati Establish and Maintain an Audit

8 8.1 Govern
on Log Management Process

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

8 8.2 Data Detect Collect Audit Logs

Ensure Adequate Audit Log

8 8.3 Data Protect
Storage
Standardize Time
8 8.4 Network Protect
Synchronization
Standardize Time
8 8.4 Network Protect
Synchronization

Standardize Time
8 8.4 Network Protect
Synchronization

Standardize Time
8 8.4 Network Protect
Synchronization

8 8.5 Data Detect Collect Detailed Audit Logs

8 8.5 Data Detect Collect Detailed Audit Logs

8 8.5 Data Detect Collect Detailed Audit Logs

8 8.5 Data Detect Collect Detailed Audit Logs

8 8.5 Data Detect Collect Detailed Audit Logs

8 8.6 Data Detect Collect DNS Query Audit Logs

Collect URL Request Audit
8 8.7 Data Detect
Logs
Collect Command-Line Audit
8 8.8 Data Detect
Logs

8 8.9 Data Detect Centralize Audit Logs

8 8.10 Data Protect Retain Audit Logs

8 8.10 Data Protect Retain Audit Logs

8 8.11 Data Detect Conduct Audit Log Reviews

8 8.11 Data Detect Conduct Audit Log Reviews

8 8.11 Data Detect Conduct Audit Log Reviews

8 8.11 Data Detect Conduct Audit Log Reviews

8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections
Improve protections and detections of t
behavior through direct engagement.
Ensure Use of Only Fully
9 9.1 Software Protect Supported Browsers and Email
Clients

9 9.2 Devices Protect Use DNS Filtering Services

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters
 Maintain and Enforce Network-
9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Software Protect Unauthorized Browser and
Email Client Extensions

9 9.5 Network Protect Implement DMARC

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email

9 9.7 Network Protect Server Anti-Malware
Protections
Deploy and Maintain Email
9 9.7 Network Protect Server Anti-Malware
Protections
10 Malware Defenses
Prevent or control the installation, sprea

Deploy and Maintain Anti-

10 10.1 Devices Detect
Malware Software

Deploy and Maintain Anti-

10 10.1 Devices Detect
Malware Software
Deploy and Maintain Anti-
10 10.1 Devices Detect
Malware Software

Deploy and Maintain Anti-

10 10.1 Devices Detect
Malware Software

Configure Automatic Anti-

10 10.2 Devices Protect
Malware Signature Updates
Disable Autorun and Autoplay
10 10.3 Devices Protect
for Removable Media

Configure Automatic Anti-

10 10.4 Devices Detect Malware Scanning of
Removable Media
 Enable Anti-Exploitation
10 10.5 Devices Protect
Features

Centrally Manage Anti-Malware

10 10.6 Devices Protect
Software

Use Behavior-Based Anti-

10 10.7 Devices Detect
Malware Software

11 Data Recovery
Establish and maintain data recovery pr
Documentati Establish and Maintain a Data
11 11.1 Govern
on Recovery Process

11 11.2 Data Recover Perform Automated Backups

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an

11 11.4 Data Recover Isolated Instance of Recovery
Data
11 11.5 Data Recover Test Data Recovery
Network Infrastructure
12
Management
Establish, implement, and actively mana
network services and access points.

Ensure Network Infrastructure is

12 12.1 Network Protect
Up-to-Date

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture
 Establish and Maintain a
12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Securely Manage Network

12 12.3 Network Protect
Infrastructure
Documentati Establish and Maintain
12 12.4 Govern
on Architecture Diagram(s)
Centralize Network
12 12.5 Network Protect Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
12 12.6 Network Protect Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
12 12.8 Devices Protect
Resources for All Administrative
Work
Network Monitoring and
13
Defense
Operate processes and tooling to estab
the enterprise’s network infrastructure a

Centralize Security Event

13 13.1 Network Detect
Alerting
 Centralize Security Event
13 13.1 Network Detect
Alerting

Centralize Security Event

13 13.1 Network Detect
Alerting

Centralize Security Event

13 13.1 Network Detect
Alerting

Centralize Security Event

13 13.1 Network Detect
Alerting

Deploy a Host-Based Intrusion

13 13.2 Devices Detect
Detection Solution

Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution
 Deploy a Network Intrusion
13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering

13 13.4 Network Protect
Between Network Segments

Perform Traffic Filtering

13 13.4 Network Protect
Between Network Segments

Perform Traffic Filtering

13 13.4 Network Protect
Between Network Segments

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Collect Network Traffic Flow

13 13.6 Network Detect
Logs

Deploy a Host-Based Intrusion

13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution
 Deploy Port-Level Access
13 13.9 Network Protect
Control

Deploy Port-Level Access

13 13.9 Network Protect
Control
Deploy Port-Level Access
13 13.9 Network Protect
Control
Deploy Port-Level Access
13 13.9 Network Protect
Control

Perform Application Layer

13 13.10 Network Protect
Filtering

Perform Application Layer

13 13.10 Network Protect
Filtering
Perform Application Layer
13 13.10 Network Protect
Filtering

Tune Security Event Alerting

13 13.11 Network Detect
Thresholds

14 Security Awareness and Skills Training

Establish and maintain a security aware
skilled to reduce cybersecurity risks to

Documentati Establish and Maintain a

14 14.1 Govern
on Security Awareness Program

Documentati Establish and Maintain a

14 14.1 Govern
on Security Awareness Program

Documentati Establish and Maintain a

14 14.1 Govern
on Security Awareness Program
 Documentati Establish and Maintain a
14 14.1 Govern
on Security Awareness Program

Documentati Establish and Maintain a

14 14.1 Govern
on Security Awareness Program

Train Workforce Members to

14 14.2 Users Protect Recognize Social Engineering
Attacks

Train Workforce Members on

14 14.3 Users Protect
Authentication Best Practices

Train Workforce on Data

14 14.4 Users Protect
Handling Best Practices

Train Workforce Members on

14 14.5 Users Protect Causes of Unintentional Data
Exposure
Train Workforce Members on
14 14.6 Users Protect Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
14 14.7 Users Protect
Enterprise Assets are Missing
Security Updates
Train Workforce on the Dangers
of Connecting to and
14 14.8 Users Protect
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific Security

14 14.9 Users Protect
Awareness and Skills Training
 Conduct Role-Specific Security
14 14.9 Users Protect
Awareness and Skills Training

Conduct Role-Specific Security

14 14.9 Users Protect
Awareness and Skills Training

15 Service Provider Management

Develop a process to evaluate service p

processes, to ensure these providers ar

Establish and Maintain an

15 15.1 Users Identify
Inventory of Service Providers

Establish and Maintain a

Documentati
15 15.2 Govern Service Provider Management
on
Policy

15 15.3 Users Govern Classify Service Providers

Ensure Service Provider

Documentati
15 15.4 Govern Contracts Include Security
on
Requirements

Ensure Service Provider

Documentati
15 15.4 Govern Contracts Include Security
on
Requirements

Ensure Service Provider

Documentati
15 15.4 Govern Contracts Include Security
on
Requirements

Ensure Service Provider

Documentati
15 15.4 Govern Contracts Include Security
on
Requirements
 Ensure Service Provider
Documentati
15 15.4 Govern Contracts Include Security
on
Requirements

Ensure Service Provider

Documentati
15 15.4 Govern Contracts Include Security
on
Requirements

Ensure Service Provider

Documentati
15 15.4 Govern Contracts Include Security
on
Requirements

15 15.5 Users Govern Assess Service Providers

15 15.6 Data Govern Monitor Service Providers

15 15.6 Data Govern Monitor Service Providers

15 15.6 Data Govern Monitor Service Providers

15 15.6 Data Govern Monitor Service Providers

Securely Decommission
15 15.7 Data Protect
Service Providers
16 Application Software Security
 Manage the security life cycle of in-hous
before they can impact the enterprise.

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process

Establish and Maintain a

Documentati
16 16.1 Govern Secure Application
on
Development Process
 Establish and Maintain a
Documentati
16 16.2 Govern Process to Accept and Address
on
Software Vulnerabilities

Perform Root Cause Analysis

16 16.3 Software Protect
on Security Vulnerabilities

Establish and Manage an

16 16.4 Software Identify Inventory of Third-Party
Software Components

Establish and Manage an

16 16.4 Software Identify Inventory of Third-Party
Software Components

Use Up-to-Date and Trusted

16 16.5 Software Protect Third-Party Software
Components

Use Up-to-Date and Trusted

16 16.5 Software Protect Third-Party Software
Components

Establish and Maintain a

Documentati Severity Rating System and
16 16.6 Govern
on Process for Application
Vulnerabilities
 Use Standard Hardening
16 16.7 Software Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-

16 16.8 Network Protect
Production Systems

Train Developers in Application

16 16.9 Users Protect Security Concepts and Secure
Coding

Apply Secure Design Principles

16 16.10 Software Protect
in Application Architectures

Apply Secure Design Principles

16 16.10 Software Protect
in Application Architectures

Leverage Vetted Modules or

16 16.11 Software Identify Services for Application
Security Components

Implement Code-Level Security

16 16.12 Software Protect
Checks

Implement Code-Level Security

16 16.12 Software Protect
Checks
 Conduct Application
16 16.13 Software Govern
Penetration Testing

16 16.14 Software Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and mai
communications) to prepare, detect, and

Designate Personnel to
17 17.1 Users Respond
Manage Incident Handling

Designate Personnel to
17 17.1 Users Respond
Manage Incident Handling

Establish and Maintain Contact

Documentati
17 17.2 Govern Information for Reporting
on
Security Incidents

Establish and Maintain an

Documentati
17 17.3 Govern Enterprise Process for
on
Reporting Incidents
 Documentati Establish and Maintain an
17 17.4 Govern
on Incident Response Process

Documentati Establish and Maintain an

17 17.4 Govern
on Incident Response Process

Assign Key Roles and

17 17.5 Users Respond
Responsibilities

Define Mechanisms for

17 17.6 Users Respond Communicating During Incident
Response

Conduct Routine Incident

17 17.7 Users Recover
Response Exercises

17 17.8 Users Recover Conduct Post-Incident Reviews

Documentati Establish and Maintain Security

17 17.9 Recover
on Incident Thresholds

18 Penetration Testing
Test the effectiveness and resiliency of
technology), and simulating the objectiv

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program
 Documentati Establish and Maintain a
18 18.1 Govern
on Penetration Testing Program

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program

Documentati Establish and Maintain a

18 18.1 Govern
on Penetration Testing Program
 Documentati Establish and Maintain a
18 18.1 Govern
on Penetration Testing Program

Perform Periodic External

18 18.2 Network Detect
Penetration Tests

Remediate Penetration Test

18 18.3 Network Protect
Findings

18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal

18 18.5 Network Detect
Penetration Tests
 Description
l of Enterprise Assets
entory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network de
net of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and th
to accurately know the totality of assets that need to be monitored and protected within the enterprise. This
nauthorized and unmanaged assets to remove or remediate.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.
 Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the pote
store or process data, to include: end-user devices (including portable and mobile), network devices,
non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hard
address, machine name, enterprise asset owner, department for each asset, and whether the asset has be
approved to connect to the network. For mobile end-user devices, MDM type tools can support this proces
appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, a
within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s n
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all e
assets bi-annually, or more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choos
remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine

Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the activ
tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or mo
frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use sca
update the enterprise’s asset inventory at least weekly, or more frequently.
l of Software Assets

entory, track, and correct) all software (operating systems and applications) on the network so that only auth
and can execute, and that unauthorized and unmanaged software is found and prevented from installation or
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The soft
inventory must document the title, publisher, initial install/use date, and business purpose for each entry; w
appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism
decommission date. Review and update the software inventory bi-annually, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The soft
inventory must document the title, publisher, initial install/use date, and business purpose for each entry; w
appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism
decommission date. Review and update the software inventory bi-annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for ent
assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document a
detailing mitigating controls and residual risk acceptance. For any unsupported software without an except
documentation, designate as unauthorized. Review the software list to verify software support at least mon
more frequently.

Ensure that only currently supported software is designated as authorized in the software inventory for ent
assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document a
detailing mitigating controls and residual risk acceptance. For any unsupported software without an except
documentation, designate as unauthorized. Review the software list to verify software support at least mon
more frequently.

Ensure that unauthorized software is either removed from use on enterprise assets or receives a documen
exception. Review monthly, or more frequently.

Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and
documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execut
accessed. Reassess bi-annually, or more frequently.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execut
accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so
allowed to load into a system process. Block unauthorized libraries from loading into a system process. Re
annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so
allowed to load into a system process. Block unauthorized libraries from loading into a system process. Re
annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts
specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-
or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts
specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-
or more frequently.
 Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts
specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-
or more frequently.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a documented data management process. In the process, address data sensitivity,
owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention
for the enterprise. Review and update documentation annually, or when significant enterprise changes occ
could impact this Safeguard.
Establish and maintain a documented data management process. In the process, address data sensitivity,
owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention
for the enterprise. Review and update documentation annually, or when significant enterprise changes occ
could impact this Safeguard.

Establish and maintain a data inventory based on the enterprise’s data management process. Inventory se
data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

Establish and maintain a data inventory based on the enterprise’s data management process. Inventory se
data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

Establish and maintain a data inventory based on the enterprise’s data management process. Inventory se
data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

Establish and maintain a data inventory based on the enterprise’s data management process. Inventory se
data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also kn
access permissions, to local and remote file systems, databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also kn
access permissions, to local and remote file systems, databases, and applications.

Retain data according to the enterprise’s documented data management process. Data retention must incl
minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure th
process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure th
process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure th
process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windo
BitLocker®, Apple FileVault®, Linux® dm-crypt.

Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels
“Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and upda
classification scheme annually, or when significant enterprise changes occur that could impact this Safegu

Document data flows. Data flow documentation includes service provider data flows and should be based
enterprise’s data management process. Review and update documentation annually, or when significant e
changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based
enterprise’s data management process. Review and update documentation annually, or when significant e
changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based
enterprise’s data management process. Review and update documentation annually, or when significant e
changes occur that could impact this Safeguard.

Document data flows. Data flow documentation includes service provider data flows and should be based
enterprise’s data management process. Review and update documentation annually, or when significant e
changes occur that could impact this Safeguard.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.
Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.
Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods
application-layer encryption, also known as client-side encryption, where access to the data storage device
not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data o
enterprise assets intended for lower sensitivity data.

Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data o
enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitiv
stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote s
provider, and update the enterprise's data inventory.
Log sensitive data access, including modification and disposal.
 Log sensitive data access, including modification and disposal.
of Enterprise Assets and Software

in the secure configuration of enterprise assets (end-user devices, including portable and mobile; network d
evices; and servers) and software (operating systems and applications).

Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.

Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.
Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.

Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.

Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.

Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.

Establish and maintain a documented secure configuration process for enterprise assets (end-user device
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applic
Review and update documentation annually, or when significant enterprise changes occur that could impa
Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general pu
operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must
2 minutes.

Implement and manage a firewall on servers, where supported. Example implementations include a virtual
operating system firewall, or a third-party firewall agent.

Implement and manage a firewall on servers, where supported. Example implementations include a virtual
operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny
drops all traffic except those services and ports that are explicitly allowed.

Securely manage enterprise assets and software. Example implementations include managing configuratio
version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure netwo
protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insec
management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-con
vendor accounts. Example implementations can include: disabling default accounts or making them unusa

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-con
vendor accounts. Example implementations can include: disabling default accounts or making them unusa

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharin
web application module, or service function.

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharin
web application module, or service function.

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharin
web application module, or service function.

Configure trusted DNS servers on network infrastructure. Example implementations include configuring ne
devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
 Enforce automatic device lockout following a predetermined threshold of local failed authentication attempt
portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication a
tablets and smartphones, no more than 10 failed authentication attempts. Example implementations includ
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriat
lost or stolen devices, or when an individual no longer supports the enterprise.

Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example
implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate ente
applications and data from personal applications and data.

ools to assign and manage authorization to credentials for user accounts, including administrator accounts,
enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a min
include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain th
name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a re
schedule at a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8
password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts
MFA.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8
password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts
MFA.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8
password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts
MFA.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8
password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts
MFA.
 Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct genera
activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileg

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain depar
owner, review date, and purpose. Perform service account reviews to validate that all active accounts are a
on a recurring schedule at a minimum quarterly, or more frequently.

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain depar
owner, review date, and purpose. Perform service account reviews to validate that all active accounts are a
on a recurring schedule at a minimum quarterly, or more frequently.

Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and ser
se assets and software.

Establish and follow a documented process, preferably automated, for granting access to enterprise assets
hire or role change of a user.

Establish and follow a documented process, preferably automated, for granting access to enterprise assets
hire or role change of a user.
Establish and follow a documented process, preferably automated, for granting access to enterprise assets
hire or role change of a user.

Establish and follow a documented process, preferably automated, for granting access to enterprise assets
hire or role change of a user.

Establish and follow a documented process, preferably automated, for granting access to enterprise assets
hire or role change of a user.
Establish and follow a documented process, preferably automated, for granting access to enterprise assets
hire or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through dis
accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, ins
deleting accounts, may be necessary to preserve audit trails.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through dis
accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, ins
deleting accounts, may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enf
through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether m
site or through a service provider.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether m
site or through a service provider.

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including
hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, o
frequently.

Centralize access control for all enterprise assets through a directory service or SSO provider, where supp

Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.

Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.

Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
 Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.

Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
Define and maintain role-based access control, through determining and documenting the access rights ne
each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews
enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annua
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in o
mize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and
ion.

Establish and maintain a documented vulnerability management process for enterprise assets. Review and
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented vulnerability management process for enterprise assets. Review and
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a documented vulnerability management process for enterprise assets. Review and
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with mont
frequent, reviews.

Establish and maintain a risk-based remediation strategy documented in a remediation process, with mont
frequent, reviews.

Perform operating system updates on enterprise assets through automated patch management on a mont
frequent, basis.

Perform application updates on enterprise assets through automated patch management on a monthly, or
frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis
both authenticated and unauthenticated scans.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis
both authenticated and unauthenticated scans.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis
both authenticated and unauthenticated scans.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis
both authenticated and unauthenticated scans.

Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a month
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a month
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a month
frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more freque
based on the remediation process.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more freque
based on the remediation process.
 Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more freque
based on the remediation process.

and retain audit logs of events that could help detect, understand, or recover from an attack.

Establish and maintain a documented audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise asse
and update documentation annually, or when significant enterprise changes occur that could impact this S

Establish and maintain a documented audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise asse
and update documentation annually, or when significant enterprise changes occur that could impact this S

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
enterprise assets.

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log mana
process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise ass
supported.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise ass
supported.

Standardize time synchronization. Configure at least two synchronized time sources across enterprise ass
supported.

Standardize time synchronization. Configure at least two synchronized time sources across enterprise ass
supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
timestamp, source addresses, destination addresses, and other useful elements that could assist in a foren
investigation.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
timestamp, source addresses, destination addresses, and other useful elements that could assist in a foren
investigation.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
timestamp, source addresses, destination addresses, and other useful elements that could assist in a foren
investigation.
 Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
timestamp, source addresses, destination addresses, and other useful elements that could assist in a foren
investigation.

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
timestamp, source addresses, destination addresses, and other useful elements that could assist in a foren
investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and supported.

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell ®
and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance
documented audit log management process. Example implementations include leveraging a SIEM tool to c
multiple log sources.
Retain audit logs across enterprise assets for a minimum of 90 days.
Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat
reviews on a weekly, or more frequent, basis.

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat
reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat
reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat
reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication
authorization events, data creation and disposal events, and user management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate
ect engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using
version of browsers and email clients provided through the vendor.

Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block acc
known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially m
unapproved websites. Example implementations include category-based filtering, reputation-based filtering
through the use of block lists. Enforce filters for all enterprise assets.
 Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially m
unapproved websites. Example implementations include category-based filtering, reputation-based filtering
through the use of block lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client p
extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and veri
starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM
standards.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and veri
starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM
standards.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxi

Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxi

e installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

 Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® D
Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Pro
(SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Establish and maintain a documented data recovery process. In the process, address the scope of data re
activities, recovery prioritization, and the security of backup data. Review and update documentation annu
when significant enterprise changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based
sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation
requirements.

Establish and maintain an isolated instance of recovery data. Example implementations include, version co
backup destinations through offline, cloud, or off-site systems or services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting v
access points.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stabl
software and/or using currently supported network-as-a-service (NaaS) offerings. Review software version
or more frequently, to verify software support.
Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.
Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.
Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.

Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.
Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.
 Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.

Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.

Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
and availability, at a minimum. Example implementations will not solely include documentation, but also policy and d
components.
Securely manage network infrastructure. Example implementations include version-controlled Infrastructur
(IaC), and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and u
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (W
Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing e
resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically separated, for all adm
tasks or tasks requiring administrative access. The computing resources should be segmented from the en
primary network and not be allowed internet access.

nd tooling to establish and maintain comprehensive network monitoring and defense against security threats
ork infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log a
platform configured with security-relevant correlation alerts also satisfies this Safeguard.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log a
platform configured with security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log a
platform configured with security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log a
platform configured with security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log a
platform configured with security-relevant correlation alerts also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implemen
include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implemen
include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP

Perform traffic filtering between network segments, where appropriate.

Perform traffic filtering between network segments, where appropriate.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine amount of acce
enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with t
enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-d

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supporte
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agen

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the u
Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the u
Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the u
Network Intrusion Prevention System (NIPS) or equivalent CSP service.
 Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contro
such as certificates, and may incorporate user and/or device authentication.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contro
such as certificates, and may incorporate user and/or device authentication.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contro
such as certificates, and may incorporate user and/or device authentication.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contro
such as certificates, and may incorporate user and/or device authentication.

Perform application layer filtering. Example implementations include a filtering proxy, application layer firew
gateway.

Perform application layer filtering. Example implementations include a filtering proxy, application layer firew
gateway.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firew
gateway.

Tune security event alerting thresholds monthly, or more frequently.

and Skills Training

in a security awareness program to influence behavior among the workforce to be security conscious and pr
ersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security awareness program is to
the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct
hire and, at a minimum, annually. Review and update content annually, or when significant enterprise chan
that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security awareness program is to
the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct
hire and, at a minimum, annually. Review and update content annually, or when significant enterprise chan
that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security awareness program is to
the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct
hire and, at a minimum, annually. Review and update content annually, or when significant enterprise chan
that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security awareness program is to
the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct
hire and, at a minimum, annually. Review and update content annually, or when significant enterprise chan
that could impact this Safeguard.

Establish and maintain a security awareness program. The purpose of a security awareness program is to
the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct
hire and, at a minimum, annually. Review and update content annually, or when significant enterprise chan
that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, business email compr
(BEC), pretexting, and tailgating.

Train workforce members on authentication best practices. Example topics include MFA, password compo
credential management.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive da
includes training workforce members on clear screen and desk best practices, such as locking their screen
step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
data and assets securely.

Train workforce members to be aware of causes for unintentional data exposure. Example topics include m
of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report such an inciden

Train workforce to understand how to verify and report out-of-date software patches or any failures in auto
processes and tools. Part of this training should include notifying IT personnel of any failures in automated
and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks f
enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all
securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include secure syst
administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention train
application developers, and advanced social engineering awareness training for high-profile roles.
 Conduct role-specific security awareness and skills training. Example implementations include secure syst
administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention train
application developers, and advanced social engineering awareness training for high-profile roles.

Conduct role-specific security awareness and skills training. Example implementations include secure syst
administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention train
application developers, and advanced social engineering awareness training for high-profile roles.

evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platform
these providers are protecting those platforms and data appropriately.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers
classification(s), and designate an enterprise contact for each service provider. Review and update the inv
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the classificati
inventory, assessment, monitoring, and decommissioning of service providers. Review and update the poli
annually, or when significant enterprise changes occur that could impact this Safeguard.

Classify service providers. Classification consideration may include one or more characteristics, such as d
sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk.
review classifications annually, or when significant enterprise changes occur that could impact this Safegu

Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.
Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.

Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.

Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.
 Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.
Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.

Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the e
service provider management policy. Review service provider contracts annually to ensure contracts are n
security requirements.

Assess service providers consistent with the enterprise’s service provider management policy. Assessmen
may vary based on classification(s), and may include review of standardized assessment reports, such as
Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), custom
questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minim
new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
include periodic reassessment of service provider compliance, monitoring service provider release notes, a
web monitoring.

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
include periodic reassessment of service provider compliance, monitoring service provider release notes, a
web monitoring.

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
include periodic reassessment of service provider compliance, monitoring service provider release notes, a
web monitoring.

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
include periodic reassessment of service provider compliance, monitoring service provider release notes, a
web monitoring.
Securely decommission service providers. Example considerations include user and service account deac
termination of data flows, and secure disposal of enterprise data within service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security wea
ct the enterprise.
Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process, address such items as:
application design standards, secure coding practices, developer training, vulnerability management, secu
party code, and application security testing procedures. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including provid
means for external entities to report. The process is to include such items as: a vulnerability handling polic
identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, a
remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includ
ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Rev
update documentation annually, or when significant enterprise changes occur that could impact this Safeg

Third-party application developers need to consider this an externally-facing policy that helps to set expect
outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis
of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move
fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred
“bill of materials,” as well as components slated for future use. This inventory is to include any risks that ea
party component could pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.
Establish and manage an updated inventory of third-party components used in development, often referred
“bill of materials,” as well as components slated for future use. This inventory is to include any risks that ea
party component could pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose established and prov
frameworks and libraries that provide adequate security. Acquire these components from trusted sources o
the software for vulnerabilities before use.

Use up-to-date and trusted third-party software components. When possible, choose established and prov
frameworks and libraries that provide adequate security. Acquire these components from trusted sources o
the software for vulnerabilities before use.

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates pr
the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of se
acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerab
improves risk management and helps ensure the most severe bugs are fixed first. Review and update the
process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure com
This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform a
(PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configu
hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their specific de
environment and responsibilities. Training can include general security principles and application security s
practices. Conduct training at least annually and design in a way to promote security within the developme
and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles include the concept o
privilege and enforcing mediation to validate every operation that the user makes, promoting the concept o
trust user input." Examples include ensuring that explicit error checking is performed and documented for a
including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the
infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary pr
files, and renaming or removing default accounts.
Apply secure design principles in application architectures. Secure design principles include the concept o
privilege and enforcing mediation to validate every operation that the user makes, promoting the concept o
trust user input." Examples include ensuring that explicit error checking is performed and documented for a
including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the
infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary pr
files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity management, e
and auditing and logging. Using platform features in critical security functions will reduce developers’ workl
minimize the likelihood of design or implementation errors. Modern operating systems provide effective me
for identification, authentication, and authorization and make those mechanisms available to applications. U
standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also
mechanisms to create and maintain secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practice
followed.

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practice
followed.
 Conduct application penetration testing. For critical applications, authenticated penetration testing is better
finding business logic vulnerabilities than code scanning and automated security testing. Penetration testin
the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing application security
flaws within a design, before code is created. It is conducted through specially trained individuals who eval
application design and gauge security risks for each entry point and access level. The goal is to map out th
application, architecture, and infrastructure in a structured way to understand its weaknesses.

anagement
to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, train
prepare, detect, and quickly respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling pr
Management personnel are responsible for the coordination and documentation of incident response and r
efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If u
service provider, designate at least one person internal to the enterprise to oversee any third-party work. R
annually, or when significant enterprise changes occur that could impact this Safeguard.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling pr
Management personnel are responsible for the coordination and documentation of incident response and r
efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If u
service provider, designate at least one person internal to the enterprise to oversee any third-party work. R
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain contact information for parties that need to be informed of security incidents. Conta
include internal staff, service vendors, law enforcement, cyber insurance providers, relevant government a
Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually t
that information is up-to-date.
Establish and maintain an documented enterprise process for the workforce to report security incidents. Th
includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum informatio
reported. Ensure the process is publicly available to all of the workforce. Review annually, or when signific
enterprise changes occur that could impact this Safeguard.
 Establish and maintain a documented incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant enterprise chan
that could impact this Safeguard.

Establish and maintain a documented incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant enterprise chan
that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information securi
public relations, human resources, incident responders, and analysts. Review annually, or when significan
changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a sec
incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind tha
mechanisms, such as emails, can be affected during a security incident. Review annually, or when signific
enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incid
response process to prepare for responding to real-world incidents. Exercises need to test communication
decision making, and workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying l
learned and follow-up action.

Establish and maintain security incident thresholds, including, at a minimum, differentiating between an inc
an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach,
incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safegua

s and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, proc
ulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.
Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.
Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.
Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and ma
enterprise. Penetration testing program characteristics include scope, such as network, web application, A
Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findin
routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less than annually. Externa
penetration testing must include enterprise and environmental reconnaissance to detect exploitable inform
Penetration testing requires specialized skills and experience and must be conducted through a qualified p
testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s documented vulnerability remediation proce
should include determining a timeline and level of effort based on the impact and prioritization of each iden
finding.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilit
detect the techniques used during testing.

Perform periodic internal penetration tests based on program requirements, no less than annually. The tes
clear box or opaque box.
 Requirement
IG1 IG2 IG3 Relationship
Number

X X X Superset 9.5.1

X X X Superset 9.5.1.1

X X X Superset 11.2

X X X Subset 11.2.1
X X X Superset 11.2.2

X X X Superset 12.5

X X X Superset 12.5.1

X X X Subset 11.2.1

X X

X X

X
X X X Subset 1.2.5

X X X Superset 6.3.2

X X X Superset 2.2.5

X X X Subset 12.3.4

X X X Subset 12.3.4

X X

X X Subset 1.2.5

X X Subset 2.2.4

X X Subset 1.2.5

X X Subset 2.2.4

X Subset 1.2.5

X Subset 2.2.4
 X Subset 6.4.3

X X X Superset 9.4

X X X Superset 9.4.2

X X X Subset 3.2.1

X X X Superset 9.4.2

X X X Superset 9.4.5.1

X X X Subset 12.5.2
X X X Superset 1.3.1

X X X Subset 7.1

X X X Subset 3.2.1

X X X Subset 3.2.1

X X X Superset 9.4.6

X X X Superset 9.4.7

X X X

X X Superset 9.4.2

X X Equivalent 1.2.4
X X Subset 1.3.1

X X Subset 1.3.2

X X Subset 12.5.2

X X Subset 3.5.1.2

X X Superset 2.2.7

X X Superset 4.1.1

X X Superset 4.2.1

X X Superset 4.2.1.2

X X Superset 4.2.2

X X Superset 8.3.2
X X Subset 3.1.1

X X Superset 3.3.2

X X Superset 3.3.3

X X Superset 3.5.1

X X Superset 3.5.1.2

X X Superset 3.5.1.3

X X Superset 8.3.2

X X Superset 1.4.1

X X Superset 1.4.4

X Subset 10.2.1
 X Superset 10.2.1.1

X X X Superset 1.1.1

X X X Superset 1.2.1

X X X Superset 1.2.6

X X X Superset 1.5.1

X X X Superset 1.2.7

X X X Superset 2.1.1

X X X Superset 2.2.1

X X X Superset 1.1.1
X X X Superset 1.2.1

X X X Superset 1.2.6

X X X Superset 1.2.7

X X X Superset 1.4.2

X X X Superset 1.5.1

X X X Superset 2.1.1

X X X Superset 2.2.1

X X X Equivalent 8.2.8

X X X Superset 1.2.1

X X X Superset 1.4.1
X X X Superset 1.2.1

X X X

X X X Equivalent 2.2.2

X X X Subset 2.3.1

X X Subset 1.2.5

X X Subset 2.2.4

X X Superset 6.4.1

X X
 X X Subset 8.3.4

X X

X X X Subset 12.5.2

X X X Subset 2.2.2

X X X Subset 8.3.5

X X X Subset 8.3.6

X X X Subset 8.6.3
X X X Equivalent 8.3.7

X X X

X X Subset 7.2.4

X X Subset 8.2.7

X X

X X X Subset 7.2.1

X X X Superset 7.2.3

X X X Subset 8.1

X X X Subset 8.1.1

X X X Superset 8.2.1

X X X Superset 8.2.4

X X X Subset 8.2.4

X X X Superset 8.2.5

X X X
X X X Equivalent 8.4.3

X X X Subset 2.2.7

X X X Superset 8.4.1

X X Subset 12.5.2

X X

X Superset 7.1

X Superset 7.1.1

X Superset 7.2

X Superset 7.2.1

X Superset 7.2.2
 X Superset 7.2.4

X Superset 7.2.6

X Superset 7.3

X Superset 7.3.1

X Superset 7.3.2

X Superset 10.3.1

X X X Equivalent 6.3.1

X X X Superset 6.3.3

X X X Subset 11.3
X X X Equivalent 6.3.1

X X X Superset 6.4.1

X X X

X X X

X X Subset 11.3.1

X X Subset 11.3.1.1

X X Subset 11.3.1.2
X X Subset 11.3.1.3

X X Superset 6.4.1

X X Superset 11.3.2

X X Subset 11.3.2.1

X X Subset 11.3.1

X X Subset 11.3.2
 X X Subset 11.3.2.1

X X X Superset 10.1

X X X Superset 10.1.1

X X X Superset 5.3.4

X X X Superset 6.4.1

X X X Superset 6.4.2

X X X Equivalent 10.2.1

X X X Superset 10.2.1.1

X X X Superset 10.2.1.2
X X X Superset 10.2.1.3

X X X Superset 10.2.1.4

X X X Superset 10.2.1.5

X X X Superset 10.2.1.6

X X X Superset 10.2.1.7

X X X Superset 10.2.2

X X X

X X Equivalent 10.6

X X Equivalent 10.6.1

X X Subset 10.6.2

X X Subset 10.6.3

X X Superset 9.4.5

X X Equivalent 10.2

X X Superset 10.2.1
 X X Superset 10.2.1.2

X X Superset 10.2.1.5

X X

X X

X X

X X Equivalent 10.3.3

X X Equivalent 10.5
X X Equivalent 10.5.1

X X Superset 10.4.1

X X Equivalent 10.4.1.1

X X Superset 10.4.2

X X Superset 10.4.3

X X X

X X X Subset 5.4.1

X X Subset 1.2.6
 X X Subset 1.4.2

X X Subset 2.2.4

X X Subset 1.4.3

X X Subset 5.4.1

X X Subset 5.4.1

X Subset 5.2.1

X Subset 5.4.1

X X X Subset 5.1.1

X X X Equivalent 5.2.1

X X X Superset 5.2.2

X X X Superset 5.3.2

X X X Equivalent 5.3.1

X X X

X X Equivalent 5.3.3
 X X

X X

X X Subset 5.3.2

X X X

X X X

X X X

X X X Superset 9.4.1

X X Superset 9.4.1.1

X X X

X X Superset 1.2.5

X X Superset 1.3.1

X X Superset 1.3.2

X X Superset 1.3.3

X X Superset 1.4.4
X X Superset 7.1

X X Superset 7.2.5.1

X X Superset 11.4.5

X X

X X Equivalent 1.2.3

X X

X X

X X

X X Superset 10.7
X X Superset 10.7.1

X X Superset 10.7.2

X X Superset 10.7.3

X X Subset 11.5

X X Superset 6.4.2

X X Subset 11.5.1
X X Subset 12.10.5

X X Superset 1.3.1

X X Superset 1.3.2

X X Superset 1.4.2

X X Superset 8.4.3

X X

X Superset 6.4.2

X Subset 11.5.1

X Subset 12.10.5
 X Subset 1.2.1

X Subset 1.2.5

X Subset 1.2.6

X Subset 2.2.4

X Subset 1.2.1

X Subset 1.2.5

X Subset 1.2.6

X Subset 12.10.5

X X X Superset 12.6

X X X Superset 12.6.1

X X X Superset 12.6.2
X X X Superset 12.6.3

X X X Superset 12.6.3.2

X X X Subset 12.6.3.1

X X X Equivalent 8.3.8

X X X

X X X

X X X

X X X

X X X Subset 12.6.3.2

X X Superset 9.5.1
 X X Superset 9.5.1.3

X X Superset 12.10.4

X X X Equivalent 12.8.1

X X Superset 12.8

X X Subset 12.8.5

X X Superset 11.4.7

X X Superset 12.4.1

X X Superset 12.8.2

X X Superset 12.8.5
X X Superset 12.9

X X Superset 12.9.1

X X Superset 12.9.2

X Equivalent 12.8.3

X Superset 8.2.7

X Superset 12.4.2

X Superset 12.4.2.1

X Equivalent 12.8.4

X
X X Equivalent 6.1

X X Superset 6.1.1

X X Superset 6.2.1

X X Superset 6.2.4

X X Superset 6.3.3

X X

X X
X X Subset 6.3.1

X X

X X

X X Subset 6.3.2

X X Subset 6.3.3

X X Subset 12.3.4

X X Subset 6.3.1
X X Subset 2.2.1

X X Equivalent 6.5.3

X X Equivalent 6.2.2

X X Superset 2.2.2

X X Subset 6.2.1

X X Subset 6.2.1

X Equivalent 6.2.3

X Superset 6.2.3.1
 X Subset 6.2.4

X Subset 12.3.2

X X X Superset 12.10.3

X X X Superset 12.10.4

X X X

X X X Subset 12.10
X X Equivalent 12.10.1

X X Superset 12.10.2

X X Superset 12.10.3

X X

X X

X X Subset 12.10.6

X Subset 12.10.5

X X Superset 11.1

X X Superset 11.1.1
X X Equivalent 11.4

X X Equivalent 11.4.1

X X Superset 11.4.2

X X Superset 11.4.3

X X Superset 11.4.4

X X Superset 11.4.5
X X Superset 11.4.6

X X Equivalent 11.4.3

X X Equivalent 11.4.4

X Equivalent 11.4.2
 Defined Approach Requirements

POI devices that capture payment card data via direct physical interaction with the payment card form factor are pro
tampering and unauthorized substitution, including the following:
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devi

An up-to-date list of POI devices is maintained, including:

• Make and model of the device.
• Location of device.
• Device serial number or other methods of unique identification.

Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.

Authorized and unauthorized wireless access points are managed as follows:

• The presence of wireless (Wi-Fi) access points is tested for,
• All authorized and unauthorized wireless access points are detected and identified,
• Testing, detection, and identification occurs at least once every three months.
• If automated monitoring is used, personnel are notified via generated alerts.
An inventory of authorized wireless access points is maintained, including a documented business justification.

PCI DSS scope is documented and validated.

An inventory of system components that are in scope for PCI DSS, including a description of function/use, is mainta
current.

Authorized and unauthorized wireless access points are managed as follows:

• The presence of wireless (Wi-Fi) access points is tested for,
• All authorized and unauthorized wireless access points are detected and identified,
• Testing, detection, and identification occurs at least once every three months.
• If automated monitoring is used, personnel are notified via generated alerts.
All services, protocols, and ports allowed are identified, approved, and have a defined business need.

An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and
maintained to facilitate vulnerability and patch management.

If any insecure services, protocols, or daemons are present:

• Business justification is documented.
• Additional security features are documented and implemented that reduce the risk of using insecure services, proto

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the follow
• Analysis that the technologies continue to receive security fixes from vendors promptly.
• Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
• Documentation of any industry announcements or trends related to a technology, such as when a vendor has anno
plans for a technology.
• Documentation of a plan, approved by senior management, to remediate outdated technologies, including those fo
have announced “end of life” plans.

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the follow
• Analysis that the technologies continue to receive security fixes from vendors promptly.
• Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
• Documentation of any industry announcements or trends related to a technology, such as when a vendor has anno
plans for a technology.
• Documentation of a plan, approved by senior management, to remediate outdated technologies, including those fo
have announced “end of life” plans.

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is remov

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is remov

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is remov
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
• A method is implemented to confirm that each script is authorized.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written justification as to why each is necessary.

Media with cardholder data is securely stored, accessed, distributed, and destroyed.

All media with cardholder data is classified in accordance with the sensitivity of the data.

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedur
that include at least the following:
• Coverage for all locations of stored account data.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a be
effective date; refer to Applicability Notes below for details.
• Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business re
• Specific retention requirements for stored account data that defines length of retention period and includes a docum
justification.
• Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention p
• A process for verifying, at least once every three months, that stored account data exceeding the defined retention
securely deleted or rendered unrecoverable.

All media with cardholder data is classified in accordance with the sensitivity of the data.

Inventories of electronic media with cardholder data are conducted at least once every 12 months.

PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant chan
environment. At a minimum, the scoping validation includes:
• Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebac
acceptance channels (for example, card-present, card-not-present, and e-commerce).
• Updating all data-flow diagrams per Requirement 1.2.4.
• Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) an
of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, an
• Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
• Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including jus
environments being out of scope.
• Identifying all connections from third-party entities with access to the CDE.
• Confirming that all identified data flows, account data, system components, segmentation controls, and connection
with access to the CDE are included in scope.
Inbound traffic to the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
Processes and mechanisms for restricting access to system components and cardholder data by business need to k
understood.

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedur
that include at least the following:
• Coverage for all locations of stored account data.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a be
effective date; refer to Applicability Notes below for details.
• Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business re
• Specific retention requirements for stored account data that defines length of retention period and includes a docum
justification.
• Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention p
• A process for verifying, at least once every three months, that stored account data exceeding the defined retention
securely deleted or rendered unrecoverable.

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedur
that include at least the following:
• Coverage for all locations of stored account data.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a be
effective date; refer to Applicability Notes below for details.
• Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business re
• Specific retention requirements for stored account data that defines length of retention period and includes a docum
justification.
• Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention p
• A process for verifying, at least once every three months, that stored account data exceeding the defined retention
securely deleted or rendered unrecoverable.

Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as fo
• Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
• Materials are stored in secure storage containers prior to destruction.

Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of t
• The electronic media is destroyed.
• The cardholder data is rendered unrecoverable so that it cannot be reconstructed.

All media with cardholder data is classified in accordance with the sensitivity of the data.

An accurate data-flow diagram(s) is maintained that meets the following:

• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
Inbound traffic to the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.

PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant chan
environment. At a minimum, the scoping validation includes:
• Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebac
acceptance channels (for example, card-present, card-not-present, and e-commerce).
• Updating all data-flow diagrams per Requirement 1.2.4.
• Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) an
of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, an
• Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
• Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including jus
environments being out of scope.
• Identifying all connections from third-party entities with access to the CDE.
• Confirming that all identified data flows, account data, system components, segmentation controls, and connection
with access to the CDE are included in scope.

If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to rend
it is implemented only as follows:
• On removable electronic media
OR
• If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets R

All non-console administrative access is encrypted using strong cryptography.

All security policies and operational procedures that are identified in Requirement 4 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over
networks:
• Only trusted keys and certificates are accepted.
• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are
revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of inse
algorithms, key sizes, or implementations.
• The encryption strength is appropriate for the encryption methodology in use.

Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong crypto
authentication and transmission.

PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.

Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all s
All security policies and operational procedures that are identified in Requirement 3 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.

Additional requirement for issuers and companies that support issuing services and store sensitive authentication da
Any storage of sensitive authentication data is:
• Limited to that which is needed for a legitimate issuing business need and is secured.
• Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Note

PAN is rendered unreadable anywhere it is stored by using any of the following approaches:
• One-way hashes based on strong cryptography of the entire PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
– If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in
additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
• Index tokens.
• Strong cryptography with associated key-management processes and procedures.

If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to rend
it is implemented only as follows:
• On removable electronic media
OR
• If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets R

If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to rend
it is managed as follows:
• Logical access is managed separately and independently of native operating system authentication and access co
• Decryption keys are not associated with user accounts.

Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all s

NSCs are implemented between trusted and untrusted networks.

System components that store cardholder data are not directly accessible from untrusted networks.

Audit logs are enabled and active for all system components and cardholder data.
Audit logs capture all individual user access to cardholder data.

All security policies and operational procedures that are identified in Requirement 1 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
Configuration standards for NSC (Network Security Controls) rulesets are:
• Defined.
• Implemented.
• Maintained.

Security features are defined and implemented for all services, protocols, and ports that are in use and considered t
that the risk is mitigated.

Security controls are implemented on any computing devices, including company- and employee-owned devices, tha
untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorize
on a case-by-case basis for a limited period.

Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.

All security policies and operational procedures that are identified in Requirement 2 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

Configuration standards are developed, implemented, and maintained to:

• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system compon
a production environment.

All security policies and operational procedures that are identified in Requirement 1 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
Configuration standards for NSC (Network Security Controls) rulesets are:
• Defined.
• Implemented.
• Maintained.

Security features are defined and implemented for all services, protocols, and ports that are in use and considered t
that the risk is mitigated.

Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.

Inbound traffic from untrusted networks to trusted networks is restricted to:

• Communications with system components that are authorized to provide publicly accessible services, protocols, an
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.

Security controls are implemented on any computing devices, including company- and employee-owned devices, tha
untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorize
on a case-by-case basis for a limited period.

All security policies and operational procedures that are identified in Requirement 2 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

Configuration standards are developed, implemented, and maintained to:

• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system compon
a production environment.

If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the ter

Configuration standards for NSC (Network Security Controls) rulesets are:

• Defined.
• Implemented.
• Maintained.

NSCs are implemented between trusted and untrusted networks.

Configuration standards for NSC (Network Security Controls) rulesets are:
• Defined.
• Implemented.
• Maintained.

Vendor default accounts are managed as follows:

• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.

For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are chan
are confirmed to be secure, including but not limited to:
• Default wireless encryption keys.
• Passwords or wireless access points.
• SNMP defaults.
• Any other security-related wireless vendor defaults.

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is remov

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these app
protected against known attacks as follows:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment to
follows:
– At least once every 12 months and after significant changes.
– By an entity that specializes in application security.
– Including, at a minimum, all common software attacks in Requirement 6.3.6.
– All vulnerabilities are ranked in accordance with requirement 6.2.1.
– All vulnerabilities are corrected.
– The application is re-evaluated after the corrections
OR
• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
– Installed in front of public-facing web applications to detect and prevent web-based attacks.
– Actively running and up to date as applicable.
– Generating audit logs.
– Configured to either block web-based attacks or generate an alert that is immediately investigated.
Invalid authentication attempts are limited by:
• Locking out the user ID after not more than 10 attempts.
• Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.

PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant chan
environment. At a minimum, the scoping validation includes:
• Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebac
acceptance channels (for example, card-present, card-not-present, and e-commerce).
• Updating all data-flow diagrams per Requirement 1.2.4.
• Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) an
of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, an
• Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
• Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including jus
environments being out of scope.
• Identifying all connections from third-party entities with access to the CDE.
• Confirming that all identified data flows, account data, system components, segmentation controls, and connection
with access to the CDE are included in scope.

Vendor default accounts are managed as follows:

• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.

If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for e
• Set to a unique value for first-time use and upon reset.
• Forced to be changed immediately after the first use.

If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following mi
complexity:
• A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight ch
• Contain both numeric and alphabetic characters.

Passwords/passphrases for any application and system accounts are protected against misuse as follows:
• Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, wh
according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.
• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity change
passwords/passphrases.
Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords

All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:
• At least once every six months.
• To ensure user accounts and access remain appropriate based on job function.
• Any inappropriate access is addressed.
• Management acknowledges that access remains appropriate.

Accounts used by third parties to access, support, or maintain system components via remote access are managed
• Enabled only during the time period needed and disabled when not in use.
• Use is monitored for unexpected activity.

An access control model is defined and includes granting access as follows:

• Appropriate access depending on the entity’s business and access needs.
• Access to system components and data resources that is based on users’ job classification and functions.
• The least privileges required (for example, user, administrator) to perform a job function.

Required privileges are approved by authorized personnel.

Processes and mechanisms for identifying users and authenticating access to system components are defined and

All security policies and operational procedures that are identified in Requirement 8 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

All users are assigned a unique ID before access to system components or cardholder data is allowed.

Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as f
• Authorized with the appropriate approval.
• Implemented with only the privileges specified on the documented approval.
Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as f
• Authorized with the appropriate approval.
• Implemented with only the privileges specified on the documented approval.

Access for terminated users is immediately revoked.

MFA is implemented for all remote network access originating from outside the entity’s network that could
the CDE as follows:
• All remote access by all personnel, both users and administrators, originating from outside the entity’s ne
• All remote access by third parties and vendors.

All non-console administrative access is encrypted using strong cryptography.

MFA is implemented for all non-console access into the CDE for personnel with administrative access.

PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant chan
environment. At a minimum, the scoping validation includes:
• Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebac
acceptance channels (for example, card-present, card-not-present, and e-commerce).
• Updating all data-flow diagrams per Requirement 1.2.4.
• Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) an
of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, an
• Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
• Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including jus
environments being out of scope.
• Identifying all connections from third-party entities with access to the CDE.
• Confirming that all identified data flows, account data, system components, segmentation controls, and connection
with access to the CDE are included in scope.

Processes and mechanisms for restricting access to system components and cardholder data by business
defined and understood.

All security policies and operational procedures that are identified in Requirement 7 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

Access to system components and data is appropriately defined and assigned.

An access control model is defined and includes granting access as follows:

• Appropriate access depending on the entity’s business and access needs.
• Access to system components and data resources that is based on users’ job classification and functions
• The least privileges required (for example, user, administrator) to perform a job function.

Access is assigned to users, including privileged users, based on:

• Job classification and function.
• Least privileges necessary to perform job responsibilities.
All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:
• At least once every six months.
• To ensure user accounts and access remain appropriate based on job function.
• Any inappropriate access is addressed.
• Management acknowledges that access remains appropriate.

All user access to query repositories of stored cardholder data is restricted as follows:
• Via applications or other programmatic methods, with access and allowed actions based on user roles and least pr
• Only the responsible administrator(s) can directly access or query repositories of stored CHD.

Access to system components and data is managed via an access control system(s).

An access control system(s) is in place that restricts access based on a user’s need to know and covers all system c

The access control system(s) is configured to enforce permissions assigned to individuals, applications, and system
classification and function.

Read access to audit logs files is limited to those with a job-related need.

Security vulnerabilities are identified and managed as follows:

• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, in
international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) a

All system components are protected from known vulnerabilities by installing applicable security patches/updates as
• Critical or high-security patches/updates are identified according to the risk ranking process at Requirement 6.3.1.
• Critical or high-security patches/updates are installed within one month of release.
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the e
within three months of release).

External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Security vulnerabilities are identified and managed as follows:
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, in
international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) a

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these app
protected against known attacks as follows:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment to
follows:
– At least once every 12 months and after significant changes.
– By an entity that specializes in application security.
– Including, at a minimum, all common software attacks in Requirement 6.3.6.
– All vulnerabilities are ranked in accordance with requirement 6.2.1.
– All vulnerabilities are corrected.
– The application is re-evaluated after the corrections
OR
• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
– Installed in front of public-facing web applications to detect and prevent web-based attacks.
– Actively running and up to date as applicable.
– Generating audit logs.
– Configured to either block web-based attacks or generate an alert that is immediately investigated.

Internal vulnerability scans are performed as follows:

• At least once every three months.
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3
• Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been re
• Scan tool is kept up to date with latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists.

All other applicable vulnerabilities (those not ranked as high-risk or critical (per the entity’s vulnerability risk rankings
Requirement 6.3.1) are managed as follows:
• Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elem
Requirement 12.3.1.
• Rescans are conducted as needed.

Internal vulnerability scans are performed via authenticated scanning as follows:

• Systems that are unable to accept credentials for authenticated scanning are documented.
• With sufficient privileges, for those systems that accept credentials for scanning.
• If accounts used for authenticated scanning can be used for interactive login, they are managed in accordance with
Internal scans are performed after any significant change as follows:
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are res
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to b

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these app
protected against known attacks as follows:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment to
follows:
– At least once every 12 months and after significant changes.
– By an entity that specializes in application security.
– Including, at a minimum, all common software attacks in Requirement 6.3.6.
– All vulnerabilities are ranked in accordance with requirement 6.2.1.
– All vulnerabilities are corrected.
– The application is re-evaluated after the corrections
OR
• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
– Installed in front of public-facing web applications to detect and prevent web-based attacks.
– Actively running and up to date as applicable.
– Generating audit logs.
– Configured to either block web-based attacks or generate an alert that is immediately investigated.

External vulnerability scans are performed as follows:

• At least once every three months.
• By PCI SSC Approved Scanning Vendor (ASV).
• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirem
scan.

External scans are performed after any significant change as follows:

• Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to b

Internal vulnerability scans are performed as follows:

• At least once every three months.
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3
• Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been re
• Scan tool is kept up to date with latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists.

External vulnerability scans are performed as follows:

• At least once every three months.
• By PCI SSC Approved Scanning Vendor (ASV).
• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirem
scan.
External scans are performed after any significant change as follows:
• Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to b

Processes and mechanisms for logging and monitoring all access to system components and cardholder d
and documented.

All security policies and operational procedures that are identified in Requirement 10 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

Audit logs for the anti-malware solution are enabled and retained in accordance with Requirement 10.5.1.

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these app
protected against known attacks as follows:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment to
follows:
– At least once every 12 months and after significant changes.
– By an entity that specializes in application security.
– Including, at a minimum, all common software attacks in Requirement 6.3.6.
– All vulnerabilities are ranked in accordance with requirement 6.2.1.
– All vulnerabilities are corrected.
– The application is re-evaluated after the corrections
OR
• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
– Installed in front of public-facing web applications to detect and prevent web-based attacks.
– Actively running and up to date as applicable.
– Generating audit logs.
– Configured to either block web-based attacks or generate an alert that is immediately investigated.

For public-facing web applications, an automated technical solution is deployed that continually detects and prevents
with at least the following:
• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
• Actively running and up to date as applicable.
• Generating audit logs.
• Configured to either block web-based attacks or generate an alert that is immediately investigated.

Audit logs are enabled and active for all system components and cardholder data.

Audit logs capture all individual user access to cardholder data.

Audit logs capture all actions taken by any individual with administrative access, including any interactive use of app
accounts.
Audit logs capture all access to audit logs.

Audit logs capture all invalid logical access attempts.

Audit logs capture all changes to identification and authentication credentials including, but not limited to:
• Creation of new accounts.
• Elevation of privileges.
• All changes, additions, or deletions to accounts with administrative access.
Audit logs capture the following:
• All initialization of new audit logs, and
• All starting, stopping, or pausing of the existing audit logs.

Audit logs capture all creation and deletion of system-level objects.

Audit logs record the following details for each auditable event:
• User identification.
• Type of event.
• Date and time.
• Success and failure indication.
• Origination of event.
• Identity or name of affected data, system component, resource, or service (for example, name and protocol).

Time-synchronization mechanisms support consistent time settings across all systems.

System clocks and time are synchronized using time-synchronization technology.

Systems are configured to the correct and consistent time as follows:

• One or more designated time servers are in use.
• Only the designated central time server(s) receives time from external sources.
• Time received from external sources is based on International Atomic Time or Coordinated Universal Tim
• The designated time server(s) accept time updates only from specific industry-accepted external sources
• Where there is more than one designated time server, the time servers peer with one another to keep acc
• Internal systems receive time information only from designated central time server(s).
Time synchronization settings and data are protected as follows:
• Access to time data is restricted to only personnel with a business need.
• Any changes to time settings on critical systems are logged, monitored, and reviewed.

Inventory logs of all electronic media with cardholder data are maintained.

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis o

Audit logs are enabled and active for all system components and cardholder data.
Audit logs capture all actions taken by any individual with administrative access, including any interactive use of app
accounts.

Audit logs capture all changes to identification and authentication credentials including, but not limited to:
• Creation of new accounts.
• Elevation of privileges.
• All changes, additions, or deletions to accounts with administrative access.

Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal
media that is difficult to modify.

Audit log history is retained and available for analysis.

Retain audit log history for at least 12 months, with at least the most recent three months immediately avai

The following audit logs are reviewed at least once daily:

• All security events.
• Logs of all system components that store, process, or transmit CHD and/or SAD.
• Logs of all critical system components.
• Logs of all servers and system components that perform security functions (for example, network security controls,
systems/intrusion-prevention systems (IDS/IPS), authentication servers).

Automated mechanisms are used to perform audit log reviews.

Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.

Exceptions and anomalies identified during the review process are addressed.

Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

Security features are defined and implemented for all services, protocols, and ports that are in use and considered t
that the risk is mitigated.
Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, an
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality
disabled.

Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted n

Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

An anti-malware solution(s) is deployed on all system components, except for those system components identified in
evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.

Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

All security policies and operational procedures that are identified in Requirement 5 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
An anti-malware solution(s) is deployed on all system components, except for those system components identified in
evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.
The deployed anti-malware solution(s):
• Detects all known types of malware.
• Removes, blocks, or contains all known types of malware.
The anti-malware solution(s):
• Performs periodic scans and active or real-time scans.
OR
• Performs continuous behavioral analysis of systems or processes.

The anti-malware solution(s) is kept current via automatic updates.

For removable electronic media, the anti-malware solution:

• Performs automatic scans of when the media is inserted, connected, or logically mounted,
OR
• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logica
The anti-malware solution(s):
• Performs periodic scans and active or real-time scans.
OR
• Performs continuous behavioral analysis of systems or processes.

Offline media backups with cardholder data are stored in a secure location.

The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Inbound traffic to the CDE is restricted as follows:

• To only traffic that is necessary.
• All other traffic is specifically denied.
Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.

NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE
• All wireless traffic from wireless networks into the CDE is denied by default.
• Only wireless traffic with an authorized business purpose is allowed into the CDE.

System components that store cardholder data are not directly accessible from untrusted networks.
Processes and mechanisms for restricting access to system components and cardholder data by business need to k
understood.

All access by application and system accounts and related access privileges are reviewed as follows:
• Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elem
Requirement 12.3.1).
• The application/system access remains appropriate for the function being performed.
• Any inappropriate access is addressed.
• Management acknowledges that that access remains appropriate.

If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation co
• At least once every 12 months and after any changes to segmentation controls/methods
• Covering all segmentation controls/methods in use.
• According to the entity’s defined penetration testing methodology.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requiremen
• Performed by a qualified internal resource or qualified external third party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).

An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, inc
networks.

Failures of critical security control systems are detected, reported, and responded to promptly.
Additional requirement for service providers only:
Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited t
following critical security control systems:
• Network security controls
• IDS/IPS
• FIM
• Anti-malware solutions
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used)

Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited t
following critical security control systems:
• Network security controls
• IDS/IPS
• Change-detection mechanisms
• Anti-malware solutions
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used)
• Audit log review mechanisms
• Automated security testing tools (if used)

Failures of any critical security controls systems are responded to promptly, including but not limited to:
• Restoring security functions.
• Identifying and documenting the duration (date and time from start to end) of the security failure.
• Identifying and documenting the cause(s) of failure and documenting required remediation.
• Identifying and addressing any security issues that arose during the failure.
• Determining whether further actions are required as a result of the security failure.
• Implementing controls to prevent the cause of failure from reoccurring.
• Resuming monitoring of security controls.

Network intrusions and unexpected file changes are detected and responded to.

For public-facing web applications, an automated technical solution is deployed that continually detects and prevents
with at least the following:
• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
• Actively running and up to date as applicable.
• Generating audit logs.
• Configured to either block web-based attacks or generate an alert that is immediately investigated.

Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the netw
• All traffic is monitored at the perimeter of the CDE.
• All traffic is monitored at critical points in the CDE.
• Personnel are alerted to suspected compromises.
• All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.
The security incident response plan includes monitoring and responding to alerts from security monitoring systems,
limited to:
• Intrusion-detection and intrusion-prevention systems.
• Network security controls.
• Change-detection mechanisms for critical files.
• The change-and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective da
Applicability Notes below for details.
• Detection of unauthorized wireless access points.

Inbound traffic to the CDE is restricted as follows:

• To only traffic that is necessary.
• All other traffic is specifically denied.
Outbound traffic from the CDE is restricted as follows:
• To only traffic that is necessary.
• All other traffic is specifically denied.
Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, an
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
MFA is implemented for all remote network access originating from outside the entity’s network that could
the CDE as follows:
• All remote access by all personnel, both users and administrators, originating from outside the entity’s ne
• All remote access by third parties and vendors.

For public-facing web applications, an automated technical solution is deployed that continually detects and prevents
with at least the following:
• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
• Actively running and up to date as applicable.
• Generating audit logs.
• Configured to either block web-based attacks or generate an alert that is immediately investigated.

Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the netw
• All traffic is monitored at the perimeter of the CDE.
• All traffic is monitored at critical points in the CDE.
• Personnel are alerted to suspected compromises.
• All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.

The security incident response plan includes monitoring and responding to alerts from security monitoring systems,
limited to:
• Intrusion-detection and intrusion-prevention systems.
• Network security controls.
• Change-detection mechanisms for critical files.
• The change-and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective da
Applicability Notes below for details.
• Detection of unauthorized wireless access points.
Configuration standards for NSC (Network Security Controls) rulesets are:
• Defined.
• Implemented.
• Maintained.

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Security features are defined and implemented for all services, protocols, and ports that are in use and considered t
that the risk is mitigated.

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is remov

Configuration standards for NSC (Network Security Controls) rulesets are:

• Defined.
• Implemented.
• Maintained.

All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Security features are defined and implemented for all services, protocols, and ports that are in use and considered t
that the risk is mitigated.

The security incident response plan includes monitoring and responding to alerts from security monitoring systems,
limited to:
• Intrusion-detection and intrusion-prevention systems.
• Network security controls.
• Change-detection mechanisms for critical files.
• The change-and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective da
Applicability Notes below for details.
• Detection of unauthorized wireless access points.

Security awareness education is an ongoing activity.

A formal security awareness program is implemented to make all personnel aware of the entity’s informatio
and procedures, and their role in protecting the cardholder data.

The security awareness program is:

• Reviewed at least once every 12 months, and
• Updated as needed to address any new threats and vulnerabilities that may impact the security of the en
information provided to personnel about their role in protecting cardholder data.
Personnel receive security awareness training as follows:
• Upon hire and at least once every 12 months.
• Multiple methods of communication are used.
• Personnel acknowledge at least once every 12 months that they have read and understood the informatio
and procedures.

Security awareness training includes awareness about the acceptable use of end-user technologies in accordance w
12.2.1.

Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the C
limited to:
• Phishing and related attacks.
• Social engineering.

Authentication policies and procedures are documented and communicated to all users including:
• Guidance on selecting strong authentication factors.
• Guidance for how users should protect their authentication factors.
• Instructions not to reuse previously used passwords/passphrases.
• Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphras
compromised and how to report the incident.

Security awareness training includes awareness about the acceptable use of end-user technologies in accordance w
12.2.1.

POI devices that capture payment card data via direct physical interaction with the payment card form facto
from tampering and unauthorized substitution, including the following:
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitutio
Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI d
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting the
or troubleshoot devices.
• Procedures to ensure devices are not installed, replaced, or returned without verification.
• Being aware of suspicious behavior around devices.
• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel.

Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodica
incident response responsibilities.

A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security o
maintained, including a description for each of the services provided.

Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by t
that are shared between the TPSP and the entity.

Additional requirement for third-party hosted/cloud service providers only:

Third-party hosted/cloud service providers support their customers for external penetration testing per Requirement

Additional requirement for service providers only:

Responsibility is established by executive management for the protection of cardholder data and a PCI DSS complia
include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management.

Written agreements with TPSPs are maintained as follows:

• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the secur
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account da
possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the se
CDE.

Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by t
that are shared between the TPSP and the entity.
Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.

Additional requirement for service providers only:

TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP pos
stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the c

Additional requirement for service providers only:

TPSPs support their customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 by providing the fo
customer request:
• PCI DSS compliance status information for any service the TPSP performs on behalf of customers (Requirement 1
• Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility
including any shared responsibilities (Requirement 12.8.5).

An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

Accounts used by third parties to access, support, or maintain system components via remote access are managed
• Enabled only during the time period needed and disabled when not in use.
• Use is monitored for unexpected activity.

Additional requirement for service providers only:

Reviews are performed at least once every three months, by personnel other than those responsible for performing
confirm personnel are performing their tasks, in accordance with all security policies and all operational procedures,
limited to the following tasks:
• Daily log reviews.
• Configuration reviews for network security controls.
• Applying configuration standards to new systems.
• Responding to security alerts.
• Change-management processes.

Additional requirement for service providers only:

Reviews conducted in accordance with Requirement 12.4.2 are documented to include:
• Results of the reviews.
• Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2.
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.

A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
Processes and mechanisms for developing and maintaining secure systems and software are defined and

All security policies and operational procedures that are identified in Requirement 6 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
Bespoke and custom software are developed securely, as follows:
• Based on industry standards and/or best practices for secure development.
• In accordance with PCI DSS (for example, secure authentication and logging).
• Incorporating consideration of information security issues during each stage of the software development lifecycle.

Software engineering techniques or other methods are defined and in use for bespoke and custom software by softw
personnel to prevent or mitigate common software attacks and related vulnerabilities, including but not limited to the
• Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
• Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
• Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implem
algorithms, cipher suites, or modes of operation.
• Attacks on business logic, including attempts to abuse or bypass application features and functionalities through th
APIs, communication protocols and channels, client-side functionality, or other system/application functions and reso
cross-site scripting (XSS) and cross-site request forgery (CSRF).
• Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or auth
mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
• Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirem

All system components are protected from known vulnerabilities by installing applicable security patches/updates as
• Critical or high-security patches/updates are identified according to the risk ranking process at Requirement 6.3.1.
• Critical or high-security patches/updates are installed within one month of release.
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the e
within three months of release).
Security vulnerabilities are identified and managed as follows:
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, in
international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) a

An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and
maintained to facilitate vulnerability and patch management.

All system components are protected from known vulnerabilities by installing applicable security patches/updates as
• Critical or high-security patches/updates are identified according to the risk ranking process at Requirement 6.3.1.
• Critical or high-security patches/updates are installed within one month of release.
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the e
within three months of release).

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the follow
• Analysis that the technologies continue to receive security fixes from vendors promptly.
• Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
• Documentation of any industry announcements or trends related to a technology, such as when a vendor has anno
plans for a technology.
• Documentation of a plan, approved by senior management, to remediate outdated technologies, including those fo
have announced “end of life” plans.

Security vulnerabilities are identified and managed as follows:

• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, in
international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) a
Configuration standards are developed, implemented, and maintained to:
• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system compon
a production environment.

Pre-production environments are separated from production environments and the separation is enforced with acce

Software development personnel working on bespoke and custom software are trained at least once every 12 month
• On software security relevant to their job function and development languages.
• Including secure software design and secure coding techniques.
• Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.

Vendor default accounts are managed as follows:

• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.

Bespoke and custom software are developed securely, as follows:

• Based on industry standards and/or best practices for secure development.
• In accordance with PCI DSS (for example, secure authentication and logging).
• Incorporating consideration of information security issues during each stage of the software development lifecycle.

Bespoke and custom software are developed securely, as follows:

• Based on industry standards and/or best practices for secure development.
• In accordance with PCI DSS (for example, secure authentication and logging).
• Incorporating consideration of information security issues during each stage of the software development lifecycle.

Bespoke and custom software is reviewed prior to being released into production or to customers, to identi
potential coding vulnerabilities, as follows:
• Code reviews ensure code is developed according to secure coding guidelines.
• Code reviews look for both existing and emerging software vulnerabilities.
• Appropriate corrections are implemented prior to release.
If manual code reviews are performed for bespoke and custom software prior to release to production, code change
• Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review tec
coding practices.
• Reviewed and approved by management prior to release.
Software engineering techniques or other methods are defined and in use for bespoke and custom software by softw
personnel to prevent or mitigate common software attacks and related vulnerabilities, including but not limited to the
• Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
• Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
• Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implem
algorithms, cipher suites, or modes of operation.
• Attacks on business logic, including attempts to abuse or bypass application features and functionalities through th
APIs, communication protocols and channels, client-side functionality, or other system/application functions and reso
cross-site scripting (XSS) and cross-site request forgery (CSRF).
• Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or auth
mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
• Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirem

A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customiz
include:
• Documented evidence detailing each element specified in Appendix D: Customized Approach (including,
controls matrix and risk analysis).
• Approval of documented evidence by senior management.
• Performance of the targeted analysis of risk at least once every 12 months.

Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security inci

Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodica
incident response responsibilities.

Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incide
includes, but is not limited to:
• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security
notification of payment brands and acquirers, at a minimum.
• Incident response procedures with specific containment and mitigation activities for different types of incidents.
• Business recovery and continuity procedures.
• Data backup processes.
• Analysis of legal requirements for reporting compromises.
• Coverage and responses of all critical system components.
• Reference or inclusion of incident response procedures from the payment brands.

At least once every 12 months, the security incident response plan is:
• Reviewed and the content is updated as needed.
• Tested, including all elements listed in Requirement 12.10.1.

Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security inci

The security incident response plan is modified and evolved according to lessons learned and to incorporate industr

The security incident response plan includes monitoring and responding to alerts from security monitoring systems,
limited to:
• Intrusion-detection and intrusion-prevention systems.
• Network security controls.
• Change-detection mechanisms for critical files.
• The change-and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective da
Applicability Notes below for details.
• Detection of unauthorized wireless access points.

Processes and mechanisms for regularly testing security of systems and networks are defined and unders

All security policies and operational procedures that are identified in Requirement 11 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security
corrected.

A penetration testing methodology is defined, documented, and implemented by the entity, and includes:
• Industry-accepted penetration testing approaches.
• Coverage for the entire CDE perimeter and critical systems.
• Testing from both inside and outside the network.
• Testing to validate any segmentation and scope-reduction controls.
• Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2
• Network-layer penetration tests that encompass all components that support network functions as well as
systems.
• Review and consideration of threats and vulnerabilities experienced in the last 12 months.
• Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and secu
found during penetration testing.
• Retention of penetration testing results and remediation activities results for at least 12 months.

Internal penetration testing is performed:

• Per the entity’s defined methodology,
• At least once every 12 months
• After any significant infrastructure or application upgrade or change
• By a qualified internal resource or qualified external third-party
• Organizational independence of the tester exists (not required to be a QSA or ASV).

External penetration testing is performed:

• Per the entity’s defined methodology
• At least once every 12 months
• After any significant infrastructure or application upgrade or change
• By a qualified internal resource or qualified external third party
• Organizational independence of the tester exists (not required to be a QSA or ASV).

Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:
• In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1
• Penetration testing is repeated to verify the corrections.

If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation co
• At least once every 12 months and after any changes to segmentation controls/methods
• Covering all segmentation controls/methods in use.
• According to the entity’s defined penetration testing methodology.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requiremen
• Performed by a qualified internal resource or qualified external third party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).
Additional requirement for service providers only:
If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation co
• At least once every six months and after any changes to segmentation controls/methods.
• Covering all segmentation controls/methods in use.
• According to the entity’s defined penetration testing methodology.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requiremen
• Performed by a qualified internal resource or qualified external third party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).

External penetration testing is performed:

• Per the entity’s defined methodology
• At least once every 12 months
• After any significant infrastructure or application upgrade or change
• By a qualified internal resource or qualified external third party
• Organizational independence of the tester exists (not required to be a QSA or ASV).

Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:
• In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1
• Penetration testing is repeated to verify the corrections.

Internal penetration testing is performed:

• Per the entity’s defined methodology,
• At least once every 12 months
• After any significant infrastructure or application upgrade or change
• By a qualified internal resource or qualified external third-party
• Organizational independence of the tester exists (not required to be a QSA or ASV).
The following PCI requirements are NOT mapped to the CIS Controls
1.1.2

1.2.2

1.2.8
1.4.5
2.1.2

2.2.3
2.2.6

2.3.2
3.1.2
3.3

3.3.1
3.3.1.1
3.3.1.2

3.3.1.3

3.4.1

3.4.2

3.5.1.1

3.6.1
3.6.1.1

3.6.1.2
3.6.1.3
3.6.1.4

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.7.7

3.7.8

3.7.9
4.1.2
4.2.1.1
5.1.2

5.2.3

5.2.3.1

5.3.2.1

5.3.5
6.1.2
6.5

6.5.1

6.5.2

6.5.4

6.5.5
6.5.6
7.1.2
7.3.3
8.1.2

8.2

8.2.2

8.2.3
8.3
8.3.1
8.3.3

8.3.7

8.3.9

8.3.10

8.3.10.1

8.3.11
8.4
8.4.2
8.5

8.5.1
8.6

8.6.1

8.6.2
9.1

9.1.1
9.1.2
9.2
9.2.1

9.2.1.1

9.2.2

9.2.3
9.2.4
9.3

9.3.1

9.3.1.1

9.3.2

9.3.3

9.3.4

9.4.3
9.4.4
9.5
9.5.1.2

9.5.1.2.1
10.1.2
10.3
10.3.2

10.3.4

10.4.2.1
11.1.2

11.5.1.1

11.5.2
11.6

11.6.1

12.1

12.1.1

12.1.2

12.1.3

12.1.4
12.2
12.2.1
12.3

12.3.1

12.3.3
12.4

12.5.2.1

12.5.3
12.7

12.7.1

12.10.4.1

12.10.7
The following PCI requirements are NOT mapped to the CIS Controls
Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.
All changes to network connections and to configurations of NSCs are approved and managed in accordance with th
change control process defined at Requirement 6.5.1.
Configuration files for NSCs are:
• Secured from unauthorized access.
• Kept consistent with active network configurations.
The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood.

Primary functions requiring different security levels are managed as follows:

• Only one primary function exists on a system component,
OR
• Primary functions with differing security levels that exist on the same system component are isolated from each oth
OR
• Primary functions with differing security levels on the same system component are all secured to the level required
function with the highest security need.
System security parameters are configured to prevent misuse.

For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are change
follows:
• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was neces
• Whenever a key is suspected of or known to be compromised.
Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood.
Sensitive authentication data (SAD) is not stored after authorization.
SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered
unrecoverable upon completion of the authorization process.
The full contents of any track are not retained upon completion of the authorization process.
The card verification code is not retained upon completion of the authorization process.

The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization pro

PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), suc
only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.
When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel,
for those with documented, explicit authorization and a legitimate, defined business need.

Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes o
entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and

Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against
disclosure and misuse that include:
• Access to keys is restricted to the fewest number of custodians necessary.
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
• Key-encrypting keys are stored separately from data-encrypting keys.
• Keys are stored securely in the fewest possible locations and forms.
Additional requirement for service providers only:
A documented description of the cryptographic architecture is maintained that includes:
• Details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength
expiry date.
• Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practi
its effective date; refer to Applicability Notes below for details.
• Description of the key usage for each key.
• Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptogra
devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4

Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following form
times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separa
the data-encrypting key.
• Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of
interaction device.
• As at least two full-length key components or key shares, in accordance with an industry-accepted method.
Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary.
Cryptographic keys are stored in the fewest possible locations.
Key-management policies and procedures are implemented to include generation of strong cryptographic keys used
protect stored account data.
Key-management policies and procedures are implemented to include secure distribution of cryptographic keys use
protect stored account data.
Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to
stored account data.

Key management policies and procedures are implemented for cryptographic key changes for keys that have reache
end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best
practices and guidelines, including the following:
• A defined cryptoperiod for each key type in use.
• A process for key changes at the end of the defined cryptoperiod.

Key management policies procedures are implemented to include the retirement, replacement, or destruction of key
to protect stored account data, as deemed necessary when:
• The key has reached the end of its defined cryptoperiod.
• The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key compone
leaves the company, or the role for which the key component was known.
• When keys are suspected of or known to be compromised.
• Retired or replaced keys are not used for encryption operations.

Where manual cleartext cryptographic key-management operations are performed by personnel, key-management p
and procedures are implemented include managing these operations using split knowledge and dual control.
Key management policies and procedures are implemented to include the prevention of unauthorized substitution of
cryptographic keys.
Key management policies and procedures are implemented to include that cryptographic key custodians formally
acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.
Additional requirement for service providers only:
Where a service provider shares cryptographic keys with its customers for transmission or storage of account data,
guidance on secure transmission, storage and updating of such keys is documented and distributed to the service p
customers.
Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.
An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained.
Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood.
Any system components that are not at risk for malware are evaluated periodically to include the following:
• A documented list of all system components not at risk for malware.
• Identification and evaluation of evolving malware threats for those system components.
• Confirmation whether such system components continue to not require anti-malware protection.
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the en
targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s
targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized b
management on a case-by-case basis for a limited time period.
Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.
Changes to all system components are managed securely.

Changes to all system components in the production environment are made according to established procedures tha
include:
• Reason for, and description of, the change.
• Documentation of security impact.
• Documented change approval by authorized parties.
• Testing to verify that the change does not adversely impact system security.
• For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before b
deployed into production.
• Procedures to address failures and return to a secure state.
Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all ne
changed systems and networks, and documentation is updated as applicable.
Roles and functions are separated between production and pre-production environments to provide accountability su
only reviewed and approved changes are deployed.
Live PANs are not used in pre-production environments, except where those environments are included in the CDE
protected in accordance with all applicable PCI DSS requirements.
Test data and test accounts are removed from system components before the system goes into production.
Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.
The access control system(s) is set to “deny all” by default.
Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood.

User identification and related accounts for users and administrators are strictly managed throughout an account’s li

Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an
exception basis, and are managed as follows:
• Account use is prevented unless needed for an exceptional circumstance.
• Use is limited to the time needed for the exceptional circumstance.
• Business justification for use is documented.
• Use is explicitly approved by management.
• Individual user identity is confirmed before access to an account is granted.
• Every action taken is attributable to an individual user.

Additional requirement for service providers only:

Service providers with remote access to customer premises use unique authentication factors for each customer pre
Strong authentication for users and administrators is established and managed.
All user access to system components for users and administrators is authenticated via at least one of the following
authentication factors:
• Something you know, such as a password or passphrase.
• Something you have, such as a token device or smart card.
• Something you are, such as a biometric element.
User identity is verified before modifying any authentication factor.
Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four
passwords/passphrases used.

If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authen
implementation) then either:
• Passwords/passphrases are changed at least once every 90 days,
OR
• The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically deter
accordingly.

Additional requirement for service providers only:

If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.
any single-factor authentication implementation), then guidance is provided to customer users including:
• Guidance for customers to change their user passwords/passphrases periodically.
• Guidance as to when, and under what circumstances, passwords/passphrases are changed.

Additional requirement for service providers only:

If passwords/passphrases are used as the only authentication factor for customer user access (i.e., in any single-fac
authentication implementation) then either:
• Passwords/passphrases are changed at least once every 90 days,
OR
• The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically deter
accordingly.
Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used:
• Factors are assigned to an individual user and not shared among multiple users.
• Physical and/or logical controls ensure only the intended user can use that factor to gain access.
Multi-factor authentication (MFA) is implemented to secure access into the CDE.
MFA is implemented for all access into the CDE.
Multi-factor authentication (MFA) systems are configured to prevent misuse.

MFA systems are implemented as follows:

• The MFA system is not susceptible to replay attacks.
• MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, an
authorized by management on an exception basis, for a limited time period.
• At least two different types of authentication factors are used.
• Success of all authentication factors is required before access is granted.
Use of application and system accounts and associated authentication factors are strictly managed.

If accounts used by systems or applications can be used for interactive login, they are managed as follows:
• Interactive use is prevented unless needed for an exceptional circumstance.
• Interactive use is limited to the time needed for the exceptional circumstance.
• Business justification for interactive use is documented.
• Interactive use is explicitly approved by management.
• Individual user identity is confirmed before access to account is granted.
• Every action taken is attributable to an individual user.
Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard
scripts, configuration/property files, or bespoke and custom source code.
Processes and mechanisms for restricting physical access to cardholder data are defined and understood.

All security policies and operational procedures that are identified in Requirement 9 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.
Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.
Physical access controls manage entry into facilities and systems containing cardholder data.
Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.

Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical acce
control mechanisms (or both) as follows:
• Entry and exit points to/from sensitive areas within the CDE are monitored.
• Monitoring devices or mechanisms are protected from tampering or disabling.
• Collected data is reviewed and correlated with other entries.
• Collected data is stored for at least three months, unless otherwise restricted by law.

Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility
Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication
within the facility is restricted.
Access to consoles in sensitive areas is restricted via locking when not in use.
Physical access for personnel and visitors is authorized and managed.

Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including:
• Identifying personnel.
• Managing changes to an individual’s physical access requirements.
• Revoking or terminating personnel identification.
• Limiting access to the identification process or system to authorized personnel.
Physical access to sensitive areas within the CDE for personnel is controlled as follows:
• Access is authorized and based on individual job function.
• Access is revoked immediately upon termination.
• All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination.

Procedures are implemented for authorizing and managing visitor access to the CDE, including:
• Visitors are authorized before entering.
• Visitors are escorted at all times.
• Visitors are clearly identified and given a badge or other identification that expires.
• Visitor badges or other identification visibly distinguishes visitors from personnel.

Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expira

A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas, includ
• The visitor’s name and the organization represented.
• The date and time of the visit.
• The name of the personnel authorizing physical access.
• Retaining the log for at least three months, unless otherwise restricted by law.
Media with cardholder data sent outside the facility is secured as follows:
• Media sent outside the facility is logged.
• Media is sent by secured courier or other delivery method that can be accurately tracked.
• Offsite tracking logs include details about media location.
Management approves all media with cardholder data that is moved outside the facility (including when media is dist
to individuals).
Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targ
risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.
Audit logs are protected from destruction and unauthorized modifications.
Audit log files are protected to prevent modifications by individuals.
File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cann
changed without generating alerts.

The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is define
entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1
Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood.
Additional requirement for service providers only:
Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware
communication channels.
A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
• To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files
• To perform critical file comparisons at least once weekly.
Unauthorized changes on payment pages are detected and responded to.

A change- and tamper-detection mechanism is deployed as follows:

• To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deleti
the HTTP headers and the contents of payment pages as received by the consumer browser.
• The mechanism is configured to evaluate the received HTTP header and payment page.
• The mechanism functions are performed as follows:
– At least once every seven days
OR
– Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elem
specified in Requirement 12.3.1).
A comprehensive information security policy that governs and provides direction for protection of the entity’s informa
assets is known and current.

An overall information security policy is:

• Established.
• Published.
• Maintained.
• Disseminated to all relevant personnel, as well as to relevant vendors and business partners.
The information security policy is:
• Reviewed at least once every 12 months.
• Updated as needed to reflect changes to business objectives or risks to the environment.
The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel a
aware of and acknowledge their information security responsibilities.
Responsibility for information security is formally assigned to a Chief Information Security Officer or other information
security knowledgeable member of executive management.
Acceptable use policies for end-user technologies are defined and implemented.
Acceptable use policies for end-user technologies are documented and implemented, including:
• Explicit approval by authorized parties.
• Acceptable uses of the technology.
• List of products approved by the company for employee use, including hardware and software.
Risks to the cardholder data environment are formally identified, evaluated, and managed.

Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to b
performed periodically) is supported by a targeted risk analysis that is documented and includes:
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performe
minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid
updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review.

Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, inclu
least the following:
• An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
• Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in
• A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
PCI DSS compliance is managed.

Additional requirement for service providers only:

PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant chan
the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 1
Additional requirement for service providers only:
Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS sco
applicability of controls, with results communicated to executive management.
Personnel are screened to reduce risks from insider threats.
Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire t
minimize the risk of attacks from internal sources.
The frequency of periodic training for incident response personnel is defined in the entity’s targeted risk analysis, wh
performed according to all elements specified in Requirement 12.3.1.

Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expec
include:
• Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migrat
the currently defined CDE, as applicable.
• Identifying whether sensitive authentication data is stored with PAN.
• Determining where the account data came from and how it ended up where it was not expected.
• Remediating data leaks or process gaps that resulted in the account data being where it was not expected.
The following CIS Safeguards are NOT mapped to PCI-DSS

1.3

1.4

1.5

2.4

3.6

3.13

4.6

4.9

4.11

4.12

5.4
5.6

6.3
6.7

7.3

7.4

8.3
8.6
8.7

8.8

8.12

9.1
10.3

10.5
10.6

11.1

11.2

11.3

12.1

12.3
12.5

12.6

12.7

12.8
13.6

13.7

14.4

14.5
14.6

14.7

15.7

16.1
16.1

16.3

16.4

17.2

17.6

17.7

18.4
The following CIS Safeguards are NOT mapped to PCI-DSS

Utilize an Active Discovery Tool

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Use a Passive Asset Discovery Tool

Utilize Automated Software Inventory Tools

Encrypt Data on End-User Devices

Deploy a Data Loss Prevention Solution

Securely Manage Enterprise Assets and Software

Configure Trusted DNS Servers on Enterprise Assets

Enforce Remote Wipe Capability on Portable End-User Devices

Separate Enterprise Workspaces on Mobile End-User Devices

Restrict Administrator Privileges to Dedicated Administrator Accounts

Centralize Account Management

Require MFA for Externally-Exposed Applications

Centralize Access Control

Perform Automated Operating System Patch Management

Perform Automated Application Patch Management

Ensure Adequate Audit Log Storage

Collect DNS Query Audit Logs
Collect URL Request Audit Logs

Collect Command-Line Audit Logs

Collect Service Provider Logs

Ensure Use of Only Fully Supported Browsers and Email Clients

Disable Autorun and Autoplay for Removable Media

Enable Anti-Exploitation Features

Centrally Manage Anti-Malware Software

Establish and Maintain a Data Recovery Process

Perform Automated Backups

Protect Recovery Data

Ensure Network Infrastructure is Up-to-Date

Securely Manage Network Infrastructure

Centralize Network Authentication, Authorization, and Auditing (AAA)

Use of Secure Network Management and Communication Protocols

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Establish and Maintain Dedicated Computing Resources for All Administrative Work
Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion Prevention Solution

Train Workforce on Data Handling Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure

Train Workforce Members on Recognizing and Reporting Security Incidents

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Securely Decommission Service Providers

Establish and Maintain a Secure Application Development Process

Establish and Maintain a Secure Application Development Process

Perform Root Cause Analysis on Security Vulnerabilities

Establish and Manage an Inventory of Third-Party Software Components

Establish and Maintain Contact Information for Reporting Security Incidents

Define Mechanisms for Communicating During Incident Response

Conduct Routine Incident Response Exercises

Validate Security Measures

Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discove
execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to upda
enterprise’s asset inventory at least weekly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documenta
installed software.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLoc
FileVault®, Linux® dm-crypt.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data sto
processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, a
the enterprise's sensitive data inventory.
Securely manage enterprise assets and software. Example implementations include managing configuration through
controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Se
(SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telne
Network) and HTTP, unless operationally essential.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
controlled DNS servers and/or reputable externally accessible DNS servers.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
stolen devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data
personal applications and data.

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computin
activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged accou
Centralize account management through a directory or identity service.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Perform operating system updates on enterprise assets through automated patch management on a monthly, or mo
basis.

Perform application updates on enterprise assets through automated patch management on a monthly, or more freq

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
remote administrative terminals.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
events, data creation and disposal events, and user management events.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
browsers and email clients provided through the vendor.
Disable autorun and autoplay auto-execute functionality for removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and
Gatekeeper™.
Centrally manage anti-malware software.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recov
prioritization, and the security of backup data. Review and update documentation annually, or when significant enter
changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based o
requirements.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more
to verify software support.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code
use of secure network protocols, such as SSH and HTTPS.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En
greater).
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise
on end-user devices.
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative
tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary
and not be allowed internet access.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
training workforce members on clear screen and desk best practices, such as locking their screen when they step aw
their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets s
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.

Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Securely decommission service providers. Example considerations include user and service account deactivation, te
of data flows, and secure disposal of enterprise data within service provider systems.
Establish and maintain a secure application development process. In the process, address such items as: secure ap
design standards, secure coding practices, developer training, vulnerability management, security of third-party code
application security testing procedures. Review and update documentation annually, or when significant enterprise c
occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process, address such items as: secure ap
design standards, secure coding practices, developer training, vulnerability management, security of third-party code
application security testing procedures. Review and update documentation annually, or when significant enterprise c
occur that could impact this Safeguard.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just
individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
materials,” as well as components slated for future use. This inventory is to include any risks that each third-party co
could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate
component is still supported.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may in
internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Inform
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that informat
to-date.

Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can
during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safe
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident respo
process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision
and workflows. Conduct testing on an annual basis, at a minimum.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to dete
techniques used during testing.