The NIST Cybersecurity Framework (CSF) provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework is composed of five primary functions: Identify, Protect, Detect, Respond, and Recover, each of which comprises various categories and subcategories of controls.
| Function | Category | Subcategory | Example Controls | Description |
|---|---|---|---|---|
| Identify | Asset Management (ID.AM) | ID.AM-1: Physical devices and systems within the organization are inventoried. | Asset Inventory System | Maintain an up-to-date inventory of all hardware devices and systems within the organization. Regularly update and review the inventory to ensure accuracy. |
| ID.AM-2: Software platforms and applications within the organization are inventoried. | Software Inventory Tools | Use automated tools to regularly scan and document all software applications and platforms in use. Ensure that the inventory is comprehensive and includes all versions and licenses. | ||
| Business Environment (ID.BE) | ID.BE-1: The organization’s role in the supply chain is identified and communicated. | Supply Chain Mapping | Document and communicate the organization's role and dependencies within the supply chain. Regularly review and update the supply chain documentation to reflect changes. | |
| ID.BE-2: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized. | Business Impact Analysis | Conduct a business impact analysis to understand and prioritize key business functions and their dependencies. Use the analysis to inform risk management and contingency planning. | ||
| Governance (ID.GV) | ID.GV-1: Organizational information security policy is established. | Information Security Policy | Develop, approve, and communicate an organization-wide information security policy. Ensure the policy is regularly reviewed and updated to reflect new security challenges and regulatory requirements. | |
| ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners. | Roles and Responsibilities Matrix | Define and document the information security roles and responsibilities across the organization and with external partners. Ensure that these roles are clearly communicated and understood. | ||
| Risk Assessment (ID.RA) | ID.RA-1: Asset vulnerabilities are identified and documented. | Vulnerability Assessment Tools | Conduct regular vulnerability assessments using automated tools and document identified vulnerabilities. Prioritize vulnerabilities based on their potential impact and likelihood of exploitation. | |
| ID.RA-2: Cyber threat intelligence is received from information-sharing forums and sources. | Threat Intelligence Feeds | Subscribe to and actively monitor threat intelligence feeds to receive up-to-date information on emerging threats. Integrate threat intelligence into the organization's risk management processes. | ||
| Risk Management Strategy (ID.RM) | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders. | Risk Management Framework | Develop and implement a comprehensive risk management framework tailored to the organization's needs and risk appetite. Ensure stakeholder engagement and agreement on risk management processes. | |
| ID.RM-2: Organizational risk tolerance is determined and clearly expressed. | Risk Tolerance Statements | Establish and communicate clear risk tolerance levels to all relevant stakeholders. Regularly review and update risk tolerance statements to reflect changes in the organization's risk profile. | ||
| Protect | Identity Management and Access Control (PR.AC) | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited. | Identity and Access Management System | Implement identity and access management (IAM) solutions to manage user identities and access rights throughout their lifecycle. Regularly audit IAM systems to ensure they are functioning correctly. |
| PR.AC-2: Physical access to assets is managed and protected. | Physical Access Control Systems | Use physical access control systems (e.g., key cards, biometric scanners) to secure access to critical facilities and assets. Regularly review and update physical access controls to ensure their effectiveness. | ||
| Awareness and Training (PR.AT) | PR.AT-1: All users are informed and trained. | Security Awareness Training Programs | Conduct regular security awareness training sessions for all employees to educate them on security policies and best practices. Use metrics to measure the effectiveness of training programs. | |
| PR.AT-2: Privileged users understand their roles and responsibilities. | Specialized Training for Privileged Users | Provide targeted training for users with privileged access to ensure they understand their specific roles and responsibilities. Regularly review and update training materials to address new threats and technologies. | ||
| Data Security (PR.DS) | PR.DS-1: Data-at-rest is protected. | Encryption Solutions for Data-at-Rest | Implement encryption technologies to protect sensitive data stored on physical media and databases. Regularly review and update encryption practices to ensure they meet current standards. | |
| PR.DS-2: Data-in-transit is protected. | Secure Communication Protocols (e.g., TLS, IPsec) | Use encryption protocols to secure data transmitted over networks, ensuring its confidentiality and integrity. Regularly review and update communication security practices to address new threats. | ||
| Information Protection Processes and Procedures (PR.IP) | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained. | Baseline Configuration Management Tools | Establish and maintain secure baseline configurations for all IT and industrial control systems. Regularly review and update baseline configurations to reflect changes in technology and threats. | |
| PR.IP-2: A system development life cycle to manage systems is implemented. | System Development Life Cycle (SDLC) | Follow a formal SDLC that includes security considerations at each stage of system development and deployment. Regularly review and update SDLC processes to ensure they incorporate the latest security best practices. | ||
| Maintenance (PR.MA) | PR.MA-1: Maintenance and repair of organizational assets are performed and logged. | Maintenance Logs | Keep detailed logs of all maintenance activities performed on critical assets, including dates, personnel involved, and actions taken. Regularly review and audit maintenance logs to ensure accuracy and compliance. | |
| PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. | Secure Remote Maintenance Procedures | Implement secure methods for remote maintenance, including the use of VPNs and logging all remote maintenance sessions. Regularly review and update remote maintenance procedures to address new threats. | ||
| Protective Technology (PR.PT) | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed. | Audit Log Management Systems | Establish and maintain audit logs for all critical systems, ensuring logs are regularly reviewed for suspicious activities. Regularly review and update audit log management practices to ensure they remain effective. | |
| PR.PT-2: Removable media is protected and its use restricted according to policy. | Removable Media Controls | Implement policies and controls to restrict and secure the use of removable media, such as USB drives. Regularly review and update removable media policies to address new security threats. | ||
| Detect | Anomalies and Events (DE.AE) | DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. | Network Baseline Monitoring Tools | Use network monitoring tools to establish normal operational baselines and detect anomalies. Regularly review and update network baselines to ensure they reflect current operations and threats. |
| DE.AE-2: Detected events are analyzed to understand attack targets and methods. | Event Analysis and Correlation Tools | Implement tools to analyze and correlate detected security events to understand attack vectors and targets. Regularly review and update event analysis processes to ensure they remain effective. | ||
| Security Continuous Monitoring (DE.CM) | DE.CM-1: The network is monitored to detect potential cybersecurity events. | Continuous Network Monitoring Solutions | Deploy continuous monitoring solutions to detect and respond to security events in real-time. Regularly review and update monitoring solutions to address new threats and vulnerabilities. | |
| DE.CM-2: The physical environment is monitored to detect potential cybersecurity events. | Physical Security Monitoring Systems | Use physical security systems, such as CCTV and motion sensors, to monitor and detect unauthorized access or other security events. Regularly review and update physical security monitoring practices to ensure they remain effective. | ||
| Detection Processes (DE.DP) | DE.DP-1: Roles and responsibilities for detection are well defined. | Incident Response Team Roles and Responsibilities | Define and document roles and responsibilities for the incident response team to ensure clear accountability. Regularly review and update roles and responsibilities to address changes in the organization and threat landscape. | |
| DE.DP-2: Detection activities comply with all applicable requirements. | Compliance Monitoring Tools | Ensure that detection processes and tools comply with relevant legal, regulatory, and organizational requirements. Regularly review and update compliance monitoring practices to ensure they remain effective. | ||
| Respond | Response Planning (RS.RP) | RS.RP-1: Response plan is executed during or after an incident. | Incident Response Plan | Develop, implement, and regularly test an incident response plan to ensure effective response to security incidents. Regularly review and update the incident response plan to address new threats and vulnerabilities. |
| Communications (RS.CO) | RS.CO-1: Personnel know their roles and order of operations when a response is needed. | Communication Plans for Incident Response | Provide clear communication plans and train personnel on their roles and responsibilities during incident response. Regularly review and update communication plans to ensure they remain effective. | |
| RS.CO-2: Incidents are reported consistent with established criteria. | Incident Reporting Procedures | Establish criteria and procedures for reporting incidents to relevant stakeholders and authorities. Regularly review and update incident reporting procedures to ensure they remain effective. | ||
| Analysis (RS.AN) | RS.AN-1: Notifications from detection systems are investigated. | Incident Analysis Tools | Investigate alerts and notifications from detection systems to determine their validity and impact. Regularly review and update incident analysis processes to ensure they remain effective. | |
| RS.AN-2: The impact of the incident is understood. | Impact Assessment Processes | Conduct thorough impact assessments to understand the scope and severity of security incidents. Use the results to inform response and recovery efforts. | ||
| Mitigation (RS.MI) | RS.MI-1: Incidents are contained. | Containment Strategies | Implement strategies to contain and limit the spread of security incidents. Regularly review and update containment strategies to address new threats and vulnerabilities. | |
| RS.MI-2: Incidents are mitigated. | Root Cause Analysis and Mitigation Measures | Apply root cause analysis and mitigation measures to address the underlying causes of incidents and prevent recurrence. Regularly review and update mitigation measures to ensure they remain effective. | ||
| Improvements (RS.IM) | RS.IM-1: Response plans incorporate lessons learned. | Post-Incident Review and Improvement Processes | Review and update incident response plans based on lessons learned from past incidents. Regularly conduct post-incident reviews to identify areas for improvement. | |
| RS.IM-2: Response strategies are updated. | Continuous Improvement of Response Strategies | Continuously improve response strategies to adapt to evolving threats and vulnerabilities. Regularly review and update response strategies to ensure they remain effective. | ||
| Recover | Recovery Planning (RC.RP) | RC.RP-1: Recovery plan is executed during or after a cybersecurity incident. | Disaster Recovery Plan | Develop, implement, and regularly test disaster recovery plans to ensure timely restoration of critical functions after incidents. Regularly review and update recovery plans to address new threats and vulnerabilities. |
| Improvements (RC.IM) | RC.IM-1: Recovery plans incorporate lessons learned. | Recovery Plan Review and Updates | Incorporate feedback and lessons learned from recovery efforts into future plans to improve effectiveness. Regularly review and update recovery plans based on lessons learned from past incidents. | |
| RC.IM-2: Recovery strategies are updated. | Regular Review and Update of Recovery Strategies | Regularly review and update recovery strategies to reflect changes in the business environment and technology landscape. Ensure recovery strategies remain effective in addressing new threats and vulnerabilities. | ||
| Communications (RC.CO) | RC.CO-1: Public relations are managed. | Crisis Communication Plans | Develop and implement communication plans to manage public relations during and after a cybersecurity incident. Regularly review and update communication plans to ensure they remain effective. | |
| RC.CO-2: Reputation after an event is repaired. | Reputation Management Strategies | Take proactive steps to repair and restore the organization's reputation following a cybersecurity incident. Regularly review and update reputation management strategies to ensure they remain effective. |