NIST Cybersecurity Framework to CISA Cybersecurity Performance Goals Mapping

The organizational mission is understood and informs cybersecurity risk management

Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered

Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

Outcomes, capabilities, and services that the organization depends on are understood and communicated

Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments

A cybersecurity risk management policy is established and enforced

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

Risk management objectives are established and agreed to by organizational stakeholders

Risk appetite and risk tolerance statements are established, communicated, and maintained

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

Strategic direction that describes appropriate risk response options is established and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions

Organizational leadership is responsible and accountable for cybersecurity risk

Cybersecurity roles, responsibilities, and authorities are established and enforced

Adequate resources are allocated to cybersecurity commensurate with risk

A cybersecurity supply chain risk management program is established

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Supply chain risk management is integrated into enterprise risk management processes

Changes and exceptions are managed, assessed for risk impact, and tracked

A cybersecurity policy is established, approved, and communicated

The estimated impact and scope of adverse events are understood

Information on adverse events is provided to authorized staff and tools

Incidents are declared when adverse events meet the defined criteria

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Relevant suppliers are included in incident planning, response, and recovery activities

Incident response plans and cybersecurity plans are established, maintained, and improved

Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Public updates on the incident and ongoing recovery are shared using approved methods and messaging

The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed

Forensics are performed

Execute the incident response plan in coordination with relevant third parties

Incidents are contained

Incidents are eradicated

Credentials are revoked immediately on known or suspected compromise

An incident response plan is documented and maintained

Incident response roles and contacts are designated and current

Incident response exercises are conducted at least annually

External service provider activities and services are monitored to detect potentially adverse events

A cybersecurity supply chain risk management program is established

Supply chain risk management plans include provisions for activities after a supplier relationship ends

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Supply chain risk management is integrated into enterprise risk management processes

Suppliers are known and prioritized by criticality

Cybersecurity requirements are integrated into contracts with suppliers

Due diligence is performed before entering into supplier relationships

Risks from suppliers are assessed, monitored, and responded to throughout the relationship

Relevant suppliers are included in incident planning, response, and recovery activities

Supply chain security practices are monitored throughout the technology product and service life cycle

Critical suppliers are assessed prior to acquisition

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Third-party vendors are required to meet minimum security standards

Third-party software and services are inventoried and assessed for risk

Vendor contracts include minimum cybersecurity requirements

Information is correlated from multiple sources

Alert thresholds are established

Networks and network services are monitored to detect adverse events

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Log records are generated and made available for continuous monitoring

Security logs are collected centrally and retained for investigation

Network and system anomalies are monitored and alerted on

Networks and network services are monitored to detect adverse events

Monitoring for unauthorized personnel, connections, devices, and software is performed

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Log records are generated and made available for continuous monitoring

Security logs are collected centrally and retained for investigation

Network and system anomalies are monitored and alerted on

External service provider activities and services are monitored to detect potentially adverse events

Outcomes, capabilities, and services that the organization depends on are understood and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

Inventories of services provided by suppliers are maintained

Third-party vendors are required to meet minimum security standards

Third-party software and services are inventoried and assessed for risk

Information is correlated from multiple sources

Alert thresholds are established

Networks and network services are monitored to detect adverse events

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Endpoint detection and response (EDR) is deployed on all managed devices

Information on adverse events is provided to authorized staff and tools

Incidents are declared when adverse events meet the defined criteria

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

Escalate or elevate incidents as needed

Incident response roles and contacts are designated and current

Malicious code is detected

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Installation and execution of unauthorized software are prevented

Incidents are contained

Endpoint detection and response (EDR) is deployed on all managed devices

Vulnerability scans are performed

Improvements are identified from evaluations

Incidents are eradicated

Vulnerability scanning is performed regularly on all systems

Critical and high vulnerabilities are remediated within defined SLAs

Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Public updates on the incident and ongoing recovery are shared using approved methods and messaging

Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved

Escalate or elevate incidents as needed

Vendor contracts include minimum cybersecurity requirements

Execute the recovery plan once the incident response process initiates recovery

The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed

The end of incident recovery is declared based on criteria, and incident-related documentation is completed

Backups of critical data are maintained and tested

Recovery procedures are documented and tested

Investigate contributing factors to confirmed incidents

Forensics are performed

Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved

Incident data and metadata are collected, and their integrity and provenance are preserved

Security logs are collected centrally and retained for investigation

Incidents are declared when adverse events meet the defined criteria

Improvements are identified from security tests and exercises

Incident response plans and cybersecurity plans are established, maintained, and improved

Incident response exercises are conducted at least annually

Networks and network services are monitored to detect adverse events

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Log records are generated and made available for continuous monitoring

Security logs are collected centrally and retained for investigation

Vulnerability scans are performed

Vulnerabilities in assets are identified, validated, and recorded

Critical and high CVEs are patched within 14 days; all others within 30 days

CISA Known Exploited Vulnerabilities are remediated on priority timelines

Supply chain security practices are monitored throughout the technology product and service life cycle

The hardware and firmware of platforms are managed

The software of platforms is managed, including operating systems and applications

Critical and high vulnerabilities are remediated within defined SLAs

Incident response plans and cybersecurity plans are established, maintained, and improved

Execute the recovery plan once the incident response process initiates recovery

Execute the incident response plan in coordination with relevant third parties

An incident response plan is documented and maintained

Identities are proofed and bound to credentials based on the context of interactions

Users, services, and hardware are authenticated

Multi-factor authentication is required for all user accounts

Phishing-resistant MFA is enforced for privileged and high-value accounts

Identities are proofed and bound to credentials based on the context of interactions

Users, services, and hardware are authenticated

Multi-factor authentication is required for all user accounts

Strong password policies are enforced at the identity provider, including breached-password checks

The confidentiality, integrity, and availability of data-at-rest are protected

The confidentiality, integrity, and availability of data-in-transit are protected

Sensitive data at rest is encrypted using current standards

Full-disk encryption is enforced on all endpoints and portable storage

Personnel activity and technology usage are monitored to detect potentially adverse events

Cybersecurity is included in human resources practices

Employee and contractor offboarding revokes all access within 24 hours

Vulnerability scans are performed

Critical and high CVEs are patched within 14 days; all others within 30 days

Critical and high vulnerabilities are remediated within defined SLAs

Vulnerability scans are performed

Vulnerabilities in assets are identified, validated, and recorded

Critical and high CVEs are patched within 14 days; all others within 30 days

A cybersecurity risk management policy is established and enforced

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

A cybersecurity policy is established, approved, and communicated

Cybersecurity is included in human resources practices

Identities and credentials are managed for authorized users and devices

Employee and contractor offboarding revokes all access within 24 hours

Inventories of hardware assets are maintained

An inventory of authorized hardware and software assets is maintained

Devices are configured securely with hardened baselines

Inventories of software assets are maintained

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Software is obtained from trusted sources and integrity is verified

Cyber threat intelligence is received from information sharing forums and sources

Security incidents are reported to CISA when applicable

CISA Known Exploited Vulnerabilities are remediated on priority timelines

Identities are proofed and bound to credentials based on the context of interactions

Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind

Employees are trained to recognize and report phishing attempts

Re-establish critical mission functions and cybersecurity services

Backups of critical data are maintained and tested

Recovery procedures are documented and tested

The end of incident recovery is declared based on criteria, and incident-related documentation is completed

A cybersecurity policy is established, approved, and communicated

An incident response plan is documented and maintained

A baseline of network operations and expected data flows is established and managed

Devices are configured securely with hardened baselines

A baseline of network operations and expected data flows is established and managed

Network and system anomalies are monitored and alerted on

Information on adverse events is provided to authorized staff and tools

Network and system anomalies are monitored and alerted on

Personnel activity and technology usage are monitored to detect potentially adverse events

Sensitive data is inventoried and classified by type

Malicious code is detected

Endpoint detection and response (EDR) is deployed on all managed devices

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Network and system anomalies are monitored and alerted on

Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

Critical and high vulnerabilities are remediated within defined SLAs

Cybersecurity roles, responsibilities, and authorities are established and enforced

Incident response roles and contacts are designated and current

Supply chain risk management plans include provisions for activities after a supplier relationship ends

Employee and contractor offboarding revokes all access within 24 hours

Cybersecurity requirements are integrated into contracts with suppliers

Third-party vendors are required to meet minimum security standards

Cybersecurity requirements are integrated into contracts with suppliers

Third-party vendors are required to meet minimum security standards

Improvements are identified from security tests and exercises

Penetration testing or red team exercises are conducted at least annually

Improvements are identified from security tests and exercises

Penetration testing or red team exercises are conducted at least annually

Identities are proofed and bound to credentials based on the context of interactions

Strong password policies are enforced at the identity provider, including breached-password checks

Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties

Privileged accounts are separated and access is minimized

Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind

All employees receive security awareness training at least annually

Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind

All employees receive security awareness training at least annually

Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind

Employees are trained to recognize and report phishing attempts

The confidentiality, integrity, and availability of data-at-rest are protected

Sensitive data at rest is encrypted using current standards

The confidentiality, integrity, and availability of data-at-rest are protected

Sensitive data at rest is encrypted using current standards

The confidentiality, integrity, and availability of data-in-transit are protected

Data in transit is encrypted using modern protocols

Backups of data are created, protected, maintained, and tested

Backups of critical data are maintained and tested

Networks and environments are protected from unauthorized logical access

Network segmentation isolates critical systems

Networks and environments are protected from unauthorized logical access

Network segmentation isolates critical systems

Networks and environments are protected from unauthorized logical access

Network segmentation isolates critical systems

Data are destroyed according to policy when platforms or storage media are decommissioned

Sensitive data is securely disposed of when no longer needed

Log records are generated and made available for continuous monitoring

Security logs are collected centrally and retained for investigation

The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed

Software is obtained from trusted sources and integrity is verified

The impact of the incident is understood

Sensitive data is inventoried and classified by type

Incidents are contained

Network segmentation isolates critical systems