NIST Cybersecurity Framework
Version 2.0
The NIST Cybersecurity Framework 2.0 provides guidance for organizations to manage and reduce cybersecurity risk. It is organized around six core functions (Govern, Identify, Protect, Detect, Respond, and Recover) that apply to any organization regardless of size, sector, or maturity.
GOVERN
Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.

Organizational Context
- The organizational mission is understood and informs cybersecurity risk management
- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
- Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
- Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
- Outcomes, capabilities, and services that the organization depends on are understood and communicated

Oversight
- Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy
- The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
- Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments

Policy
- A cybersecurity risk management policy is established and enforced
- The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

Risk Management Strategy
- Risk management objectives are established and agreed to by organizational stakeholders
- Risk appetite and risk tolerance statements are established, communicated, and maintained
- Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
- Strategic direction that describes appropriate risk response options is established and communicated
- Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
- A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
- Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions

Roles, Responsibilities, and Authorities
- Organizational leadership is responsible and accountable for cybersecurity risk
- Cybersecurity roles, responsibilities, and authorities are established and enforced
- Adequate resources are allocated to cybersecurity commensurate with risk
- Cybersecurity is included in human resources practices

Cybersecurity Supply Chain Risk Management
- A cybersecurity supply chain risk management program is established
- Supply chain risk management plans include provisions for activities after a supplier relationship ends
- Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated
- Supply chain risk management is integrated into enterprise risk management processes
- Suppliers are known and prioritized by criticality
- Cybersecurity requirements are integrated into contracts with suppliers
- Due diligence is performed before entering into supplier relationships
- Risks from suppliers are assessed, monitored, and responded to throughout the relationship
- Relevant suppliers are included in incident planning, response, and recovery activities
- Supply chain security practices are monitored throughout the technology product and service life cycle
IDENTIFY
Understand the organization's assets, suppliers, and related cybersecurity risks.

Asset Management
- Inventories of hardware assets are maintained
- Inventories of software assets are maintained
- Authorized network communication and data flow representations are maintained
- Inventories of services provided by suppliers are maintained
- Assets are prioritized based on classification, criticality, and mission impact
- Inventories of data and corresponding metadata for designated data types are maintained
- Systems, hardware, software, services, and data are managed throughout their life cycles

Improvement
- Improvements are identified from evaluations
- Improvements are identified from security tests and exercises
- Improvements are identified from execution of operational processes and activities
- Incident response plans and cybersecurity plans are established, maintained, and improved

Risk Assessment
- Vulnerabilities in assets are identified, validated, and recorded
- Critical suppliers are assessed prior to acquisition
- Cyber threat intelligence is received from information sharing forums and sources
- Internal and external threats to the organization are identified and recorded
- Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
- Risk information is used to understand inherent risk and prioritize responses
- Risk responses are chosen, prioritized, planned, tracked, and communicated
- Changes and exceptions are managed, assessed for risk impact, and tracked
- Processes for receiving, analyzing, and responding to vulnerability disclosures are established
- The authenticity and integrity of hardware and software are assessed prior to acquisition and use
PROTECT
Use safeguards to prevent or reduce cybersecurity risks.

Identity Management, Authentication, and Access Control
- Identities and credentials are managed for authorized users and devices
- Identities are proofed and bound to credentials based on the context of interactions
- Users, services, and hardware are authenticated
- Identity assertions are protected, conveyed, and verified
- Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties
- Physical access to assets is managed, monitored, and enforced commensurate with risk

Awareness and Training
- Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind
- Individuals in specialized roles receive role-specific cybersecurity training

Data Security
- The confidentiality, integrity, and availability of data-at-rest are protected
- The confidentiality, integrity, and availability of data-in-transit are protected
- Data are destroyed according to policy when no longer needed
- Backups of data are created, protected, maintained, and tested

Technology Infrastructure Resilience
- Networks and environments are protected from unauthorized logical access
- Technology assets are protected from environmental threats
- Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
- Adequate resource capacity to ensure availability is maintained

Platform Security
- The hardware and firmware of platforms are managed
- The software of platforms is managed, including operating systems and applications
- Data are destroyed according to policy when platforms or storage media are decommissioned
- Log records are generated and made available for continuous monitoring
- Installation and execution of unauthorized software are prevented
- Secure software development practices are integrated and their security is evaluated
DETECT
Find and analyze possible cybersecurity attacks and compromises.

Adverse Event Analysis
- A baseline of network operations and expected data flows is established and managed
- Potentially adverse events are analyzed to better understand associated activities
- Information is correlated from multiple sources
- The estimated impact and scope of adverse events are understood
- Alert thresholds are established
- Information on adverse events is provided to authorized staff and tools
- Cyber threat intelligence and other contextual information are integrated into the analysis
- Incidents are declared when adverse events meet the defined criteria

Continuous Monitoring
- Networks and network services are monitored to detect adverse events
- The physical environment is monitored to detect potential cybersecurity events
- Personnel activity and technology usage are monitored to detect potentially adverse events
- Malicious code is detected
- Unauthorized network connections are detected
- External service provider activities and services are monitored to detect potentially adverse events
- Monitoring for unauthorized personnel, connections, devices, and software is performed
- Vulnerability scans are performed
- Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
RESPOND
Take action regarding a detected cybersecurity incident.

Incident Analysis
- Investigate contributing factors to confirmed incidents
- The impact of the incident is understood
- Forensics are performed
- Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
- Incident data and metadata are collected, and their integrity and provenance are preserved

Incident Response Reporting and Communication
- Internal and external stakeholders are notified of incidents in a timely manner
- Information is shared with designated internal and external stakeholders

Incident Management
- Execute the incident response plan in coordination with relevant third parties
- Triage and validate incident reports
- Categorize and prioritize incidents
- Escalate or elevate incidents as needed
- Apply the criteria for initiating incident recovery

Incident Mitigation
- Incidents are contained
- Incidents are eradicated
RECOVER
Restore assets and operations that were impacted by a cybersecurity incident.

Incident Recovery Communication
- Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
- Public updates on the incident and ongoing recovery are shared using approved methods and messaging

Incident Recovery Plan Execution
- Execute the recovery plan once the incident response process initiates recovery
- Select, scope, prioritize, and perform recovery actions
- Verify the integrity of backups and restoration assets before use
- Re-establish critical mission functions and cybersecurity services
- The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed
- The end of incident recovery is declared based on criteria, and incident-related documentation is completed