NIST Cybersecurity Framework Security Controls
Version 2.0
The NIST Cybersecurity Framework 2.0 provides guidance for organizations to manage and reduce cybersecurity risk. It is organized around six core functions (Govern, Identify, Protect, Detect, Respond, and Recover) that apply to any organization regardless of size, sector, or maturity.
113 total controls
29 critical priority
514h est. implementation
6 trust service categories
Public domain, published by the U.S. National Institute of Standards and Technology
Govern
31 controls
Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
Organizational Context
The organizational mission is understood and informs cybersecurity risk management
Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
Outcomes, capabilities, and services that the organization depends on are understood and communicated
Oversight
Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy
The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments
Policy
Risk Management Strategy
Risk management objectives are established and agreed to by organizational stakeholders
Risk appetite and risk tolerance statements are established, communicated, and maintained
Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Strategic direction that describes appropriate risk response options is established and communicated
Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions
Roles, Responsibilities, and Authorities
Organizational leadership is responsible and accountable for cybersecurity risk
Cybersecurity roles, responsibilities, and authorities are established and enforced
Adequate resources are allocated to cybersecurity commensurate with risk
Cybersecurity is included in human resources practices
Cybersecurity Supply Chain Risk Management
A cybersecurity supply chain risk management program is established
Supply chain risk management plans include provisions for activities after a supplier relationship ends
Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated
Supply chain risk management is integrated into enterprise risk management processes
Suppliers are known and prioritized by criticality
Cybersecurity requirements are integrated into contracts with suppliers
Due diligence is performed before entering into supplier relationships
Risks from suppliers are assessed, monitored, and responded to throughout the relationship
Relevant suppliers are included in incident planning, response, and recovery activities
Supply chain security practices are monitored throughout the technology product and service life cycle
Identify
21 controls
Understand the organization's assets, suppliers, and related cybersecurity risks.
Asset Management
Inventories of hardware assets are maintained
Inventories of software assets are maintained
Authorized network communication and data flow representations are maintained
Inventories of services provided by suppliers are maintained
Assets are prioritized based on classification, criticality, and mission impact
Inventories of data and corresponding metadata for designated data types are maintained
Systems, hardware, software, services, and data are managed throughout their life cycles
Improvement
Improvements are identified from evaluations
Improvements are identified from security tests and exercises
Improvements are identified from execution of operational processes and activities
Incident response plans and cybersecurity plans are established, maintained, and improved
Risk Assessment
Vulnerabilities in assets are identified, validated, and recorded
Critical suppliers are assessed prior to acquisition
Cyber threat intelligence is received from information sharing forums and sources
Internal and external threats to the organization are identified and recorded
Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
Risk information is used to understand inherent risk and prioritize responses
Risk responses are chosen, prioritized, planned, tracked, and communicated
Changes and exceptions are managed, assessed for risk impact, and tracked
Processes for receiving, analyzing, and responding to vulnerability disclosures are established
The authenticity and integrity of hardware and software are assessed prior to acquisition and use
Protect
22 controls
Use safeguards to prevent or reduce cybersecurity risks.
Identity Management, Authentication, and Access Control
Identities and credentials are managed for authorized users and devices
Identities are proofed and bound to credentials based on the context of interactions
Users, services, and hardware are authenticated
Identity assertions are protected, conveyed, and verified
Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties
Physical access to assets is managed, monitored, and enforced commensurate with risk
Awareness and Training
Data Security
The confidentiality, integrity, and availability of data-at-rest are protected
The confidentiality, integrity, and availability of data-in-transit are protected
Data are destroyed according to policy when no longer needed
Backups of data are created, protected, maintained, and tested
Technology Infrastructure Resilience
Networks and environments are protected from unauthorized logical access
Technology assets are protected from environmental threats
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Adequate resource capacity to ensure availability is maintained
Platform Security
The hardware and firmware of platforms are managed
The software of platforms is managed, including operating systems and applications
Data are destroyed according to policy when platforms or storage media are decommissioned
Log records are generated and made available for continuous monitoring
Installation and execution of unauthorized software are prevented
Secure software development practices are integrated and their security is evaluated
Detect
17 controls
Find and analyze possible cybersecurity attacks and compromises.
Adverse Event Analysis
A baseline of network operations and expected data flows is established and managed
Potentially adverse events are analyzed to better understand associated activities
Information is correlated from multiple sources
The estimated impact and scope of adverse events are understood
Alert thresholds are established
Information on adverse events is provided to authorized staff and tools
Cyber threat intelligence and other contextual information are integrated into the analysis
Incidents are declared when adverse events meet the defined criteria
Continuous Monitoring
Networks and network services are monitored to detect adverse events
The physical environment is monitored to detect potential cybersecurity events
Personnel activity and technology usage are monitored to detect potentially adverse events
Malicious code is detected
Unauthorized network connections are detected
External service provider activities and services are monitored to detect potentially adverse events
Monitoring for unauthorized personnel, connections, devices, and software is performed
Vulnerability scans are performed
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Respond
14 controls
Take action regarding a detected cybersecurity incident.
Incident Analysis
Investigate contributing factors to confirmed incidents
The impact of the incident is understood
Forensics are performed
Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Incident data and metadata are collected, and their integrity and provenance are preserved
Incident Response Reporting and Communication
Incident Management
Execute the incident response plan in coordination with relevant third parties
Triage and validate incident reports
Categorize and prioritize incidents
Escalate or elevate incidents as needed
Apply the criteria for initiating incident recovery
Recover
8 controls
Restore assets and operations that were impacted by a cybersecurity incident.
Incident Recovery Communication
Incident Recovery Plan Execution
Execute the recovery plan once the incident response process initiates recovery
Select, scope, prioritize, and perform recovery actions
Verify the integrity of backups and restoration assets before use
Re-establish critical mission functions and cybersecurity services
The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed
The end of incident recovery is declared based on criteria, and incident-related documentation is completed