NIST Cybersecurity Framework: Identify Security Controls
Understand the organization's assets, suppliers, and related cybersecurity risks.
Asset Management
Inventories of hardware assets are maintained
You cannot protect assets you do not know exist. A complete, current inventory of every device (lapt...
Inventories of software assets are maintained
Unmanaged software is a primary attack vector. Outdated packages, unlicensed tools, and shadow IT al...
Authorized network communication and data flow representations are maintained
Knowing what devices and software you own is not enough if you do not know how they talk to each oth...
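As an added example (not part of the page or of NIST's framework text), the following Python compares flows observed in a log against an authorized data-flow representation expressed as zone-to-zone rules. The zone CIDRs, the authorized-flow table and the key=value flow log lines are constructed sample data, and the log layout is an assumption rather than any vendor's format:

```python
"""Compare observed network flows with the authorized data-flow representation.

Added example; not code from the page or from NIST. Zone CIDRs, the
authorized-flow table and the flow log lines are constructed sample data,
and the key=value log layout is an assumption, not a vendor format.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed zone map: which network segment holds which class of asset.
ZONES = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed authorized data flows: (source zone, destination zone, protocol, destination port).
AUTHORIZED = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
    ("corp", "web", "tcp", 443),
}

# Constructed flow records. Only permitted traffic is shown: the point is to
# find traffic the firewall allowed but the data-flow map does not describe.
FLOW_LOG = """\
ts=2024-05-01T10:00:01Z src=10.1.0.15 dst=10.2.0.8 proto=tcp dport=8443 action=allow
ts=2024-05-01T10:00:02Z src=10.2.0.8 dst=10.3.0.4 proto=tcp dport=5432 action=allow
ts=2024-05-01T10:00:03Z src=10.1.0.15 dst=10.3.0.4 proto=tcp dport=5432 action=allow
ts=2024-05-01T10:00:04Z src=10.10.4.9 dst=10.3.0.4 proto=tcp dport=22 action=allow
ts=2024-05-01T10:00:05Z src=192.168.77.2 dst=10.2.0.8 proto=tcp dport=8443 action=allow
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def zone_of(ip: str) -> str:
    """Name of the inventoried segment containing ip, or 'unknown' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(log: str) -> list[dict[str, str]]:
    return [dict(FIELD.findall(line)) for line in log.splitlines() if line.strip()]


def flow_key(rec: dict[str, str]) -> tuple[str, str, str, int]:
    return (zone_of(rec["src"]), zone_of(rec["dst"]), rec["proto"], int(rec["dport"]))


def unauthorized_flows(log: str) -> list[tuple[str, str, str, int, str]]:
    """Observed flows the authorized map does not cover, with the source IP
    appended so the finding can be traced back to a device in the inventory.
    An 'unknown' zone means the address is in no inventoried segment and is
    therefore always reported."""
    return [flow_key(rec) + (rec["src"],)
            for rec in parse_flows(log)
            if flow_key(rec) not in AUTHORIZED]


def stale_authorizations(log: str) -> list[tuple[str, str, str, int]]:
    """Authorized flows never observed in the log window: candidates for
    removal from the map, or evidence that the map describes a path that
    no longer exists."""
    observed = {flow_key(rec) for rec in parse_flows(log)}
    return sorted(AUTHORIZED - observed)


if __name__ == "__main__":
    for finding in unauthorized_flows(FLOW_LOG):
        print("UNAUTHORIZED", finding)
    for rule in stale_authorizations(FLOW_LOG):
        print("NOT OBSERVED", rule)
```

Two kinds of finding come out of this: flows the representation does not cover (a shadow integration, a misconfigured firewall rule, or lateral movement) and authorized flows that never appear in the window analysed (documentation that has drifted from reality). Running both directions is what keeps the representation maintained rather than merely existent.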
Inventories of services provided by suppliers are maintained
Third-party SaaS tools, APIs, and managed services are part of your attack surface even though you d...
Assets are prioritized based on classification, criticality, and mission impact
Not every asset deserves the same level of protection, and security resources are finite. Classifyin...
Inventories of data and corresponding metadata for designated data types are maintained
You cannot protect data you have not catalogued. Knowing where sensitive data lives, who owns it, an...
Systems, hardware, software, services, and data are managed throughout their life cycles
Assets that are not properly retired become liabilities. End-of-life software stops receiving securi...
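The software inventory item and the life-cycle item above reduce to the same check: every installed component must map to an approved baseline entry that is still supported and still within its permitted version range. The following Python, an added example rather than code from the page or from NIST, performs that reconciliation and reports what falls outside it. The inventory, the baseline versions and the end-of-life dates are constructed for illustration, and the product names are fictitious except where they are obviously common packages:

```python
"""Reconcile a software inventory against an approved-software baseline.

Added example; not code from the page or from NIST. The inventory, the
baseline versions and the end-of-life dates are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Installed:
    host: str
    name: str
    version: str


@dataclass(frozen=True)
class Approved:
    min_version: str             # oldest version still permitted
    end_of_life: Optional[date]  # vendor support ends (None if not announced)


# Constructed inventory, as a discovery agent or package manager would report it.
INVENTORY = [
    Installed("web-01", "openssl", "3.0.13"),
    Installed("web-01", "nginx", "1.24.0"),
    Installed("db-02", "postgresql", "11.22"),
    Installed("app-03", "legacy-agent", "2.4.1"),
    Installed("dev-07", "quicktunnel", "3.8.0"),
]

# Constructed baseline: what the organization has approved and on what terms.
BASELINE = {
    "openssl": Approved("3.0.13", None),
    "nginx": Approved("1.24.0", None),
    "postgresql": Approved("13.0", None),
    "legacy-agent": Approved("2.0", date(2024, 1, 31)),
}

AS_OF = date(2025, 1, 15)  # evaluation date for the life-cycle check


def parse_version(v: str) -> tuple[int, ...]:
    """'3.10.2' -> (3, 10, 2). Assumes dotted numeric versions; non-digit
    characters inside a component are dropped, so pre-release suffixes are
    not ordered correctly."""
    parts = []
    for component in v.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def reconcile(inventory, baseline, today):
    """Return (host, name, version, finding) for every inventory entry that is
    UNAPPROVED (not in the baseline at all), END_OF_LIFE (approved, but vendor
    support has ended) or OUTDATED (below the minimum approved version).
    An entry can be both END_OF_LIFE and OUTDATED."""
    findings = []
    for item in inventory:
        approved = baseline.get(item.name)
        if approved is None:
            findings.append((item.host, item.name, item.version, "UNAPPROVED"))
            continue
        if approved.end_of_life is not None and approved.end_of_life <= today:
            findings.append((item.host, item.name, item.version, "END_OF_LIFE"))
        if parse_version(item.version) < parse_version(approved.min_version):
            findings.append((item.host, item.name, item.version, "OUTDATED"))
    return findings


def run_example():
    return reconcile(INVENTORY, BASELINE, AS_OF)


if __name__ == "__main__":
    for host, name, version, finding in run_example():
        print(f"{finding:12} {host:8} {name} {version}")
```

The three finding types map to three different owners: UNAPPROVED goes to whoever governs shadow IT, OUTDATED to patch management, and END_OF_LIFE to the retirement or replacement decision the life-cycle item calls for. Keeping the baseline in version control and diffing it against discovery output on a schedule is what turns the inventory from a snapshot into something maintained.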
Improvement
Improvements are identified from evaluations
Evaluations, whether internal assessments, external audits, or certification reviews, generate findi...
Improvements are identified from security tests and exercises
Security tests and exercises reveal gaps that document reviews miss. A tabletop exercise will surfac...
Improvements are identified from execution of operational processes and activities
The people running your security operations every day see things that auditors and testers miss: the...
Incident response plans and cybersecurity plans are established, maintained, and improved
An incident response plan that exists only as a document nobody has read is not an incident response...
Risk Assessment
Vulnerabilities in assets are identified, validated, and recorded
Exploitation of unpatched vulnerabilities is consistently among the most common initial access vectors in breaches. Regular scanning tu...
Critical suppliers are assessed prior to acquisition
Bringing a new critical supplier into your environment is a risk event that deserves the same scruti...
Cyber threat intelligence is received from information sharing forums and sources
Staying ahead of attackers means consuming intelligence about what they are doing, not just reacting...
Internal and external threats to the organization are identified and recorded
A vulnerability scan tells you about weaknesses in your assets, but threat identification tells you ...
Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
Knowing that a vulnerability exists is not the same as knowing how much it matters. A critical CVE i...
Risk information is used to understand inherent risk and prioritize responses
Risk data is only valuable if it drives decisions. Organizations that maintain a risk register but n...
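The vulnerability identification item above and the likelihood, impact and prioritization items that follow it can be shown together in one worked example. The Python below, added here and not the page's or NIST's code, matches an asset inventory against advisories with affected version ranges, then scores each match so the register comes out ordered by risk rather than by discovery order. The advisories carry fictitious EX-* identifiers (not real CVEs), and the assets, criticality tiers and scoring weights are constructed; a real program would take likelihood inputs from threat intelligence and impact inputs from the asset classification:

```python
"""Match an asset inventory against advisories and rank the resulting risks.

Added example; not code from the page or from NIST. Assets, criticality
tiers, advisories (fictitious EX-* identifiers, not real CVEs) and the
scoring weights are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    criticality: int         # 1 (low) .. 5 (mission critical), from asset classification
    internet_facing: bool    # exposure, from the network/data-flow representation


@dataclass(frozen=True)
class Advisory:
    adv_id: str              # fictitious identifier
    product: str
    introduced: str          # first affected version, inclusive
    fixed: str               # first fixed version, exclusive
    severity: int            # vendor-rated severity, 1..5
    exploited_in_wild: bool  # from threat intelligence feeds


ASSETS = [
    Asset("edge-lb-01", "proxyd", "2.4.1", 5, True),
    Asset("intranet-wiki", "proxyd", "2.4.1", 2, False),
    Asset("build-agent-3", "ci-runner", "1.9.0", 3, False),
    Asset("edge-lb-02", "proxyd", "2.5.0", 5, True),   # already on a fixed version
]

ADVISORIES = [
    Advisory("EX-2024-0001", "proxyd", "2.0.0", "2.4.3", 5, True),
    Advisory("EX-2024-0002", "ci-runner", "1.8.0", "1.10.0", 3, False),
]


def ver(v: str) -> tuple[int, ...]:
    """Assumes plain dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Version-range match: the 'identified' step. Validation, confirming the
    finding on the asset itself, is a separate step this example does not do."""
    return (asset.product == adv.product
            and ver(adv.introduced) <= ver(asset.version) < ver(adv.fixed))


def likelihood(asset: Asset, adv: Advisory) -> int:
    """1..5. Base 2; +2 when exploitation is observed in the wild; +1 when the
    asset is reachable from the internet. Weights are illustrative."""
    return 2 + (2 if adv.exploited_in_wild else 0) + (1 if asset.internet_facing else 0)


def impact(asset: Asset, adv: Advisory) -> int:
    """1..5: vendor severity averaged with asset criticality, rounded up, so
    the same flaw scores lower on a low-value internal host."""
    return (adv.severity + asset.criticality + 1) // 2


def risk_register(assets, advisories) -> list[dict]:
    """One row per (asset, advisory) match, highest risk first, so response
    planning starts from the top of the list."""
    rows = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                lk, im = likelihood(asset, adv), impact(asset, adv)
                rows.append({"host": asset.host, "advisory": adv.adv_id,
                             "likelihood": lk, "impact": im, "risk": lk * im})
    rows.sort(key=lambda r: (-r["risk"], r["host"], r["advisory"]))
    return rows


if __name__ == "__main__":
    for row in risk_register(ASSETS, ADVISORIES):
        print(f"risk={row['risk']:2} L={row['likelihood']} I={row['impact']} "
              f"{row['host']} {row['advisory']}")
```

The point the example makes is that the same advisory on the same version produces different register entries: the internet-facing load balancer outranks the internal wiki because both likelihood and impact differ, and the fixed host produces no entry at all. The scoring weights here are placeholders; what matters is that likelihood and impact are recorded separately, so the decision behind each priority can be reviewed when threat intelligence or asset classification changes.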
Risk responses are chosen, prioritized, planned, tracked, and communicated
Identifying a risk without deciding what to do about it is just a longer list of problems. Every ris...
Changes and exceptions are managed, assessed for risk impact, and tracked
Every change to your environment, whether a new service, a configuration update, or a policy excepti...
Processes for receiving, analyzing, and responding to vulnerability disclosures are established
Security researchers, customers, and employees regularly discover vulnerabilities in your products o...
The authenticity and integrity of hardware and software are assessed prior to acquisition and use
Compromised hardware and software can be introduced into your environment during the acquisition pro...
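As an added example (not from the page or from NIST), the Python below gates use of a downloaded artifact on a SHA-256 manifest in the layout that `sha256sum` emits. The artifact bytes and the manifest are constructed; the manifest is generated from the known-good bytes so the example runs offline, which means it demonstrates the integrity check only. Authenticity additionally requires that the manifest itself be signed and that the signing key be obtained out of band, which this block does not do:

```python
"""Gate use of a downloaded artifact on a SHA-256 checksum manifest.

Added example; not code from the page or from NIST. The artifact bytes and
the manifest are constructed. The manifest is built from the known-good
bytes so the example runs offline; in practice it comes from the vendor,
signed, and the signature is checked before the manifest is trusted.
"""
from __future__ import annotations

import hashlib
import hmac

ARTIFACT_NAME = "agent-2.1.0-linux-amd64.tar.gz"
GOOD_ARTIFACT = b"constructed artifact contents, release 2.1.0\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00"   # one appended byte

# Layout as emitted by `sha256sum`: hex digest, two spaces (or ' *' for binary mode), file name.
MANIFEST = (
    "# constructed release manifest\n"
    f"{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}  {ARTIFACT_NAME}\n"
    f"{'0' * 64} *agent-2.1.0-windows-amd64.zip\n"   # placeholder digest for a second file
)

HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected lowercase hex digest. Malformed lines are an
    error rather than silently skipped: a corrupted manifest must not let an
    unverified file through by making its entry disappear."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest
    return expected


def verify_artifact(name: str, data: bytes, manifest_text: str) -> str:
    """Return 'verified', 'mismatch' or 'unlisted'. Only 'verified' may be
    treated as permission to install or run the file; 'unlisted' is a
    failure, not an absence of requirements."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return "unlisted"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids timing differences; cheap insurance even where the
    # comparison is not attacker-observable.
    return "verified" if hmac.compare_digest(actual, expected[name]) else "mismatch"


if __name__ == "__main__":
    for label, data in (("good", GOOD_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        print(label, verify_artifact(ARTIFACT_NAME, data, MANIFEST))
    print("unknown file", verify_artifact("agent-2.1.0-darwin-arm64.tar.gz", GOOD_ARTIFACT, MANIFEST))
```

Checking the digest proves that the bytes match what the manifest describes, nothing more. If the manifest was fetched from the same location as the artifact, an attacker who can replace one can replace both, so authenticity depends on the manifest being signed (for example with the vendor's GPG or Sigstore identity) and on the verification key being obtained through a channel independent of the download. The same pattern, a signed reference value compared against what was actually received, applies to firmware images and hardware attestations as much as to software packages.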