Risk Management Strategy (GV.RM)
- GV.RM-01: Stakeholders agree on established risk management objectives
- GV.RM-02: Establish, communicate, and maintain risk appetite statements
- GV.RM-03: Integrate cybersecurity activities into enterprise risk processes
- GV.RM-04: Strategic direction describes appropriate risk response options
- GV.RM-05: Establish organizational communication lines for cyber risks
- GV.RM-06: Standardize methods for prioritizing organizational cyber risks
- GV.RM-07: Include strategic opportunities in cybersecurity risk discussions
Organizational Context (GV.OC)
- GV.OC-01: Organizational mission is understood and informs risk management
- GV.OC-02: Stakeholder needs and expectations are clearly understood
- GV.OC-03: Manage legal, regulatory, and contractual cybersecurity requirements
Asset Management (ID.AM)
- ID.AM-01: Maintain inventories of hardware managed by the organization
- ID.AM-02: Maintain inventories of software, services, and systems
- ID.AM-03: Map authorized network communication and data flows
- ID.AM-04: Maintain inventories of services provided by suppliers
- ID.AM-05: Prioritize assets based on classification and criticality
- ID.AM-07: Maintain inventories of data and corresponding metadata
- ID.AM-08: Manage systems and data throughout their lifecycles
Risk Assessment (ID.RA)
- ID.RA-01: Identify, validate, and record vulnerabilities in assets
- ID.RA-02: Receive cyber threat intelligence from sharing sources
- ID.RA-03: Identify and record internal and external threats
- ID.RA-04: Identify potential impacts and likelihoods of threats
- ID.RA-05: Understand inherent risk using identified threats and vulnerabilities
- ID.RA-06: Choose, prioritize, plan, track, and communicate risk responses
- ID.RA-07: Manage, assess, record, and track risk exceptions
- ID.RA-08: Establish processes for responding to vulnerability disclosures
- ID.RA-09: Assess hardware and software integrity prior to acquisition
Identity Management, Authentication, and Access Control (PR.AA)
- PR.AA-01: Manage identities and credentials for authorized users
- PR.AA-02: Proof and bind identities based on context
- PR.AA-03: Authenticate users, services, and managed hardware assets
- PR.AA-04: Protect, convey, and verify organizational identity assertions
- PR.AA-05: Enforce access permissions incorporating the principle of least privilege
Awareness and Training (PR.AT)
- PR.AT-01: Provide personnel awareness and training for tasks
- PR.AT-02: Provide specialized roles with relevant cybersecurity training
Data Security (PR.DS)
- PR.DS-01: Protect confidentiality, integrity, and availability of data at rest
- PR.DS-02: Protect confidentiality, integrity, and availability of data in transit
- PR.DS-10: Protect confidentiality, integrity, and availability of data in use
- PR.DS-11: Create, protect, maintain, and test data backups
Platform Security (PR.PS)
- PR.PS-01: Establish and apply configuration management security practices
- PR.PS-02: Maintain, replace, and remove software commensurate with risk
- PR.PS-03: Maintain, replace, and remove hardware commensurate with risk
- PR.PS-04: Generate log records for continuous organizational monitoring
- PR.PS-05: Prevent installation and execution of unauthorized software
- PR.PS-06: Integrate secure software development practices into lifecycle
Technology Infrastructure Resilience (PR.IR)
- PR.IR-01: Protect networks from unauthorized logical access and usage
- PR.IR-02: Protect technology assets from potential environmental threats
- PR.IR-04: Maintain adequate resource capacity to ensure availability
Continuous Monitoring (DE.CM)
- DE.CM-01: Monitor networks and services for adverse events
- DE.CM-02: Monitor physical environment to find adverse events
- DE.CM-03: Monitor personnel activity and technology usage patterns
- DE.CM-06: Monitor external service provider activities for events
- DE.CM-09: Monitor computing environments and data for events
Adverse Event Analysis (DE.AE)
- DE.AE-02: Analyze potentially adverse events to understand associated activities
- DE.AE-03: Correlate security information from multiple organizational sources
- DE.AE-04: Understand estimated impact and scope of adverse events
- DE.AE-06: Provide information on adverse events to staff
- DE.AE-07: Integrate threat intelligence into adverse event analysis
- DE.AE-08: Declare incidents when events meet defined criteria
Incident Management (RS.MA)
- RS.MA-01: Execute incident response plan in coordination with third parties
- RS.MA-02: Triage and validate incident reports for response
- RS.MA-03: Categorize and prioritize incidents for effective management
- RS.MA-04: Escalate or elevate incidents as organizational needs require
- RS.MA-05: Apply criteria for initiating organizational incident recovery
Incident Analysis (RS.AN)
- RS.AN-03: Establish root cause through incident analysis and investigation
- RS.AN-06: Record investigation actions and preserve record integrity
- RS.AN-07: Collect incident data and preserve its integrity
- RS.AN-08: Estimate and validate magnitude of cybersecurity incidents
Incident Response Reporting and Communication (RS.CO)
- RS.CO-03: Share information with designated internal and external stakeholders
Incident Mitigation (RS.MI)
- RS.MI-01: Contain incidents to prevent expansion of events
- RS.MI-02: Eradicate incidents from systems and organizational networks
Incident Recovery Plan Execution (RC.RP)
- RC.RP-03: Verify integrity of backups before restoration and use
- RC.RP-05: Confirm normal operating status after asset restoration