NIST Cyber Framework

NIST Cybersecurity Framework (Center for Internet Security)

Identify: Asset Management (ID.AM)

ID.AM-1 Physical devices and systems within the organization are inventoried.

Acceptable Use of Information Technology Resources Policy : Access Control Policy : Account Management/Access Control Standard : Identification and Authentication Policy : Information Security Policy : Security Assessment and Authorization Policy : Security Awareness and Training Policy

ID.AM-2 Software platforms and applications within the organization are inventoried.

Acceptable Use of Information Technology Resources Policy : Access Control Policy : Account Management/Access Control Standard : Identification and Authentication Policy : Information Security Policy : Security Assessment and Authorization Policy : Security Awareness and Training Policy

ID.AM-4 External information systems are catalogued.

System and Communications Protection Policy

ID.AM-5 Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value.

Information Classification Standard : Information Security Policy

ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

Acceptable Use of Information Technology Resources Policy : Information Security Policy : Security Awareness and Training Policy

Identify: Risk Management Strategy (ID.RM)

ID.RM-1 Risk management processes are established, managed, and agreed to by organizational stakeholders.

Information Security Policy : Information Security Risk Management Standard : Risk Assessment Policy

Identify: Supply Chain Risk Management (ID.SC)

ID.SC-2 Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

Identification and Authentication Policy : Security Assessment and Authorization Policy : Systems and Services Acquisition Policy

ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

Identification and Authentication Policy : Security Assessment and Authorization Policy : Systems and Services Acquisition Policy

ID.SC-5 Response and recovery planning and testing are conducted with suppliers and third-party providers.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Systems and Services Acquisition Policy

Protect: Identity Management and Access Control (PR.AC)

PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.

Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard

PR.AC-3 Remote access is managed.

Remote Access Standard

PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard

PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation).

802.11 Wireless Network Security Standard : Mobile Device Security : System and Information Integrity Policy

Protect: Awareness and Training (PR.AT)

PR.AT-1 All users are informed and trained.

Acceptable Use of Information Technology Resources Policy : Information Security Policy : Personnel Security Policy : Physical and Environmental Protection Policy : Security Awareness and Training Policy

Protect: Data Security (PR.DS)

PR.DS-1 Data-at-rest is protected.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Encryption Standard : Incident Response Policy : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard

PR.DS-2 Data-in-transit is protected.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Encryption Standard : Incident Response Policy : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard

PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition.

Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard

PR.DS-8 Integrity checking mechanisms are used to verify hardware integrity.

System and Information Integrity Policy

Protect: Information Protection Processes and Procedures (PR.IP)

PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).

Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard

PR.IP-4 Backups of information are conducted, maintained, and tested.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Encryption Standard : Incident Response Policy : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard

PR.IP-6 Data is destroyed according to policy.

Maintenance Policy : Media Protection Policy : Sanitization Secure Disposal Standard

PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Planning Policy

PR.IP-10 Response and recovery plans are tested.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Planning Policy

Protect: Maintenance (PR.MA)

PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

Maintenance Policy : Remote Access Standard : Security Logging Standard

Protect: Protective Technology (PR.PT)

PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.

Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard : Security Logging Standard

PR.PT-2 Removable media is protected and its use restricted according to policy.

Acceptable Use of Information Technology Resources Policy : Media Protection Policy : Mobile Device Security

PR.PT-4 Communications and control networks are protected.

Encryption Standard : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : System and Communications Protection Policy

Detect: Anomalies and Events (DE.AE)

DE.AE-3 Event data are collected and correlated from multiple sources and sensors.

Auditing and Accountability Standard : Security Logging Standard : System and Information Integrity Policy : Vulnerability Scanning Standard

Detect: Security Continuous Monitoring (DE.CM)

DE.CM-1 The network is monitored to detect potential cybersecurity events.

Encryption Standard : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard : Security Assessment and Authorization Policy : Vulnerability Scanning Standard

DE.CM-4 Malicious code is detected.

Auditing and Accountability Standard : Secure Coding Standard : Security Logging Standard : System and Information Integrity Policy : Vulnerability Scanning Standard

DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and software is performed.

Auditing and Accountability Standard : Security Logging Standard : System and Information Integrity Policy : Vulnerability Scanning Standard

Detect: Detection Processes (DE.DP)

DE.DP-1 Roles and responsibilities for detection are well defined to ensure accountability.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Information Security Policy

DE.DP-4 Event detection information is communicated.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Information Security Policy

Respond: Response Planning (RS.RP)

RS.RP-1 Response plan is executed during or after an event.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Planning Policy

Respond: Communications (RS.CO)

RS.CO-1 Personnel know their roles and order of operations when a response is needed.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

RS.CO-2 Incidents are reported consistent with established criteria.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

RS.CO-3 Information is shared consistent with response plans.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

RS.CO-4 Coordination with stakeholders occurs consistent with response plans.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

RS.CO-5 Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

Respond: Analysis (RS.AN)

RS.AN-4 Incidents are categorized consistent with response plans.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

Respond: Improvements (RS.IM)

RS.IM-1 Response plans incorporate lessons learned.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

RS.IM-2 Response strategies are updated.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

Recover: Recovery Planning (RC.RP)

RC.RP-1 Recovery plan is executed during or after a cybersecurity incident.

Computer Security Threat Response Policy : Contingency Planning Policy : Cyber Incident Response Standard : Incident Response Policy

Recover: Improvements (RC.IM)

RC.IM-1 Recovery plans incorporate lessons learned.

Computer Security Threat Response Policy : Contingency Planning Policy : Cyber Incident Response Standard : Incident Response Policy

RC.IM-2 Recovery strategies are updated.

Computer Security Threat Response Policy : Contingency Planning Policy : Cyber Incident Response Standard : Incident Response Policy

Recover: Communications (RC.CO)

RC.CO-1 Public relations are managed.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy

RC.CO-2 Reputation is repaired after an incident.

Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy