NIST Cyber Framework
Complete framework, with hyperlinks to helpful .docx template files to download. Thanks to the Center for Internet Security for publishing these!
Identify: Asset Management (ID.AM)
ID.AM-1 Physical devices and systems within the organization are inventoried.
Acceptable Use of Information Technology Resource Policy : Access Control Policy : Account Management/Access Control Standard : Identification and Authentication Policy : Information Security Policy : Security Assessment and Authorization Policy : Security Awareness and Training Policy
ID.AM-2 Software platforms and applications within the organization are inventoried.
Acceptable Use of Information Technology Resource Policy : Access Control Policy : Account Management/Access Control Standard : Identification and Authentication Policy : Information Security Policy : Security Assessment and Authorization Policy : Security Awareness and Training Policy
ID.AM-4 External information systems are catalogued.
System and Communications Protection Policy
ID.AM-5 Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value.
Information Classification Standard : Information Security Policy
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g. suppliers, customers, partners) are established.
Acceptable Use of Information Technology Resource Policy : Information Security Policy : Security Awareness and Training Policy
Identify: Risk Management Strategy (ID.RM)
ID.RM-1 Risk management processes are established, managed, and agreed to by organizational stakeholders.
Information Security Policy : Information Security Risk Management Standard : Risk Assessment Policy
Identify: Supply Chain Risk Management (ID.SC)
ID.SC-2 Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
Identification and Authentication Policy : Security Assessment and Authorization Policy : Systems and Services Acquisition Policy
ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Identification and Authentication Policy : Security Assessment and Authorization Policy : Systems and Services Acquisition Policy
ID.SC-5 Response and recovery planning and testing are conducted with suppliers and third-party providers.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Systems and Services Acquisition Policy
Protect: Identity Management and Access Control (PR.AC)
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard
PR.AC-3 Remote access is managed.
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation).
802.11 Wireless Network Security Standard : Mobile Device Security : System and Information Integrity Policy
Protect: Awareness and Training (PR.AT)
PR.AT-1 All users are informed and trained.
Acceptable Use of Information Technology Resources Policy : Information Security Policy : Personnel Security Policy : Physical and Environmental Protection Policy : Security Awareness and Training Policy
Protect: Data Security (PR.DS)
PR.DS-1 Data-at-rest is protected.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Encryption Standard : Incident Response Policy : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard
PR.DS-2 Data-in-transit is protected.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Encryption Standard : Incident Response Policy : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition.
Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard
PR.DS-8 Integrity checking mechanisms are used to verify hardware integrity.
System and Information Integrity Policy
Protect: Information Protection Processes and Procedures (PR.IP)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard
PR.IP-4 Backups of information are conducted, maintained, and tested.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Encryption Standard : Incident Response Policy : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard
PR.IP-6 Data is destroyed according to policy.
Maintenance Policy : Media Protection Policy : Sanitization Secure Disposal Standard
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Planning Policy
PR.IP-10 Response and recovery plans are tested.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Planning Policy
Protect: Maintenance (PR.MA)
PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
Maintenance Policy : Remote Access Standard : Security Logging Standard
Protect: Protective Technology (PR.PT)
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
Access Control Policy : Account Management/Access Control Standard : Authentication Tokens Standard : Configuration Management Policy : Identification and Authentication Policy : Sanitization Secure Disposal Standard : Secure Configuration Standard : Secure System Development Life Cycle Standard : Security Logging Standard
PR.PT-2 Removable media is protected and its use restricted according to policy.
Acceptable Use of Technology Resources Policy : Media Protection Policy : Mobile Device Security
PR.PT-4 Communications and control networks are protected.
Encryption Standard : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : System and Communications Protection Policy
Detect: Anomalies and Events (DE.AE)
DE.AE-3 Event data are collected and correlated from multiple sources and sensors.
Auditing and Accountability Standard : Security Logging Standard : System and Information Integrity Policy : Vulnerability Scanning Standard
Detect: Security Continuous Monitoring (DE.CM)
DE.CM-1 The network is monitored to detect potential cybersecurity events.
Encryption Standard : Information Security Policy : Maintenance Policy : Media Protection Policy : Mobile Device Security : Patch Management Standard : Security Assessment and Authorization Policy : Vulnerability Scanning Standard
DE.CM-4 Malicious code is detected.
Auditing and Accountability Standard : Secure Coding Standard : Security Logging Standard : System and Information Integrity Policy : Vulnerability Scanning Standard
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and software is performed.
Auditing and Accountability Standard : Security Logging Standard : System and Information Integrity Policy : Vulnerability Scanning Standard
Detect: Detection Processes (DE.DP)
DE.DP-1 Roles and responsibilities for detection are well defined to ensure accountability.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Information Security Policy
DE.DP-4 Event detection information is communicated.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Information Security Policy
Respond: Response Planning (RS.RP)
RS.RP-1 Response plan is executed during or after an event.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy : Planning Policy
Respond: Communications (RS.CO)
RS.CO-1 Personnel know their roles and order of operations when a response is needed.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
RS.CO-2 Incidents are reported consistent with established criteria.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
RS.CO-3 Information is shared consistent with response plans.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
RS.CO-4 Coordination with stakeholders occurs consistent with response plans.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
RS.CO-5 Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
Respond: Analysis (RS.AN)
RS.AN-4 Incidents are categorized consistent with response plans.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
Respond: Improvements (RS.IM)
RS.IM-1 Response plans incorporate lessons learned.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
RS.IM-2 Response strategies are updated.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
Recover: Recovery Planning (RC.RP)
RC.RP-1 Recovery plan is executed during or after a cybersecurity incident.
Computer Security Threat Response Policy : Contingency Planning Policy : Cyber Incident Response Standard : Incident Response Policy
Recover: Improvements (RC.IM)
RC.IM-1 Recovery plans incorporate lessons learned.
Computer Security Threat Response Policy : Contingency Planning Policy : Cyber Incident Response Standard : Incident Response Policy
RC.IM-2 Recovery strategies are updated.
Computer Security Threat Response Policy : Contingency Planning Policy : Cyber Incident Response Standard : Incident Response Policy
Recover: Communications (RC.CO)
RC.CO-1 Public relations are managed.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy
RC.CO-2 Reputation is repaired after an incident.
Computer Security Threat Response Policy : Cyber Incident Response Standard : Incident Response Policy