Potentially adverse events are analyzed to better understand associated activities
family DE
framework nist-csf
Information is correlated from multiple sources
family DE
framework nist-csf
The estimated impact and scope of adverse events are understood
family DE
framework nist-csf
Information on adverse events is provided to authorized staff and tools
family DE
framework nist-csf
Cyber threat intelligence and other contextual information are integrated into the analysis
family DE
framework nist-csf
Incidents are declared when adverse events meet the defined incident criteria
family DE
framework nist-csf
Networks and network services are monitored to find potentially adverse events
family DE
framework nist-csf
The physical environment is monitored to find potentially adverse events
family DE
framework nist-csf
Personnel activity and technology usage are monitored to find potentially adverse events
family DE
framework nist-csf
External service provider activities and services are monitored to find potentially adverse events
family DE
framework nist-csf
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
family DE
framework nist-csf
The organizational mission is understood and informs cybersecurity risk management
family GV
framework nist-csf
Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
family GV
framework nist-csf
Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
family GV
framework nist-csf
Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
family GV
framework nist-csf
Outcomes, capabilities, and services that the organization depends on are understood and communicated
family GV
framework nist-csf
Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
family GV
framework nist-csf
The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
family GV
framework nist-csf
Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
family GV
framework nist-csf
Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
family GV
framework nist-csf
Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
family GV
framework nist-csf
Risk management objectives are established and agreed to by organizational stakeholders
family GV
framework nist-csf
Risk appetite and risk tolerance statements are established, communicated, and maintained
family GV
framework nist-csf
Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
family GV
framework nist-csf
Strategic direction that describes appropriate risk response options is established and communicated
family GV
framework nist-csf
Lines of communication across the organization are established for cybersecurity risks
family GV
framework nist-csf
A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
family GV
framework nist-csf
Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
family GV
framework nist-csf
Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
family GV
framework nist-csf
Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
family GV
framework nist-csf
Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
family GV
framework nist-csf
Cybersecurity is included in human resources practices
family GV
framework nist-csf
A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
family GV
framework nist-csf
Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
family GV
framework nist-csf
Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
family GV
framework nist-csf
Suppliers are known and prioritized by criticality
family GV
framework nist-csf
Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
family GV
framework nist-csf
Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
family GV
framework nist-csf
The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
family GV
framework nist-csf
Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
family GV
framework nist-csf
Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
family GV
framework nist-csf
Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
family GV
framework nist-csf
Inventories of hardware managed by the organization are maintained
family ID
framework nist-csf
Inventories of software, services, and systems managed by the organization are maintained
family ID
framework nist-csf
Representations of the organization’s authorized network communication and internal and external network data flows are maintained
family ID
framework nist-csf
Inventories of services provided by suppliers are maintained
family ID
framework nist-csf
Assets are prioritized based on classification, criticality, resources, and impact on the mission
family ID
framework nist-csf
Inventories of data and corresponding metadata for designated data types are maintained
family ID
framework nist-csf
Systems, hardware, software, services, and data are managed throughout their life cycles
family ID
framework nist-csf
Improvements are identified from evaluations
family ID
framework nist-csf
Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
family ID
framework nist-csf
Improvements are identified from execution of operational processes, procedures, and activities
family ID
framework nist-csf
Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
family ID
framework nist-csf
Vulnerabilities in assets are identified, validated, and recorded
family ID
framework nist-csf
Cyber threat intelligence is received from information sharing forums and sources
family ID
framework nist-csf
Internal and external threats to the organization are identified and recorded
family ID
framework nist-csf
Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
family ID
framework nist-csf
Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
family ID
framework nist-csf
Risk responses are chosen, prioritized, planned, tracked, and communicated
family ID
framework nist-csf
Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
family ID
framework nist-csf
Processes for receiving, analyzing, and responding to vulnerability disclosures are established
family ID
framework nist-csf
The authenticity and integrity of hardware and software are assessed prior to acquisition and use
family ID
framework nist-csf
Critical suppliers are assessed prior to acquisition
family ID
framework nist-csf
Identities and credentials for authorized users, services, and hardware are managed by the organization
family PR
framework nist-csf
Identities are proofed and bound to credentials based on the context of interactions
family PR
framework nist-csf
Users, services, and hardware are authenticated
family PR
framework nist-csf
Identity assertions are protected, conveyed, and verified
family PR
framework nist-csf
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
family PR
framework nist-csf
Physical access to assets is managed, monitored, and enforced commensurate with risk
family PR
framework nist-csf
Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
family PR
framework nist-csf
Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
family PR
framework nist-csf
The confidentiality, integrity, and availability of data-at-rest are protected
family PR
framework nist-csf
The confidentiality, integrity, and availability of data-in-transit are protected
family PR
framework nist-csf
The confidentiality, integrity, and availability of data-in-use are protected
family PR
framework nist-csf
Backups of data are created, protected, maintained, and tested
family PR
framework nist-csf
Networks and environments are protected from unauthorized logical access and usage
family PR
framework nist-csf
The organization’s technology assets are protected from environmental threats
family PR
framework nist-csf
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
family PR
framework nist-csf
Adequate resource capacity to ensure availability is maintained
family PR
framework nist-csf
Configuration management practices are established and applied
family PR
framework nist-csf