← Frameworks / Financial Regulation

CBN Risk-Based Cybersecurity Framework for DMBs and PSBs

Central Bank of Nigeria mandatory risk-based cybersecurity framework for all deposit money banks and payment service banks. 10 parts covering governance, risk management, cyber resilience, threat intelligence, emerging technologies, metrics and reporting, compliance and enforcement, awareness and training, personnel security, and physical security. Requires annual self-assessment (CSAT) and participation in NigFinCERT. Effective July 2024.

Clauses: 25
Avg Coverage: 73.6%
Publisher: Central Bank of Nigeria (CBN) Version: 2024
CBN CSF → SP 800-53 SP 800-53 → CBN CSF Coverage Analysis
Clause Title SP 800-53 Controls
Part1.1 Cybersecurity Governance — Board of Directors Oversight
PM-01 PM-02 PM-03 PM-09 PM-13 PM-28 PM-29 PL-09 PS-09
Part1.2 Cybersecurity Governance — Senior Management and CISO
PM-02 PM-29 PS-01 PS-02 PS-03 PS-06 PS-07 PS-09 AT-03
Part1.3 Cybersecurity Policy Framework
PL-01 PL-02 PL-04 PL-09 PL-10 PL-11 PM-01 PM-04 PM-10 AC-01 AT-01 AU-01 IR-01 SC-01
Part2.1 Cybersecurity Risk Assessment and Measurement
RA-01 RA-02 RA-03 RA-04 RA-07 RA-09 PM-09 PM-28 PL-10 PL-11 CA-05
Part2.2 Risk Monitoring, Risk Register and Reporting
RA-03 RA-04 RA-07 CA-05 CA-07 PM-04 PM-06 PM-09 PM-28 SI-04
Part2.3 Vulnerability Assessment and Penetration Testing
RA-05 RA-06 CA-02 CA-07 CA-08 CA-09 PM-14 RA-09 SI-02
Part2.4 Third-Party Risk Management
SA-04 SA-09 SA-21 SA-22 SR-01 SR-02 SR-03 SR-05 SR-06 PM-30 PM-31 PM-32 PS-07 AC-20
Part3.1 Know Your Environment — Asset Management
CM-08 CM-09 CM-12 PM-05 RA-02 RA-09 SC-07 PL-02
Part3.2 Preventive Controls — Access Control and Identity Management
AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-10 AC-11 AC-12 AC-17 AC-19 AC-20 AC-24 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-08 IA-11 IA-12
Part3.3 Preventive Controls — Network and Infrastructure Security
SC-07 SC-05 SC-08 SC-12 SC-13 SC-20 SC-21 SC-22 SC-28 SC-39 SC-41 CM-01 CM-02 CM-03 CM-05 CM-06 CM-07 SI-02 SI-03 SI-04 SI-07 SI-16 RA-05 MA-01 MA-02 MA-03 MA-04 MA-05
Part3.4 Preventive Controls — Data Protection and Encryption
MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 SC-08 SC-13 SC-28 AC-04 AC-16 AC-23 PT-01 PT-02 PT-03 PT-05 SI-12 CM-12
Part3.5 Monitoring, Detection and 24/7 Security Operations
SI-04 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-12 CA-07 PM-16 RA-10 SC-26 SC-44 IR-04
Part3.6 Incident Response and Recovery
IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 CP-01 CP-02 CP-04 CP-09 CP-10
Part3.7 Cyber Resilience — Business Continuity and Disaster Recovery
CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13 SC-24 SI-13 SI-17 PM-08 PM-11
Part3.8 Cyber Drills and Industry Exercises
IR-03 CP-04 PM-14 CA-08 AT-02
Part4 Cyber Threat Intelligence
PM-15 PM-16 RA-03 RA-10 SI-04 SI-05 SC-26 SC-44 SA-08
Part5.1 Emerging Technologies — AI, Cloud, and DLT Governance
SA-04 SA-08 SA-09 SA-17 PM-32 SC-07 RA-03 RA-09 CA-02 PT-01 PT-02
Part5.2 Emerging Technologies — Open Banking and API Security
SA-04 SA-08 SA-11 SC-07 SC-08 SC-13 SC-23 AC-03 AC-04 IA-02 IA-08 SI-10
Part6.1 Cybersecurity Metrics and Performance Measurement
PM-06 PM-14 CA-07 PM-04 PM-01
Part6.2 Regulatory Reporting and Self-Assessment
CA-01 CA-02 CA-05 CA-06 CA-07 PM-04 PM-06 PM-10 PL-01 PL-02
Part7.1 Compliance with Statutory and Regulatory Requirements
PL-04 PM-10 PM-01 SI-12 PT-01 PT-02 PT-03 PT-05 PT-06
Part7.2 Enforcement and CBN Supervisory Oversight
CA-02 CA-07 PM-04 PM-06 PM-14
Part8 Cybersecurity Awareness and Training
AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-13 PM-15
Part9 Personnel Security and Insider Threat
PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 AC-05 AC-06 AU-06 AU-13 PM-12
Part10 Physical and Environmental Security
PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17