
CBN Risk-Based Cybersecurity Framework for DMBs and PSBs

Mandatory risk-based cybersecurity framework issued by the Central Bank of Nigeria for all deposit money banks (DMBs) and payment service banks (PSBs). Its 10 parts cover governance, risk management, cyber resilience, threat intelligence, emerging technologies, metrics and reporting, compliance and enforcement, awareness and training, personnel security, and physical security. It requires an annual self-assessment (CSAT) and participation in NigFinCERT. Effective July 2024. The control identifiers and names in the tables below are NIST SP 800-53 controls, grouped by family; each row lists the CBN CSF part(s) that address that control.

AC Access Control

Control | Name | CBN CSF References
AC-01 | Access Control Policies and Procedures | Part 1.3, Part 3.2
AC-02 | Account Management | Part 3.2
AC-03 | Access Enforcement | Part 3.2, Part 5.2
AC-04 | Information Flow Enforcement | Part 3.2, Part 3.4, Part 5.2
AC-05 | Separation of Duties | Part 3.2, Part 9
AC-06 | Least Privilege | Part 3.2, Part 9
AC-07 | Unsuccessful Login Attempts | Part 3.2
AC-10 | Concurrent Session Control | Part 3.2
AC-11 | Session Lock | Part 3.2
AC-12 | Session Termination | Part 3.2
AC-16 | Automated Labeling | Part 3.4
AC-17 | Remote Access | Part 3.2
AC-19 | Access Control for Portable and Mobile Devices | Part 3.2
AC-20 | Use of External Information Systems | Part 2.4, Part 3.2
AC-23 | Data Mining Protection | Part 3.4
AC-24 | Access Control Decisions | Part 3.2

AT Awareness and Training

Control | Name | CBN CSF References
AT-01 | Security Awareness and Training Policy and Procedures | Part 1.3, Part 8
AT-02 | Security Awareness | Part 3.8, Part 8
AT-03 | Security Training | Part 1.2, Part 8
AT-04 | Security Training Records | Part 8
AT-05 | Contacts with Security Groups and Associations | Part 8
AT-06 | Training Feedback | Part 8

AU Audit and Accountability

Control | Name | CBN CSF References
AU-01 | Audit and Accountability Policy and Procedures | Part 1.3
AU-02 | Auditable Events | Part 3.5
AU-03 | Content of Audit Records | Part 3.5
AU-04 | Audit Storage Capacity | Part 3.5
AU-05 | Response to Audit Processing Failures | Part 3.5
AU-06 | Audit Monitoring, Analysis, and Reporting | Part 3.5, Part 9
AU-07 | Audit Reduction and Report Generation | Part 3.5
AU-08 | Time Stamps | Part 3.5
AU-09 | Protection of Audit Information | Part 3.5
AU-12 | Audit Record Generation | Part 3.5
AU-13 | Monitoring for Information Disclosure | Part 9

CA Security Assessment and Authorization

Control | Name | CBN CSF References
CA-01 | Certification, Accreditation, and Security Assessment Policies and Procedures | Part 6.2
CA-02 | Security Assessments | Part 2.3, Part 5.1, Part 6.2, Part 7.2
CA-05 | Plan of Action and Milestones | Part 2.1, Part 2.2, Part 6.2
CA-06 | Security Accreditation | Part 6.2
CA-07 | Continuous Monitoring | Part 2.2, Part 2.3, Part 3.5, Part 6.1, Part 6.2, Part 7.2
CA-08 | Penetration Testing | Part 2.3, Part 3.8
CA-09 | Internal System Connections | Part 2.3

CM Configuration Management

Control | Name | CBN CSF References
CM-01 | Configuration Management Policy and Procedures | Part 3.3
CM-02 | Baseline Configuration | Part 3.3
CM-03 | Configuration Change Control | Part 3.3
CM-05 | Access Restrictions for Change | Part 3.3
CM-06 | Configuration Settings | Part 3.3
CM-07 | Least Functionality | Part 3.3
CM-08 | Information System Component Inventory | Part 3.1
CM-09 | Configuration Management Plan | Part 3.1
CM-12 | Information Location | Part 3.1, Part 3.4

CP Contingency Planning

Control | Name | CBN CSF References
CP-01 | Contingency Planning Policy and Procedures | Part 3.6, Part 3.7
CP-02 | Contingency Plan | Part 3.6, Part 3.7
CP-03 | Contingency Training | Part 3.7
CP-04 | Contingency Plan Testing and Exercises | Part 3.6, Part 3.7, Part 3.8
CP-06 | Alternate Storage Site | Part 3.7
CP-07 | Alternate Processing Site | Part 3.7
CP-08 | Telecommunications Services | Part 3.7
CP-09 | Information System Backup | Part 3.6, Part 3.7
CP-10 | Information System Recovery and Reconstitution | Part 3.6, Part 3.7
CP-11 | Alternate Communications Protocols | Part 3.7
CP-12 | Safe Mode | Part 3.7
CP-13 | Alternative Security Mechanisms | Part 3.7

IA Identification and Authentication

Control | Name | CBN CSF References
IA-01 | Identification and Authentication Policy and Procedures | Part 3.2
IA-02 | User Identification and Authentication | Part 3.2, Part 5.2
IA-03 | Device Identification and Authentication | Part 3.2
IA-04 | Identifier Management | Part 3.2
IA-05 | Authenticator Management | Part 3.2
IA-06 | Authenticator Feedback | Part 3.2
IA-08 | Identification and Authentication (Non-Organizational Users) | Part 3.2, Part 5.2
IA-11 | Re-authentication | Part 3.2
IA-12 | Identity Proofing | Part 3.2

IR Incident Response

Control | Name | CBN CSF References
IR-01 | Incident Response Policy and Procedures | Part 1.3, Part 3.6
IR-02 | Incident Response Training | Part 3.6
IR-03 | Incident Response Testing and Exercises | Part 3.6, Part 3.8
IR-04 | Incident Handling | Part 3.5, Part 3.6
IR-05 | Incident Monitoring | Part 3.6
IR-06 | Incident Reporting | Part 3.6
IR-07 | Incident Response Assistance | Part 3.6
IR-08 | Incident Response Plan | Part 3.6
IR-09 | Information Spillage Response | Part 3.6

MA Maintenance

Control | Name | CBN CSF References
MA-01 | System Maintenance Policy and Procedures | Part 3.3
MA-02 | Controlled Maintenance | Part 3.3
MA-03 | Maintenance Tools | Part 3.3
MA-04 | Remote Maintenance | Part 3.3
MA-05 | Maintenance Personnel | Part 3.3

MP Media Protection

Control | Name | CBN CSF References
MP-01 | Media Protection Policy and Procedures | Part 3.4
MP-02 | Media Access | Part 3.4
MP-03 | Media Labeling | Part 3.4
MP-04 | Media Storage | Part 3.4
MP-05 | Media Transport | Part 3.4
MP-06 | Media Sanitization and Disposal | Part 3.4
MP-07 | Media Use | Part 3.4

PE Physical and Environmental Protection

Control | Name | CBN CSF References
PE-01 | Physical and Environmental Protection Policy and Procedures | Part 10
PE-02 | Physical Access Authorizations | Part 10
PE-03 | Physical Access Control | Part 10
PE-04 | Access Control for Transmission Medium | Part 10
PE-05 | Access Control for Display Medium | Part 10
PE-06 | Monitoring Physical Access | Part 10
PE-08 | Access Records | Part 10
PE-09 | Power Equipment and Power Cabling | Part 10
PE-10 | Emergency Shutoff | Part 10
PE-11 | Emergency Power | Part 10
PE-12 | Emergency Lighting | Part 10
PE-13 | Fire Protection | Part 10
PE-14 | Temperature and Humidity Controls | Part 10
PE-15 | Water Damage Protection | Part 10
PE-17 | Alternate Work Site | Part 10

PL Planning

Control | Name | CBN CSF References
PL-01 | Security Planning Policy and Procedures | Part 1.3, Part 6.2
PL-02 | System Security Plan | Part 1.3, Part 3.1, Part 6.2
PL-04 | Rules of Behavior | Part 1.3, Part 7.1
PL-09 | Central Management | Part 1.1, Part 1.3
PL-10 | Baseline Selection | Part 1.3, Part 2.1
PL-11 | Baseline Tailoring | Part 1.3, Part 2.1

PM Program Management

Control | Name | CBN CSF References
PM-01 | Information Security Program Plan | Part 1.1, Part 1.3, Part 6.1, Part 7.1
PM-02 | Information Security Program Leadership Role | Part 1.1, Part 1.2
PM-03 | Information Security and Privacy Resources | Part 1.1
PM-04 | Plan of Action and Milestones Process | Part 1.3, Part 2.2, Part 6.1, Part 6.2, Part 7.2
PM-05 | System Inventory | Part 3.1
PM-06 | Measures of Performance | Part 2.2, Part 6.1, Part 6.2, Part 7.2
PM-08 | Critical Infrastructure Plan | Part 3.7
PM-09 | Risk Management Strategy | Part 1.1, Part 2.1, Part 2.2
PM-10 | Authorization Process | Part 1.3, Part 6.2, Part 7.1
PM-11 | Mission and Business Process Definition | Part 3.7
PM-12 | Insider Threat Program | Part 9
PM-13 | Security and Privacy Workforce | Part 1.1, Part 8
PM-14 | Testing, Training, and Monitoring | Part 2.3, Part 3.8, Part 6.1, Part 7.2
PM-15 | Security and Privacy Groups and Associations | Part 4, Part 8
PM-16 | Threat Awareness Program | Part 3.5, Part 4
PM-28 | Risk Framing | Part 1.1, Part 2.1, Part 2.2
PM-29 | Risk Management Program Leadership Roles | Part 1.1, Part 1.2
PM-30 | Supply Chain Risk Management Strategy | Part 2.4
PM-31 | Continuous Monitoring Strategy | Part 2.4
PM-32 | Purposing | Part 2.4, Part 5.1

PS Personnel Security

Control | Name | CBN CSF References
PS-01 | Personnel Security Policy and Procedures | Part 1.2, Part 9
PS-02 | Position Categorization | Part 1.2, Part 9
PS-03 | Personnel Screening | Part 1.2, Part 9
PS-04 | Personnel Termination | Part 9
PS-05 | Personnel Transfer | Part 9
PS-06 | Access Agreements | Part 1.2, Part 9
PS-07 | Third-Party Personnel Security | Part 1.2, Part 2.4, Part 9
PS-08 | Personnel Sanctions | Part 9
PS-09 | Position Descriptions | Part 1.1, Part 1.2

PT Personally Identifiable Information Processing and Transparency

Control | Name | CBN CSF References
PT-01 | Policy and Procedures | Part 3.4, Part 5.1, Part 7.1
PT-02 | Authority to Process Personally Identifiable Information | Part 3.4, Part 5.1, Part 7.1
PT-03 | Personally Identifiable Information Processing Purposes | Part 3.4, Part 7.1
PT-05 | Privacy Notice | Part 3.4, Part 7.1
PT-06 | System of Records Notice | Part 7.1

RA Risk Assessment

Control | Name | CBN CSF References
RA-01 | Risk Assessment Policy and Procedures | Part 2.1
RA-02 | Security Categorization | Part 2.1, Part 3.1
RA-03 | Risk Assessment | Part 2.1, Part 2.2, Part 4, Part 5.1
RA-04 | Risk Assessment Update | Part 2.1, Part 2.2
RA-05 | Vulnerability Scanning | Part 2.3, Part 3.3
RA-06 | Technical Surveillance Countermeasures Survey | Part 2.3
RA-07 | Risk Response | Part 2.1, Part 2.2
RA-09 | Criticality Analysis | Part 2.1, Part 2.3, Part 3.1, Part 5.1
RA-10 | Threat Hunting | Part 3.5, Part 4

SA System and Services Acquisition

Control | Name | CBN CSF References
SA-04 | Acquisitions | Part 2.4, Part 5.1, Part 5.2
SA-08 | Security Engineering Principles | Part 4, Part 5.1, Part 5.2
SA-09 | External Information System Services | Part 2.4, Part 5.1
SA-11 | Developer Security Testing | Part 5.2
SA-17 | Developer Security and Privacy Architecture and Design | Part 5.1
SA-21 | Developer Screening | Part 2.4
SA-22 | Unsupported System Components | Part 2.4

SC System and Communications Protection

Control | Name | CBN CSF References
SC-01 | System and Communications Protection Policy and Procedures | Part 1.3
SC-05 | Denial of Service Protection | Part 3.3
SC-07 | Boundary Protection | Part 3.1, Part 3.3, Part 5.1, Part 5.2
SC-08 | Transmission Integrity | Part 3.3, Part 3.4, Part 5.2
SC-12 | Cryptographic Key Establishment and Management | Part 3.3
SC-13 | Use of Cryptography | Part 3.3, Part 3.4, Part 5.2
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | Part 3.3
SC-21 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | Part 3.3
SC-22 | Architecture and Provisioning for Name / Address Resolution Service | Part 3.3
SC-23 | Session Authenticity | Part 5.2
SC-24 | Fail in Known State | Part 3.7
SC-26 | Decoys | Part 3.5, Part 4
SC-28 | Protection of Information at Rest | Part 3.3, Part 3.4
SC-39 | Process Isolation | Part 3.3
SC-41 | Port and I/O Device Access | Part 3.3
SC-44 | Detonation Chambers | Part 3.5, Part 4

SI System and Information Integrity

Control | Name | CBN CSF References
SI-02 | Flaw Remediation | Part 2.3, Part 3.3
SI-03 | Malicious Code Protection | Part 3.3
SI-04 | Information System Monitoring Tools and Techniques | Part 2.2, Part 3.3, Part 3.5, Part 4
SI-05 | Security Alerts and Advisories | Part 4
SI-07 | Software and Information Integrity | Part 3.3
SI-10 | Information Accuracy, Completeness, Validity, and Authenticity | Part 5.2
SI-12 | Information Output Handling and Retention | Part 3.4, Part 7.1
SI-13 | Predictable Failure Prevention | Part 3.7
SI-16 | Memory Protection | Part 3.3
SI-17 | Fail-safe Procedures | Part 3.7

SR Supply Chain Risk Management

Control | Name | CBN CSF References
SR-01 | Policy and Procedures | Part 2.4
SR-02 | Supply Chain Risk Management Plan | Part 2.4
SR-03 | Supply Chain Controls and Processes | Part 2.4
SR-05 | Acquisition Strategies, Tools, and Methods | Part 2.4
SR-06 | Supplier Assessments and Reviews | Part 2.4