← Frameworks / Risk Framework

NIST Cybersecurity Framework 2.0

Voluntary guidance for managing and reducing cybersecurity risk. Organized around five core functions: Identify, Protect, Detect, Respond, Recover.

Clauses: 106
Avg Coverage: 85.3%
Publisher: NIST Version: 2.0
NIST CSF 2.0 → SP 800-53 SP 800-53 → NIST CSF 2.0 Coverage Analysis
Clause Title SP 800-53 Controls
DE.AE-02 Potentially adverse events are analyzed to better understand associated activities
SI-04 AU-06 IR-04
DE.AE-03 Information is correlated from multiple sources
AU-06 SI-04 PL-09
DE.AE-04 The estimated impact and scope of adverse events are understood
IR-04 RA-03 AU-06 SI-04
DE.AE-06 Information on adverse events is provided to authorized staff and tools
SI-04 IR-06 AU-06
DE.AE-07 Cyber threat intelligence and other contextual information are integrated into the analysis
PM-16 RA-03 SI-05 RA-10
DE.AE-08 Incidents are declared when adverse events meet the defined incident criteria
IR-04 IR-05 IR-06
DE.CM-01 Networks and network services are monitored to find potentially adverse events
SI-04 SC-07 AU-06 CA-07
DE.CM-02 The physical environment is monitored to find potentially adverse events
PE-06 PE-03 PE-20
DE.CM-03 Personnel activity and technology usage are monitored to find potentially adverse events
AU-06 AU-12 SI-04 AC-02
DE.CM-06 External service provider activities and services are monitored to find potentially adverse events
SA-09 SR-06 CA-07 SI-04
DE.CM-09 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
SI-04 SI-07 AU-06 CM-03
GV.OC-01 The organizational mission is understood and informs cybersecurity risk management
PM-07 PM-08 PM-11
GV.OC-02 Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
PM-08 PM-11 PM-15
GV.OC-03 Legal, regulatory, and contractual requirements regarding cybersecurity are understood and managed
PM-01 PL-04 SA-04
GV.OC-04 Critical objectives, capabilities, and services that external stakeholders depend on are understood and communicated
PM-08 PM-11 CP-02
GV.OC-05 Outcomes, capabilities, and services that the organization depends on are understood and communicated
PM-08 PM-11 SA-09 CP-02
GV.OV-01 Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
PM-09 PM-06 CA-07 PM-31
GV.OV-02 The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
PM-09 PM-28 CA-02 RA-03
GV.OV-03 Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
PM-06 CA-07 PM-14 CA-02
GV.PO-01 A policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
PL-01 PM-01 PM-09 PL-02
GV.PO-02 Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
PL-01 PM-01 PM-04 CA-07
GV.RM-01 Risk management objectives are established and expressed as statements that articulate the basis for cybersecurity risk management decisions
PM-09 PM-28 RA-01
GV.RM-02 Risk appetite and risk tolerance statements are established, communicated, and maintained
PM-09 PM-28
GV.RM-03 Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
PM-09 PM-28 PM-01
GV.RM-04 Strategic direction that describes appropriate risk response options is established and communicated
PM-09 RA-03 RA-07 CA-05
GV.RM-05 Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
PM-15 PM-16 IR-06 IR-07 SR-01
GV.RM-06 A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
RA-01 RA-02 RA-03 PM-09
GV.RM-07 Strategic opportunities (positive risks) are characterized and are included in organizational cybersecurity risk discussions
PM-09
GV.RR-01 Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
PM-01 PM-02 PM-13 AT-02
GV.RR-02 Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
PM-02 PS-01 PS-02 PS-09 PL-01 PM-13
GV.RR-03 Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles and responsibilities, and policies
PM-03 PM-13 SA-02
GV.RR-04 Cybersecurity is included in human resources practices
PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09 AT-01 AT-02 AT-03 AT-04 PM-13
GV.SC-01 A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
SR-01 SR-02 SR-03 PM-30
GV.SC-02 Cybersecurity roles and responsibilities for suppliers, customers, and partners are established and communicated
SA-04 SA-09 SR-01 SR-03
GV.SC-03 Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
SR-01 SR-02 PM-09 PM-30
GV.SC-04 Suppliers are known and prioritized by criticality
SR-02 SR-03 SR-06 SA-04
GV.SC-05 Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
SA-04 SR-01 SR-02 SR-03
GV.SC-06 Planning and due diligence are conducted to reduce risks before entering into formal supplier or other third-party relationships
SR-03 SR-05 SR-06 SA-04
GV.SC-07 The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
SR-02 SR-03 SR-06 RA-03 RA-07
GV.SC-08 Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
IR-04 IR-08 SR-08 CP-02
GV.SC-09 Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
SR-01 SR-02 SR-03 SR-06 PM-30 SA-03
GV.SC-10 Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
SR-12 SA-04 SR-01 MP-06
ID.AM-01 Inventories of hardware managed by the organization are maintained
CM-08 PM-05
ID.AM-02 Inventories of software, services, and systems managed by the organization are maintained
CM-08 PM-05 CM-10
ID.AM-03 Representations of the organization's authorized network communication and internal and external network data flows are maintained
AC-04 PL-08 CA-03 SC-07 CM-12
ID.AM-04 Inventories of services provided by suppliers are maintained
SA-09 SR-06 PM-05
ID.AM-05 Assets are prioritized based on classification, criticality, resources, and impact to the mission
RA-02 PM-11 CP-02 PM-07
ID.AM-07 Inventories of data and corresponding metadata for designated data types are maintained
RA-02 CM-08 CM-12 CM-13 SI-12
ID.AM-08 Systems, hardware, software, services, and data are managed throughout their life cycles
SA-03 SA-22 CM-08 SI-12 MP-06
ID.IM-01 Improvements are identified from evaluations
CA-02 CA-07 PM-06 PM-04
ID.IM-02 Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
CA-08 IR-03 PM-14 CP-04
ID.IM-03 Improvements are identified from execution of operational processes, procedures, and activities
CA-07 PM-06 IR-04 SI-04 AT-06
ID.IM-04 Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved based on lessons learned and other factors
IR-08 IR-03 CP-02 CP-04
ID.RA-01 Vulnerabilities in assets are identified, validated, and recorded
RA-05 SI-02 SI-05
ID.RA-02 Cyber threat intelligence is received from information sharing forums and sources
PM-16 SI-05 PM-15
ID.RA-03 Internal and external threats to the organization are identified and recorded
RA-03 PM-16 RA-10
ID.RA-04 Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
RA-03 RA-02
ID.RA-05 Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
RA-03 RA-07 PM-09 CA-05
ID.RA-06 Risk responses are chosen, prioritized, planned, tracked, and communicated
RA-07 RA-03 PM-09 CA-05 PM-04
ID.RA-07 Changes and exceptions are managed, assessed for risk impact, and recorded
CM-03 CM-04 CA-06 RA-07 PM-09
ID.RA-08 Processes for receiving, analyzing, and responding to vulnerability disclosures are established
RA-05 SI-02 SI-05 PM-15
ID.RA-09 The authenticity and integrity of hardware and software are assessed prior to acquisition and use
SR-04 SR-05 SR-09 SR-10 SR-11 SA-04
ID.RA-10 Critical suppliers are assessed prior to acquisition
SR-03 SR-05 SR-06 SA-04
PR.AA-01 Identities and credentials for authorized users, services, and hardware are managed by the organization
IA-02 IA-04 IA-05 IA-08 IA-12
PR.AA-02 Identities are proofed and bound to credentials based on the context of interactions
IA-12 IA-04 IA-05
PR.AA-03 Users, services, and hardware are authenticated
IA-02 IA-03 IA-08 IA-09
PR.AA-04 Identity assertions are protected, conveyed, and verified
IA-02 IA-05 SC-23 IA-08
PR.AA-05 Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
AC-02 AC-03 AC-05 AC-06 AC-24
PR.AA-06 Physical access to assets is managed, monitored, and enforced commensurate with risk
PE-02 PE-03 PE-06 PE-08
PR.AT-01 Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
AT-02 AT-03 AT-06 PM-13
PR.AT-02 Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
AT-03 AT-06 PM-13 IR-02
PR.DS-01 The confidentiality, integrity, and availability of data-at-rest is protected
SC-28 MP-04 MP-05 AC-03
PR.DS-02 The confidentiality, integrity, and availability of data-in-transit is protected
SC-08 SC-12 SC-13 AC-17
PR.DS-10 The confidentiality, integrity, and availability of data-in-use is protected
SC-04 AC-03 AC-04 SC-39
PR.DS-11 Backups of data are created, protected, maintained, and tested in accordance with policy
CP-09 CP-06
PR.IR-01 Networks and environments are protected from unauthorized logical access and usage
SC-07 AC-04 AC-17 SC-32
PR.IR-02 The organization's technology assets are protected from environmental threats
PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15
PR.IR-03 Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
CP-02 CP-07 CP-08 CP-09 CP-10 SC-05 SC-36
PR.IR-04 Adequate resource capacity to ensure availability is maintained
AU-04 CP-02 SC-05 PE-11
PR.PS-01 Configuration management practices are established and applied
CM-01 CM-02 CM-03 CM-06 CM-07 CM-08 CM-09 PL-09
PR.PS-02 Software is maintained, replaced, and removed commensurate with risk
SI-02 SA-22 CM-07 CM-11
PR.PS-03 Hardware is maintained, replaced, and removed commensurate with risk
MA-02 MA-06 SA-22 CM-08
PR.PS-04 Log records are generated and made available for continuous monitoring
AU-02 AU-03 AU-06 AU-12 CA-07
PR.PS-05 Installation and execution of unauthorized software is prevented
CM-07 CM-11 CM-14
PR.PS-06 Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
SA-03 SA-08 SA-10 SA-11 SA-15 SA-17
RC.CO-03 Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
IR-06 IR-07 CP-02
RC.CO-04 Public updates on incident recovery are shared using approved methods and messaging
IR-06 IR-07
RC.RP-01 The recovery portion of the incident response plan is executed once initiated from the incident response process
CP-10 IR-04 CP-02
RC.RP-02 Recovery actions are selected, scoped, and prioritized, considering the business impact of the incident
CP-10 CP-02 IR-04
RC.RP-03 The integrity of backups and other restoration assets is verified before using them for restoration
CP-09 SI-07
RC.RP-04 Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
CP-10 IR-04 PM-11
RC.RP-05 The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
CP-10 SI-07 CA-07
RC.RP-06 The end of incident recovery is declared based on criteria, and incident-related documentation is completed
IR-04 IR-03
RS.AN-03 Analysis is performed to determine what has taken place during an incident and root cause
IR-04 AU-06 SI-04
RS.AN-06 Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
IR-04 AU-09 AU-11
RS.AN-07 Incident data and metadata are collected, and their integrity and provenance are preserved
IR-04 AU-03 AU-09 AU-11
RS.AN-08 An incident's magnitude is estimated and validated
IR-04 IR-05 RA-03
RS.CO-02 Internal and external stakeholders are notified of incidents
IR-06 IR-07
RS.CO-03 Information is shared with designated internal and external stakeholders
IR-06 PM-15 PM-16
RS.MA-01 The incident response plan is executed in coordination with relevant third parties once an incident is declared
IR-04 IR-06 IR-07 IR-08
RS.MA-02 Incident reports are triaged and validated
IR-04 IR-05
RS.MA-03 Incidents are categorized and prioritized
IR-04 IR-05
RS.MA-04 Incidents are escalated or elevated as needed
IR-04 IR-06 IR-07
RS.MA-05 The criteria for initiating incident recovery are applied
IR-04 CP-10
RS.MI-01 Incidents are contained
IR-04 SC-07
RS.MI-02 Incidents are eradicated
IR-04 SI-03