NIST Cybersecurity Framework 2.0

Voluntary guidance for managing and reducing cybersecurity risk. Organized around five core functions: Identify, Protect, Detect, Respond, Recover.

Controls: 88
Total Mappings: 480
Publisher: NIST
Version: 2.0

AC Access Control

Control | Name | NIST CSF 2.0 References
AC-01 | Access Control Policies and Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+3 more)
AC-05 | Separation Of Duties | PR.AA-05
AC-06 | Least Privilege | PR.AA-05, PR.DS-10

AT Awareness and Training

Control | Name | NIST CSF 2.0 References
AT-01 | Security Awareness And Training Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+2 more)
AT-02 | Security Awareness | PR.AT, PR.AT-01
AT-03 | Security Training | PR.AT, PR.AT-01, PR.AT-02

AU Audit and Accountability

Control | Name | NIST CSF 2.0 References
AU-01 | Audit And Accountability Policy And Procedures | DE.AE, DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09, GV.OV, GV.OV-01, GV.OV-02 (+7 more)
AU-02 | Auditable Events | DE.AE, DE.AE-03, DE.AE-06, DE.CM-01, PR.DS-10, PR.PS, PR.PS-04, PR.PS-05
AU-03 | Content Of Audit Records | PR.PS-04
AU-06 | Audit Monitoring, Analysis, And Reporting | DE.AE-03, DE.AE-06

CA Security Assessment and Authorization

Control | Name | NIST CSF 2.0 References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+2 more)
CA-02 | Security Assessments | ID.IM-01, ID.IM-02, ID.RA-01
CA-05 | Plan Of Action And Milestones | ID.IM-01, ID.IM-02, ID.RA-01
CA-07 | Continuous Monitoring | GV.OC-03

CM Configuration Management

Control | Name | NIST CSF 2.0 References
CM-01 | Configuration Management Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+4 more)
CM-02 | Baseline Configuration | PR.DS-10, PR.PS, PR.PS-05
CM-03 | Configuration Change Control | ID.RA-07
CM-04 | Monitoring Configuration Changes | ID.RA-07
CM-05 | Access Restrictions For Change | ID.RA-07
CM-06 | Configuration Settings | PR.DS-10, PR.PS, PR.PS-05
CM-07 | Least Functionality | PR.PS-05
CM-08 | Information System Component Inventory | ID.AM, ID.AM-01, ID.AM-02

CP Contingency Planning

Control | Name | NIST CSF 2.0 References
CP-01 | Contingency Planning Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+10 more)
CP-02 | Contingency Plan | GV.SC-08, ID.IM-04, PR.IR-02, PR.IR-03, RC, RC.RP, RC.RP-02, RC.RP-04 (+1 more)
CP-04 | Contingency Plan Testing And Exercises | ID.IM-02, ID.IM-03
CP-09 | Information System Backup | PR.DS-11
CP-10 | Information System Recovery And Reconstitution | GV.SC-08, ID.IM-04, PR.IR-02, PR.IR-03, RC, RC.RP, RC.RP-01, RC.RP-02 (+3 more)

IA Identification and Authentication

Control | Name | NIST CSF 2.0 References
IA-01 | Identification And Authentication Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+3 more)
IA-02 | User Identification And Authentication | PR.AA-01, PR.AA-03, PR.AA-05
IA-03 | Device Identification And Authentication | PR.AA-01, PR.AA-03, PR.AA-05
IA-04 | Identifier Management | PR.AA, PR.AA-03, PR.AA-04, PR.AA-05

IR Incident Response

Control | Name | NIST CSF 2.0 References
IR-01 | Incident Response Policy And Procedures | DE.AE, GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01 (+9 more)
IR-04 | Incident Handling | DE.AE, DE.AE-02, DE.AE-03, DE.AE-04, DE.AE-06, DE.AE-08, GV.SC-08, RC.RP-06 (+13 more)
IR-05 | Incident Monitoring | DE.AE-06, RC.RP-06, RS, RS.AN-06, RS.CO
IR-06 | Incident Reporting | DE.AE-06, RS, RS.CO, RS.CO-02, RS.CO-03, RS.MA-01

MA Maintenance

Control | Name | NIST CSF 2.0 References
MA-01 | System Maintenance Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+4 more)
MA-02 | Controlled Maintenance | PR.PS, PR.PS-02, PR.PS-03
MA-06 | Timely Maintenance | PR.PS-02, PR.PS-03

MP Media Protection

Control | Name | NIST CSF 2.0 References
MP-01 | Media Protection Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+6 more)
MP-02 | Media Access | DE.CM-09, PR.DS
MP-04 | Media Storage | ID.AM-07

PE Physical and Environmental Protection

Control | Name | NIST CSF 2.0 References
PE-01 | Physical And Environmental Protection Policy And Procedures | DE.CM-02, GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01 (+6 more)
PE-02 | Physical Access Authorizations | PR.AA, PR.AA-06
PE-03 | Physical Access Control | DE.CM-02, PR.AA, PR.AA-06
PE-06 | Monitoring Physical Access | DE.CM-02
PE-08 | Access Records | DE.CM-02
PE-09 | Power Equipment And Power Cabling | PR.IR-02
PE-13 | Fire Protection | PR.IR-02
PE-14 | Temperature And Humidity Controls | PR.IR-02
PE-15 | Water Damage Protection | PR.IR-02

PL Planning

Control | Name | NIST CSF 2.0 References
PL-01 | Security Planning Policy And Procedures | GV.OC, GV.OC-03, GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02 (+9 more)
PL-02 | System Security Plan | ID.AM-03
PL-04 | Rules Of Behavior | ID.AM

PS Personnel Security

Control | Name | NIST CSF 2.0 References
PS-01 | Personnel Security Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.RR-04, GV.SC-01 (+3 more)
PS-02 | Position Categorization | GV.RR-02, PR.AA-05
PS-08 | Personnel Sanctions | GV.PO, GV.PO-01, GV.PO-02

PT Personally Identifiable Information Processing and Transparency

Control | Name | NIST CSF 2.0 References
PT-01 | Policy and Procedures | GV.OC-03, GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01 (+5 more)

RA Risk Assessment

Control | Name | NIST CSF 2.0 References
RA-01 | Risk Assessment Policy And Procedures | GV, GV.OV, GV.OV-01, GV.OV-02, GV.OV-03, GV.PO, GV.PO-01, GV.PO-02 (+16 more)
RA-02 | Security Categorization | ID.AM
RA-03 | Risk Assessment | GV.RM-06, ID, ID.IM-01, ID.IM-02, ID.RA-01, ID.RA-05
RA-05 | Vulnerability Scanning | ID.RA-01

SA System and Services Acquisition

Control | Name | NIST CSF 2.0 References
SA-01 | System And Services Acquisition Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+3 more)
SA-02 | Allocation Of Resources | GV.RR-03
SA-03 | Life Cycle Support | GV.SC-09, ID.AM-08, PR.PS-02, PR.PS-03
SA-04 | Acquisitions | GV.SC-04, GV.SC-06, GV.SC-07, GV.SC-08, GV.SC-10, ID.AM, ID.RA-09, PR.PS-06
SA-05 | Information System Documentation | ID.AM-05
SA-08 | Security Engineering Principles | PR.DS-10, PR.IR, PR.IR-01, PR.IR-03, PR.PS, PR.PS-05
SA-09 | External Information System Services | GV.SC-06, GV.SC-07
SA-10 | Developer Configuration Management | ID.RA-09
SA-11 | Developer Security Testing | ID.IM-01, ID.IM-02, ID.RA-01, PR.PS-06

SC System and Communications Protection

Control | Name | NIST CSF 2.0 References
SC-01 | System And Communications Protection Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+4 more)
SC-05 | Denial Of Service Protection | PR.IR-04
SC-06 | Resource Priority | PR.IR-04
SC-08 | Transmission Integrity | PR.DS-02
SC-13 | Use Of Cryptography | PR.DS-01, PR.DS-02, PR.DS-10

SI System and Information Integrity

Control | Name | NIST CSF 2.0 References
SI-01 | System And Information Integrity Policy And Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+4 more)
SI-02 | Flaw Remediation | ID.RA-01, ID.RA-08, PR.PS-02
SI-03 | Malicious Code Protection | DE.CM-09, ID.RA-01, ID.RA-08, PR.PS-02
SI-04 | Information System Monitoring Tools And Techniques | DE.AE, DE.AE-03, DE.AE-06, DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09, PR.PS-04
SI-05 | Security Alerts And Advisories | DE, DE.AE-07, ID.RA-02, ID.RA-03, ID.RA-08
SI-07 | Software And Information Integrity | DE.CM-09
SI-12 | Information Output Handling And Retention | ID.AM-07

SR Supply Chain Risk Management

Control | Name | NIST CSF 2.0 References
SR-01 | Policy and Procedures | GV.OV, GV.OV-01, GV.OV-02, GV.PO, GV.PO-01, GV.PO-02, GV.SC-01, GV.SC-03 (+7 more)
SR-02 | Supply Chain Risk Management Plan | GV.SC, GV.SC-01, GV.SC-03, GV.SC-05, GV.SC-06, GV.SC-07, GV.SC-09, GV.SC-10 (+4 more)
SR-03 | Supply Chain Controls and Processes | GV.SC-06, GV.SC-07
SR-06 | Supplier Assessments and Reviews | GV.SC-07, ID.IM-01, ID.IM-02
SR-07 | Supply Chain Operations Security | GV.SC, GV.SC-01, GV.SC-03, GV.SC-05, GV.SC-09, GV.SC-10, ID, ID.IM (+2 more)
SR-09 | Tamper Resistance and Detection | ID.RA-09