
NIST Cybersecurity Framework 2.0

Voluntary guidance for managing and reducing cybersecurity risk. Organized around five core functions: Identify, Protect, Detect, Respond, Recover.

Controls: 151
Total Mappings: 405
Publisher: NIST
Version: 2.0

AC Access Control

Control | Name | NIST CSF 2.0 References
AC-02 | Account Management | DE.CM-03, PR.AA-05
AC-03 | Access Enforcement | PR.AA-05, PR.DS-01, PR.DS-10
AC-04 | Information Flow Enforcement | ID.AM-03, PR.DS-10, PR.IR-01
AC-05 | Separation Of Duties | PR.AA-05
AC-06 | Least Privilege | PR.AA-05
AC-17 | Remote Access | PR.DS-02, PR.IR-01
AC-24 | Access Control Decisions | PR.AA-05

AT Awareness and Training

Control | Name | NIST CSF 2.0 References
AT-01 | Security Awareness And Training Policy And Procedures | GV.RR-04
AT-02 | Security Awareness | GV.RR-01, GV.RR-04, PR.AT-01
AT-03 | Security Training | GV.RR-04, PR.AT-01, PR.AT-02
AT-04 | Security Training Records | GV.RR-04
AT-06 | Training Feedback | ID.IM-03, PR.AT-01, PR.AT-02

AU Audit and Accountability

Control | Name | NIST CSF 2.0 References
AU-02 | Auditable Events | PR.PS-04
AU-03 | Content Of Audit Records | PR.PS-04, RS.AN-07
AU-04 | Audit Storage Capacity | PR.IR-04
AU-06 | Audit Monitoring, Analysis, And Reporting | DE.AE-02, DE.AE-03, DE.AE-04, DE.AE-06, DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04, RS.AN-03
AU-09 | Protection Of Audit Information | RS.AN-06, RS.AN-07
AU-11 | Audit Record Retention | RS.AN-06, RS.AN-07
AU-12 | Audit Record Generation | DE.CM-03, PR.PS-04

CA Security Assessment and Authorization

Control | Name | NIST CSF 2.0 References
CA-02 | Security Assessments | GV.OV-02, GV.OV-03, ID.IM-01
CA-03 | Information System Connections | ID.AM-03
CA-05 | Plan Of Action And Milestones | GV.RM-04, ID.RA-05, ID.RA-06
CA-06 | Security Accreditation | ID.RA-07
CA-07 | Continuous Monitoring | DE.CM-01, DE.CM-06, GV.OV-01, GV.OV-03, GV.PO-02, ID.IM-01, ID.IM-03, PR.PS-04, RC.RP-05
CA-08 | Penetration Testing | ID.IM-02

CM Configuration Management

Control | Name | NIST CSF 2.0 References
CM-01 | Configuration Management Policy And Procedures | PR.PS-01
CM-02 | Baseline Configuration | PR.PS-01
CM-03 | Configuration Change Control | DE.CM-09, ID.RA-07, PR.PS-01
CM-04 | Monitoring Configuration Changes | ID.RA-07
CM-06 | Configuration Settings | PR.PS-01
CM-07 | Least Functionality | PR.PS-01, PR.PS-02, PR.PS-05
CM-08 | Information System Component Inventory | ID.AM-01, ID.AM-02, ID.AM-07, ID.AM-08, PR.PS-01, PR.PS-03
CM-09 | Configuration Management Plan | PR.PS-01
CM-10 | Software Usage Restrictions | ID.AM-02
CM-11 | User-Installed Software | PR.PS-02, PR.PS-05
CM-12 | Information Location | ID.AM-03, ID.AM-07
CM-13 | Data Action Mapping | ID.AM-07
CM-14 | Signed Components | PR.PS-05

CP Contingency Planning

Control | Name | NIST CSF 2.0 References
CP-02 | Contingency Plan | GV.OC-04, GV.OC-05, GV.SC-08, ID.AM-05, ID.IM-04, PR.IR-03, PR.IR-04, RC.CO-03, RC.RP-01, RC.RP-02
CP-04 | Contingency Plan Testing And Exercises | ID.IM-02, ID.IM-04
CP-06 | Alternate Storage Site | PR.DS-11
CP-07 | Alternate Processing Site | PR.IR-03
CP-08 | Telecommunications Services | PR.IR-03
CP-09 | Information System Backup | PR.DS-11, PR.IR-03, RC.RP-03
CP-10 | Information System Recovery And Reconstitution | PR.IR-03, RC.RP-01, RC.RP-02, RC.RP-04, RC.RP-05, RS.MA-05

IA Identification and Authentication

Control | Name | NIST CSF 2.0 References
IA-02 | User Identification And Authentication | PR.AA-01, PR.AA-03, PR.AA-04
IA-03 | Device Identification And Authentication | PR.AA-03
IA-04 | Identifier Management | PR.AA-01, PR.AA-02
IA-05 | Authenticator Management | PR.AA-01, PR.AA-02, PR.AA-04
IA-08 | Identification and Authentication (Non-Organizational Users) | PR.AA-01, PR.AA-03, PR.AA-04
IA-09 | Service Identification and Authentication | PR.AA-03
IA-12 | Identity Proofing | PR.AA-01, PR.AA-02

IR Incident Response

Control | Name | NIST CSF 2.0 References
IR-02 | Incident Response Training | PR.AT-02
IR-03 | Incident Response Testing And Exercises | ID.IM-02, ID.IM-04, RC.RP-06
IR-04 | Incident Handling | DE.AE-02, DE.AE-04, DE.AE-08, GV.SC-08, ID.IM-03, RC.RP-01, RC.RP-02, RC.RP-04, RC.RP-06, RS.AN-03, RS.AN-06, RS.AN-07, RS.AN-08, RS.MA-01, RS.MA-02, RS.MA-03, RS.MA-04, RS.MA-05, RS.MI-01, RS.MI-02
IR-05 | Incident Monitoring | DE.AE-08, RS.AN-08, RS.MA-02, RS.MA-03
IR-06 | Incident Reporting | DE.AE-06, DE.AE-08, GV.RM-05, RC.CO-03, RC.CO-04, RS.CO-02, RS.CO-03, RS.MA-01, RS.MA-04
IR-07 | Incident Response Assistance | GV.RM-05, RC.CO-03, RC.CO-04, RS.CO-02, RS.MA-01, RS.MA-04
IR-08 | Incident Response Plan | GV.SC-08, ID.IM-04, RS.MA-01

MA Maintenance

Control | Name | NIST CSF 2.0 References
MA-02 | Controlled Maintenance | PR.PS-03
MA-06 | Timely Maintenance | PR.PS-03

MP Media Protection

Control | Name | NIST CSF 2.0 References
MP-04 | Media Storage | PR.DS-01
MP-05 | Media Transport | PR.DS-01
MP-06 | Media Sanitization And Disposal | GV.SC-10, ID.AM-08

PE Physical and Environmental Protection

Control | Name | NIST CSF 2.0 References
PE-02 | Physical Access Authorizations | PR.AA-06
PE-03 | Physical Access Control | DE.CM-02, PR.AA-06
PE-06 | Monitoring Physical Access | DE.CM-02, PR.AA-06
PE-08 | Access Records | PR.AA-06
PE-09 | Power Equipment And Power Cabling | PR.IR-02
PE-10 | Emergency Shutoff | PR.IR-02
PE-11 | Emergency Power | PR.IR-02, PR.IR-04
PE-12 | Emergency Lighting | PR.IR-02
PE-13 | Fire Protection | PR.IR-02
PE-14 | Temperature And Humidity Controls | PR.IR-02
PE-15 | Water Damage Protection | PR.IR-02
PE-20 | Asset Monitoring and Tracking | DE.CM-02

PL Planning

Control | Name | NIST CSF 2.0 References
PL-01 | Security Planning Policy And Procedures | GV.PO-01, GV.PO-02, GV.RR-02
PL-02 | System Security Plan | GV.PO-01
PL-04 | Rules Of Behavior | GV.OC-03
PL-08 | Security and Privacy Architectures | ID.AM-03
PL-09 | Central Management | DE.AE-03, PR.PS-01

PM Program Management

Control | Name | NIST CSF 2.0 References
PM-01 | Information Security Program Plan | GV.OC-03, GV.PO-01, GV.PO-02, GV.RM-03, GV.RR-01
PM-02 | Information Security Program Leadership Role | GV.RR-01, GV.RR-02
PM-03 | Information Security and Privacy Resources | GV.RR-03
PM-04 | Plan of Action and Milestones Process | GV.PO-02, ID.IM-01, ID.RA-06
PM-05 | System Inventory | ID.AM-01, ID.AM-02, ID.AM-04
PM-06 | Measures of Performance | GV.OV-01, GV.OV-03, ID.IM-01, ID.IM-03
PM-07 | Enterprise Architecture | GV.OC-01, ID.AM-05
PM-08 | Critical Infrastructure Plan | GV.OC-01, GV.OC-02, GV.OC-04, GV.OC-05
PM-09 | Risk Management Strategy | GV.OV-01, GV.OV-02, GV.PO-01, GV.RM-01, GV.RM-02, GV.RM-03, GV.RM-04, GV.RM-06, GV.RM-07, GV.SC-03, ID.RA-05, ID.RA-06, ID.RA-07
PM-11 | Mission and Business Process Definition | GV.OC-01, GV.OC-02, GV.OC-04, GV.OC-05, ID.AM-05, RC.RP-04
PM-13 | Security and Privacy Workforce | GV.RR-01, GV.RR-02, GV.RR-03, GV.RR-04, PR.AT-01, PR.AT-02
PM-14 | Testing, Training, and Monitoring | GV.OV-03, ID.IM-02
PM-15 | Security and Privacy Groups and Associations | GV.OC-02, GV.RM-05, ID.RA-02, ID.RA-08, RS.CO-03
PM-16 | Threat Awareness Program | DE.AE-07, GV.RM-05, ID.RA-02, ID.RA-03, RS.CO-03
PM-28 | Risk Framing | GV.OV-02, GV.RM-01, GV.RM-02, GV.RM-03
PM-30 | Supply Chain Risk Management Strategy | GV.SC-01, GV.SC-03, GV.SC-09
PM-31 | Continuous Monitoring Strategy | GV.OV-01

PS Personnel Security

Control | Name | NIST CSF 2.0 References
PS-01 | Personnel Security Policy And Procedures | GV.RR-02, GV.RR-04
PS-02 | Position Categorization | GV.RR-02, GV.RR-04
PS-03 | Personnel Screening | GV.RR-04
PS-04 | Personnel Termination | GV.RR-04
PS-05 | Personnel Transfer | GV.RR-04
PS-06 | Access Agreements | GV.RR-04
PS-07 | Third-Party Personnel Security | GV.RR-04
PS-08 | Personnel Sanctions | GV.RR-04
PS-09 | Position Descriptions | GV.RR-02, GV.RR-04

RA Risk Assessment

Control | Name | NIST CSF 2.0 References
RA-01 | Risk Assessment Policy And Procedures | GV.RM-01, GV.RM-06
RA-02 | Security Categorization | GV.RM-06, ID.AM-05, ID.AM-07, ID.RA-04
RA-03 | Risk Assessment | DE.AE-04, DE.AE-07, GV.OV-02, GV.RM-04, GV.RM-06, GV.SC-07, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, RS.AN-08
RA-05 | Vulnerability Scanning | ID.RA-01, ID.RA-08
RA-07 | Risk Response | GV.RM-04, GV.SC-07, ID.RA-05, ID.RA-06, ID.RA-07
RA-10 | Threat Hunting | DE.AE-07, ID.RA-03

SA System and Services Acquisition

Control | Name | NIST CSF 2.0 References
SA-02 | Allocation Of Resources | GV.RR-03
SA-03 | Life Cycle Support | GV.SC-09, ID.AM-08, PR.PS-06
SA-04 | Acquisitions | GV.OC-03, GV.SC-02, GV.SC-04, GV.SC-05, GV.SC-06, GV.SC-10, ID.RA-09, ID.RA-10
SA-08 | Security Engineering Principles | PR.PS-06
SA-09 | External Information System Services | DE.CM-06, GV.OC-05, GV.SC-02, ID.AM-04
SA-10 | Developer Configuration Management | PR.PS-06
SA-11 | Developer Security Testing | PR.PS-06
SA-15 | Development Process, Standards, and Tools | PR.PS-06
SA-17 | Developer Security and Privacy Architecture and Design | PR.PS-06
SA-22 | Unsupported System Components | ID.AM-08, PR.PS-02, PR.PS-03

SC System and Communications Protection

Control | Name | NIST CSF 2.0 References
SC-04 | Information Remnance | PR.DS-10
SC-05 | Denial Of Service Protection | PR.IR-03, PR.IR-04
SC-07 | Boundary Protection | DE.CM-01, ID.AM-03, PR.IR-01, RS.MI-01
SC-08 | Transmission Integrity | PR.DS-02
SC-12 | Cryptographic Key Establishment And Management | PR.DS-02
SC-13 | Use Of Cryptography | PR.DS-02
SC-23 | Session Authenticity | PR.AA-04
SC-28 | Protection of Information at Rest | PR.DS-01
SC-32 | System Partitioning | PR.IR-01
SC-36 | Distributed Processing and Storage | PR.IR-03
SC-39 | Process Isolation | PR.DS-10

SI System and Information Integrity

Control | Name | NIST CSF 2.0 References
SI-02 | Flaw Remediation | ID.RA-01, ID.RA-08, PR.PS-02
SI-03 | Malicious Code Protection | RS.MI-02
SI-04 | Information System Monitoring Tools And Techniques | DE.AE-02, DE.AE-03, DE.AE-04, DE.AE-06, DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09, ID.IM-03, RS.AN-03
SI-05 | Security Alerts And Advisories | DE.AE-07, ID.RA-01, ID.RA-02, ID.RA-08
SI-07 | Software And Information Integrity | DE.CM-09, RC.RP-03, RC.RP-05
SI-12 | Information Output Handling And Retention | ID.AM-07, ID.AM-08

SR Supply Chain Risk Management

Control | Name | NIST CSF 2.0 References
SR-01 | Policy and Procedures | GV.RM-05, GV.SC-01, GV.SC-02, GV.SC-03, GV.SC-05, GV.SC-09, GV.SC-10
SR-02 | Supply Chain Risk Management Plan | GV.SC-01, GV.SC-03, GV.SC-04, GV.SC-05, GV.SC-07, GV.SC-09
SR-03 | Supply Chain Controls and Processes | GV.SC-01, GV.SC-02, GV.SC-04, GV.SC-05, GV.SC-06, GV.SC-07, GV.SC-09, ID.RA-10
SR-04 | Provenance | ID.RA-09
SR-05 | Acquisition Strategies, Tools, and Methods | GV.SC-06, ID.RA-09, ID.RA-10
SR-06 | Supplier Assessments and Reviews | DE.CM-06, GV.SC-04, GV.SC-06, GV.SC-07, GV.SC-09, ID.AM-04, ID.RA-10
SR-08 | Notification Agreements | GV.SC-08
SR-09 | Tamper Resistance and Detection | ID.RA-09
SR-10 | Inspection of Systems or Components | ID.RA-09
SR-11 | Component Authenticity | ID.RA-09
SR-12 | Component Disposal | GV.SC-10