
Informative Reference Submission Form

Field Name: Value

Informative Reference Name: NIST-CSF-V1.1-to-DOE-C2M2-V2.1-OLIR-Mapping

Reference Version: 1.1.0

Web Address: https://www.nccoe.nist.gov/sites/default/files/2023-03/DOE-C2M2V2_1-CSF-mapping.xlsx

Focal Document Version: The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1.1

Summary: A mapping of the United States Department of Energy Cybersecurity Capability Maturity Model (C2M2) Version 2.1 practices to the NIST Cybersecurity Framework (CSF) version 1.1 Core.

Target Audience (Community): Energy sector entities seeking to evaluate their cybersecurity capabilities and optimize security investments.

Comprehensive: No

Reference Document Author: The United States Department of Energy

Reference Document: The United States Department of Energy Cybersecurity Capability Maturity Model (C2M2) V2.1

Reference Document Date: 06/29/2022

Reference Document URL: https://energy.gov/c2m2

Reference Developer: The National Institute of Standards and Technology

Comments: Not applicable

Point of Contact: C2M2@hq.doe.gov

Dependency/Requirement: Stand-alone

Citations: Not applicable
Focal Document Element Focal Document Element Description
ID Develop an organizational understanding to manage cybersecurity
risk to systems, people, assets, data, and capabilities.
ID.AM The data, personnel, devices, systems, and facilities that enable the
organization to achieve business purposes are identified and
managed consistent with their relative importance to organizational
objectives and the organization’s risk strategy.

ID.AM-1 Physical devices and systems within the organization are inventoried

ID.AM-1 Physical devices and systems within the organization are inventoried

ID.AM-1 Physical devices and systems within the organization are inventoried

ID.AM-1 Physical devices and systems within the organization are inventoried

ID.AM-2 Software platforms and applications within the organization are


inventoried
ID.AM-2 Software platforms and applications within the organization are
inventoried
ID.AM-2 Software platforms and applications within the organization are
inventoried
ID.AM-2 Software platforms and applications within the organization are
inventoried

ID.AM-3 Organizational communication and data flows are mapped

ID.AM-4 External information systems are catalogued

ID.AM-4 External information systems are catalogued

ID.AM-4 External information systems are catalogued

ID.AM-4 External information systems are catalogued

ID.AM-4 External information systems are catalogued

ID.AM-4 External information systems are catalogued

ID.AM-4 External information systems are catalogued

ID.AM-5 Resources (e.g., hardware, devices, data, time, personnel, and


software) are prioritized based on their classification, criticality, and
business value
ID.AM-5 Resources (e.g., hardware, devices, data, time, personnel, and
software) are prioritized based on their classification, criticality, and
business value
ID.AM-5 Resources (e.g., hardware, devices, data, time, personnel, and
software) are prioritized based on their classification, criticality, and
business value
ID.AM-5 Resources (e.g., hardware, devices, data, time, personnel, and
software) are prioritized based on their classification, criticality, and
business value
ID.AM-5 Resources (e.g., hardware, devices, data, time, personnel, and
software) are prioritized based on their classification, criticality, and
business value

ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers, customers, partners) are
established
ID.BE The organization’s mission, objectives, stakeholders, and activities
are understood and prioritized; this information is used to inform
cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1 The organization’s role in the supply chain is identified and


communicated

ID.BE-1 The organization’s role in the supply chain is identified and


communicated

ID.BE-1 The organization’s role in the supply chain is identified and


communicated

ID.BE-2 The organization’s place in critical infrastructure and its industry


sector is identified and communicated

ID.BE-2 The organization’s place in critical infrastructure and its industry


sector is identified and communicated

ID.BE-2 The organization’s place in critical infrastructure and its industry


sector is identified and communicated

ID.BE-3 Priorities for organizational mission, objectives, and activities are


established and communicated
ID.BE-3 Priorities for organizational mission, objectives, and activities are
established and communicated
ID.BE-3 Priorities for organizational mission, objectives, and activities are
established and communicated

ID.BE-4 Dependencies and critical functions for delivery of critical services


are established

ID.BE-4 Dependencies and critical functions for delivery of critical services


are established
ID.BE-4 Dependencies and critical functions for delivery of critical services
are established

ID.BE-4 Dependencies and critical functions for delivery of critical services


are established
ID.BE-5 Resilience requirements to support delivery of critical services are
established for all operating states (e.g. under duress/attack, during
recovery, normal operations)
ID.BE-5 Resilience requirements to support delivery of critical services are
established for all operating states (e.g. under duress/attack, during
recovery, normal operations)
ID.BE-5 Resilience requirements to support delivery of critical services are
established for all operating states (e.g. under duress/attack, during
recovery, normal operations)
ID.BE-5 Resilience requirements to support delivery of critical services are
established for all operating states (e.g. under duress/attack, during
recovery, normal operations)

ID.BE-5 Resilience requirements to support delivery of critical services are


established for all operating states (e.g. under duress/attack, during
recovery, normal operations)
ID.BE-5 Resilience requirements to support delivery of critical services are
established for all operating states (e.g. under duress/attack, during
recovery, normal operations)
ID.BE-5 Resilience requirements to support delivery of critical services are
established for all operating states (e.g. under duress/attack, during
recovery, normal operations)
ID.GV The policies, procedures, and processes to manage and monitor the
organization’s regulatory, legal, risk, environmental, and operational
requirements are understood and inform the management of
cybersecurity risk.

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated


ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-1 Organizational cybersecurity policy is established and communicated

ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned


with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners

ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned


with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners

ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned


with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners

ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned


with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned
with internal roles and external partners
ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including
privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed
ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including
privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed
ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including
privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-3 Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-4 Governance and risk management processes address cybersecurity


risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks

ID.GV-4 Governance and risk management processes address cybersecurity


risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks
ID.GV-4 Governance and risk management processes address cybersecurity
risks

ID.GV-4 Governance and risk management processes address cybersecurity


risks
ID.RA The organization understands the cybersecurity risk to organizational
operations (including mission, functions, image, or reputation),
organizational assets, and individuals.
ID.RA-1 Asset vulnerabilities are identified and documented

ID.RA-1 Asset vulnerabilities are identified and documented

ID.RA-1 Asset vulnerabilities are identified and documented


ID.RA-1 Asset vulnerabilities are identified and documented

ID.RA-1 Asset vulnerabilities are identified and documented

ID.RA-1 Asset vulnerabilities are identified and documented

ID.RA-2 Cyber threat intelligence is received from information sharing forums


and sources
ID.RA-2 Cyber threat intelligence is received from information sharing forums
and sources
ID.RA-2 Cyber threat intelligence is received from information sharing forums
and sources

ID.RA-2 Cyber threat intelligence is received from information sharing forums


and sources
ID.RA-2 Cyber threat intelligence is received from information sharing forums
and sources
ID.RA-2 Cyber threat intelligence is received from information sharing forums
and sources

ID.RA-2 Cyber threat intelligence is received from information sharing forums


and sources
ID.RA-2 Cyber threat intelligence is received from information sharing forums
and sources
ID.RA-2 Cyber threat intelligence is received from information sharing forums
and sources

ID.RA-3 Threats, both internal and external, are identified and documented

ID.RA-3 Threats, both internal and external, are identified and documented

ID.RA-3 Threats, both internal and external, are identified and documented

ID.RA-3 Threats, both internal and external, are identified and documented

ID.RA-3 Threats, both internal and external, are identified and documented

ID.RA-3 Threats, both internal and external, are identified and documented

ID.RA-4 Potential business impacts and likelihoods are identified


ID.RA-4 Potential business impacts and likelihoods are identified

ID.RA-4 Potential business impacts and likelihoods are identified

ID.RA-4 Potential business impacts and likelihoods are identified

ID.RA-4 Potential business impacts and likelihoods are identified

ID.RA-4 Potential business impacts and likelihoods are identified


ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to
determine risk
ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to
determine risk
ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to
determine risk
ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to
determine risk

ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to


determine risk
ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to
determine risk

ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to


determine risk
ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to
determine risk

ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to


determine risk

ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to


determine risk

ID.RA-6 Risk responses are identified and prioritized

ID.RA-6 Risk responses are identified and prioritized

ID.RM The organization’s priorities, constraints, risk tolerances, and


assumptions are established and used to support operational risk
decisions.
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders

ID.RM-1 Risk management processes are established, managed, and agreed


to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders

ID.RM-1 Risk management processes are established, managed, and agreed


to by organizational stakeholders

ID.RM-1 Risk management processes are established, managed, and agreed


to by organizational stakeholders

ID.RM-1 Risk management processes are established, managed, and agreed


to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-1 Risk management processes are established, managed, and agreed
to by organizational stakeholders
ID.RM-2 Organizational risk tolerance is determined and clearly expressed

ID.RM-2 Organizational risk tolerance is determined and clearly expressed

ID.RM-2 Organizational risk tolerance is determined and clearly expressed

ID.RM-2 Organizational risk tolerance is determined and clearly expressed

ID.RM-3 The organization’s determination of risk tolerance is informed by its


role in critical infrastructure and sector specific risk analysis
ID.RM-3 The organization’s determination of risk tolerance is informed by its
role in critical infrastructure and sector specific risk analysis
ID.RM-3 The organization’s determination of risk tolerance is informed by its
role in critical infrastructure and sector specific risk analysis
ID.RM-3 The organization’s determination of risk tolerance is informed by its
role in critical infrastructure and sector specific risk analysis

ID.RM-3 The organization’s determination of risk tolerance is informed by its


role in critical infrastructure and sector specific risk analysis

ID.SC The organization’s priorities, constraints, risk tolerances, and


assumptions are established and used to support risk decisions
associated with managing supply chain risk. The organization has
established and implemented the processes to identify, assess and
manage supply chain risks.

ID.SC-1 Cyber supply chain risk management processes are identified,


established, assessed, managed, and agreed to by organizational
stakeholders
ID.SC-1 Cyber supply chain risk management processes are identified,
established, assessed, managed, and agreed to by organizational
stakeholders
ID.SC-1 Cyber supply chain risk management processes are identified,
established, assessed, managed, and agreed to by organizational
stakeholders
ID.SC-1 Cyber supply chain risk management processes are identified,
established, assessed, managed, and agreed to by organizational
stakeholders
ID.SC-1 Cyber supply chain risk management processes are identified,
established, assessed, managed, and agreed to by organizational
stakeholders
ID.SC-1 Cyber supply chain risk management processes are identified,
established, assessed, managed, and agreed to by organizational
stakeholders
ID.SC-2 Suppliers and third party partners of information systems,
components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process

ID.SC-2 Suppliers and third party partners of information systems,


components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process
ID.SC-2 Suppliers and third party partners of information systems,
components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process

ID.SC-2 Suppliers and third party partners of information systems,


components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process
ID.SC-2 Suppliers and third party partners of information systems,
components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process
ID.SC-2 Suppliers and third party partners of information systems,
components, and services are identified, prioritized, and assessed
using a cyber supply chain risk assessment process
ID.SC-3 Contracts with suppliers and third-party partners are used to
implement appropriate measures designed to meet the objectives of
an organization’s cybersecurity program and Cyber Supply Chain Risk
Management Plan.
ID.SC-3 Contracts with suppliers and third-party partners are used to
implement appropriate measures designed to meet the objectives of
an organization’s cybersecurity program and Cyber Supply Chain Risk
Management Plan.
ID.SC-4 Suppliers and third-party partners are routinely assessed using
audits, test results, or other forms of evaluations to confirm they are
meeting their contractual obligations.

ID.SC-4 Suppliers and third-party partners are routinely assessed using


audits, test results, or other forms of evaluations to confirm they are
meeting their contractual obligations.

ID.SC-5 Response and recovery planning and testing are conducted with
suppliers and third-party providers

ID.SC-5 Response and recovery planning and testing are conducted with
suppliers and third-party providers

ID.SC-5 Response and recovery planning and testing are conducted with
suppliers and third-party providers
ID.SC-5 Response and recovery planning and testing are conducted with
suppliers and third-party providers

ID.SC-5 Response and recovery planning and testing are conducted with
suppliers and third-party providers

PR Develop and implement appropriate safeguards to ensure delivery of


critical services.
PR.AC Access to physical and logical assets and associated facilities is
limited to authorized users, processes, and devices, and is managed
consistent with the assessed risk of unauthorized access to
authorized activities and transactions.

PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes

PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes

PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes

PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes
PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected


PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected


PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-2 Physical access to assets is managed and protected

PR.AC-3 Remote access is managed

PR.AC-3 Remote access is managed

PR.AC-3 Remote access is managed


PR.AC-3 Remote access is managed

PR.AC-3 Remote access is managed

PR.AC-3 Remote access is managed

PR.AC-3 Remote access is managed

PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation)

PR.AC-6 Identities are proofed and bound to credentials and asserted in interactions
PR.AC-6 Identities are proofed and bound to credentials and asserted in interactions
PR.AC-6 Identities are proofed and bound to credentials and asserted in interactions
PR.AC-6 Identities are proofed and bound to credentials and asserted in interactions

PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and other organizational
risks)

PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and other organizational
risks)
PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and other organizational
risks)

PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and other organizational
risks)
PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and other organizational
risks)

PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and other organizational
risks)

PR.AT The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained


PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained


PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-1 All users are informed and trained

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities


PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-2 Privileged users understand their roles and responsibilities

PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities


PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities


PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-4 Senior executives understand their roles and responsibilities

PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.DS Information and records (data) are managed consistent with the
organization’s risk strategy to protect the confidentiality, integrity,
and availability of information.
PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected


PR.DS-1 Data-at-rest is protected
PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected

PR.DS-1 Data-at-rest is protected

PR.DS-2 Data-in-transit is protected


PR.DS-2 Data-in-transit is protected

PR.DS-2 Data-in-transit is protected

PR.DS-2 Data-in-transit is protected

PR.DS-2 Data-in-transit is protected

PR.DS-2 Data-in-transit is protected

PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-4 Adequate capacity to ensure availability is maintained


PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-4 Adequate capacity to ensure availability is maintained

PR.DS-5 Protections against data leaks are implemented

PR.DS-5 Protections against data leaks are implemented


PR.DS-5 Protections against data leaks are implemented

PR.DS-5 Protections against data leaks are implemented

PR.DS-5 Protections against data leaks are implemented

PR.DS-5 Protections against data leaks are implemented


PR.DS-5 Protections against data leaks are implemented
PR.DS-5 Protections against data leaks are implemented
PR.DS-5 Protections against data leaks are implemented

PR.DS-5 Protections against data leaks are implemented

PR.DS-5 Protections against data leaks are implemented

PR.DS-6 Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-6 Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-6 Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-6 Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-6 Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7 The development and testing environment(s) are separate from the
production environment
PR.DS-7 The development and testing environment(s) are separate from the
production environment

PR.DS-7 The development and testing environment(s) are separate from the
production environment
PR.DS-7 The development and testing environment(s) are separate from the
production environment
PR.DS-8 Integrity checking mechanisms are used to verify hardware integrity

PR.IP Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-2 A System Development Life Cycle to manage systems is implemented

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place


PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place


PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place


PR.IP-3 Configuration change control processes are in place
PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-3 Configuration change control processes are in place

PR.IP-4 Backups of information are conducted, maintained, and tested

PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6 Data is destroyed according to policy
PR.IP-6 Data is destroyed according to policy

PR.IP-6 Data is destroyed according to policy

PR.IP-7 Protection processes are improved


PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved


PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved

PR.IP-7 Protection processes are improved


PR.IP-7 Protection processes are improved

PR.IP-8 Effectiveness of protection technologies is shared

PR.IP-8 Effectiveness of protection technologies is shared

PR.IP-8 Effectiveness of protection technologies is shared

PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10 Response and recovery plans are tested

PR.IP-10 Response and recovery plans are tested

PR.IP-10 Response and recovery plans are tested

PR.IP-10 Response and recovery plans are tested

PR.IP-10 Response and recovery plans are tested


PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12 A vulnerability management plan is developed and implemented

PR.IP-12 A vulnerability management plan is developed and implemented

PR.MA Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-1 Maintenance and repair of organizational assets are performed and
logged, with approved and controlled tools
PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.PT Technical security solutions are managed to ensure the security and
resilience of systems and assets, consistent with related policies,
procedures, and agreements.
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2 Removable media is protected and its use restricted according to policy
PR.PT-2 Removable media is protected and its use restricted according to policy
PR.PT-2 Removable media is protected and its use restricted according to policy
PR.PT-3 The principle of least functionality is incorporated by configuring
systems to provide only essential capabilities
PR.PT-3 The principle of least functionality is incorporated by configuring
systems to provide only essential capabilities
PR.PT-3 The principle of least functionality is incorporated by configuring
systems to provide only essential capabilities
PR.PT-3 The principle of least functionality is incorporated by configuring
systems to provide only essential capabilities
PR.PT-3 The principle of least functionality is incorporated by configuring
systems to provide only essential capabilities
PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-4 Communications and control networks are protected

PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
DE Develop and implement appropriate activities to identify the
occurrence of a cybersecurity event.
DE.AE Anomalous activity is detected and the potential impact of events is
understood.
DE.AE-1 A baseline of network operations and expected data flows for users
and systems is established and managed

DE.AE-1 A baseline of network operations and expected data flows for users
and systems is established and managed

DE.AE-2 Detected events are analyzed to understand attack targets and methods
DE.AE-2 Detected events are analyzed to understand attack targets and methods
DE.AE-2 Detected events are analyzed to understand attack targets and methods

DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-3 Event data are collected and correlated from multiple sources and sensors
DE.AE-4 Impact of events is determined

DE.AE-4 Impact of events is determined

DE.AE-4 Impact of events is determined

DE.AE-5 Incident alert thresholds are established

DE.AE-5 Incident alert thresholds are established

DE.AE-5 Incident alert thresholds are established

DE.AE-5 Incident alert thresholds are established

DE.AE-5 Incident alert thresholds are established

DE.CM The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events


DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events

DE.CM-1 The network is monitored to detect potential cybersecurity events


DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events
DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events
DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events
DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events
DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events

DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events
DE.CM-2 The physical environment is monitored to detect potential
cybersecurity events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events

DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events
DE.CM-3 Personnel activity is monitored to detect potential cybersecurity
events

DE.CM-4 Malicious code is detected

DE.CM-4 Malicious code is detected

DE.CM-4 Malicious code is detected

DE.CM-4 Malicious code is detected


DE.CM-4 Malicious code is detected

DE.CM-5 Unauthorized mobile code is detected

DE.CM-5 Unauthorized mobile code is detected

DE.CM-5 Unauthorized mobile code is detected

DE.CM-5 Unauthorized mobile code is detected

DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events
DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events
DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events
DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events
DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events
DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events

DE.CM-6 External service provider activity is monitored to detect potential
cybersecurity events
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed

DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed

DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed

DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed

DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and
software is performed
DE.CM-8 Vulnerability scans are performed

DE.CM-8 Vulnerability scans are performed

DE.DP Detection processes and procedures are maintained and tested to
ensure awareness of anomalous events.
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability

DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability
DE.DP-1 Roles and responsibilities for detection are well defined to ensure
accountability

DE.DP-2 Detection activities comply with all applicable requirements


DE.DP-2 Detection activities comply with all applicable requirements

DE.DP-2 Detection activities comply with all applicable requirements

DE.DP-2 Detection activities comply with all applicable requirements

DE.DP-2 Detection activities comply with all applicable requirements

DE.DP-2 Detection activities comply with all applicable requirements

DE.DP-3 Detection processes are tested

DE.DP-3 Detection processes are tested

DE.DP-3 Detection processes are tested

DE.DP-3 Detection processes are tested

DE.DP-3 Detection processes are tested

DE.DP-4 Event detection information is communicated

DE.DP-4 Event detection information is communicated

DE.DP-4 Event detection information is communicated

DE.DP-4 Event detection information is communicated

DE.DP-4 Event detection information is communicated

DE.DP-5 Detection processes are continuously improved


DE.DP-5 Detection processes are continuously improved

DE.DP-5 Detection processes are continuously improved

DE.DP-5 Detection processes are continuously improved

DE.DP-5 Detection processes are continuously improved

DE.DP-5 Detection processes are continuously improved

RS Develop and implement appropriate activities to take action
regarding a detected cybersecurity incident.
RS.RP Response processes and procedures are executed and maintained,
to ensure response to detected cybersecurity incidents.
RS.RP-1 Response plan is executed during or after an incident

RS.RP-1 Response plan is executed during or after an incident

RS.RP-1 Response plan is executed during or after an incident

RS.RP-1 Response plan is executed during or after an incident

RS.RP-1 Response plan is executed during or after an incident

RS.RP-1 Response plan is executed during or after an incident

RS.CO Response activities are coordinated with internal and external
stakeholders (e.g. external support from law enforcement agencies).

RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed

RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-1 Personnel know their roles and order of operations when a response
is needed
RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-2 Incidents are reported consistent with established criteria

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans

RS.CO-3 Information is shared consistent with response plans


RS.CO-4 Coordination with stakeholders occurs consistent with response
plans

RS.CO-4 Coordination with stakeholders occurs consistent with response
plans

RS.CO-4 Coordination with stakeholders occurs consistent with response
plans
RS.CO-4 Coordination with stakeholders occurs consistent with response
plans
RS.CO-4 Coordination with stakeholders occurs consistent with response
plans

RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness
RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness

RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness

RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness
RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness

RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness
RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness

RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness
RS.CO-5 Voluntary information sharing occurs with external stakeholders to
achieve broader cybersecurity situational awareness

RS.AN Analysis is conducted to ensure effective response and support
recovery activities.
RS.AN-1 Notifications from detection systems are investigated
RS.AN-1 Notifications from detection systems are investigated

RS.AN-1 Notifications from detection systems are investigated

RS.AN-1 Notifications from detection systems are investigated

RS.AN-2 The impact of the incident is understood

RS.AN-2 The impact of the incident is understood

RS.AN-2 The impact of the incident is understood


RS.AN-2 The impact of the incident is understood

RS.AN-3 Forensics are performed

RS.AN-3 Forensics are performed

RS.AN-3 Forensics are performed

RS.AN-4 Incidents are categorized consistent with response plans

RS.AN-4 Incidents are categorized consistent with response plans

RS.AN-4 Incidents are categorized consistent with response plans

RS.AN-4 Incidents are categorized consistent with response plans

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)
RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.AN-5 Processes are established to receive, analyze and respond to
vulnerabilities disclosed to the organization from internal and
external sources (e.g. internal testing, security bulletins, or security
researchers)

RS.MI Activities are performed to prevent expansion of an event, mitigate
its effects, and resolve the incident.
RS.MI-1 Incidents are contained

RS.MI-1 Incidents are contained

RS.MI-1 Incidents are contained

RS.MI-2 Incidents are mitigated


RS.MI-2 Incidents are mitigated

RS.MI-3 Newly identified vulnerabilities are mitigated or documented as
accepted risks
RS.MI-3 Newly identified vulnerabilities are mitigated or documented as
accepted risks
RS.MI-3 Newly identified vulnerabilities are mitigated or documented as
accepted risks

RS.IM Organizational response activities are improved by incorporating
lessons learned from current and previous detection/response
activities.
RS.IM-1 Response plans incorporate lessons learned

RS.IM-1 Response plans incorporate lessons learned

RS.IM-1 Response plans incorporate lessons learned

RS.IM-1 Response plans incorporate lessons learned

RS.IM-1 Response plans incorporate lessons learned


RS.IM-1 Response plans incorporate lessons learned

RS.IM-2 Response strategies are updated

RS.IM-2 Response strategies are updated

RS.IM-2 Response strategies are updated

RS.IM-2 Response strategies are updated

RS.IM-2 Response strategies are updated

RS.IM-2 Response strategies are updated


RS.IM-2 Response strategies are updated

RC Develop and implement appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were
impaired due to a cybersecurity incident.
RC.RP Recovery processes and procedures are executed and maintained to
ensure restoration of systems or assets affected by cybersecurity
incidents.
RC.RP-1 Recovery plan is executed during or after a cybersecurity incident

RC.RP-1 Recovery plan is executed during or after a cybersecurity incident

RC.RP-1 Recovery plan is executed during or after a cybersecurity incident

RC.RP-1 Recovery plan is executed during or after a cybersecurity incident

RC.RP-1 Recovery plan is executed during or after a cybersecurity incident

RC.IM Recovery planning and processes are improved by incorporating
lessons learned into future activities.
RC.IM-1 Recovery plans incorporate lessons learned

RC.IM-1 Recovery plans incorporate lessons learned

RC.IM-1 Recovery plans incorporate lessons learned

RC.IM-1 Recovery plans incorporate lessons learned

RC.IM-1 Recovery plans incorporate lessons learned

RC.IM-1 Recovery plans incorporate lessons learned


RC.IM-1 Recovery plans incorporate lessons learned

RC.IM-2 Recovery strategies are updated

RC.IM-2 Recovery strategies are updated

RC.IM-2 Recovery strategies are updated

RC.IM-2 Recovery strategies are updated

RC.IM-2 Recovery strategies are updated


RC.IM-2 Recovery strategies are updated

RC.CO Restoration activities are coordinated with internal and external
parties (e.g. coordinating centers, Internet Service Providers, owners
of attacking systems, victims, other CSIRTs, and vendors).
RC.CO-1 Public relations are managed

RC.CO-2 Reputation is repaired after an incident

RC.CO-3 Recovery activities are communicated to internal and external
stakeholders as well as executive and management teams

RC.CO-3 Recovery activities are communicated to internal and external
stakeholders as well as executive and management teams

RC.CO-3 Recovery activities are communicated to internal and external
stakeholders as well as executive and management teams
RC.CO-3 Recovery activities are communicated to internal and external
stakeholders as well as executive and management teams
Rationale Relationship Reference Document Element

Semantic intersects with ASSET-1a

Semantic intersects with ASSET-1b

Semantic subset of ASSET-1f

Semantic intersects with ASSET-1g

Semantic intersects with ASSET-1a

Semantic intersects with ASSET-1b

Semantic subset of ASSET-1f

Semantic intersects with ASSET-1g

Functional intersects with ARCHITECTURE-1c

Semantic intersects with ASSET-1a

Semantic intersects with ASSET-1b

Semantic subset of ASSET-1f

Semantic intersects with ASSET-1g

Semantic intersects with ASSET-2a

Semantic intersects with ASSET-2b

Semantic intersects with ASSET-2f

Semantic intersects with ASSET-1c


Semantic intersects with ASSET-1d

Semantic intersects with ASSET-2c

Semantic intersects with ASSET-2d

Semantic intersects with THIRD-PARTIES-1d

Semantic intersects with ASSET-5d

Semantic intersects with THREAT-3d

Semantic intersects with RISK-5d

Semantic intersects with ACCESS-4d

Semantic intersects with SITUATION-4d

Semantic intersects with RESPONSE-5d

Semantic intersects with THIRD-PARTIES-3d

Semantic intersects with WORKFORCE-1e

Semantic superset of WORKFORCE-3a

Semantic superset of WORKFORCE-3b

Semantic superset of WORKFORCE-3c

Semantic superset of WORKFORCE-3d

Semantic intersects with WORKFORCE-5d

Semantic intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-1e

Semantic intersects with PROGRAM-2e


Semantic intersects with PROGRAM-3d

Functional intersects with RISK-2m

Functional intersects with THIRD-PARTIES-1a

Functional intersects with PROGRAM-1c

Functional intersects with RISK-2m

Functional intersects with THIRD-PARTIES-1a

Semantic intersects with PROGRAM-1c

Functional intersects with PROGRAM-1a

Semantic intersects with PROGRAM-1b

Semantic intersects with PROGRAM-1c

Semantic intersects with RISK-2m

Semantic intersects with RESPONSE-4e

Semantic intersects with RESPONSE-4f

Semantic intersects with THIRD-PARTIES-1a


Semantic intersects with SITUATION-3g

Semantic intersects with RESPONSE-4a

Semantic intersects with RESPONSE-4e

Semantic intersects with RESPONSE-4f

Functional intersects with RESPONSE-4g

Functional intersects with ARCHITECTURE-1f

Functional intersects with ARCHITECTURE-1j

Semantic intersects with ASSET-5c

Semantic intersects with ASSET-5d

Semantic intersects with THREAT-3c

Semantic intersects with THREAT-3d

Semantic intersects with RISK-1e

Semantic intersects with RISK-5c

Semantic intersects with RISK-5d

Semantic intersects with ACCESS-4c

Semantic intersects with ACCESS-4d

Semantic intersects with SITUATION-4c

Semantic intersects with SITUATION-4d


Semantic intersects with RESPONSE-5c

Semantic intersects with RESPONSE-5d

Semantic intersects with THIRD-PARTIES-3c

Semantic intersects with THIRD-PARTIES-3d

Semantic intersects with WORKFORCE-2b

Semantic intersects with WORKFORCE-5c

Semantic intersects with WORKFORCE-5d

Semantic intersects with ARCHITECTURE-6c

Semantic intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-1d

Semantic intersects with PROGRAM-1e

Semantic intersects with PROGRAM-1f

Semantic intersects with PROGRAM-2b

Semantic intersects with PROGRAM-2d

Semantic intersects with PROGRAM-2i

Semantic intersects with PROGRAM-3c

Semantic intersects with PROGRAM-3d

Semantic intersects with ASSET-5d

Semantic intersects with THREAT-3d

Semantic intersects with RISK-5d

Semantic intersects with ACCESS-4d

Semantic intersects with SITUATION-4d


Semantic superset of RESPONSE-3a

Semantic intersects with RESPONSE-5d

Semantic intersects with THIRD-PARTIES-3d

Semantic intersects with WORKFORCE-3c

Semantic intersects with WORKFORCE-3e

Semantic intersects with WORKFORCE-5d

Semantic intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-1e

Semantic intersects with PROGRAM-2e

Semantic intersects with PROGRAM-2f

Semantic intersects with PROGRAM-3d

Semantic intersects with ASSET-5c

Semantic intersects with ASSET-5d

Semantic intersects with THREAT-3c

Semantic intersects with THREAT-3d

Semantic intersects with RISK-5c

Semantic intersects with RISK-5d

Semantic intersects with ACCESS-4c


Semantic intersects with ACCESS-4d

Semantic intersects with SITUATION-4c

Semantic intersects with SITUATION-4d

Semantic intersects with RESPONSE-3c

Semantic intersects with RESPONSE-5c

Semantic intersects with RESPONSE-5d

Semantic intersects with THIRD-PARTIES-3c

Semantic intersects with THIRD-PARTIES-3d

Functional intersects with WORKFORCE-3b

Functional intersects with WORKFORCE-3c

Semantic intersects with WORKFORCE-5c

Semantic intersects with WORKFORCE-5d

Functional intersects with ARCHITECTURE-1f

Semantic intersects with ARCHITECTURE-6c

Semantic intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-1f


Semantic intersects with PROGRAM-1g

Semantic intersects with PROGRAM-2i

Semantic intersects with PROGRAM-3c

Semantic intersects with PROGRAM-3d

Semantic intersects with RISK-1a

Semantic intersects with RISK-1c

Semantic intersects with RISK-1d

Semantic intersects with RISK-1e

Semantic intersects with RISK-1g

Semantic intersects with RISK-1h

Semantic intersects with RISK-2a

Semantic intersects with RISK-4a

Semantic intersects with RISK-5c

Functional intersects with ARCHITECTURE-1d

Semantic intersects with PROGRAM-1d

Semantic intersects with THREAT-1a

Semantic intersects with THREAT-1b

Semantic intersects with THREAT-1c


Semantic intersects with THREAT-1e

Semantic intersects with THREAT-1f

Semantic intersects with THREAT-1j

Semantic intersects with THREAT-1a

Semantic intersects with THREAT-1j

Semantic intersects with THREAT-1m

Semantic intersects with THREAT-2a

Semantic subset of THREAT-2b

Semantic subset of THREAT-2h

Functional intersects with THREAT-2k

Semantic subset of SITUATION-3e

Semantic intersects with SITUATION-3f

Semantic intersects with THREAT-2b

Semantic intersects with THREAT-2c

Semantic intersects with THREAT-2d

Semantic intersects with THREAT-2e

Semantic intersects with SITUATION-3e

Functional intersects with SITUATION-3f

Functional intersects with RISK-2b


Semantic intersects with RISK-3a

Semantic intersects with RISK-3b

Semantic intersects with RISK-3c

Semantic intersects with RISK-3d

Semantic intersects with RESPONSE-4d

Functional intersects with THREAT-2d

Semantic intersects with THREAT-2g

Semantic intersects with RISK-2b

Semantic intersects with RISK-2i

Semantic intersects with RISK-2j

Semantic intersects with RISK-2m

Semantic intersects with RISK-3a

Semantic intersects with RISK-3b

Semantic intersects with RISK-3c

Semantic intersects with RISK-3d

Semantic intersects with RISK-4a

Semantic subset of RISK-4b


Semantic intersects with RISK-1a

Semantic intersects with RISK-1b

Semantic intersects with RISK-1e

Semantic intersects with RISK-1g

Semantic intersects with RISK-2b

Semantic intersects with RISK-2g

Semantic intersects with RISK-3b

Semantic intersects with RISK-3c

Semantic intersects with RISK-3d

Semantic intersects with RISK-4b

Semantic intersects with RISK-5a

Semantic intersects with RISK-5c

Semantic intersects with THIRD-PARTIES-1c

Semantic intersects with RISK-1a

Semantic intersects with RISK-1b

Functional subset of RISK-1f

Functional intersects with RISK-3b

Semantic intersects with RISK-1a

Semantic intersects with RISK-1b


Functional intersects with RISK-1f

Semantic intersects with RISK-2m

Semantic intersects with RISK-3b

Functional superset of RISK-1f

Semantic intersects with RISK-2k

Semantic intersects with RISK-5a

Semantic intersects with THIRD-PARTIES-3a

Semantic intersects with THIRD-PARTIES-3c

Functional intersects with THIRD-PARTIES-3f

Semantic intersects with THIRD-PARTIES-1a

Semantic intersects with THIRD-PARTIES-1b

Semantic intersects with THIRD-PARTIES-1d

Functional intersects with THIRD-PARTIES-1f

Semantic intersects with THIRD-PARTIES-2d

Functional intersects with THIRD-PARTIES-2g


Semantic equal THIRD-PARTIES-2f

Semantic intersects with THIRD-PARTIES-2h

Semantic superset of THIRD-PARTIES-2g

Semantic intersects with THIRD-PARTIES-2l

Semantic intersects with RESPONSE-3g

Semantic intersects with RESPONSE-3j

Semantic intersects with RESPONSE-3k

Functional intersects with RESPONSE-4g

Semantic intersects with RESPONSE-4i

Semantic superset of ACCESS-1a

Semantic superset of ACCESS-1b

Semantic superset of ACCESS-1c

Semantic superset of ACCESS-1d

Semantic intersects with ACCESS-1e


Semantic intersects with ACCESS-1f

Functional intersects with ACCESS-1h

Semantic superset of ACCESS-1j

Semantic intersects with ACCESS-2b

Semantic intersects with ACCESS-3b

Semantic superset of ACCESS-3a

Semantic intersects with ACCESS-3b


Semantic intersects with ACCESS-3c

Semantic intersects with ACCESS-3d

Semantic intersects with ACCESS-3e

Semantic intersects with ACCESS-3f

Semantic intersects with ACCESS-3g

Semantic intersects with ACCESS-3h


Semantic intersects with ACCESS-3i
Semantic intersects with ACCESS-3j

Functional intersects with ARCHITECTURE-2a

Semantic intersects with ARCHITECTURE-3a

Semantic intersects with ARCHITECTURE-3h

Semantic intersects with ARCHITECTURE-3j

Semantic intersects with ACCESS-1h

Semantic intersects with ACCESS-2a

Semantic intersects with ACCESS-2b


Semantic intersects with ACCESS-2c

Semantic intersects with ACCESS-2g

Semantic intersects with ARCHITECTURE-3a

Semantic intersects with ARCHITECTURE-2c

Semantic intersects with ACCESS-1g

Semantic superset of ACCESS-2a

Semantic intersects with ACCESS-2b

Semantic intersects with ACCESS-2c

Semantic superset of ACCESS-2d

Semantic superset of ACCESS-2e

Semantic intersects with ACCESS-2f

Semantic intersects with ACCESS-2g

Semantic intersects with ACCESS-2h

Semantic superset of ACCESS-3e

Semantic intersects with ACCESS-3f

Semantic superset of ACCESS-3g

Semantic intersects with ACCESS-3h

Semantic superset of ACCESS-3i

Functional intersects with ARCHITECTURE-2e

Semantic intersects with ARCHITECTURE-3c


Functional intersects with ARCHITECTURE-2a

Semantic intersects with ARCHITECTURE-2b

Semantic intersects with ARCHITECTURE-2c

Semantic intersects with ARCHITECTURE-2d

Semantic intersects with ARCHITECTURE-2e

Semantic intersects with ARCHITECTURE-2f

Semantic intersects with ARCHITECTURE-2h

Semantic intersects with ARCHITECTURE-2i

Semantic intersects with ARCHITECTURE-2j

Semantic intersects with ARCHITECTURE-2k

Semantic intersects with ACCESS-1a

Semantic intersects with ACCESS-1b

Semantic intersects with ACCESS-2a

Semantic intersects with ACCESS-2c

Semantic equal ACCESS-1h

Semantic intersects with ACCESS-1i


Semantic intersects with ACCESS-2a

Semantic intersects with ACCESS-2c

Semantic intersects with ARCHITECTURE-2k

Semantic intersects with ARCHITECTURE-3a

Semantic superset of ASSET-5e

Semantic superset of THREAT-3e

Semantic superset of RISK-5e

Semantic superset of ACCESS-4e

Semantic superset of SITUATION-4e

Semantic superset of RESPONSE-5e

Semantic superset of THIRD-PARTIES-3e

Semantic intersects with WORKFORCE-1e

Semantic superset of WORKFORCE-2a


Semantic intersects with WORKFORCE-2d
Semantic superset of WORKFORCE-4a

Semantic intersects with WORKFORCE-4d


Semantic intersects with WORKFORCE-4f

Semantic superset of WORKFORCE-5e

Semantic superset of ARCHITECTURE-6e

Semantic superset of PROGRAM-3e

Semantic intersects with ASSET-5d

Semantic intersects with THREAT-3d

Semantic intersects with RISK-5d

Semantic intersects with ACCESS-4d

Semantic intersects with SITUATION-4d

Semantic intersects with RESPONSE-5d

Semantic intersects with THIRD-PARTIES-3d

Functional intersects with WORKFORCE-1e

Semantic intersects with WORKFORCE-4d

Functional intersects with WORKFORCE-3b

Semantic intersects with WORKFORCE-3c


Semantic intersects with WORKFORCE-3d
Semantic intersects with WORKFORCE-5d

Semantic intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-3d

Functional intersects with ASSET-5d

Functional intersects with THREAT-3d


Functional intersects with RISK-5d

Functional intersects with ACCESS-4d

Functional intersects with SITUATION-4d

Semantic intersects with RESPONSE-3a

Functional intersects with RESPONSE-5d

Functional intersects with THIRD-PARTIES-3d

Functional intersects with WORKFORCE-1e

Functional intersects with WORKFORCE-3b

Semantic intersects with WORKFORCE-3c

Functional intersects with WORKFORCE-3d

Functional intersects with WORKFORCE-5d

Semantic intersects with ARCHITECTURE-5e

Functional intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-2f

Functional intersects with PROGRAM-3d

Functional intersects with ASSET-5d

Functional intersects with THREAT-3d

Functional intersects with RISK-5d

Functional intersects with ACCESS-4d

Functional intersects with SITUATION-4d

Functional intersects with RESPONSE-5d

Functional intersects with THIRD-PARTIES-3d


Functional intersects with WORKFORCE-1e

Functional intersects with WORKFORCE-3b

Semantic intersects with WORKFORCE-3c


Functional intersects with WORKFORCE-3d
Functional intersects with WORKFORCE-5d

Functional intersects with ARCHITECTURE-6d

Semantic intersects with PROGRAM-2e

Semantic intersects with PROGRAM-2f

Functional intersects with PROGRAM-3d

Functional intersects with ASSET-5d

Functional intersects with THREAT-3d

Functional intersects with RISK-5d

Functional intersects with ACCESS-4d

Functional intersects with SITUATION-4d

Functional intersects with RESPONSE-5d

Functional intersects with THIRD-PARTIES-3d

Functional intersects with WORKFORCE-1e

Functional intersects with WORKFORCE-3b

Semantic intersects with WORKFORCE-3c

Semantic intersects with WORKFORCE-3d

Functional intersects with WORKFORCE-5d

Functional intersects with ARCHITECTURE-6d

Functional intersects with PROGRAM-2f


Functional intersects with PROGRAM-3d

Semantic intersects with ASSET-1h

Semantic intersects with RESPONSE-4j

Semantic intersects with RESPONSE-4k


Semantic superset of ARCHITECTURE-5a
Semantic superset of ARCHITECTURE-5b
Semantic intersects with ARCHITECTURE-5d

Semantic intersects with ARCHITECTURE-5e

Semantic intersects with ARCHITECTURE-5f

Semantic intersects with ARCHITECTURE-5g

Semantic intersects with ARCHITECTURE-5h


Semantic superset of ARCHITECTURE-5c
Semantic intersects with ARCHITECTURE-5d

Semantic intersects with ARCHITECTURE-5e

Semantic intersects with ARCHITECTURE-5f

Semantic intersects with ARCHITECTURE-5g

Semantic intersects with ARCHITECTURE-5h

Semantic intersects with ASSET-1a

Semantic intersects with ASSET-1f

Semantic intersects with ASSET-1g

Semantic intersects with ASSET-1h


Semantic intersects with ASSET-2a

Semantic intersects with ASSET-2f

Semantic intersects with ASSET-2g

Functional intersects with ASSET-2h

Semantic intersects with ASSET-4a

Semantic intersects with ASSET-4b

Semantic intersects with ASSET-4c

Functional intersects with ASSET-4e

Semantic subset of ASSET-4g

Functional intersects with ARCHITECTURE-3i

Functional intersects with RESPONSE-4b

Functional intersects with RESPONSE-4c

Functional intersects with RESPONSE-4e

Functional intersects with RESPONSE-4f

Functional intersects with RESPONSE-4l

Functional intersects with THIRD-PARTIES-1a

Functional intersects with THIRD-PARTIES-1e

Semantic subset of ARCHITECTURE-3i

Semantic intersects with ASSET-1h

Semantic intersects with ASSET-2h


Semantic intersects with ACCESS-2a

Semantic intersects with ACCESS-3a

Semantic intersects with WORKFORCE-1e


Semantic intersects with ARCHITECTURE-5a
Semantic intersects with ARCHITECTURE-5b
Semantic intersects with ARCHITECTURE-5c
Semantic intersects with ARCHITECTURE-5d

Semantic equal ARCHITECTURE-5f

Semantic intersects with ARCHITECTURE-5g

Semantic intersects with ASSET-4g

Semantic intersects with THIRD-PARTIES-2m

Semantic intersects with ARCHITECTURE-3l

Semantic superset of ARCHITECTURE-4g

Functional intersects with ARCHITECTURE-5h

Semantic intersects with ARCHITECTURE-4a

Semantic intersects with ARCHITECTURE-4b

Semantic intersects with ARCHITECTURE-4d

Semantic intersects with ARCHITECTURE-4e

Semantic intersects with THIRD-PARTIES-2m

Semantic superset of ASSET-3a


Semantic intersects with ASSET-3c

Semantic intersects with ASSET-3d

Functional intersects with SITUATION-3g

Semantic intersects with ARCHITECTURE-3b

Semantic intersects with ARCHITECTURE-3c

Semantic intersects with ARCHITECTURE-3d

Semantic intersects with ARCHITECTURE-3e

Semantic intersects with ARCHITECTURE-4c

Functional superset of ASSET-1h

Functional superset of ASSET-2h

Semantic intersects with ASSET-3e

Semantic intersects with ASSET-4d

Semantic intersects with ASSET-4g

Functional intersects with ARCHITECTURE-3l

Functional intersects with ARCHITECTURE-4d

Semantic intersects with ASSET-3a

Semantic intersects with ASSET-3b

Semantic intersects with ASSET-3c


Semantic intersects with ASSET-3d

Semantic intersects with ASSET-3e

Semantic superset of ASSET-4a


Semantic superset of ASSET-4b
Semantic intersects with ASSET-4c
Semantic intersects with ASSET-4d
Functional intersects with ASSET-4e
Semantic intersects with ASSET-4f

Semantic intersects with ASSET-4g

Semantic intersects with ASSET-4h

Semantic intersects with ASSET-4i

Semantic intersects with ARCHITECTURE-3l

Semantic equal RESPONSE-4b

Semantic intersects with ACCESS-3a

Semantic intersects with ACCESS-3d

Semantic intersects with ACCESS-3f

Semantic intersects with ACCESS-4c

Semantic intersects with ARCHITECTURE-3j

Semantic intersects with ARCHITECTURE-6c

Semantic intersects with PROGRAM-1f

Semantic intersects with PROGRAM-1g

Semantic intersects with PROGRAM-2i

Semantic superset of ASSET-1h


Semantic superset of ASSET-2h

Semantic intersects with ASSET-4g

Functional intersects with ASSET-5f

Functional intersects with THREAT-3f

Semantic intersects with RISK-4c

Semantic intersects with RISK-4d

Functional intersects with RISK-4e

Functional intersects with RISK-5f

Functional intersects with ACCESS-4f

Functional intersects with SITUATION-4f

Semantic intersects with RESPONSE-2e

Functional intersects with RESPONSE-3g

Semantic intersects with RESPONSE-3h

Semantic intersects with RESPONSE-3i

Functional intersects with RESPONSE-5f

Functional intersects with THIRD-PARTIES-3f

Functional intersects with WORKFORCE-5f

Functional intersects with ARCHITECTURE-6f

Functional intersects with PROGRAM-2g

Functional intersects with PROGRAM-2h


Functional intersects with PROGRAM-3f

Functional intersects with RISK-1d

Semantic intersects with RISK-4d

Functional intersects with PROGRAM-2h

Functional intersects with RESPONSE-2a

Functional intersects with RESPONSE-2c

Functional intersects with RESPONSE-2e

Semantic superset of RESPONSE-3d

Semantic intersects with RESPONSE-3h

Semantic intersects with RESPONSE-3i

Semantic superset of RESPONSE-4a

Semantic intersects with RESPONSE-4d

Semantic intersects with RESPONSE-4e

Semantic intersects with RESPONSE-4f

Semantic intersects with RESPONSE-4h

Semantic intersects with RESPONSE-4i

Semantic intersects with RESPONSE-4o

Semantic superset of RESPONSE-4p


Semantic intersects with RESPONSE-5a

Semantic intersects with RESPONSE-3d

Semantic intersects with RESPONSE-3g

Semantic intersects with RESPONSE-3k

Semantic intersects with RESPONSE-4i

Semantic intersects with RESPONSE-4n


Functional intersects with ACCESS-1c

Functional intersects with ACCESS-1e

Functional intersects with ACCESS-1f

Functional intersects with ACCESS-1j

Functional intersects with ACCESS-2b

Functional intersects with ACCESS-3b

Semantic intersects with WORKFORCE-1a

Functional intersects with WORKFORCE-1b

Semantic intersects with WORKFORCE-1c

Semantic intersects with WORKFORCE-1d

Semantic intersects with WORKFORCE-1e

Functional intersects with WORKFORCE-1f

Functional intersects with WORKFORCE-1g

Functional intersects with WORKFORCE-3a

Functional intersects with WORKFORCE-3b


Functional intersects with WORKFORCE-3c

Functional intersects with WORKFORCE-3d

Functional intersects with WORKFORCE-3e

Functional intersects with WORKFORCE-3f

Functional intersects with WORKFORCE-4a

Functional intersects with WORKFORCE-4b

Functional intersects with WORKFORCE-4c

Functional intersects with WORKFORCE-4d

Functional intersects with WORKFORCE-4f

Functional intersects with WORKFORCE-5a

Semantic intersects with THREAT-3a

Semantic intersects with THREAT-3c

Functional intersects with ASSET-4a

Semantic intersects with ASSET-4b

Semantic intersects with ASSET-4c

Functional intersects with ASSET-4d

Functional intersects with ASSET-4g

Functional intersects with ASSET-4h

Semantic intersects with ASSET-4i

Functional intersects with ARCHITECTURE-3i


Semantic intersects with ACCESS-2c

Functional intersects with ACCESS-2g

Functional intersects with ARCHITECTURE-3i

Semantic intersects with ACCESS-3c

Semantic superset of SITUATION-1a

Semantic superset of SITUATION-1b

Semantic superset of SITUATION-1c

Semantic superset of SITUATION-1d

Semantic intersects with SITUATION-1f

Semantic intersects with SITUATION-2a

Semantic intersects with SITUATION-2b

Semantic intersects with ARCHITECTURE-3j

Semantic superset of ARCHITECTURE-3g

Semantic intersects with ARCHITECTURE-5g

Semantic intersects with ARCHITECTURE-6c

Semantic intersects with ASSET-3c

Semantic intersects with ARCHITECTURE-2e

Semantic superset of ARCHITECTURE-3d

Semantic intersects with ARCHITECTURE-3e


Functional intersects with ARCHITECTURE-3m

Semantic intersects with ARCHITECTURE-2a

Semantic intersects with ARCHITECTURE-2b

Semantic intersects with ARCHITECTURE-2c

Semantic intersects with ARCHITECTURE-2d

Semantic intersects with ARCHITECTURE-2e

Semantic intersects with ARCHITECTURE-2f

Semantic intersects with ARCHITECTURE-2g

Semantic intersects with ARCHITECTURE-2h

Semantic intersects with ARCHITECTURE-2i

Semantic intersects with ARCHITECTURE-2j

Semantic intersects with ARCHITECTURE-2k

Semantic intersects with ARCHITECTURE-2l

Functional intersects with SITUATION-3g

Semantic intersects with RESPONSE-3l

Functional intersects with RESPONSE-4a

Functional intersects with RESPONSE-4b


Functional intersects with RESPONSE-4c

Functional intersects with RESPONSE-4e

Functional intersects with RESPONSE-4f

Functional intersects with RESPONSE-4i

Functional intersects with RESPONSE-4l

Functional intersects with SITUATION-2i

Functional intersects with ARCHITECTURE-1c

Semantic intersects with RESPONSE-1d

Semantic intersects with RESPONSE-2i

Semantic intersects with RESPONSE-3i

Semantic equal SITUATION-1e

Semantic intersects with SITUATION-2b

Semantic intersects with SITUATION-3b

Semantic intersects with SITUATION-3c

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-1d


Semantic intersects with RESPONSE-2i

Semantic intersects with RESPONSE-2b

Semantic intersects with RESPONSE-2c

Semantic intersects with RESPONSE-2d

Semantic intersects with SITUATION-3d

Semantic intersects with RESPONSE-2a

Semantic intersects with RESPONSE-2c

Semantic intersects with RESPONSE-2g

Semantic intersects with RESPONSE-4h

Semantic intersects with ACCESS-2i

Semantic intersects with SITUATION-1a

Semantic intersects with SITUATION-2a

Semantic intersects with SITUATION-2b


Functional intersects with SITUATION-2g

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-1f

Semantic intersects with ARCHITECTURE-2f

Semantic intersects with ARCHITECTURE-2g


Semantic intersects with ACCESS-3h

Semantic superset of ACCESS-3j

Semantic intersects with SITUATION-2b

Semantic intersects with SITUATION-2g

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-1f

Semantic intersects with ARCHITECTURE-3j

Semantic intersects with ACCESS-2g

Semantic intersects with ACCESS-2i

Semantic intersects with ACCESS-3h

Semantic intersects with ACCESS-3j

Semantic intersects with SITUATION-2b

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-1f

Semantic intersects with ARCHITECTURE-2g

Functional intersects with SITUATION-2b

Functional intersects with SITUATION-3f

Semantic intersects with ARCHITECTURE-3b

Functional intersects with ARCHITECTURE-3f


Functional intersects with ARCHITECTURE-3m

Functional intersects with SITUATION-2b

Functional intersects with SITUATION-3f

Semantic intersects with ARCHITECTURE-3b

Semantic intersects with ARCHITECTURE-3m

Semantic intersects with ACCESS-2g

Semantic intersects with ACCESS-2i

Semantic intersects with ACCESS-3h

Semantic intersects with SITUATION-2b

Semantic intersects with SITUATION-2g

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-1f

Semantic intersects with ACCESS-2g

Semantic intersects with ACCESS-2i

Semantic intersects with ACCESS-3h

Semantic intersects with ACCESS-3j

Semantic intersects with SITUATION-2b

Semantic intersects with SITUATION-2g

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-1f


Semantic intersects with ARCHITECTURE-2f

Semantic intersects with ARCHITECTURE-2k

Semantic intersects with ARCHITECTURE-3b

Semantic intersects with ARCHITECTURE-3g

Functional intersects with ARCHITECTURE-3j

Semantic intersects with ARCHITECTURE-3m

Semantic subset of THREAT-1c

Semantic subset of THREAT-1f

Semantic intersects with SITUATION-2c

Semantic intersects with SITUATION-4d

Semantic intersects with RESPONSE-3a

Semantic intersects with RESPONSE-5d

Semantic intersects with WORKFORCE-3a

Semantic intersects with WORKFORCE-3b

Semantic intersects with WORKFORCE-3c

Semantic intersects with WORKFORCE-3d

Functional intersects with WORKFORCE-3e

Semantic intersects with SITUATION-2c


Functional intersects with RESPONSE-1b

Functional intersects with RESPONSE-1c

Semantic intersects with RESPONSE-5c

Semantic intersects with PROGRAM-1g

Semantic intersects with PROGRAM-2i

Semantic intersects with THREAT-1c

Semantic intersects with RISK-4c

Functional intersects with SITUATION-2c

Semantic intersects with SITUATION-2i

Semantic intersects with RESPONSE-3g

Semantic intersects with THREAT-2h

Semantic intersects with SITUATION-3d

Semantic intersects with RESPONSE-1a

Semantic intersects with RESPONSE-2g

Semantic intersects with RESPONSE-3j

Functional intersects with SITUATION-2c


Semantic intersects with SITUATION-4f

Semantic intersects with RESPONSE-1e

Semantic intersects with RESPONSE-3h

Semantic intersects with RESPONSE-3i

Semantic intersects with RESPONSE-5f

Semantic superset of RESPONSE-3b

Semantic equal RESPONSE-3e

Semantic intersects with RESPONSE-3i

Semantic intersects with RESPONSE-3j

Semantic intersects with RESPONSE-4a

Semantic intersects with RESPONSE-5a

Semantic intersects with SITUATION-4d

Semantic intersects with RESPONSE-3a

Semantic intersects with RESPONSE-3e

Semantic intersects with RESPONSE-5d

Semantic intersects with RESPONSE-5e

Semantic intersects with WORKFORCE-3a


Functional intersects with WORKFORCE-3b

Functional intersects with WORKFORCE-3c

Semantic intersects with WORKFORCE-3d

Semantic intersects with SITUATION-3d

Semantic intersects with RESPONSE-1a

Semantic intersects with RESPONSE-1c

Semantic intersects with RESPONSE-2f

Semantic intersects with RESPONSE-2g

Semantic intersects with RESPONSE-3c

Semantic intersects with RESPONSE-3e

Semantic intersects with THREAT-1i

Semantic intersects with SITUATION-3a

Semantic intersects with SITUATION-3c

Semantic intersects with SITUATION-3d

Semantic intersects with RESPONSE-2g

Semantic intersects with RESPONSE-3c

Semantic intersects with RESPONSE-3e

Semantic intersects with RESPONSE-3j


Semantic intersects with SITUATION-3d

Semantic intersects with RESPONSE-2g

Semantic intersects with RESPONSE-3c

Semantic intersects with RESPONSE-3e

Semantic intersects with RESPONSE-3j

Semantic intersects with THREAT-1i

Functional intersects with THREAT-1m

Semantic intersects with THREAT-2h

Semantic intersects with SITUATION-3c

Semantic intersects with SITUATION-3d

Semantic intersects with SITUATION-3e

Semantic intersects with RESPONSE-2g

Functional intersects with RESPONSE-3c

Semantic intersects with RESPONSE-3j

Semantic intersects with RESPONSE-1d


Semantic subset of RESPONSE-2b

Semantic intersects with RESPONSE-3i

Semantic intersects with SITUATION-2b

Semantic subset of RISK-4d

Semantic intersects with RESPONSE-3i

Functional intersects with RESPONSE-4d

Semantic intersects with RESPONSE-4h

Functional intersects with RESPONSE-3d

Semantic intersects with RESPONSE-3i

Semantic intersects with RESPONSE-3j

Semantic intersects with RESPONSE-1d

Semantic intersects with RESPONSE-2a

Semantic intersects with RESPONSE-3e

Semantic intersects with RESPONSE-4h

Semantic intersects with THREAT-1a

Semantic intersects with THREAT-1b

Semantic intersects with THREAT-1e


Semantic intersects with THREAT-1g

Semantic intersects with THREAT-1j

Semantic intersects with THREAT-1l

Semantic intersects with THREAT-1m

Semantic intersects with THREAT-2a

Semantic intersects with THREAT-2b

Semantic intersects with THREAT-3a

Semantic intersects with SITUATION-3e

Semantic intersects with SITUATION-3f

Semantic intersects with RESPONSE-3b

Semantic intersects with RESPONSE-3e

Semantic intersects with ARCHITECTURE-2l

Semantic intersects with RESPONSE-3b


Semantic intersects with RESPONSE-3e

Semantic superset of THREAT-1d

Semantic intersects with THREAT-1g

Semantic intersects with RISK-2i

Functional intersects with RESPONSE-2e

Semantic subset of RESPONSE-3h

Semantic intersects with RESPONSE-3i

Semantic intersects with RESPONSE-4o


Semantic intersects with RESPONSE-4p
Semantic intersects with RESPONSE-5a

Semantic intersects with RESPONSE-3d

Semantic subset of RESPONSE-3h

Semantic intersects with RESPONSE-3i

Semantic intersects with RESPONSE-4d

Semantic intersects with RESPONSE-4o


Semantic intersects with RESPONSE-4p
Semantic intersects with RESPONSE-5c
Semantic intersects with RESPONSE-3b

Semantic intersects with RESPONSE-3e

Semantic intersects with RESPONSE-3j

Functional intersects with RESPONSE-4a

Semantic intersects with RESPONSE-5a

Semantic intersects with RESPONSE-3d

Semantic intersects with RESPONSE-3h

Semantic intersects with RESPONSE-3i

Functional intersects with RESPONSE-4i

Semantic intersects with RESPONSE-4o


Semantic intersects with RESPONSE-4p
Semantic intersects with RESPONSE-5a

Semantic intersects with RESPONSE-3h

Semantic intersects with RESPONSE-3i

Semantic intersects with RESPONSE-4d

Semantic intersects with RESPONSE-4o


Functional intersects with RESPONSE-4p
Semantic intersects with RESPONSE-5c
Semantic intersects with RESPONSE-3f

Functional intersects with RESPONSE-3f

Semantic intersects with SITUATION-3d

Semantic intersects with RESPONSE-2g

Semantic intersects with RESPONSE-3f

Semantic intersects with RESPONSE-3j


Reference Document Element Description | Fulfilled By (Y/N)

IT and OT assets that are important to the delivery of the function are inventoried, at least in an ad hoc manner | Y
The IT and OT asset inventory includes assets within the function that may be leveraged to achieve a threat objective | Y
The IT and OT asset inventory is complete (the inventory includes all assets within the function) | Y
The IT and OT asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes | N
IT and OT assets that are important to the delivery of the function are inventoried, at least in an ad hoc manner | Y
The IT and OT asset inventory includes assets within the function that may be leveraged to achieve a threat objective | Y
The IT and OT asset inventory is complete (the inventory includes all assets within the function) | Y
The IT and OT asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes | Y
A documented cybersecurity architecture is established and maintained that includes IT and OT systems and networks and aligns with system and asset categorization and prioritization | N
IT and OT assets that are important to the delivery of the function are inventoried, at least in an ad hoc manner | Y
The IT and OT asset inventory includes assets within the function that may be leveraged to achieve a threat objective | Y
The IT and OT asset inventory is complete (the inventory includes all assets within the function) | Y
The IT and OT asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes | Y
Information assets that are important to the delivery of the function (for example, SCADA set points and customer information) are inventoried, at least in an ad hoc manner | N
The information asset inventory includes information assets within the function that may be leveraged to achieve a threat objective | N
The information asset inventory is complete (the inventory includes all assets within the function) | N
Inventoried IT and OT assets are prioritized based on defined criteria that include importance to the delivery of the function | N
Prioritization criteria include consideration of the degree to which an asset within the function may be leveraged to achieve a threat objective | N
Inventoried information assets are categorized based on defined criteria that includes importance to the delivery of the function | N
Categorization criteria include consideration of the degree to which an asset within the function may be leveraged to achieve a threat objective | N
Third parties are prioritized according to established criteria (for example, importance to the delivery of the function, impact of a compromise or disruption, ability to negotiate cybersecurity requirements within contracts) | N
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel | N
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets | Y
Cybersecurity responsibilities for the function are identified, at least in an ad hoc manner | Y
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner | Y
Cybersecurity responsibilities are assigned to specific roles, including external service providers | Y
Cybersecurity responsibilities are documented | Y
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel | N
The cybersecurity program strategy defines the structure and organization of the cybersecurity program | N
Responsibility for the cybersecurity program is assigned to a role with sufficient authority | N
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel | N
Cyber risk identification considers risks that may arise from or impact critical infrastructure or other interdependent organizations | N
Important IT and OT third-party dependencies are identified (that is, internal and external parties on which the delivery of the function depends, including operating partners), at least in an ad hoc manner | N
The cybersecurity program strategy and priorities are documented and aligned with the organization's mission, strategic objectives, and risk to critical infrastructure | N
Cyber risk identification considers risks that may arise from or impact critical infrastructure or other interdependent organizations | N
Important IT and OT third-party dependencies are identified (that is, internal and external parties on which the delivery of the function depends, including operating partners), at least in an ad hoc manner | N
The cybersecurity program strategy and priorities are documented and aligned with the organization's mission, strategic objectives, and risk to critical infrastructure | N
The organization has a cybersecurity program strategy, which may be developed and managed in an ad hoc manner | N
The cybersecurity program strategy defines goals and objectives for the organization's cybersecurity activities | N
The cybersecurity program strategy and priorities are documented and aligned with the organization's mission, strategic objectives, and risk to critical infrastructure | N
Cyber risk identification considers risks that may arise from or impact critical infrastructure or other interdependent organizations | N
The assets and activities necessary to sustain minimum operations of the function are identified and documented in continuity plans | N
Continuity plans address IT, OT, and information assets that are important to the delivery of the function, including the availability of backup data and replacement, redundant, and spare IT and OT assets | N
Important IT and OT third-party dependencies are identified (that is, internal and external parties on which the delivery of the function depends, including operating partners), at least in an ad hoc manner | N
Predefined states of operation are documented and can be implemented based on the cybersecurity state of the function or when triggered by activities in other domains | N
Continuity plans are developed to sustain and restore operation of the function if a cybersecurity event or incident occurs, at least in an ad hoc manner | N
The assets and activities necessary to sustain minimum operations of the function are identified and documented in continuity plans | N
Continuity plans address IT, OT, and information assets that are important to the delivery of the function, including the availability of backup data and replacement, redundant, and spare IT and OT assets | N
Recovery time objectives (RTOs) and recovery point objectives (RPOs) for assets that are important to the delivery of the function are incorporated into continuity plans | N
The cybersecurity architecture establishes and maintains cybersecurity requirements for the organization's assets | N
The cybersecurity architecture is guided by the organization's risk analysis information (RISK-3d) and threat profile (THREAT-2e) | N
Up-to-date policies or other organizational directives define requirements for activities in the ASSET domain | Y
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel | Y
Up-to-date policies or other organizational directives define requirements for activities in the THREAT domain | Y
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel | Y
Governance for the cyber risk management program is established and maintained | N
Up-to-date policies or other organizational directives define requirements for activities in the RISK domain | Y
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel | Y
Up-to-date policies or other organizational directives define requirements for activities in the ACCESS domain | Y
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel | Y
Up-to-date policies or other organizational directives define requirements for activities in the SITUATION domain | Y
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel | Y
Up-to-date policies or other organizational directives define requirements for activities in the RESPONSE domain | Y
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel | Y
Up-to-date policies or other organizational directives define requirements for activities in the THIRD-PARTIES domain | Y
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel | Y
Cybersecurity awareness objectives are established and maintained | Y
Up-to-date policies or other organizational directives define requirements for activities in the WORKFORCE domain | Y
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel | Y
Up-to-date policies or other organizational directives define requirements for activities in the ARCHITECTURE domain | Y
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel | Y
The cybersecurity program strategy defines the organization's approach to provide program oversight and governance for cybersecurity activities | N
The cybersecurity program strategy defines the structure and organization of the cybersecurity program | N
The cybersecurity program strategy identifies standards and guidelines intended to be followed by the program | N
The cybersecurity program is established according to the cybersecurity program strategy | N
Senior management sponsorship is provided for the development, maintenance, and enforcement of cybersecurity policies | N
The cybersecurity program addresses and enables the achievement of legal and regulatory compliance, as appropriate | N
Up-to-date policies or other organizational directives define requirements for activities in the PROGRAM domain | Y
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel | Y
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel | N
Cybersecurity incident response personnel are identified, and roles are assigned, at least in an ad hoc manner | N
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel | N
Cybersecurity responsibilities are assigned to specific roles, including external service providers | N
Cybersecurity responsibilities and job requirements are reviewed and updated periodically and according to defined triggers, such as system changes and changes to organizational structure | N
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel | N
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel | N
The cybersecurity program strategy defines the structure and organization of the cybersecurity program | N
Responsibility for the cybersecurity program is assigned to a role with sufficient authority | N
Stakeholders for cybersecurity program management activities are identified and involved | N
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel | N
Up-to-date policies or other organizational directives define requirements for activities in the ASSET domain | N
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel | N
Up-to-date policies or other organizational directives define requirements for activities in the THREAT domain | N
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel | N
Up-to-date policies or other organizational directives define requirements for activities in the RISK domain | N
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel | N
Up-to-date policies or other organizational directives define requirements for activities in the ACCESS domain | N
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel | N
Up-to-date policies or other organizational directives define requirements for activities in the SITUATION domain | N
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel | N
Reporting of incidents is performed (for example, internal reporting, ICS-CERT, relevant ISACs), at least in an ad hoc manner | N
Up-to-date policies or other organizational directives define requirements for activities in the RESPONSE domain | N
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel | N
Up-to-date policies or other organizational directives define requirements for activities in the THIRD-PARTIES domain | N
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel | N
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner | N
Cybersecurity responsibilities are assigned to specific roles, including external service providers | N
Up-to-date policies or other organizational directives define requirements for activities in the WORKFORCE domain | N
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel | N
The cybersecurity architecture establishes and maintains cybersecurity requirements for the organization's assets | N
Up-to-date policies or other organizational directives define requirements for activities in the ARCHITECTURE domain | N
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel | N
The cybersecurity program strategy identifies standards and guidelines intended to be followed by the program | Y
The cybersecurity program strategy identifies any applicable compliance requirements that must be satisfied by the program (for example, NERC CIP, TSA Pipeline Security Guidelines, PCI DSS, ISO, DoD CMMC) | Y
The cybersecurity program addresses and enables the achievement of legal and regulatory compliance, as appropriate | Y
Up-to-date policies or other organizational directives define requirements for activities in the PROGRAM domain | N
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel | N
The organization has a strategy for cyber risk management, which may be developed and managed in an ad hoc manner | N
The cyber risk management program is established and maintained to perform cyber risk management activities according to the cyber risk management strategy | N
Information from RISK domain activities is communicated to relevant stakeholders | N
Governance for the cyber risk management program is established and maintained | N
The cyber risk management program aligns with the organization's mission and objectives | N
The cyber risk management program is coordinated with the organization's enterprise-wide risk management program | N
Cyber risks are identified, at least in an ad hoc manner | N
Risk responses (such as mitigate, accept, avoid, or transfer) are implemented to address cyber risks, at least in an ad hoc manner | N
Up-to-date policies or other organizational directives define requirements for activities in the RISK domain | N
Governance for cybersecurity architecture (such as an architecture
review process) is established and maintained that includes
provisions for periodic architectural reviews and an exceptions N
process

The cybersecurity program strategy defines the organization's approach to provide program oversight and governance for cybersecurity activities N
Information sources to support cybersecurity vulnerability discovery are identified, at least in an ad hoc manner N
Cybersecurity vulnerability information is gathered and interpreted for the function, at least in an ad hoc manner N
Cybersecurity vulnerability assessments are performed, at least in an ad hoc manner N
Cybersecurity vulnerability information sources that collectively address higher priority assets are monitored N
Cybersecurity vulnerability assessments are performed periodically and according to defined triggers, such as system changes and external events N
Cybersecurity vulnerability information sources that collectively address all IT and OT assets within the function are monitored N
Information sources to support cybersecurity vulnerability discovery are identified, at least in an ad hoc manner N
Cybersecurity vulnerability information sources that collectively address all IT and OT assets within the function are monitored N
Mechanisms are established and maintained to receive and respond to reports from the public or external parties of potential vulnerabilities related to the organization's IT and OT assets, such as public-facing websites or mobile applications N
Internal and external information sources to support threat management activities are identified, at least in an ad hoc manner Y
Information about cybersecurity threats is gathered and interpreted for the function, at least in an ad hoc manner Y
Threat information is exchanged with stakeholders (for example, executives, operations staff, government, connected organizations, vendors, sector organizations, regulators, Information Sharing and Analysis Centers [ISACs]) Y
Secure, near-real-time methods are used for receiving and sharing threat information to enable rapid analysis and action N
Relevant information from outside the organization is collected and made available across the organization to enhance situational awareness Y
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function Y
Information about cybersecurity threats is gathered and interpreted for the function, at least in an ad hoc manner Y
Threat objectives for the function are identified, at least in an ad hoc manner N
Threats that are relevant to the delivery of the function are addressed, at least in an ad hoc manner Y
A threat profile for the function is established that includes threat objectives and additional threat characteristics (for example, threat actor types, motives, capabilities, and targets) Y
Relevant information from outside the organization is collected and made available across the organization to enhance situational awareness N
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function N
A defined method is used to identify cyber risks N
Cyber risks are prioritized based on estimated impact, at least in an ad hoc manner N
Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance) N
A defined method is used to estimate impact for higher priority cyber risks (for example, comparison to actual events, risk quantification) N
Defined methods are used to analyze higher priority cyber risks (for example, analyzing the prevalence of types of attacks to estimate likelihood, using the results of controls assessments to estimate susceptibility) N
Continuity plans address potential impacts from cybersecurity incidents N
Threats that are relevant to the delivery of the function are addressed, at least in an ad hoc manner N
Identified threats are analyzed and prioritized and are addressed accordingly N
A defined method is used to identify cyber risks N
Vulnerability management information from THREAT domain activities is used to update cyber risks and identify new risks (such as risks arising from vulnerabilities that pose an ongoing risk to the organization or newly identified vulnerabilities) Y
Threat management information from THREAT domain activities is used to update cyber risks and identify new risks Y
Cyber risk identification considers risks that may arise from or impact critical infrastructure or other interdependent organizations N
Cyber risks are prioritized based on estimated impact, at least in an ad hoc manner Y
Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance) Y
A defined method is used to estimate impact for higher priority cyber risks (for example, comparison to actual events, risk quantification) Y
Defined methods are used to analyze higher priority cyber risks (for example, analyzing the prevalence of types of attacks to estimate likelihood, using the results of controls assessments to estimate susceptibility) Y
Risk responses (such as mitigate, accept, avoid, or transfer) are implemented to address cyber risks, at least in an ad hoc manner N
A defined method is used to select and implement risk responses based on analysis and prioritization Y
The organization has a strategy for cyber risk management, which may be developed and managed in an ad hoc manner Y
A strategy for cyber risk management is established and maintained in alignment with the organization's cybersecurity program strategy (PROGRAM-1b) and enterprise architecture N
Governance for the cyber risk management program is established and maintained Y
The cyber risk management program aligns with the organization's mission and objectives Y
A defined method is used to identify cyber risks Y
Cyber risk identification activities are performed periodically and according to defined triggers, such as system changes and external events Y
Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance) Y
A defined method is used to estimate impact for higher priority cyber risks (for example, comparison to actual events, risk quantification) Y
Defined methods are used to analyze higher priority cyber risks (for example, analyzing the prevalence of types of attacks to estimate likelihood, using the results of controls assessments to estimate susceptibility) Y
A defined method is used to select and implement risk responses based on analysis and prioritization Y
Documented procedures are established, followed, and maintained for activities in the RISK domain Y
Up-to-date policies or other organizational directives define requirements for activities in the RISK domain Y
A defined method is followed to identify risks arising from suppliers and other third parties Y
The organization has a strategy for cyber risk management, which may be developed and managed in an ad hoc manner N
A strategy for cyber risk management is established and maintained in alignment with the organization's cybersecurity program strategy (PROGRAM-1b) and enterprise architecture N
Senior management sponsorship for the cyber risk management program is visible and active Y
Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance) N
The organization has a strategy for cyber risk management, which may be developed and managed in an ad hoc manner Y
A strategy for cyber risk management is established and maintained in alignment with the organization's cybersecurity program strategy (PROGRAM-1b) and enterprise architecture Y
Senior management sponsorship for the cyber risk management program is visible and active N
Cyber risk identification considers risks that may arise from or impact critical infrastructure or other interdependent organizations Y
Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance) Y
Senior management sponsorship for the cyber risk management program is visible and active N
Information from THIRD-PARTIES domain activities is used to update cyber risks and identify new risks N
Documented procedures are established, followed, and maintained for activities in the RISK domain N
Documented procedures are established, followed, and maintained for activities in the THIRD-PARTIES domain N
Up-to-date policies or other organizational directives define requirements for activities in the THIRD-PARTIES domain N
The effectiveness of activities in the THIRD-PARTIES domain is evaluated and tracked N
Important IT and OT third-party dependencies are identified (that is, internal and external parties on which the delivery of the function depends, including operating partners), at least in an ad hoc manner Y
Third parties that have access to, control of, or custody of any IT, OT, or information assets that are important to the delivery of the function are identified, at least in an ad hoc manner Y
Third parties are prioritized according to established criteria (for example, importance to the delivery of the function, impact of a compromise or disruption, ability to negotiate cybersecurity requirements within contracts) Y
Prioritization of suppliers and other third parties is updated periodically and according to defined triggers, such as system changes and external events N
A defined method is followed to evaluate and select suppliers and other third parties Y
Suppliers and other third parties periodically attest to their ability to meet cybersecurity requirements Y
Cybersecurity requirements (for example, vulnerability notification, incident-related SLA requirements) are formalized in agreements with suppliers and other third parties Y
Cybersecurity requirements for suppliers and other third parties include secure software and secure product development requirements where appropriate N
Suppliers and other third parties periodically attest to their ability to meet cybersecurity requirements N
Selection criteria for higher priority assets include evaluation of any associated third-party hosting environments and source data N
Cybersecurity incident response plan exercises are conducted periodically and according to defined triggers, such as system changes and external events N
Cybersecurity incident responses are coordinated with vendors, law enforcement, and other external entities as appropriate, including support for evidence collection and preservation N
Cybersecurity incident response personnel participate in joint cybersecurity exercises with other organizations N
Recovery time objectives (RTOs) and recovery point objectives (RPOs) for assets that are important to the delivery of the function are incorporated into continuity plans N
Continuity plans are tested through evaluations and exercises periodically and according to defined triggers, such as system changes and external events N

Identities are provisioned, at least in an ad hoc manner, for personnel and other entities such as services and devices that require access to assets (note that this does not preclude shared identities) Y
Credentials (such as passwords, smartcards, certificates, and keys) are issued for personnel and other entities that require access to assets, at least in an ad hoc manner Y
Identities are deprovisioned, at least in an ad hoc manner, when no longer required Y
Password strength and reuse restrictions are defined and enforced Y
Identity repositories are reviewed and updated periodically and according to defined triggers, such as system changes and changes to organizational structure Y
Identities are deprovisioned within organization-defined time thresholds when no longer required Y
Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access) Y
Identities are disabled after a defined period of inactivity, where feasible Y
Logical access privileges are revoked when no longer needed, at least in an ad hoc manner Y
Physical access privileges are revoked when no longer needed, at least in an ad hoc manner Y
Physical access controls (such as fences, locks, and signage) are implemented, at least in an ad hoc manner Y
Physical access privileges are revoked when no longer needed, at least in an ad hoc manner Y
Physical access logs are maintained, at least in an ad hoc manner Y
Physical access requirements are established and maintained (for example, rules for who is allowed to access an asset, how access is granted, limits of allowed access) Y
Physical access requirements incorporate the principle of least privilege Y
Physical access requirements incorporate the principle of separation of duties Y
Physical access requests are reviewed and approved by the asset owner Y
Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring Y
Physical access privileges are reviewed and updated Y
Physical access is monitored to identify potential cybersecurity events Y
Network protections are implemented, at least in an ad hoc manner N
Logical and physical access controls are implemented to protect assets that are important to the delivery of the function, where feasible, at least in an ad hoc manner Y
Cybersecurity controls are implemented for all assets within the function either at the asset level or as compensating controls where asset-level controls are not feasible N
The physical operating environment is controlled to protect the operation of assets within the function Y
Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access) Y
Logical access controls are implemented, at least in an ad hoc manner Y
Logical access privileges are revoked when no longer needed, at least in an ad hoc manner N
Logical access requirements are established and maintained (for example, rules for which types of entities are allowed to access an asset, limits of allowed access, constraints on remote access, authentication parameters) Y
Logical access privileges that pose higher risk to the function receive additional scrutiny and monitoring Y
Logical and physical access controls are implemented to protect assets that are important to the delivery of the function, where feasible, at least in an ad hoc manner N
Network protections are defined and enforced for selected asset types according to asset risk and priority (for example, internal assets, perimeter assets, assets connected to the organization's Wi-Fi, cloud assets, remote access, and externally owned devices) N
The use of privileged credentials is limited to processes for which they are required Y
Logical access controls are implemented, at least in an ad hoc manner Y
Logical access privileges are revoked when no longer needed, at least in an ad hoc manner N
Logical access requirements are established and maintained (for example, rules for which types of entities are allowed to access an asset, limits of allowed access, constraints on remote access, authentication parameters) Y
Logical access requirements incorporate the principle of least privilege Y
Logical access requirements incorporate the principle of separation of duties Y
Logical access requests are reviewed and approved by the asset owner Y
Logical access privileges that pose higher risk to the function receive additional scrutiny and monitoring Y
Logical access privileges are reviewed and updated to ensure conformance with access requirements periodically and according to defined triggers, such as changes to organizational structure, and after any temporary elevation of privileges Y

Physical access requirements incorporate the principle of least privilege N
Physical access requirements incorporate the principle of separation of duties N
Physical access requests are reviewed and approved by the asset owner N
Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring N
Physical access privileges are reviewed and updated N
Network protections incorporate the principles of least privilege and least functionality N
The principle of least privilege (for example, limiting administrative access for users and service accounts) is enforced N
Network protections are implemented, at least in an ad hoc manner N
The organization's IT systems are separated from OT systems through segmentation, either through physical means or logical means, at least in an ad hoc manner Y
Network protections are defined and enforced for selected asset types according to asset risk and priority (for example, internal assets, perimeter assets, assets connected to the organization's Wi-Fi, cloud assets, remote access, and externally owned devices) Y
Assets that are important to the delivery of the function are logically or physically segmented into distinct security zones based on asset cybersecurity requirements Y
Network protections incorporate the principles of least privilege and least functionality Y
Network protections include monitoring, analysis, and control of network traffic for selected security zones (for example, firewalls, allowlisting, intrusion detection and prevention systems (IDPS)) Y
All assets are segmented into distinct security zones based on cybersecurity requirements Y
Separate networks are implemented, where warranted, that logically or physically segment assets into security zones with independent authentication Y
OT systems are operationally independent from IT systems so that OT operations can be sustained during an outage of IT systems Y
Device connections to the network are controlled to ensure that only authorized devices can connect (for example, network access control (NAC)) Y
Identities are provisioned, at least in an ad hoc manner, for personnel and other entities such as services and devices that require access to assets (note that this does not preclude shared identities) Y
Credentials (such as passwords, smartcards, certificates, and keys) are issued for personnel and other entities that require access to assets, at least in an ad hoc manner Y
Logical access controls are implemented, at least in an ad hoc manner Y
Logical access requirements are established and maintained (for example, rules for which types of entities are allowed to access an asset, limits of allowed access, constraints on remote access, authentication parameters) Y
Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access) Y
Multifactor authentication is required for all access, where feasible N
Logical access controls are implemented, at least in an ad hoc manner Y
Logical access requirements are established and maintained (for example, rules for which types of entities are allowed to access an asset, limits of allowed access, constraints on remote access, authentication parameters) Y
Device connections to the network are controlled to ensure that only authorized devices can connect (for example, network access control (NAC)) N
Logical and physical access controls are implemented to protect assets that are important to the delivery of the function, where feasible, at least in an ad hoc manner N

Personnel performing activities in the ASSET domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the THREAT domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the RISK domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the ACCESS domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the SITUATION domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the RESPONSE domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the THIRD-PARTIES domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets Y
Cybersecurity awareness activities occur, at least in an ad hoc manner Y
Cybersecurity awareness activities are conducted periodically N
Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities, at least in an ad hoc manner Y
Cybersecurity training is provided as a prerequisite to granting access to assets that are important to the delivery of the function Y
Training programs include continuing education and professional development opportunities for personnel with significant cybersecurity responsibilities Y
Personnel performing activities in the WORKFORCE domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the ARCHITECTURE domain have the skills and knowledge needed to perform their assigned responsibilities Y
Personnel performing activities in the PROGRAM domain have the skills and knowledge needed to perform their assigned responsibilities Y
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel N
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel N
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets Y
Cybersecurity training is provided as a prerequisite to granting access to assets that are important to the delivery of the function Y
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific roles, including external service providers Y
Cybersecurity responsibilities are documented Y
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel N
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel Y
Cybersecurity incident response personnel are identified, and roles are assigned, at least in an ad hoc manner N
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel Y
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets Y
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific roles, including external service providers Y
Cybersecurity responsibilities are documented Y
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel Y
Key management infrastructure (that is, key generation, key storage, key destruction, key update, and key revocation) is implemented to support cryptographic controls N
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel Y
Stakeholders for cybersecurity program management activities are identified and involved Y
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel Y
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets Y
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific roles, including external service providers Y
Cybersecurity responsibilities are documented Y
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel Y
Responsibility for the cybersecurity program is assigned to a role with sufficient authority Y
Stakeholders for cybersecurity program management activities are identified and involved Y
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ASSET domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THREAT domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RISK domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ACCESS domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the SITUATION domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the RESPONSE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the THIRD-PARTIES domain are assigned to personnel Y
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets Y
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific roles, including external service providers Y
Cybersecurity responsibilities are documented Y
Responsibility, accountability, and authority for the performance of activities in the WORKFORCE domain are assigned to personnel Y
Responsibility, accountability, and authority for the performance of activities in the ARCHITECTURE domain are assigned to personnel Y
Stakeholders for cybersecurity program management activities are identified and involved Y
Responsibility, accountability, and authority for the performance of activities in the PROGRAM domain are assigned to personnel Y
Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life Y
Cybersecurity controls protecting backup data are equivalent to or more rigorous than controls protecting source data N
Data backups are logically or physically separated from source data N
Sensitive data is protected at rest, at least in an ad hoc manner Y
All data at rest is protected for selected data categories Y
Cryptographic controls are implemented for data at rest and data in transit for selected data categories Y
Key management infrastructure (that is, key generation, key storage, key destruction, key update, and key revocation) is implemented to support cryptographic controls Y
Controls to restrict the exfiltration of data (for example, data loss prevention tools) are implemented Y
The cybersecurity architecture includes protections (such as full disk encryption) for data that is stored on assets that may be lost or stolen Y
The cybersecurity architecture includes protections against unauthorized changes to software, firmware, and data Y
All data in transit is protected for selected data categories N
Cryptographic controls are implemented for data at rest and data in transit for selected data categories N
Key management infrastructure (that is, key generation, key storage, key destruction, key update, and key revocation) is implemented to support cryptographic controls N
Controls to restrict the exfiltration of data (for example, data loss prevention tools) are implemented N
The cybersecurity architecture includes protections (such as full disk encryption) for data that is stored on assets that may be lost or stolen N
The cybersecurity architecture includes protections against unauthorized changes to software, firmware, and data N
IT and OT assets that are important to the delivery of the function are inventoried, at least in an ad hoc manner N
The IT and OT asset inventory is complete (the inventory includes all assets within the function) N
The IT and OT asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes N
Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life N
Information assets that are important to the delivery of the function (for example, SCADA set points and customer information) are inventoried, at least in an ad hoc manner N
The information asset inventory is complete (the inventory includes all assets within the function) N
The information asset inventory is current, that is, it is updated
periodically and according to defined triggers, such as system N
changes
Information assets are sanitized or destroyed at end of life using
techniques appropriate to their cybersecurity requirements N
Changes to assets are evaluated and approved before being
implemented, at least in an ad hoc manner N
Changes to assets are documented, at least in an ad hoc manner
N
Documentation requirements for asset changes are established and
maintained N
Changes and updates are implemented in a secure manner
N
Change management practices address the full lifecycle of assets (for
example, acquisition, deployment, operation, retirement) Y
Maintenance and capacity management activities are performed for
all assets within the function N
Data backups are available and tested, at least in an ad hoc manner
N
IT and OT assets requiring spares are identified, at least in an ad hoc
manner N
The assets and activities necessary to sustain minimum operations of
the function are identified and documented in continuity plans N
Continuity plans address IT, OT, and information assets that are
important to the delivery of the function, including the availability of
backup data and replacement, redundant, and spare IT and OT N
assets

Spares for selected IT and OT assets are available N


Important IT and OT third-party dependencies are identified (that is,
internal and external parties on which the delivery of the function
depends, including operating partners), at least in an ad hoc manner N

Escalated prioritization is assigned to suppliers and other third


parties whose compromise or disruption could cause significant
consequences (for example, single-source suppliers, suppliers with N
privileged access)

Maintenance and capacity management activities are performed for


all assets within the function Y
Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life Y
Information assets are sanitized or destroyed at end of life using techniques appropriate to their cybersecurity requirements Y
Logical access controls are implemented, at least in an ad hoc manner N
Physical access controls (such as fences, locks, and signage) are implemented, at least in an ad hoc manner N
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets N
Sensitive data is protected at rest, at least in an ad hoc manner N
All data at rest is protected for selected data categories N
All data in transit is protected for selected data categories N
Cryptographic controls are implemented for data at rest and data in transit for selected data categories N
Controls to restrict the exfiltration of data (for example, data loss prevention tools) are implemented Y
The cybersecurity architecture includes protections (such as full disk encryption) for data that is stored on assets that may be lost or stolen N
Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement) N
Acceptance testing of procured assets includes consideration of cybersecurity requirements Y
Configuration of and changes to firmware are controlled throughout the asset lifecycle N
The authenticity of all software and firmware is validated prior to deployment Y
The cybersecurity architecture includes protections against unauthorized changes to software, firmware, and data Y
Software developed in-house for deployment on higher priority assets is developed using secure software development practices Y
The selection of procured software for deployment on higher priority assets includes consideration of the vendor's secure software development practices Y
All software developed in-house is developed using secure software development practices Y
The selection of all procured software includes consideration of the vendor's secure software development practices Y
Acceptance testing of procured assets includes consideration of cybersecurity requirements N
Configuration baselines are established, at least in an ad hoc manner Y
Configuration baselines incorporate applicable requirements from the cybersecurity architecture (ARCHITECTURE-1f) N
Configuration baselines are reviewed and updated periodically and according to defined triggers, such as system changes and changes to the cybersecurity architecture Y
Predefined states of operation are documented and can be implemented based on the cybersecurity state of the function or when triggered by activities in other domains N
Endpoint protections (such as secure configuration, security applications, and host monitoring) are implemented to protect assets that are important to the delivery of the function, where feasible, at least in an ad hoc manner N
The principle of least privilege (for example, limiting administrative access for users and service accounts) is enforced Y
The principle of least functionality (for example, limiting services, limiting applications, limiting ports, limiting connected devices) is enforced Y
Secure configurations are established and maintained as part of the asset deployment process where feasible Y
Secure software configurations are required as part of the software deployment process for both procured software and software developed in-house Y
Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life N
Information assets are sanitized or destroyed at end of life using techniques appropriate to their cybersecurity requirements N
Asset configurations are monitored for consistency with baselines throughout the assets' lifecycles N
Changes to higher priority assets are tested prior to being deployed N
Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement) N
Configuration of and changes to firmware are controlled throughout the asset lifecycle N
All software developed in-house is developed using secure software development practices N
Configuration baselines are established, at least in an ad hoc manner Y
Configuration baselines are used to configure assets at deployment and restoration Y
Configuration baselines incorporate applicable requirements from the cybersecurity architecture (ARCHITECTURE-1f) Y
Configuration baselines are reviewed and updated periodically and according to defined triggers, such as system changes and changes to the cybersecurity architecture Y
Asset configurations are monitored for consistency with baselines throughout the assets' lifecycles Y
Changes to assets are evaluated and approved before being implemented, at least in an ad hoc manner Y
Changes to assets are documented, at least in an ad hoc manner Y
Documentation requirements for asset changes are established and maintained N
Changes to higher priority assets are tested prior to being deployed Y
Changes and updates are implemented in a secure manner N
The capability to reverse changes is established and maintained for assets that are important to the delivery of the function N
Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement) Y
Changes to higher priority assets are tested for cybersecurity impact prior to being deployed N
Change logs include information about modifications that impact the cybersecurity requirements of assets N
Configuration of and changes to firmware are controlled throughout the asset lifecycle Y
Data backups are available and tested, at least in an ad hoc manner Y
Physical access controls (such as fences, locks, and signage) are implemented, at least in an ad hoc manner N
Physical access requirements are established and maintained (for example, rules for who is allowed to access an asset, how access is granted, limits of allowed access) N
Physical access requirements incorporate the principle of separation of duties N
Up-to-date policies or other organizational directives define requirements for activities in the ACCESS domain N
The physical operating environment is controlled to protect the operation of assets within the function N
Up-to-date policies or other organizational directives define requirements for activities in the ARCHITECTURE domain N
The cybersecurity program strategy identifies standards and guidelines intended to be followed by the program N
The cybersecurity program strategy identifies any applicable compliance requirements that must be satisfied by the program (for example, NERC CIP, TSA Pipeline Security Guidelines, PCI DSS, ISO, DoD CMMC) N
The cybersecurity program addresses and enables the achievement of legal and regulatory compliance, as appropriate N
Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life Y
Information assets are sanitized or destroyed at end of life using techniques appropriate to their cybersecurity requirements Y
Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement) N
The effectiveness of activities in the ASSET domain is evaluated and tracked N
The effectiveness of activities in the THREAT domain is evaluated and tracked N
Cybersecurity controls are evaluated to determine whether they are designed appropriately and are operating as intended to mitigate identified cyber risks N
Results from cyber risk impact analyses and cybersecurity control evaluations are reviewed together by enterprise leadership to determine whether cyber risks are sufficiently mitigated, and risk tolerances are not exceeded N
Risk responses (such as mitigate, accept, avoid, or transfer) are reviewed periodically by leadership to determine whether they are still appropriate N
The effectiveness of activities in the RISK domain is evaluated and tracked N
The effectiveness of activities in the ACCESS domain is evaluated and tracked N
The effectiveness of activities in the SITUATION domain is evaluated and tracked N
Cybersecurity incident declaration criteria are updated periodically and according to defined triggers, such as organizational changes, lessons learned from plan execution, or newly identified threats N
Cybersecurity incident response plan exercises are conducted periodically and according to defined triggers, such as system changes and external events N
Cybersecurity incident lessons-learned activities are performed and corrective actions are taken, including updates to the incident response plan N
Cybersecurity incident root-cause analysis is performed and corrective actions are taken, including updates to the incident response plan N
The effectiveness of activities in the RESPONSE domain is evaluated and tracked N
The effectiveness of activities in the THIRD-PARTIES domain is evaluated and tracked N
The effectiveness of activities in the WORKFORCE domain is evaluated and tracked N
The effectiveness of activities in the ARCHITECTURE domain is evaluated and tracked N
Cybersecurity program activities are periodically reviewed to ensure that they align with the cybersecurity program strategy N
Cybersecurity activities are independently reviewed to ensure conformance with cybersecurity policies and procedures, periodically and according to defined triggers, such as process changes N
The effectiveness of activities in the PROGRAM domain is evaluated and tracked N
Information from RISK domain activities is communicated to relevant stakeholders N
Results from cyber risk impact analyses and cybersecurity control evaluations are reviewed together by enterprise leadership to determine whether cyber risks are sufficiently mitigated, and risk tolerances are not exceeded N
Cybersecurity activities are independently reviewed to ensure conformance with cybersecurity policies and procedures, periodically and according to defined triggers, such as process changes N
Criteria for declaring cybersecurity incidents are established, at least in an ad hoc manner Y
Cybersecurity incident declaration criteria are formally established based on potential impact to the function Y
Cybersecurity incident declaration criteria are updated periodically and according to defined triggers, such as organizational changes, lessons learned from plan execution, or newly identified threats Y
Cybersecurity incident response plans that address all phases of the incident lifecycle are established and maintained Y
Cybersecurity incident lessons-learned activities are performed and corrective actions are taken, including updates to the incident response plan Y
Cybersecurity incident root-cause analysis is performed and corrective actions are taken, including updates to the incident response plan Y
Continuity plans are developed to sustain and restore operation of the function if a cybersecurity event or incident occurs, at least in an ad hoc manner Y
Continuity plans address potential impacts from cybersecurity incidents N
The assets and activities necessary to sustain minimum operations of the function are identified and documented in continuity plans Y
Continuity plans address IT, OT, and information assets that are important to the delivery of the function, including the availability of backup data and replacement, redundant, and spare IT and OT assets N
Cybersecurity incident criteria that trigger the execution of continuity plans are established and communicated to incident response and continuity management personnel Y
Continuity plans are tested through evaluations and exercises periodically and according to defined triggers, such as system changes and external events Y
The results of continuity plan testing or activation are compared to recovery objectives, and plans are improved accordingly Y
Continuity plans are periodically reviewed and updated Y
Documented procedures are established, followed, and maintained for activities in the RESPONSE domain Y
Cybersecurity incident response plans that address all phases of the incident lifecycle are established and maintained Y
Cybersecurity incident response plan exercises are conducted periodically and according to defined triggers, such as system changes and external events Y
Cybersecurity incident response personnel participate in joint cybersecurity exercises with other organizations Y
Continuity plans are tested through evaluations and exercises periodically and according to defined triggers, such as system changes and external events Y
Continuity plan exercises address higher priority risks N
Identities are deprovisioned, at least in an ad hoc manner, when no longer required N
Identity repositories are reviewed and updated periodically and according to defined triggers, such as system changes and changes to organizational structure N
Identities are deprovisioned within organization-defined time thresholds when no longer required N
Identities are disabled after a defined period of inactivity, where feasible N
Logical access privileges are revoked when no longer needed, at least in an ad hoc manner N
Physical access privileges are revoked when no longer needed, at least in an ad hoc manner N
Personnel vetting (for example, background checks, drug tests) is performed at hire, at least in an ad hoc manner Y
Personnel separation procedures address cybersecurity, at least in an ad hoc manner Y
Personnel vetting is performed at hire and periodically for positions that have access to assets that are important to the delivery of the function Y
Personnel separation and transfer procedures address cybersecurity, including supplementary vetting as appropriate Y
Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets Y
Vetting is performed for all positions (including employees, vendors, and contractors) at a level commensurate with position risk Y
A formal accountability process that includes disciplinary actions is implemented for personnel who fail to comply with established security policies and procedures Y
Cybersecurity responsibilities for the function are identified, at least in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific roles, including external service providers Y
Cybersecurity responsibilities are documented Y
Cybersecurity responsibilities and job requirements are reviewed and updated periodically and according to defined triggers, such as system changes and changes to organizational structure Y
Assigned cybersecurity responsibilities are managed to ensure adequacy and redundancy of coverage, including succession planning Y
Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities, at least in an ad hoc manner Y
Cybersecurity knowledge, skill, and ability requirements and gaps are identified for both current and future operational needs, at least in an ad hoc manner Y
Identified cybersecurity knowledge, skill, and ability gaps are addressed through training, recruiting, and retention efforts Y
Cybersecurity training is provided as a prerequisite to granting access to assets that are important to the delivery of the function Y
Training programs include continuing education and professional development opportunities for personnel with significant cybersecurity responsibilities Y
Documented procedures are established, followed, and maintained for activities in the WORKFORCE domain Y
Documented procedures are established, followed, and maintained for activities in the THREAT domain Y
Up-to-date policies or other organizational directives define requirements for activities in the THREAT domain Y
Changes to assets are evaluated and approved before being implemented, at least in an ad hoc manner N
Changes to assets are documented, at least in an ad hoc manner N
Documentation requirements for asset changes are established and maintained N
Changes to higher priority assets are tested prior to being deployed N
Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement) N
Changes to higher priority assets are tested for cybersecurity impact prior to being deployed N
Change logs include information about modifications that impact the cybersecurity requirements of assets N
Maintenance and capacity management activities are performed for all assets within the function N
Logical access requirements are established and maintained (for example, rules for which types of entities are allowed to access an asset, limits of allowed access, constraints on remote access, authentication parameters) N
Logical access privileges that pose higher risk to the function receive additional scrutiny and monitoring N
Maintenance and capacity management activities are performed for all assets within the function N
Physical access logs are maintained, at least in an ad hoc manner N
Logging is occurring for assets that are important to the delivery of the function, at least in an ad hoc manner Y
Logging is occurring for assets within the function that may be leveraged to achieve a threat objective, wherever feasible Y
Logging requirements are established and maintained for IT and OT assets that are important to the delivery of the function and assets within the function that may be leveraged to achieve a threat objective Y
Logging requirements are established and maintained for network and host monitoring infrastructure (for example, web gateways, endpoint detection and response software, intrusion detection and prevention systems) Y
More rigorous logging is performed for higher priority assets Y
Periodic reviews of log data or other cybersecurity monitoring activities are performed, at least in an ad hoc manner Y
Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner Y
The physical operating environment is controlled to protect the operation of assets within the function N
The use of removable media is controlled (for example, limiting the use of USB devices, managing external hard drives) Y
The cybersecurity architecture includes protections (such as full disk encryption) for data that is stored on assets that may be lost or stolen Y
Up-to-date policies or other organizational directives define requirements for activities in the ARCHITECTURE domain Y
Configuration baselines incorporate applicable requirements from the cybersecurity architecture (ARCHITECTURE-1f) Y
Network protections incorporate the principles of least privilege and least functionality Y
The principle of least functionality (for example, limiting services, limiting applications, limiting ports, limiting connected devices) is enforced Y
Secure configurations are established and maintained as part of the asset deployment process where feasible Y
Controls (such as allowlists, blocklists, and configuration settings) are implemented to prevent the execution of unauthorized code N
Network protections are implemented, at least in an ad hoc manner Y
The organization's IT systems are separated from OT systems through segmentation, either through physical means or logical means, at least in an ad hoc manner Y
Network protections are defined and enforced for selected asset types according to asset risk and priority (for example, internal assets, perimeter assets, assets connected to the organization's Wi-Fi, cloud assets, remote access, and externally owned devices) Y
Assets that are important to the delivery of the function are logically or physically segmented into distinct security zones based on asset cybersecurity requirements Y
Network protections incorporate the principles of least privilege and least functionality Y
Network protections include monitoring, analysis, and control of network traffic for selected security zones (for example, firewalls, allowlisting, intrusion detection and prevention systems (IDPS)) Y
Web traffic and email are monitored, analyzed, and controlled (for example, malicious link blocking, suspicious download blocking, email authentication techniques, IP address blocking) Y
All assets are segmented into distinct security zones based on cybersecurity requirements Y
Separate networks are implemented, where warranted, that logically or physically segment assets into security zones with independent authentication Y
OT systems are operationally independent from IT systems so that OT operations can be sustained during an outage of IT systems Y
Device connections to the network are controlled to ensure that only authorized devices can connect (for example, network access control (NAC)) Y
The cybersecurity architecture enables the isolation of compromised assets Y
Predefined states of operation are documented and can be implemented based on the cybersecurity state of the function or when triggered by activities in other domains N
Cybersecurity incident responses leverage and trigger predefined states of operation (SITUATION-3g) N
Continuity plans are developed to sustain and restore operation of the function if a cybersecurity event or incident occurs, at least in an ad hoc manner N
Data backups are available and tested, at least in an ad hoc manner N
IT and OT assets requiring spares are identified, at least in an ad hoc manner N
The assets and activities necessary to sustain minimum operations of the function are identified and documented in continuity plans N
Continuity plans address IT, OT, and information assets that are important to the delivery of the function, including the availability of backup data and replacement, redundant, and spare IT and OT assets N
Continuity plans are tested through evaluations and exercises periodically and according to defined triggers, such as system changes and external events N
Spares for selected IT and OT assets are available N
Indicators of anomalous activity are evaluated and updated periodically and according to defined triggers, such as system changes and external events N
A documented cybersecurity architecture is established and maintained that includes IT and OT systems and networks and aligns with system and asset categorization and prioritization N
Event information is correlated to support incident analysis by identifying patterns, trends, and other common features N
Cybersecurity incidents are correlated to identify patterns, trends, and other common features across multiple incidents N
Cybersecurity incident root-cause analysis is performed and corrective actions are taken, including updates to the incident response plan N
Log data are being aggregated within the function Y
Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner N
Monitoring data are aggregated to provide an understanding of the operational state of the function N
Relevant information from across the organization is available to enhance situational awareness N
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function N
Event information is correlated to support incident analysis by identifying patterns, trends, and other common features N
Cybersecurity incidents are correlated to identify patterns, trends, and other common features across multiple incidents N
Cybersecurity events are analyzed to support the declaration of cybersecurity incidents, at least in an ad hoc manner N
Cybersecurity incident declaration criteria are formally established based on potential impact to the function Y
Cybersecurity events are declared to be incidents based on established criteria Y
Situational awareness reporting requirements have been defined and address timely dissemination of cybersecurity information to organization-defined stakeholders Y
Criteria for declaring cybersecurity incidents are established, at least in an ad hoc manner N
Cybersecurity incident declaration criteria are formally established based on potential impact to the function Y
Internal and external stakeholders (for example, executives, attorneys, government agencies, connected organizations, vendors, sector organizations, regulators) are identified and notified of incidents based on situational awareness reporting requirements (SITUATION-3d) Y
Cybersecurity incident criteria that trigger the execution of continuity plans are established and communicated to incident response and continuity management personnel Y
Anomalous logical access attempts are monitored as indicators of cybersecurity events N
Logging is occurring for assets that are important to the delivery of the function, at least in an ad hoc manner Y
Periodic reviews of log data or other cybersecurity monitoring activities are performed, at least in an ad hoc manner Y
Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner N
More rigorous monitoring is performed for higher priority assets N
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function N
Situational awareness for the function is monitored to support the identification of cybersecurity events N
Network protections include monitoring, analysis, and control of network traffic for selected security zones (for example, firewalls, allowlisting, intrusion detection and prevention systems (IDPS)) Y
Web traffic and email are monitored, analyzed, and controlled (for example, malicious link blocking, suspicious download blocking, email authentication techniques, IP address blocking) N
Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring N
Physical access is monitored to identify potential cybersecurity events N
Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner N
More rigorous monitoring is performed for higher priority assets N
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function N
Situational awareness for the function is monitored to support the identification of cybersecurity events N
The physical operating environment is controlled to protect the operation of assets within the function N
Logical access privileges that pose higher risk to the function receive additional scrutiny and monitoring N
Anomalous logical access attempts are monitored as indicators of cybersecurity events N
Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring N
Physical access is monitored to identify potential cybersecurity events N
Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner N
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function N
Situational awareness for the function is monitored to support the identification of cybersecurity events N
Web traffic and email are monitored, analyzed, and controlled (for example, malicious link blocking, suspicious download blocking, email authentication techniques, IP address blocking) N
Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner N
A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function N
Endpoint protections (such as secure configuration, security


applications, and host monitoring) are implemented to protect
assets that are important to the delivery of the function, where Y
feasible, at least in an ad hoc manner

Security applications are required as an element of device


configuration where feasible (for example, endpoint detection and Y
response, host-based firewalls)
Controls (such as allowlists, blocklists, and configuration settings) are
implemented to prevent the execution of unauthorized code Y
Data and alerts from network and host monitoring infrastructure
assets are periodically reviewed, at least in an ad hoc manner N
A capability is established and maintained to aggregate, correlate,
and analyze the outputs of cybersecurity monitoring activities and
provide a near-real-time understanding of the cybersecurity state of N
the function

Endpoint protections (such as secure configuration, security


applications, and host monitoring) are implemented to protect
assets that are important to the delivery of the function, where Y
feasible, at least in an ad hoc manner

Controls (such as allowlists, blocklists, and configuration settings) are


implemented to prevent the execution of unauthorized code Y
Logical access privileges that pose higher risk to the function receive
additional scrutiny and monitoring N
Anomalous logical access attempts are monitored as indicators of
cybersecurity events N
Physical access privileges that pose higher risk to the function
receive additional scrutiny and monitoring N
Data and alerts from network and host monitoring infrastructure
assets are periodically reviewed, at least in an ad hoc manner N
More rigorous monitoring is performed for higher priority assets
N
A capability is established and maintained to aggregate, correlate,
and analyze the outputs of cybersecurity monitoring activities and
provide a near-real-time understanding of the cybersecurity state of N
the function

Situational awareness for the function is monitored to support the


identification of cybersecurity events N
Logical access privileges that pose higher risk to the function receive
additional scrutiny and monitoring N
Anomalous logical access attempts are monitored as indicators of
cybersecurity events Y
Physical access privileges that pose higher risk to the function
receive additional scrutiny and monitoring N
Physical access is monitored to identify potential cybersecurity
events Y
Data and alerts from network and host monitoring infrastructure
assets are periodically reviewed, at least in an ad hoc manner Y
More rigorous monitoring is performed for higher priority assets
Y
A capability is established and maintained to aggregate, correlate,
and analyze the outputs of cybersecurity monitoring activities and
provide a near-real-time understanding of the cybersecurity state of Y
the function

Situational awareness for the function is monitored to support the


identification of cybersecurity events Y
Network protections include monitoring, analysis, and control of
network traffic for selected security zones (for example, firewalls, Y
allowlisting, intrusion detection and prevention systems (IDPS))
Device connections to the network are controlled to ensure that only
authorized devices can connect (for example, network access control Y
(NAC))
Endpoint protections (such as secure configuration, security
applications, and host monitoring) are implemented to protect
assets that are important to the delivery of the function, where N
feasible, at least in an ad hoc manner

The use of removeable media is controlled (for example, limiting the


use of USB devices, managing external hard drives) N
The physical operating environment is controlled to protect the
operation of assets within the function N
Controls (such as allowlists, blocklists, and configuration settings) are
implemented to prevent the execution of unauthorized code Y
Cybersecurity vulnerability assessments are performed, at least in an
ad hoc manner Y
Cybersecurity vulnerability assessments are performed periodically
and according to defined triggers, such as system changes and Y
external events

Monitoring and analysis requirements are established and


maintained for the function and address timely review of event data N

Responsibility, accountability, and authority for the performance of


activities in the SITUATION domain are assigned to personnel Y
Cybersecurity incident response personnel are identified, and roles
are assigned, at least in an ad hoc manner N
Responsibility, accountability, and authority for the performance of
activities in the RESPONSE domain are assigned to personnel Y
Cybersecurity responsibilities for the function are identified, at least
in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific people, at least
in an ad hoc manner Y
Cybersecurity responsibilities are assigned to specific roles, including
external service providers N
Cybersecurity responsibilities are documented
N
Cybersecurity responsibilities and job requirements are reviewed
and updated periodically and according to defined triggers, such as N
system changes and changes to organizational structure
Monitoring and analysis requirements are established and
maintained for the function and address timely review of event data Y
Criteria are established for cybersecurity event detection (for
example, what constitutes a cybersecurity event, where to look for N
cybersecurity events)
Cybersecurity events are documented based on the established
criteria N
Up-to-date policies or other organizational directives define
requirements for activities in the RESPONSE domain Y
The cybersecurity program strategy identifies any applicable
compliance requirements that must be satisfied by the program (for
example, NERC CIP, TSA Pipeline Security Guidelines, PCI DSS, ISO, Y
DoD CMMC)
The cybersecurity program addresses and enables the achievement
of legal and regulatory compliance, as appropriate Y
Cybersecurity vulnerability assessments are performed, at least in an
ad hoc manner Y
Cybersecurity controls are evaluated to determine whether they are
designed appropriately and are operating as intended to mitigate Y
identified cyber risks
Monitoring and analysis requirements are established and
maintained for the function and address timely review of event data Y

Indicators of anomalous activity are evaluated and updated


periodically and according to defined triggers, such as system Y
changes and external events
Cybersecurity incident response plan exercises are conducted
periodically and according to defined triggers, such as system Y
changes and external events
Threat information is exchanged with stakeholders (for example,
executives, operations staff, government, connected organizations,
vendors, sector organizations, regulators, Information Sharing and N
Analysis Centers [ISACs])

Situational awareness reporting requirements have been defined


and address timely dissemination of cybersecurity information to Y
organization-defined stakeholders
Detected cybersecurity events are reported to a specified person or
role and documented, at least in an ad hoc manner Y
Internal and external stakeholders (for example, executives,
attorneys, government agencies, connected organizations, vendors,
sector organizations, regulators) are identified and notified of
incidents based on situational awareness reporting requirements Y
(SITUATION-3d)

Cybersecurity incident responses are coordinated with vendors, law


enforcement, and other external entities as appropriate, including N
support for evidence collection and preservation
Monitoring and analysis requirements are established and
maintained for the function and address timely review of event data N
The effectiveness of activities in the SITUATION domain is evaluated
and tracked N
Cybersecurity event detection activities are adjusted based on
identified risks and the organization's threat profile (THREAT-2e) N
Cybersecurity incident lessons-learned activities are performed and
corrective actions are taken, including updates to the incident N
response plan
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident N
response plan
The effectiveness of activities in the RESPONSE domain is evaluated
and tracked N

Responses to cybersecurity incidents are executed, at least in an ad


hoc manner, to limit impact to the function and restore normal N
operations
Cybersecurity incident response is executed according to defined
plans and procedures Y
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident N
response plan
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including N
support for evidence collection and preservation
Continuity plans are developed to sustain and restore operation of
the function if a cybersecurity event or incident occurs, at least in an N
ad hoc manner
Documented procedures are established, followed, and maintained
for activities in the RESPONSE domain N

Responsibility, accountability, and authority for the performance of


activities in the SITUATION domain are assigned to personnel Y
Cybersecurity incident response personnel are identified, and roles
are assigned, at least in an ad hoc manner Y
Cybersecurity incident response is executed according to defined
plans and procedures Y
Responsibility, accountability, and authority for the performance of
activities in the RESPONSE domain are assigned to personnel Y
Personnel performing activities in the RESPONSE domain have the
skills and knowledge needed to perform their assigned Y
responsibilities
Cybersecurity responsibilities for the function are identified, at least
in an ad hoc manner N
Cybersecurity responsibilities are assigned to specific people, at least
in an ad hoc manner N
Cybersecurity responsibilities are assigned to specific roles, including
external service providers N
Cybersecurity responsibilities are documented
N
Situational awareness reporting requirements have been defined
and address timely dissemination of cybersecurity information to Y
organization-defined stakeholders
Detected cybersecurity events are reported to a specified person or
role and documented, at least in an ad hoc manner N
Cybersecurity events are documented based on the established
criteria N
There is a repository where cybersecurity events and incidents are
documented and tracked to closure N
Internal and external stakeholders (for example, executives,
attorneys, government agencies, connected organizations, vendors,
sector organizations, regulators) are identified and notified of
incidents based on situational awareness reporting requirements Y
(SITUATION-3d)

Reporting of incidents is performed (for example, internal reporting,


ICS-CERT, relevant ISACs), at least in an ad hoc manner Y
Cybersecurity incident response is executed according to defined
plans and procedures Y
Information on discovered cybersecurity vulnerabilities is shared
with organization-defined stakeholders N
Methods of communicating the current state of cybersecurity for the
function are established and maintained N
Relevant information from across the organization is available to
enhance situational awareness N
Situational awareness reporting requirements have been defined
and address timely dissemination of cybersecurity information to Y
organization-defined stakeholders
Internal and external stakeholders (for example, executives,
attorneys, government agencies, connected organizations, vendors,
sector organizations, regulators) are identified and notified of
incidents based on situational awareness reporting requirements Y
(SITUATION-3d)

Reporting of incidents is performed (for example, internal reporting,


ICS-CERT, relevant ISACs), at least in an ad hoc manner Y
Cybersecurity incident response is executed according to defined
plans and procedures Y
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including Y
support for evidence collection and preservation
Situational awareness reporting requirements have been defined
and address timely dissemination of cybersecurity information to Y
organization-defined stakeholders
Internal and external stakeholders (for example, executives,
attorneys, government agencies, connected organizations, vendors,
sector organizations, regulators) are identified and notified of
incidents based on situational awareness reporting requirements Y
(SITUATION-3d)

Reporting of incidents is performed (for example, internal reporting,


ICS-CERT, relevant ISACs), at least in an ad hoc manner Y
Cybersecurity incident response is executed according to defined
plans and procedures Y
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including Y
support for evidence collection and preservation
Information on discovered cybersecurity vulnerabilities is shared
with organization-defined stakeholders Y
Mechanisms are established and maintained to receive and respond
to reports from the public or external parties of potential
vulnerabilities related to the organization's IT and OT assets, such as N
public-facing websites or mobile applications

Threat information is exchanged with stakeholders (for example,


executives, operations staff, government, connected organizations,
vendors, sector organizations, regulators, Information Sharing and Y
Analysis Centers [ISACs])

Relevant information from across the organization is available to


enhance situational awareness N
Situational awareness reporting requirements have been defined
and address timely dissemination of cybersecurity information to Y
organization-defined stakeholders
Relevant information from outside the organization is collected and
made available across the organization to enhance situational N
awareness
Internal and external stakeholders (for example, executives,
attorneys, government agencies, connected organizations, vendors,
sector organizations, regulators) are identified and notified of
incidents based on situational awareness reporting requirements Y
(SITUATION-3d)

Reporting of incidents is performed (for example, internal reporting,


ICS-CERT, relevant ISACs), at least in an ad hoc manner Y
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including Y
support for evidence collection and preservation

Event information is correlated to support incident analysis by


identifying patterns, trends, and other common features N
Cybersecurity events are analyzed to support the declaration of
cybersecurity incidents, at least in an ad hoc manner Y
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident N
response plan
Data and alerts from network and host monitoring infrastructure
assets are periodically reviewed, at least in an ad hoc manner N
Results from cyber risk impact analyses and cybersecurity control
evaluations are reviewed together by enterprise leadership to
determine whether cyber risks are sufficiently mitigated, and risk Y
tolerances are not exceeded

Cybersecurity incident root-cause analysis is performed and


corrective actions are taken, including updates to the incident Y
response plan
Continuity plans address potential impacts from cybersecurity Y
incidents
Cybersecurity incident criteria that trigger the execution of
continuity plans are established and communicated to incident Y
response and continuity management personnel
Cybersecurity incident response plans that address all phases of the
incident lifecycle are established and maintained N
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident N
response plan
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including N
support for evidence collection and preservation
Event information is correlated to support incident analysis by
identifying patterns, trends, and other common features N
Criteria for declaring cybersecurity incidents are established, at least
in an ad hoc manner N
Cybersecurity incident response is executed according to defined
plans and procedures N
Cybersecurity incident criteria that trigger the execution of
continuity plans are established and communicated to incident N
response and continuity management personnel
Information sources to support cybersecurity vulnerability discovery
are identified, at least in an ad hoc manner
N

Cybersecurity vulnerability information is gathered and interpreted


for the function, at least in an ad hoc manner
Y

Cybersecurity vulnerability information sources that collectively


address higher priority assets are monitored
N
Identified cybersecurity vulnerabilities are analyzed and prioritized,
and are addressed accordingly
Y

Cybersecurity vulnerability information sources that collectively


address all IT and OT assets within the function are monitored
N

Vulnerability monitoring activities include review to confirm that


actions taken in response to cybersecurity vulnerabilities were
effective Y

Mechanisms are established and maintained to receive and respond


to reports from the public or external parties of potential
vulnerabilities related to the organization's IT and OT assets, such as Y
public-facing websites or mobile applications

Internal and external information sources to support threat


management activities are identified, at least in an ad hoc manner
N

Information about cybersecurity threats is gathered and interpreted


for the function, at least in an ad hoc manner
Y

Documented procedures are established, followed, and maintained


for activities in the THREAT domain
Y

Relevant information from outside the organization is collected and


made available across the organization to enhance situational
awareness Y

A capability is established and maintained to aggregate, correlate,


and analyze the outputs of cybersecurity monitoring activities and
provide a near-real-time understanding of the cybersecurity state of Y
the function

Responses to cybersecurity incidents are executed, at least in an ad


hoc manner, to limit impact to the function and restore normal Y
operations
Cybersecurity incident response is executed according to defined
plans and procedures Y
The cybersecurity architecture enables the isolation of compromised
assets Y
Responses to cybersecurity incidents are executed, at least in an ad
hoc manner, to limit impact to the function and restore normal N
operations
Cybersecurity incident response is executed according to defined
plans and procedures N
Cybersecurity vulnerabilities that are relevant to the delivery of the
function are mitigated, at least in an ad hoc manner Y
Identified cybersecurity vulnerabilities are analyzed and prioritized,
and are addressed accordingly N
Vulnerability management information from THREAT domain
activities is used to update cyber risks and identify new risks (such as
risks arising from vulnerabilities that pose an ongoing risk to the Y
organization or newly identified vulnerabilities)

Cybersecurity incident declaration criteria are updated periodically


and according to defined triggers, such as organizational changes, Y
lessons learned from plan execution, or newly identified threats
Cybersecurity incident lessons-learned activities are performed and
corrective actions are taken, including updates to the incident Y
response plan
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident Y
response plan
The results of continuity plan testing or activation are compared to
recovery objectives, and plans are improved accordingly Y
Continuity plans are periodically reviewed and updated Y
Documented procedures are established, followed, and maintained
for activities in the RESPONSE domain Y
Cybersecurity incident response plans that address all phases of the
incident lifecycle are established and maintained N
Cybersecurity incident lessons-learned activities are performed and
corrective actions are taken, including updates to the incident Y
response plan
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident Y
response plan
Continuity plans address potential impacts from cybersecurity
incidents N
The results of continuity plan testing or activation are compared to
recovery objectives, and plans are improved accordingly Y
Continuity plans are periodically reviewed and updated Y
Up-to-date policies or other organizational directives define
requirements for activities in the RESPONSE domain Y
Responses to cybersecurity incidents are executed, at least in an ad
hoc manner, to limit impact to the function and restore normal Y
operations
Cybersecurity incident response is executed according to defined
plans and procedures Y
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including N
support for evidence collection and preservation
Continuity plans are developed to sustain and restore operation of
the function if a cybersecurity event or incident occurs, at least in an Y
ad hoc manner
Documented procedures are established, followed, and maintained
for activities in the RESPONSE domain N

Cybersecurity incident response plans that address all phases of the


incident lifecycle are established and maintained Y
Cybersecurity incident lessons-learned activities are performed and
corrective actions are taken, including updates to the incident Y
response plan
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident Y
response plan
Continuity plans are tested through evaluations and exercises
periodically and according to defined triggers, such as system N
changes and external events
The results of continuity plan testing or activation are compared to
recovery objectives, and plans are improved accordingly Y
Continuity plans are periodically reviewed and updated Y
Documented procedures are established, followed, and maintained
for activities in the RESPONSE domain Y
Cybersecurity incident lessons-learned activities are performed and
corrective actions are taken, including updates to the incident Y
response plan
Cybersecurity incident root-cause analysis is performed and
corrective actions are taken, including updates to the incident Y
response plan
Continuity plans address potential impacts from cybersecurity
incidents N
The results of continuity plan testing or activation are compared to
recovery objectives, and plans are improved accordingly Y
Continuity plans are periodically reviewed and updated Y
Up-to-date policies or other organizational directives define
requirements for activities in the RESPONSE domain Y
Cybersecurity incident response plans include a communications
plan for internal and external stakeholders N
Cybersecurity incident response plans include a communications
plan for internal and external stakeholders N
Situational awareness reporting requirements have been defined
and address timely dissemination of cybersecurity information to Y
organization-defined stakeholders
Internal and external stakeholders (for example, executives,
attorneys, government agencies, connected organizations, vendors,
sector organizations, regulators) are identified and notified of
incidents based on situational awareness reporting requirements Y
(SITUATION-3d)

Cybersecurity incident response plans include a communications


plan for internal and external stakeholders Y
Cybersecurity incident responses are coordinated with vendors, law
enforcement, and other external entities as appropriate, including Y
support for evidence collection and preservation
Group Identifier (optional)    Strength of Relationship (optional)    Comments (optional)

ID.AM-1:G1 6

ID.AM-1:G1 7

ID.AM-1:G1 7

ID.AM-2:G1 6

ID.AM-2:G1 7

ID.AM-2:G1 7

ID.AM-2:G1 7

ID.AM-4:G1 6

ID.AM-4:G1 7

ID.AM-4:G1 7

ID.AM-4:G1 7

6
3

ID.AM-6:G1 5

ID.AM-6:G1 8

ID.AM-6:G1 5

ID.AM-6:G1 6

ID.AM-6:G1 6

5
5

6
4

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4
ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 3

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4

ID.GV-1:G1 6

ID.GV-1:G1 4

7
5

3
4

ID.GV-3:G1 6
ID.GV-3:G1 6

ID.GV-3:G1 6

8
6

ID.RA-2:G1 8

ID.RA-2:G1 7

ID.RA-2:G1 9

ID.RA-2:G1 7

ID.RA-3:G1 6

ID.RA-3:G1 6

ID.RA-3:G1 5

4
6

ID.RA-5:G1 4

ID.RA-5:G1 4

ID.RA-5:G1 8

ID.RA-5:G1 6

ID.RA-5:G1 8

ID.RA-5:G1 8

7
ID.RM-1:G1 6

ID.RM-1:G1 6

ID.RM-1:G1 5

ID.RM-1:G1 5

ID.RM-1:G1 4

ID.RM-1:G1 4

ID.RM-1:G1 4

ID.RM-1:G1 4

ID.RM-1:G1 4

ID.RM-1:G1 6

ID.RM-1:G1 6

ID.RM-1:G1 6

ID.RM-3:G1 6

ID.RM-3:G1 4
4

ID.RM-3:G1 4

ID.RM-3:G1 6

ID.SC-2:G1 7

ID.SC-2:G1 7

ID.SC-2:G1 7

ID.SC-2:G1 5

ID.SC-2:G1 5
10

PR.AC-1:G1 9

PR.AC-1:G1 9

PR.AC-1:G1 9

PR.AC-1:G1 9

PR.AC-1:G1 7
PR.AC-1:G1 7

PR.AC-1:G1 7

PR.AC-1:G1 5

PR.AC-1:G1 4

PR.AC-1:G1 4

PR.AC-2:G1 9

PR.AC-2:G1 6
PR.AC-2:G1 7

PR.AC-2:G1 5

PR.AC-2:G1 5

PR.AC-2:G1 5

PR.AC-2:G1 5

PR.AC-2:G1 6
PR.AC-2:G1 6
PR.AC-2:G1 5

PR.AC-2:G1 5

PR.AC-2:G1 6

PR.AC-3:G1 6

PR.AC-3:G1 7

3
PR.AC-3:G1 7

PR.AC-3:G1 6

PR.AC-4:G1 6

PR.AC-4:G1 8

PR.AC-4:G1 4

PR.AC-4:G1 6

PR.AC-4:G1 9

PR.AC-4:G1 6

PR.AC-4:G1 3

PR.AC-4:G1 6

7
2

PR.AC-5:G1 6

PR.AC-5:G1 4

PR.AC-5:G1 6

PR.AC-5:G1 6

PR.AC-5:G1 7

PR.AC-5:G1 5

PR.AC-5:G1 4

PR.AC-5:G1 4

PR.AC-5:G1 7

PR.AC-6:G1 7

PR.AC-6:G1 6

PR.AC-6:G1 6

PR.AC-6:G1 4

10

8
PR.AC-7:G1 8

PR.AC-7:G1 8

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 6

PR.AT-1:G1 8
9
PR.AT-1:G1 7

PR.AT-1:G1 4
PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-1:G1 5

PR.AT-2:G1 7

PR.AT-2:G1 7

PR.AT-2:G1 7

PR.AT-2:G1 7

PR.AT-2:G1 7

PR.AT-2:G1 6

PR.AT-2:G1 5

PR.AT-2:G1 5

PR.AT-2:G1 6
PR.AT-2:G1 5
PR.AT-2:G1 7

PR.AT-2:G1 7

PR.AT-3:G1 7

PR.AT-3:G1 7
PR.AT-3:G1 7

PR.AT-3:G1 7

PR.AT-3:G1 7

PR.AT-3:G1 7

PR.AT-3:G1 7

PR.AT-3:G1 6

PR.AT-3:G1 5

PR.AT-3:G1 6

PR.AT-3:G1 5

PR.AT-3:G1 7

PR.AT-3:G1 7

PR.AT-3:G1 3

PR.AT-3:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 7
PR.AT-4:G1 6

PR.AT-4:G1 5

PR.AT-4:G1 6
PR.AT-4:G1 5
PR.AT-4:G1 7

PR.AT-4:G1 7

PR.AT-4:G1 6

PR.AT-4:G1 3

PR.AT-4:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 6

PR.AT-5:G1 5

PR.AT-5:G1 6

PR.AT-5:G1 3

PR.AT-5:G1 7

PR.AT-5:G1 7

PR.AT-5:G1 4
PR.AT-5:G1 7

PR.DS-1:G1 4

7
PR.DS-1:G1 8
PR.DS-1:G1 8
PR.DS-1:G1 6

PR.DS-1:G1 7

PR.DS-1:G1 7

PR.DS-1:G1 6

PR.DS-1:G1 7
8
6

4
3

PR.DS-5:G1 4

PR.DS-5:G1 6
6

6
6
6
6
7

PR.DS-5:G1 10

PR.DS-6:G1 3

PR.DS-6:G1 7

PR.DS-6:G1 6

PR.DS-7:G1 5

PR.DS-7:G1 5

PR.DS-7:G1 5

PR.DS-7:G1 5

PR.IP-1:G1 8
7

PR.IP-1:G1 6

PR.IP-1:G1 7

PR.IP-1:G1 6

PR.IP-1:G1 6

PR.IP-1:G1 7

PR.IP-3:G1 4

PR.IP-3:G1 4

PR.IP-3:G1 4
PR.IP-3:G1 4

PR.IP-3:G1 6

PR.IP-3:G1 6
PR.IP-3:G1 6
4
PR.IP-3:G1 5
4
2

PR.IP-3:G1 5

PR.IP-3:G1 6

10

PR.IP-6:G1 8
PR.IP-6:G1 8

4
4

PR.IP-9:G1 5

PR.IP-9:G1 3

PR.IP-9:G1 5

PR.IP-9:G1 8

PR.IP-9:G1 8

PR.IP-9:G1 8

PR.IP-9:G1 7

PR.IP-9:G1 5

PR.IP-9:G1 8

PR.IP-9:G1 8

PR.IP-9:G1 8

PR.IP-9:G1 7
PR.IP-9:G1 8

PR.IP-10:G1 3

PR.IP-10:G1 8

PR.IP-10:G1 8

PR.IP-10:G1 7

6
6

PR.IP-11:G1 5

PR.IP-11:G1 6

PR.IP-11:G1 5

PR.IP-11:G1 5

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6
PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 6

PR.IP-11:G1 7

PR.IP-12:G1 5

PR.IP-12:G1 6

6
4

PR.PT-1:G1 9

PR.PT-1:G1 9

PR.PT-1:G1 9

PR.PT-1:G1 8

PR.PT-1:G1 6

PR.PT-1:G1 7

PR.PT-1:G1 4

PR.PT-2:G1 7

PR.PT-2:G1 6

PR.PT-2:G1 5

PR.PT-3:G1 8

PR.PT-3:G1 4

PR.PT-3:G1 8

PR.PT-3:G1 6
5

PR.PT-4:G1 2

PR.PT-4:G1 6

PR.PT-4:G1 5

PR.PT-4:G1 6

PR.PT-4:G1 4

PR.PT-4:G1 7

PR.PT-4:G1 7

PR.PT-4:G1 5

PR.PT-4:G1 7

PR.PT-4:G1 7

PR.PT-4:G1 7

PR.PT-4:G1 7

5
5

10

6
5

DE.AE-4:G1 6

DE.AE-4:G1 9

DE.AE-5:G1 6

DE.AE-5:G1 6

DE.AE-5:G1 6

DE.AE-5:G1 6

DE.CM-1:G1 8

DE.CM-1:G1 8

7
7

DE.CM-1:G1 8

5
7

DE.CM-4:G1 5

DE.CM-4:G1 6
DE.CM-4:G1 5

DE.CM-5:G1 5

DE.CM-5:G1 5

DE.CM-7:G1 7

DE.CM-7:G1 7

DE.CM-7:G1 7

DE.CM-7:G1 5

DE.CM-7:G1 5

DE.CM-7:G1 5
DE.CM-7:G1 7

DE.CM-7:G1 7

DE.CM-7:G1 6

DE.CM-8:G1 7

DE.CM-8:G1 7

DE.DP-1:G1 8

DE.DP-1:G1 8

DE.DP-1:G1 4

DE.DP-1:G1 4

DE.DP-2:G1 8
5

DE.DP-2:G1 8

DE.DP-2:G1 8

DE.DP-2:G1 8

DE.DP-3:G1 7

DE.DP-3:G1 7

DE.DP-3:G1 6

DE.DP-3:G1 7

DE.DP-3:G1 6

DE.DP-4:G1 7

DE.DP-4:G1 7

DE.DP-4:G1 7

6
5

10

RS.CO-1:G1 6

RS.CO-1:G1 7

RS.CO-1:G1 7

RS.CO-1:G1 6

RS.CO-1:G1 7

4
5

RS.CO-2:G1 7

RS.CO-2:G1 7

RS.CO-2:G1 7

RS.CO-2:G1 7

RS.CO-3:G1 7

RS.CO-3:G1 7

RS.CO-3:G1 7

RS.CO-3:G1 7

RS.CO-3:G1 7
RS.CO-4:G1 5

RS.CO-4:G1 5

RS.CO-4:G1 6

RS.CO-4:G1 7

RS.CO-4:G1 7

RS.CO-5:G1 3

RS.CO-5:G1 7

RS.CO-5:G1 7

RS.CO-5:G1 5

RS.CO-5:G1 7

RS.CO-5:G1 7

3
6

RS.AN-2:G1 7

RS.AN-2:G1 4

RS.AN-2:G1 7

RS.AN-5:G1 7

4
RS.AN-5:G1 6

RS.AN-5:G1 7

RS.AN-5:G1 6

RS.AN-5:G1 7

RS.AN-5:G1 7

RS.AN-5:G1 7

RS.AN-5:G1 7

RS.MI-1:G1 8

RS.MI-1:G1 5

RS.MI-1:G1 6

8
5

RS.MI-3:G1 7

RS.MI-3:G1 7

RS.IM-1:G1 5

RS.IM-1:G1 8

RS.IM-1:G1 8

RS.IM-1:G1 7
RS.IM-1:G1 8
RS.IM-1:G1 2

RS.IM-2:G1 8

RS.IM-2:G1 8

RS.IM-2:G1 7
RS.IM-2:G1 8
RS.IM-2:G1 5
RC.RP-1:G1 7

RC.RP-1:G1 7

RC.RP-1:G1 7

RC.IM-1:G1 3

RC.IM-1:G1 7

RC.IM-1:G1 7

RC.IM-1:G1 7
RC.IM-1:G1 5
RC.IM-1:G1 2

RC.IM-2:G1 7

RC.IM-2:G1 7

RC.IM-2:G1 7
RC.IM-2:G1 7
RC.IM-2:G1 3
6

RC.CO-3:G1 6

RC.CO-3:G1 6

RC.CO-3:G1 8

RC.CO-3:G1 6
