
Source: FDD's Transformative Cyber Innovation Lab. For more information visit https://www.fdd.org/analysis/2021/07/22/

FDD CCTI/TCIL Product | Recommendation | Controls | NIST Cybersecurity Function

IDENTIFY (ID)
  SBOM | (recommendation and control mapping not legible in the extraction) |
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Access Control | all AC

PROTECT (PR)
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Avoiding Email Scams | AT-2
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Practicing Good Physical Security Habits | AT-3, PE-6
  Secure the Data, Not the Device | Firewalls, Intrusion Prevention System, and Endpoint Protection Platforms | AC-3, SC-7
  Secure the Data, Not the Device | Anticipating and Preventing Attacks | SC-28, SA-11
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Secure Socket Layer (SSL) Certificates | SC-8
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Access Control and Firewalls | all AC, SC-7, SI-4
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Firewalls, Intrusion Prevention System, and Endpoint Protection Platforms | SA-8, SA-11
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Backing up Data | AU-9, CP-9
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Access Control | all AC, SI-4
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Updating Software, Data Sanitization Tools | MA-3, MA-2
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Access Control | all AC
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Access Control | all AC, SC-7

DETECT (DE)
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Security Information and Event Management (SIEM) | SI-4
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses; Secure the Data, Not the Device | Security Information and Event Management (SIEM) | SI-4, SC-7
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Anti-Malware | SI-3, SI-4

RESPOND (RS)
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Security Information and Event Management (SIEM) | SI-4
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Recovering from Attacks | CP-2

RECOVER (RC)
  Cyber Hygiene 101 for Small- and Medium-Sized Businesses | Recovering from Attacks | CP-2
https://www.fdd.org/analysis/2021/07/22/comparison-of-cybersecurity-guidance-for-critical-infrastructure-sectors/

NIST Cybersecurity Framework Category | Subcategory | NIST SP 800-53, Revision 5 Control

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  ID.AM-1: Physical devices and systems within the organization are inventoried | CM-8, PM-5
  ID.AM-2: Software platforms and applications within the organization are inventoried | CM-8
  ID.AM-3: Organizational communication and data flows are mapped | AC-4, CA-3, CA-9, PL-8, PM-5, SA-17
  ID.AM-4: External information systems are catalogued | AC-20, SA-9
  ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | CP-2, RA-2, RA-9, SA-20, SC-6
  ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | CP-2, PS-7, PM-2, PM-29

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and roles, responsibilities, and risk management decisions.
  ID.BE-1: The organization’s role in the supply chain is identified and communicated | SR-1, SR-3
  ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | PM-8
  ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | PM-11
  ID.BE-4: Dependencies and critical functions for delivery of critical services are established | CP-2, CP-8, PE-9, PE-11, PM-8, SA-20
  ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states | CP-2, CP-11, RA-9, SA-8, SA-20

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity risk.
  ID.GV-1: Organizational cybersecurity policy is established and communicated | -1 controls from all security control families
  ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | PS-7, PS-9, PM-1, PM-2, PM-29
  ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | -1 controls from all security control families
  ID.GV-4: Governance and risk management processes address cybersecurity risks | PM-3, PM-7, PM-9, PM-10, PM-11, PM-28

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1: Asset vulnerabilities are identified and documented | CA-2, CA-5, CA-7, CA-8, PM-4, PM-15, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
  ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | PM-15, PM-16, RA-10, SI-5
  ID.RA-3: Threats, both internal and external, are identified and documented | PM-12, PM-16, RA-3, RA-10, SI-5
  ID.RA-4: Potential business impacts and likelihoods are identified | CP-2, PM-9, PM-11, RA-2, RA-3
  ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | CA-2, CA-7, PM-16, PM-28, RA-2, RA-3
  ID.RA-6: Risk responses are identified and prioritized | PM-4, PM-9, PM-28, RA-7

Risk Management Strategy (ID.RM): tolerances, and assumptions are established and used to support operational risk decisions.
  ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | PM-9, PM-28
  ID.RM-2: Organizational risk tolerance is determined and clearly expressed | PM-9
  ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | PM-8, PM-9, PM-11, RA-9

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The implemented the processes to identify, assess and manage supply chain risks.
  ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | PM-30, SA-9, SR-1, SR-2, SR-3, SR-5
  ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | PM-9, RA-3, SA-15, SR-2, SR-3, SR-5, SR-6
  ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | SA-4, SA-9, SR-2, SR-3, SR-5
  ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | AU-6, CA-2, CA-7, PS-7, SA-9, SA-11
  ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | CP-2, CP-4, IR-3, IR-4, IR-8, IR-9

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12
  PR.AC-2: Physical access to assets is managed and protected | PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-8, PE-9
  PR.AC-3: Remote access is managed | AC-1, AC-17, AC-19, AC-20, SC-15
  PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
  PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | AC-4, AC-10, SC-7, SC-10, SC-20
  PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | AC-16, IA-1, IA-2, IA-4, IA-5, IA-8, IA-12, PE-2, PS-3
  PR.AC-7: Users, devices, and other assets are authenticated commensurate with the risk of the transaction | AC-14, IA-1, IA-2, IA-3, IA-5, IA-8, IA-9, IA-10, IA-11

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security related duties and responsibilities consistent with related policies, procedures, and agreements.
  PR.AT-1: All users are informed and trained | AT-2, PM-13, PM-14
  PR.AT-2: Privileged users understand their roles and responsibilities | AT-3, PM-13
  PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | AT-3, PS-7, SA-9
  PR.AT-4: Senior executives understand their roles and responsibilities | AT-3, PM-13
  PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | AT-3, CP-3, IR-2, PM-13

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  PR.DS-1: Data-at-rest is protected | MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28
  PR.DS-2: Data-in-transit is protected | SC-8, SC-11
  PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | CM-8, MP-6, PE-16, PE-20
  PR.DS-4: Adequate capacity to ensure availability is maintained | AU-4, CP-2, PE-11, SC-5
  PR.DS-5: Protections against data leaks are implemented | AC-4, AC-5, AC-6, AU-13, PE-19, PS-6, SC-7, SI-4
  PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | SI-7, SI-10
  PR.DS-7: The development and testing environment(s) are separate from the production environment | CM-2
  PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | SA-10

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained | CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
  PR.IP-2: A System Development Life Cycle to manage systems is implemented | SA-3, SA-4, SA-8, SA-10, SA-11
  PR.IP-3: Configuration change control processes are in place | CM-3, CM-4, SA-10
  PR.IP-4: Backups of information are conducted, maintained, and tested | CP-4, CP-6, CP-9
  PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | PE-1
  PR.IP-6: Data is destroyed according to policy | MP-6, SR-12
  PR.IP-7: Protection processes are improved | CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
  PR.IP-8: Effectiveness of protection technologies is shared | AC-21, CA-7, CP-2, IR-8, SI-4
  PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | CP-1, CP-2, CP-7, CP-10, IR-1, IR-7, IR-8, IR-9
  PR.IP-10: Response and recovery plans are tested | CP-4, IR-3, PM-14
  PR.IP-11: Cybersecurity is included in human resources practices | PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, PS-9
  PR.IP-12: A vulnerability management plan is developed and implemented | RA-1, RA-3, RA-5, SI-2

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
  PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | MA-1, MA-2, MA-3, MA-5, MA-6, SA-21
  PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | MA-4

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
  PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16
  PR.PT-2: Removable media is protected and its use restricted according to policy | MP-1, MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
  PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | AC-3, CM-7
  PR.PT-4: Communications and control networks are protected | AC-12, AC-17, AC-18, CP-8, SC-5, SC-7, SC-10, SC-11, SC-20
  PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | CP-7, CP-8, CP-11, CP-12, CP-13, PE-11, PL-8, SC-6

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
  DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | AC-4, CA-3, CM-2, SC-16, SI-4
  DE.AE-2: Detected events are analyzed to understand attack targets and methods | AU-6, CA-7, IR-4, RA-5, SI-4
  DE.AE-3: Event data are collected and correlated from multiple sources and sensors | AU-6, CA-7, CP-2, IR-4, IR-5, IR-8, SI-4
  DE.AE-4: Impact of events is determined | CP-2, IR-4, RA-3, SI-4
  DE.AE-5: Incident alert thresholds are established | IR-4, IR-5, IR-8

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  DE.CM-1: The network is monitored to detect potential cybersecurity events | AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
  DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | CA-7, PE-6, PE-20
  DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
  DE.CM-4: Malicious code is detected | SC-18, SC-44, SI-3, SI-4, SI-8
  DE.CM-5: Unauthorized mobile code is detected | SC-18, SC-44, SI-4
  DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | CA-7, PS-7, SA-4, SA-9, SI-4
  DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | AU-12, CA-7, CM-3, CM-8, PE-6, PE-20, SI-4
  DE.CM-8: Vulnerability scans are performed | RA-5

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
  DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | CA-2, CA-7, PM-14
  DE.DP-2: Detection activities comply with all applicable requirements | CA-1, CA-2, CA-7, PM-14, SI-1, SI-4, SR-1, SR-9, SR-10, all -1 controls
  DE.DP-3: Detection processes are tested | CA-2, CA-7, PM-14, SI-3, SI-4
  DE.DP-4: Event detection information is communicated | AU-6, CA-2, CA-7, RA-5, SI-4
  DE.DP-5: Detection processes are continuously improved | CA-2, CA-7, PL-2, PM-14, RA-5, SI-4

RESPOND (RS)

Response Planning (RS.RP)
  RS.RP-1: Response plan is executed during or after an incident | CP-2, CP-10, IR-4, IR-8

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  RS.CO-1: Personnel know their roles and order of operations when a response is needed | CP-2, CP-3, IR-3, IR-8
  RS.CO-2: Incidents are reported consistent with established criteria | AU-6, IR-6, IR-8
  RS.CO-3: Information is shared consistent with response plans | CP-2, IR-4, IR-8, PE-6
  RS.CO-4: Coordination with stakeholders occurs consistent with response plans | CP-2, IR-4, IR-8
  RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | PM-15, SI-5

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  RS.AN-1: Notifications from detection systems are investigated | AU-6, CA-7, IR-4, IR-5, PE-6, RA-5, SI-4
  RS.AN-2: The impact of the incident is understood | CP-2, IR-4
  RS.AN-3: Forensics are performed | AU-7, IR-4
  RS.AN-4: Incidents are categorized consistent with response plans | CP-2, IR-4, IR-5, IR-8, RA-3
  RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources | CA-1, CA-2, CA-7, PM-4, PM-15, RA-1, RA-7, SI-5, SR-6

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  RS.MI-1: Incidents are contained | IR-4
  RS.MI-2: Incidents are mitigated | IR-4
  RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | CA-2, CA-7, RA-3, RA-5, RA-7

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
  RS.IM-1: Response plans incorporate lessons learned | CP-2, IR-4, IR-8
  RS.IM-2: Response strategies are updated | CP-2, IR-4, IR-8

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and
  RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | CP-10, IR-4, IR-8

Improvements (RC.IM): incorporating lessons learned into future activities.
  RC.IM-1: Recovery plans incorporate lessons learned | CP-2, IR-4, IR-8
  RC.IM-2: Recovery strategies are updated | CP-2, IR-4, IR-8

Communications (RC.CO): coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRTs), and vendors.
  RC.CO-1: Public relations are managed | IR-4
  RC.CO-2: Reputation is repaired after an incident | IR-4
  RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams | CP-2, IR-4
Chemical Sector: Cybersecurity Framework Implementation Guidance, 2015
https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/chemical-framework-implementation-guide-2015-50
Documents compared: Chemical Facilities Anti-Terrorism Standards (CFATS) Risk-Based Performance Standard 8 (RBPS-8); Chemical Security Assessment Tool (CSAT); American Chemical Council (ACC) Responsible Care Security Code (RCSC): Cybersecurity Guidance

Commercial Facilities Sector: Cybersecurity Framework Implementation Guidance, 2020
https://www.cisa.gov/sites/default/files/publications/Comm
Documents compared: Payment Card Industry Data Security Standards (PCI-DSS); Stadium Security Guide; ISO27001/2; COBIT

(Coverage matrix for these seven columns: the per-subcategory X marks survive only as unlabeled rows in the extraction.)
Communications Sector: The Communications Security, Reliability and Interoperability Council IV Working Group 4 Final Report (CSRIC IV WG4), 2015
https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
Document compared: Communication Cybersecurity Framework Profile

Critical Manufacturing Sector: Cybersecurity Framework Implementation Guidance, May 2020
https://www.cisa.gov/publication/critical-manufacturing-cybersecurity-framework-implementation
Documents compared: NISTIR 8183 Cybersecurity Framework Manufacturing Profile; ANSI/ISA 62443 Series of Standards on the Cybersecurity of Industrial Automation and Control Systems

Dams Sector: Cybersecurity Framework Implementation Guidance, May 2020
https://www.cisa.gov/sites/default/files/publicati
Document compared: Dams Sector Cybersecurity Capability Maturity Model (Dams-C2M2)

(Coverage matrix for these four columns: the per-subcategory X marks survive only as unlabeled rows in the extraction.)
Dams Sector: Cybersecurity Framework Implementation Guidance, May 2020
www.cisa.gov/sites/default/files/publications/Dams_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf

Defense Industrial Base Sector: NIST SP 800-171, 2020
https://www.cisa.gov/sites/default/files/publications/DIB_Guide_to_Imple
Document compared: Controlled Unclassified Information

Emergency Services Sector: Cybersecurity Framework Implementation Guidance, May 2020
https://www.cisa.gov/sites/default/files/publications/Em
Documents compared: Emergency Services Sector Cyber Risk Assessment (ESS-CRA); Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap)

Also on this page (Energy Sector columns): North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards; Electricity Subsector Cybersecurity Risk Management Process (RMP)

(Coverage matrix for these five columns: the per-subcategory X marks survive only as unlabeled rows in the extraction.)
Energy Sector: Cybersecurity Framework Implementation Guidance, Jan 2015
https://www.energy.gov/ceser/downloads/energy-sector-cybersecurity-framework-implementation-
Document compared: Energy Sector Cybersecurity Capability Maturity Model (C2M2) Program

Financial Services Sector: Federal Financial Institutions Examination Council (FFIEC), 2017
www.ffiec.gov/cyberassessment
Documents compared: FFIEC Cybersecurity Maturity Level 1; Level 2; Level 3

Food and Agriculture Sector: National Restaurant Association, 2016
Documents compared: Restaurant Industry Practices; Supporting Controls

Healthcare and Public Health Sector: HPH Framework Implementation guidance, 2015
https://us-cert.cisa.gov/sites/default/files/c3vp/
https://www.nist.gov/cyberframework/critical-infrastructu
Documents compared: HITRUST CSF; HIPAA Security Rule

(Coverage matrix for these eight columns: the per-subcategory X marks survive only as unlabeled rows in the extraction.)
Nuclear Reactors, Materials, and Waste Sector: Nuclear Sector: Cybersecurity Framework Implementation Guidance, 2015
https://www.cisa.gov/sites/default/files/publications/Nuclear_Sector_Cybersecurity_Framework_Implementation_Guidan
Document compared: U.S. Nuclear Power Reactor Strategy

Transportation Systems Sector: Transportation Systems Sector Cybersecurity Framework Implementation Guide, 2020
https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide

Water and Wastewater Systems Sector: American Water Works Association Cybersecurity Guidance, 2019
https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.p
Document compared: Water Sector Practices

(Coverage matrix for these columns: the per-subcategory X marks survive only as unlabeled rows in the extraction; several rows carry the flag "CSF v1.1 addition".)
NIST Cybersecurity Framework

Function | Category | Subcategory | Chemical Sector and Commercial Facilities Sector coverage

Chemical Sector: Cybersecurity Framework Implementation Guidance, 2015
https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/chemical-framework-implementati
Columns: Chemical Facilities Anti-Terrorism Standards (CFATS) Risk-Based Performance Standard 8 (RBPS-8); Chemical Security Assessment Tool (CSAT); American Chemical Council (ACC) Responsible Care Security Code (RCSC): Cybersecurity Guidance

Commercial Facilities Sector: Cybersecurity Framework Implementation Guidance, 2020
https://www.cisa.gov/sites/default/files/publi
Columns: Payment Card Industry Data Security Standards (PCI-DSS); Stadium Security Guide

Each X on a subcategory row marks coverage by one of these five documents (the extraction does not preserve which column each mark falls in).

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  ID.AM-1: Physical devices and systems within the organization are inventoried | X X X X X
  ID.AM-2: Software platforms and applications within the organization are inventoried | X X X X X
  ID.AM-3: Organizational communication and data flows are mapped | X X X X X
  ID.AM-4: External information systems are catalogued | X X X
  ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | X X X
  ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | X X X

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and roles, responsibilities, and risk management decisions.
  ID.BE-1: The organization’s role in the supply chain is identified and communicated | X X
  ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | X X
  ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | X
  ID.BE-4: Dependencies and critical functions for delivery of critical services are established | X X X
  ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | X

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity risk.
  ID.GV-1: Organizational cybersecurity policy is established and communicated | X X X X
  ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | X X X X
  ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | X X X
  ID.GV-4: Governance and risk management processes address cybersecurity risks | X X X

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1: Asset vulnerabilities are identified and documented | X X X X X
  ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | X X
  ID.RA-3: Threats, both internal and external, are identified and documented | X X X X
  ID.RA-4: Potential business impacts and likelihoods are identified | X X X X
  ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | X X X
  ID.RA-6: Risk responses are identified and prioritized | X X

Risk Management Strategy (ID.RM): tolerances, and assumptions are established and used to support operational risk decisions.
  ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | X X X X
  ID.RM-2: Organizational risk tolerance is determined and clearly expressed | X X
  ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | X

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The implemented the processes to identify, assess and manage supply chain risks.
  ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | X
  ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | X
  ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | X
  ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | X
  ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers |

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | X X X X X
  PR.AC-2: Physical access to assets is managed and protected | X X X X X
  PR.AC-3: Remote access is managed | X X X X X
  PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least | X X X X X

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security related duties and responsibilities consistent with related policies, procedures, and agreements.

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

RESPOND (RS)

Response Planning (RS.RP)

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and

Improvements (RC.IM): incorporating lessons learned into future activities.

Communications (RC.CO): coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRTs), and vendors.
privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., X X X X X
network segregation, network segmentation)

PR.AC-6: Identities are proofed and bound to X X


credentials and asserted in interactions

PR.AC-7: Users, devices, and other assets are X X


authenticated (e.g., single-factor, multi-factor)
commensurate with the risk of the transaction (e.g.,
individuals’
PR.AT-1: Allsecurity
users areandinformed
privacy risks and other
and trained X X X X X

PR.AT-2: Privileged users understand their roles and X X X X


responsibilities

PR.AT-3: Third-party stakeholders (e.g., suppliers, X X X


customers, partners) understand their roles and
responsibilities
PR.AT-4: Senior executives understand their roles and X X X
responsibilities

PR.AT-5: Physical and cybersecurity personnel X X X X


understand their roles and responsibilities

PR.DS-1: Data-at-rest is protected X X X

PR.DS-2: Data-in-transit is protected X X X

PR.DS-3: Assets are formally managed throughout X X X


removal, transfers, and disposition

PR.DS-4: Adequate capacity to ensure availability is X X X


maintained

PR.DS-5: Protections against data leaks are X X X X


implemented
PR.DS-6: Integrity checking mechanisms are used to X X X X
verify software, firmware, and information integrity

PR.DS-7: The development and testing X X X


environment(s) are separate from the production
environment
PR.DS-8: Integrity checking mechanisms are used to X
verify hardware integrity

PR.IP-1: A baseline configuration of information X X X


technology/industrial control systems is created and
maintained incorporating security principles (e.g.
concept
PR.IP-2:ofAleast functionality)
System Development Life Cycle to X X X
manage systems is implemented

PR.IP-3: Configuration change control processes are X X X X X


in place

PR.IP-4: Backups of information are conducted, X X X X


maintained, and tested

PR.IP-5: Policy and regulations regarding the physical X X X X X


operating environment for organizational assets are
met
PR.IP-6: Data is destroyed according to policy X X X

PR.IP-7: Protection processes are improved X X X

PR.IP-8: Effectiveness of protection technologies is X X X


shared

PR.IP-9: Response plans (Incident Response and X X X X X


Business Continuity) and recovery plans (Incident
Recovery and Disaster Recovery) are in place and
managed
PR.IP-10: Response and recovery plans are tested X X X X X

PR.IP-11: Cybersecurity is included in human X X X


resources practices (e.g., deprovisioning, personnel
screening)
PR.IP-12: A vulnerability management plan is X X X X X
developed and implemented

PR.MA-1: Maintenance and repair of organizational X X X X


assets are performed and logged, with approved and
controlled tools
PR.MA-2: Remote maintenance of organizational X X X
assets is approved, logged, and performed in a manner
that prevents unauthorized access
PR.PT-1: Audit/log records are determined, X X X X
documented, implemented, and reviewed in
accordance with policy
PR.PT-2: Removable media is protected and its use X X X X
restricted according to policy

PR.PT-3: The principle of least functionality is X X X X X


incorporated by configuring systems to provide only
essential capabilities
PR.PT-4: Communications and control networks are X X X X X
protected

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, X


hot swap) are implemented to achieve resilience
requirements in normal and adverse situations
DE.AE-1: A baseline of network operations and X X X X
expected data flows for users and systems is
established and managed
DE.AE-2: Detected events are analyzed to understand X X X
attack targets and methods

DE.AE-3: Event data are collected and correlated X X X X


from multiple sources and sensors

DE.AE-4: Impact of events is determined X X

DE.AE-5: Incident alert thresholds are established X X X

DE.CM-1: The network is monitored to detect X X X X X


potential cybersecurity events

DE.CM-2: The physical environment is monitored to X X X X X


detect potential cybersecurity events

DE.CM-3: Personnel activity is monitored to detect X X X X


potential cybersecurity events

DE.CM-4: Malicious code is detected X X X X X

DE.CM-5: Unauthorized mobile code is detected X X

DE.CM-6: External service provider activity is X X


monitored to detect potential cybersecurity events

DE.CM-7: Monitoring for unauthorized personnel, X X X X X


connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed X X X X

DE.DP-1: Roles and responsibilities for detection are X X X


well defined to ensure accountability

DE.DP-2: Detection activities comply with all X X


applicable requirements

DE.DP-3: Detection processes are tested X X X

DE.DP-4: Event detection information is X X X X


communicated

DE.DP-5: Detection processes are continuously X X X


improved

RS.RP-1: Response plan is executed during or after an X X


incident

RS.CO-1: Personnel know their roles and order of X X


operations when a response is needed

RS.CO-2: Incidents are reported consistent with X X X


established criteria

RS.CO-3: Information is shared consistent with X X X


response plans

RS.CO-4: Coordination with stakeholders occurs X X


consistent with response plans

RS.CO-5: Voluntary information sharing occurs with X


external stakeholders to achieve broader cybersecurity
situational awareness
RS.AN-1: Notifications from detection systems are X X X
investigated

RS.AN-2: The impact of the incident is understood X X X

RS.AN-3: Forensics are performed X X

RS.AN-4: Incidents are categorized consistent with X X X


response plans

RS.AN-5: Processes are established to receive, X


analyze and respond to vulnerabilities disclosed to the
organization from internal and external sources (e.g.
internal testing, security bulletins, or security
RS.MI-1: Incidents are contained X X X

RS.MI-2: Incidents are mitigated X X

RS.MI-3: Newly identified vulnerabilities are X X X


mitigated or documented as accepted risks

RS.IM-1: Response plans incorporate lessons learned X X X

RS.IM-2: Response strategies are updated X X

RC.RP-1: Recovery plan is executed during or after a X X


cybersecurity incident

RC.IM-1: Recovery plans incorporate lessons learned X X

RC.IM-2: Recovery strategies are updated X X

RC.CO-1: Public relations are managed X

RC.CO-2: Reputation is repaired after an incident X

RC.CO-3: Recovery activities are communicated to X X


internal and external stakeholders as well as executive
and management teams
Commercial Facilities Sector
  Source: Commercial Facilities Sector: The Cybersecurity Framework Implementation Guidance, 2020
  cisa.gov/sites/default/files/publications/Commercial_Facilities_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf
  Columns: ISO 27001/2; COBIT

Communications Sector
  Source: The Communications Security, Reliability and Interoperability Council (CSRIC) IV Working Group 4 Final Report, 2015
  https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
  Column: CSRIC "Operational Requirement(s)" / "Technology Requirement(s)" notes per subcategory

Critical Manufacturing Sector
  Source: Critical Manufacturing Sector: Cybersecurity Framework Implementation Guidance, May 2020
  https://www.cisa.gov/publication/critical-manufacturing-cybersecurity-framework-implementation-guidance
  Columns: NISTIR 8183 Cybersecurity Framework Manufacturing Profile; ANSI/ISA 62443 Series of Standards on the Cybersecurity of Industrial Automation and Control Systems

Dams Sector
  Source: Dams Sector: Cybersecurity Framework Implementation Guidance, May 2020
  https://www.cisa.gov/sites/default/files/publications/Dams_
  Columns: Dams Sector Cybersecurity Capability Maturity Model (Dams-C2M2); North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards; Electricity Subsector Cybersecurity Risk Management Process (RMP)
[Crosswalk grid for the Commercial Facilities, Communications, Critical Manufacturing and Dams Sector columns above: one row per NIST CSF subcategory, in the same order as the subcategory list, with an X in each column whose guidance maps to that subcategory. The Communications Sector column carries a short CSRIC "Operational Requirement(s)" (in one row "Technology Requirement(s)") note per subcategory, e.g. "Appropriate and adequate Operations staff may be ...", "The organization can determine 'who internally' needs to ...", "Organizations may consider deploying various tools and ...", "Organizations may monitor and establish BASELINE ...", "Organizations may TEST formalized Incident ...", "For critical infrastructure, the organization and ..."; the notes are cut off at the cell boundary in the source sheet.]
Defense Industrial Base Sector
  Source: NIST SP 800-171 (Controlled Unclassified Information)
  https://www.cisa.gov/sites/default/files/publications/DIB_Guide_to_Implementing_the_Cybersecurity_Framework_S508C.PDF
  https://csrc.nist.gov/publications/detail/sp/80
  https://www.nist.gov/cyberframework/critical-infrastructure-resources
  Column: NIST SP 800-171 security requirements for Controlled Unclassified Information

Emergency Services Sector
  Source: Emergency Services Sector: Cybersecurity Framework Implementation Guidance, May 2020
  https://www.cisa.gov/sites/default/files/publications/Emergency_Services_Sector_Cybersecurity_Framework_Implementation_Guidance_FI
  Columns: Emergency Services Sector Cyber Risk Assessment (ESS-CRA); Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap); Cybersecurity Capability Maturity Model Program

Energy Sector
  Source: Energy Sector: Cybersecurity Framework Implementation Guidance, Jan 2015
  https://www.energy.gov/ceser/downloads/energy-sector-cybersecurity-framework-implem
  Columns: Energy Sector Cybersecurity Capability Maturity Model (C2M2) Practices at Maturity Level 1, Maturity Level 2 and Maturity Level 3

Financial Services Sector
  Source: Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, 2015
  https://www.ffiec.gov/cyberassessmenttool.htm
  Column: FFIEC Cybersecurity Assessment Tool declarative statements
[Crosswalk grid for the Defense Industrial Base, Emergency Services, Energy and Financial Services Sector columns above: one row per NIST CSF subcategory, in the same order as the subcategory list. Per row, the Defense Industrial Base column cites the applicable NIST SP 800-171 requirement(s) by number and title (the requirements cited are 3.1.1, 3.1.3, 3.1.4, 3.1.12, 3.1.13, 3.1.16, 3.1.19, 3.1.20, 3.2.1, 3.3.1, 3.3.5, 3.4.1, 3.4.3, 3.5.1, 3.6.1, 3.6.2, 3.6.3, 3.7.3, 3.7.5, 3.8.1, 3.8.3, 3.9.1, 3.10.1, 3.10.2, 3.10.4, 3.11.1, 3.11.2, 3.12.1, 3.13.1, 3.13.13, 3.14.1 and 3.14.6); the three Emergency Services Sector columns carry X marks; the Energy Sector columns list the C2M2 practice identifiers at Maturity Level 1, 2 and 3 (practices from the ACM, CPM, EDM, IAM, IR, ISC, RM, SA, TVM and WM domains, e.g. ACM-1a / ACM-1c / ACM-1e, ACM-1f for ID.AM-1); and the Financial Services column cites the matching FFIEC Cybersecurity Assessment Tool declarative statement by identifier and opening text (e.g. D1.G.IT.B.1: An inventory of organizational assets ...; D4.RM.Dd.B.2: A list of third-party service providers is maintained.). The requirement and statement text is cut off at the cell boundary in the source sheet.]
3.6.1Establish an X X X IR-3b IR-3d IR-3o IR- incidents and attacks
D5.IR.Pl.B.6: The
operational incident- 4k institution plans to
handling capability for use business
organizational systems
3.6.1Establish an X X X IR-3h continuity, disaster
D5.IR.Pl.Int.4:
operational incident- IR-4i Lessons learned
handling capability for IR-3k from real-life cyber
organizational systems
3.6.1Establish an X X X IR-3h IR- incidents and attacks
D5.IR.Pl.Int.4:
operational incident- 3k Lessons learned
handling capability for from real-life cyber
organizational systems X RM-1c incidents and attacks
D5.ER.Es.Int.3: An
external
communication plan
X IR-3d is used for notifying
D5.IR.Pl.Int.1: A
strategy is in place
to coordinate and
3.6.1Establish an X IR-3d communicate
D5.ER.Is.B.1:with
A
operational incident- process exists to
handling capability for contact personnel
organizational systems who are responsible
Food and Agriculture Sector | Government Facilities Sector | Healthcare and Public Health Sector | Information Technology Sector
Sources:
https://www.nist.gov/cyberframework/critical-infrastructure-resources
National Restaurant Association: Cybersecurity 201 (2017): https://www.restaurant.org/downloads/pdfs/advocacy/cybersecurity201.pdf
HPH Framework Implementation Guidance (2016): https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidanc

Supporting Restaurant Industry Controls (each cell begins "How to apply in your restaurant:") | HITRUST CSF | HIPAA Security Rule
1) Develop a tagging system for all physical IT devices, including a simple system for documentation or use third-party secure database software to | 07.a Inventory of Assets | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(d)
1) Develop | 07.a Inventory of Assets | 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E)
1) Map your restaurant's communication and data flow requirements, and draft network diagrams. | 01.m Segregation in Networks | 164.308(a)(1)(ii)(A), 164.308(a)(3)(ii)(A), 164.308(a)(8), 164.310(d)
1) Document all external systems, and code the systems for tracking, including type of system, | 01.i Policy on the Use of Network Services | 164.308(a)(4)(ii)(A), 164.308(b), 164.314(a)(1), 164.314(a)(2)(i)(B)
1) Create a scoring system to identify the most critical to least critical technology | 07.a Inventory of Assets | 164.308(a)(7)(ii)(E)
1) Develop roles and responsibilities for your employees and third parties regarding | 07.b Ownership of Assets; 02.a Roles and Responsibilities | 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1)
1) Identify and understand your restaurant's and vendor partners' role and in each communicate | 05.d Authorization Process for | 164.308(a)(1)(ii)(A), 164.308(a)(4)(ii), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E)
1) Document the infrastructure that supports the critical | 05.a Management Commitment | 164.308(a)(1)(ii)(A), 164.308(a)(4)(ii), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E)
1) Document and prioritize your business activities to determine processes, technology services that are critical to running your business. Including | 03.a Risk Management Program Development | 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E)
1) Create a list of | 08.h Supporting Utilities | 164.308(a)(7)(i), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
1) Document your requirements for delivery of critical services, including regulatory and legal requirements for the restaurant's security and | 12.b, 12.a Business Continuity Management | 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(8)
1) Determine the hours | 04.a Information Security Policy | 164.308(a)(1)(i), 164.316
1) The IT subject matter expert in partnership with functional areas (i.e., finance, legal, HR and | 05.b Information Security Coordination | 164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4)
1) IT subject matter experts should be well informed of ever-changing industry | 01.a Access Control Policy | 164.306, 164.308(b), 164.308, 164.31, 164.312
1) Meet with your board and/or management team at least annually to discuss risks to the | 0.a Information Security Management | 164.308(a)(1), 164.308(b)
1) Review the network diagrams to assess and document vulnerabilities (see ID.AM-3). | 03.b Performing Risk Assessments | 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E), 164.308(a)(8)
1) Review ID.AM-1 and ID.AM-2 to identify threat protection systems available to the | 05.g Contact with Special | 164.310(a)(1)
1) Determine sources of information about threats (industry resources like the National Restaurant | 03.b Performing Risk Assessments | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4)
1) IT subject matter experts review the network diagrams to identify potential | 03.b Performing Risk Assessments | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)
1) IT subject matter experts rank the identified business impacts and likelihoods | 03.b Performing Risk Assessments | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(7)(ii)(D)
1) IT subject matter experts identify the risk responses and prioritize them based on their | 03.c Risk Mitigation; 06.g Compliance with Security | 164.308(a)(1)(ii)(B), 164.314(a)(2)(i)(C), 164.314(b)(2)(iv)
1) Establish a schedule for leadership to review risk assessment details whenever they are | 03.a Risk Management Program Development | 164.308(a)(1)(ii)(B)
1) Review the risk responses (ID.RA-6) according to the schedule and process | 03.a Risk Management Program Development | 164.308(a)(1)(ii)(B)
1) As part of your overall risk-management strategy, regularly consult with peers in | 03.a Risk Management Program Development | 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(C)
1) Require unique accounts for each individual who accesses a POS terminal. | 01.b User Registration | 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B)
1) Keep an inventory of unused devices in a secure | 01.d, 01.g User Password Management; Unattended User Equipment | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1)
1) Manage and log all remote access of your systems | 01.j Policy on the Use of Network Services | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b)
1) Limit access privileges to the least necessary to | 01.b User Registration | 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b)
1) Use physical or virtual firewalls to separate critical | 01.c Privilege Management; 01.m Segregation in Networks | 164.308(a)(4)(ii)(B), 164.312(a)(1), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b)
1) Disseminate security policies to all applicable | 02.d Management Responsibilities | 164.308(a)(5)
1) Perform a risk analysis to determine the scope of | 02.d Management Responsibilities | 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A)
1) Create and approve a third-party security policy. | 02.d Management Responsibilities | 164.308(b), 164.308(a)(5)(ii)(B), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
1) Prepare an executive overview of all policies in | 02.d Management Responsibilities | 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A)
1) Include physical and information security personnel in all levels of information security. | 02.d Management Responsibilities | 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A)
1) Limit data storage amounts and retention times to | 01.x Mobile Computing and | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(b)(1), 164.310(d), 164.312(a)(1)
1) Identify all locations where critical data (credit | 09.m Network Controls | 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i)
1) Identify, inventory and label all critical assets, | 09.u Physical Media in Transit; 01.y Teleworking | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv)
1) Determine capacity requirements (storage, | 07.a Inventory of Assets; 09.h Capacity Management | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(7), 164.310(a)(2)(i)
1) Create a data classification policy that defines | 01.c Privilege Management | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b)
1) Deploy technologies to assure the integrity of | 09.z Publically Available Information | 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2)
1) Separate development/test environments from | 09.d Separation of Development | 164.308(a)(4)
1) Separate development/test environments from | 01.i Policy on the Use of Network Services | 164.308(a)(8), 164.308(a)(7)(i), 164.308(a)(7)(ii)
1) Establish a system development life cycle for the | 10.a Security Requirements | 164.308(a)(1)(i)
1) Ensure that configuration change control processes are in place for all hardware | 09.b Change Management | 164.308(a)(8)
1) Develop a comprehensive backup strategy as part | 09.l Back-up | 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(D), 164.310(a)(2)(i)
1) Keep your back-of-house file server in a place that | 08.d Protecting Against External | 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)
1) During a POS or back-office-system refresh, | 08.l Secure Disposal or Re-use of Equipment | 164.310(d)(2)(i), 164.310(d)(2)(ii)
1) Review and improve your protection processes | 0.a Information Security Management | 164.306(e), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii)
1) Share with appropriate parties the extent to which | 05.h Independent Review of | 164.308(a)(6)(ii)
1) Create a response and recovery plan with procedures and points of contact for responding to | 11.c Responsibilities and Procedures | 164.308(a)(6), 164.308(a)(7), 164.310(a)(2)(i), 164.312(a)(2)(ii)
1) Create a recovery plan with procedures and points | 12.e Testing, Maintaining and | 164.308(a)(7)(ii)(D)
1) Screen new hires to determine an individual's | 02.a Roles and Responsibilities | 164.308(a)(1)(ii)(C), 164.308(a)(3)
1) Conduct vulnerability scans (internal and external | 03.c Risk Mitigation; 06.h Technical Compliance Checking | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B)
1) Vet your IT equipment service providers to confirm | 08.j Equipment Maintenance | 164.308(a)(3)(ii)(A), 164.310(a)(2)(iv)
1) Allow only preapproved, authorized vendors to | 08.j Equipment Maintenance | 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii)
1) Collect security event logs from network devices, servers and endpoint devices. | 06.c Protection of Organizational | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii)
1) Identify, label and monitor USB-connected devices for data leakage (unauthorized transfer of | 01.h Clear Desk and Clear Screen | 164.308(a)(3)(i), 164.312(b), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2)
1) Require individual user accounts for access to your systems. Never use shared accounts for | 01.i Policy on the Use of Network Services | 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b)
1) Limit access to network technologies such as MPLS, DSL and cable connections to | 01.j Policy on the Use of Network Services | 164.308(a)(1)(ii)(D), 164.312(a)(1), 164.312(b), 164.312(e)
1) Establish baseline configurations for information systems and system components, | 01.m Segregation in Networks | 164.308(a)(1)(ii)(D), 164.312(b)
1) Configure alert systems to identify security-related attacks and alert a designated | 09.ab Monitoring System Use | 164.308(6)(i)
1) Use security information and event management (SIEM) tools to aggregate your | 09.ab Monitoring System Use | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii)
1) Prepare, maintain and test plans that document | 11.d Learning from Information | 164.308(a)(6)(ii)
1) Respond in a timely manner with effective measures to limit the magnitude of loss from | 12.d Business Continuity Planning | 164.308(a)(6)(i)
1) Monitor your network to detect potential cybersecurity events. Segment the network | 01.j Policy on the Use of Network Services | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8)
1) Develop a continuous monitoring strategy and implement a continuous monitoring program. | 08.a Physical Security Perimeter | 164.310(a)(2)(ii), 164.312(b), 164.310(a)(2)(iii)
1) Record user activities, exceptions, faults and information security events in a log, | 01.b User Registration | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i)
Use malware detection tools to detect malicious code and alert security personnel. | 01.c Privilege Management; 09.ab Monitoring System Use | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.312(b)
Use malware detection tools to detect unauthorized code on mobile devices, and alert | 09.k Controls Against Mobile | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)
Monitor contractor access and credentials to your company's network, applications | 02.d Management Responsibilities | 164.308(a)(1)(ii)(D)
Monitor and detect foreign devices on credit terminals. If unauthorized devices, | 06.g Compliance with Security | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.310(a)(1), 164.308(a)(1)(i)
Perform scans to detect medium-to-low risk and high-risk vulnerabilities to the system. | 06.h Technical Compliance Checking | 164.308(a)(8)
1) Install a malware detection system for your organization. | 02.a Roles and Responsibilities | 164.308(a)(2), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)
1) Develop and implement a detection process. | 06.d Data Protection and Privacy of | 164.308(a)(1)(i), 164.308(a)(8)
Have a trained security administrator periodically test your defenses. Vary your | 08.b Physical Entry Controls | 164.306(e)
As part of an information security risk plan, document how you plan to communicate | 05.b Information Security Coordination | 164.308(a)(6)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii)
1) Upgrade your software and firmware so you are using the latest releases. | 10.m Control of Technical Vulnerabilities; 11.c Responsibilities and Procedures | 164.306(e), 164.308(a)(8), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B)
Notify your security team and managers when an event occurs. | 11.c Responsibilities and Procedures | 164.308(a)(2), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C)
Ensure that your team knows what needs to be communicated, and to whom, when an event | 05.f Contact with Authorities | 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C)
Have a plan in place that spells out | 05.f Contact with Authorities | 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C)
Develop a crisis communications plan, and follow it during an incident. Share the | 11.c Responsibilities and Procedures | 164.308(a)(6), 164.308(a)(7), 164.310(a)(2)(i), 164.312(a)(2)(ii)
Consistently update your stakeholders so they can help reduce the impact of an incident. | 05.g Contact with Special | 164.308(a)(6)
Periodically share risk trends and security information with stakeholders. | 08.b Physical Entry Controls | 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C)
Review alerts immediately with your personnel/vendors from any systems that send | 11.d Learning from Information | 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E)
Understand that as an event begins, your first discoveries may not be the source of the | 11.c Responsibilities and Procedures | 164.308(a)(6)
In the event of a major breach of your systems, perform a forensics audit. Consult ... Follow your response plan to ensure clear thinking and that appropriate actions are | 11.c Responsibilities and Procedures | 164.308(a)(6)(ii)
Contain incidents to lessen their impact on your restaurant. For example, if a foreign | 11.c Responsibilities and Procedures | 164.308(a)(6)(ii)
Collect evidence concerning the incident, and follow your response plan to mitigate or | 11.c Responsibilities and Procedures | 164.308(a)(6)(ii)
Apply your learning from evidence collection and perform any migration/corrective | 03.a Risk Management Program Development | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii)
Having a meeting after every incident to discuss lessons learned. | 11.c Responsibilities and Procedures | 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii)
Learning how to respond starts with a plan rather than the experience itself. Always update | 11.c Responsibilities and Procedures | 164.308(a)(7)(ii)(D), 164.308(a)(8)
Carry out your recovery plan to limit the impact of your event. | 11.d Learning from Information | 164.308(a)(7), 164.310(a)(2)(i)
Your recovery plan should incorporate lessons learned from responding to real security in | 11.d Learning from Information | 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii)
Learn from the incidents, and use those lessons to update your response plan. Annually | 11.d Learning from Information | 164.308(a)(7)(ii)(D), 164.308(a)(8)
Implement a crisis communications plan to manage the public relations fallout from your | 11.d Learning from Information | 164.308(a)(6)(i)
Take steps to repair the reputation after a security incident. For example, if email | 11.d Learning from Information | 164.308(a)(6)(i)
Keep managing partners, owners and other key stakeholders informed of your recovery process. | 11.d Learning from Information | 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i)
Nuclear Reactors, Materials, and Waste Sector | Transportation Systems Sector | Water and Wastewater Systems Sector
Nuclear Sector: Cybersecurity Framework Implementation Guidance. May 2020 (2020): https://www.cisa.gov/sites/default/files/publications/Nuclear_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf
Transportation Systems Sector Cybersecurity Framework Implementation Guidance (2015): https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide-2016-508v2_0.pdf
American Water Works Association Cybersecurity Guidance (2019): https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.pdf?ver=201

Column headings: U.S. Nuclear Power Reactor | Sector Strategy | Water Practices

[Reference table by CSF subcategory: U.S. Nuclear Power Reactor references (A-, D- and E- numbered items, plus SU1 and SU2 for supply chain); Transportation Sector Strategy goals (Goal 1: Define Conceptual Environment; Goal 2: Improve and Expand Voluntary Participation; Goal 3: Maintain Continuous Cybersecurity Awareness; Goal 4: Enhance Intelligence and Security Information Sharing; Goal 5: Ensure Sustained Coordination and Strategic Implementation); Water Practices (practice IDs such as PM-2, MA-3, IR-2, AU-5, and ANSI/AWWA J100, G430, G440 and M19)]

Text cells from the U.S. Nuclear Power Reactor column:
Plant Cyber Security Teams establish processes that address cyber supply chain risk management. Suppliers and partners are identified, vetted, and validated through the nuclear procurement process. (SU1, SU2)
Baseline cyber security requirements are integrated into the procurement process. (SU2)
The nuclear industry implements a graded approach based upon the component risk. (SU1)
Plants implement ... To the extent practicable, plants also utilize third-party security alert notification services and vendor security
Remote maintenance to critical safety, security, and reliability systems is prohibited by the defensive (MA-1)
Chemical Sector
Source: Chemical Sector: Cybersecurity Framework Implementation Guidance
URL: https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/chemical-framework-implementation-guide-2015-508.pdf

Columns: Function | Category | Subcategory | Cyber Resilience Review (CRR, Assessment) | Cybersecurity Evaluation Tool (CSET) | Chemical Security Assessment Tool (CSAT)
Further columns (marks not recoverable from the source): Chemical Facilities Anti-Terrorism Standards (CFATS) Risk-Based Performance Standard 8 (RBPS-8): Cyber | American Chemical Council (ACC) Responsible Care Security Code (RCSC): Cybersecurity Guidance

Marks per subcategory (X marks as they appear for the CRR, CSET and CSAT columns):

IDENTIFY (ID)
Asset Management (ID.AM): ID.AM-1 X X X | ID.AM-2 X X X | ID.AM-3 X X X | ID.AM-4 X X | ID.AM-5 X X | ID.AM-6 X X
Business Environment (ID.BE): ID.BE-1 X X X | ID.BE-2 X X X | ID.BE-3 X X | ID.BE-4 X X | ID.BE-5 X X
Governance (ID.GV): ID.GV-1 X X X | ID.GV-2 X X | ID.GV-3 X X | ID.GV-4 X X
Risk Assessment (ID.RA): ID.RA-1 X X X | ID.RA-2 X X | ID.RA-3 X X X | ID.RA-4 X X | ID.RA-5 X X X | ID.RA-6 X X
Risk Management Strategy (ID.RM): ID.RM-1 X X X | ID.RM-2 X X | ID.RM-3 X X
Supply Chain Risk Management (ID.SC): ID.SC-1 (no marks) | ID.SC-2 (no marks) | ID.SC-3 (no marks) | ID.SC-4 (no marks) | ID.SC-5 (no marks)

PROTECT (PR)
Access Control (PR.AC): PR.AC-1 X X X | PR.AC-2 X X X | PR.AC-3 X X X | PR.AC-4 X X X | PR.AC-5 X X X | PR.AC-6 (no marks) | PR.AC-7 (no marks)
Awareness and Training (PR.AT): PR.AT-1 X X X | PR.AT-2 X X | PR.AT-3 X X | PR.AT-4 X X | PR.AT-5 X X
Data Security (PR.DS): PR.DS-1 X X | PR.DS-2 X X | PR.DS-3 X X | PR.DS-4 X X | PR.DS-5 X X | PR.DS-6 X X X | PR.DS-7 X X | PR.DS-8 (no marks)
Information Protection Processes and Procedures (PR.IP): PR.IP-1 X X | PR.IP-2 X X | PR.IP-3 X X X | PR.IP-4 X X | PR.IP-5 X X X | PR.IP-6 X X | PR.IP-7 X X | PR.IP-8 X X | PR.IP-9 X X X | PR.IP-10 X X X | PR.IP-11 X X | PR.IP-12 X X X
Maintenance (PR.MA): PR.MA-1 X X | PR.MA-2 X X
Protective Technology (PR.PT): PR.PT-1 X X | PR.PT-2 X X X | PR.PT-3 X X X | PR.PT-4 X X X | PR.PT-5 (no marks)

DETECT (DE)
Anomalies and Events (DE.AE): DE.AE-1 X X | DE.AE-2 X X X | DE.AE-3 X X | DE.AE-4 X | DE.AE-5 X X X
Security Continuous Monitoring (DE.CM): DE.CM-1 X X X | DE.CM-2 X X X | DE.CM-3 X X X | DE.CM-4 X X X | DE.CM-5 X X | DE.CM-6 X X | DE.CM-7 X X X | DE.CM-8 X X X
Detection Processes (DE.DP): DE.DP-1 X X | DE.DP-2 X X | DE.DP-3 X X X | DE.DP-4 X X X | DE.DP-5 X X X

RESPOND (RS)
Response Planning (RS.RP): RS.RP-1 X X
Communications (RS.CO): RS.CO-1 X X | RS.CO-2 X X X | RS.CO-3 X X | RS.CO-4 X X | RS.CO-5 X X
Analysis (RS.AN): RS.AN-1 X X X | RS.AN-2 X X | RS.AN-3 X X | RS.AN-4 X X X | RS.AN-5 (no marks)
Mitigation (RS.MI): RS.MI-1 X X | RS.MI-2 X X | RS.MI-3 X X X
Improvements (RS.IM): RS.IM-1 X X | RS.IM-2 X X

RECOVER (RC)
Recovery Planning (RC.RP): RC.RP-1 X X
Improvements (RC.IM): RC.IM-1 X X | RC.IM-2 X X
Communications (RC.CO): RC.CO-1 X X | RC.CO-2 X X | RC.CO-3 X X
X
X
X X
X
X

X X
X
X
X X
X
X
X
X
X
X
X
Commercial Facilities Sector
Source: Commercial Facilities Sector: Cybersecurity Framework Implementation Guidance 2020
URL: https://www.cisa.gov/sites/default/files/publications/Commercial_Facilities_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf

Crosswalk columns for this table:
  Payment Card Industry Data Security Standards (PCI-DSS)
  Cyber Resilience Review (CRR, Assessment)
  Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1
  Cybersecurity Evaluation Tool (CSET)
  Stadium Guide
  ISO27001/2
  COBIT
(The crosswalk marks ("X") for these columns could not be aligned to their rows in this extraction and are omitted.)

Function / Category / Subcategory

IDENTIFY (ID)
  Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are ...
    ID.AM-1: Physical devices and systems ...
    ID.AM-2: Software platforms and ...
    ID.AM-3: Organizational communication ...
    ID.AM-4: External information systems ...
    ID.AM-5: Resources (e.g., hardware, ...
    ID.AM-6: Cybersecurity roles and ...
  Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and ...
    ID.BE-1: The organization's role in ...
    ID.BE-2: The organization's place in ...
    ID.BE-3: Priorities for ...
    ID.BE-4: Dependencies and ...
    ID.BE-5: Resilience requirements to ...
  Governance (ID.GV): The policies, procedures, and operational requirements are ...
    ID.GV-1: Organizational cybersecurity ...
    ID.GV-2: Cybersecurity roles and ...
    ID.GV-3: Legal and regulatory requirements ...
    ID.GV-4: Governance and risk management ...
  Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including ...
    ID.RA-1: Asset vulnerabilities are ...
    ID.RA-2: Cyber threat intelligence ...
    ID.RA-3: Threats, both internal ...
    ID.RA-4: Potential business impacts ...
    ID.RA-5: Threats, vulnerabilities, ...
    ID.RA-6: Risk responses are ...
  Risk Management Strategy (ID.RM): ... tolerances, and assumptions are ...
    ID.RM-1: Risk management ...
    ID.RM-2: Organizational risk tolerance is ...
    ID.RM-3: The organization's ...
  Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are ...
    ID.SC-1: Cyber supply chain risk ...
    ID.SC-2: Suppliers and third party ...
    ID.SC-3: Contracts with suppliers ...
    ID.SC-4: Suppliers and third-party ...
    ID.SC-5: Response and recovery ...

PROTECT (PR)
  Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and ...
    PR.AC-1: Identities and credentials ...
    PR.AC-2: Physical access to assets is managed ...
    PR.AC-3: Remote access is managed
    PR.AC-4: Access permissions ...
    PR.AC-5: Network integrity is protected
    PR.AC-6: Identities are proofed and bound ...
    PR.AC-7: Users, devices, and other ...
  Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity ...
    PR.AT-1: All users are informed ...
    PR.AT-2: Privileged users understand ...
    PR.AT-3: Third-party stakeholders (e.g., ...
    PR.AT-4: Senior executives understand ...
    PR.AT-5: Physical and cybersecurity ...
  Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, ...
    PR.DS-1: Data-at-rest is protected
    PR.DS-2: Data-in-transit is protected
    PR.DS-3: Assets are formally managed ...
    PR.DS-4: Adequate capacity to ensure ...
    PR.DS-5: Protections against data leaks ...
    PR.DS-6: Integrity checking mechanism ...
    PR.DS-7: The development and ...
    PR.DS-8: Integrity checking mechanism ...
  Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of ...
    PR.IP-1: A baseline configuration of ...
    PR.IP-2: A System Development Life ...
    PR.IP-3: Configuration change control ...
    PR.IP-4: Backups of information are ...
    PR.IP-5: Policy and regulations regarding ...
    PR.IP-6: Data is destroyed according ...
    PR.IP-7: Protection processes are ...
    PR.IP-8: Effectiveness of protection ...
    PR.IP-9: Response plans (Incident ...
    PR.IP-10: Response and recovery ...
    PR.IP-11: Cybersecurity is included in ...
    PR.IP-12: A vulnerability ...
  Maintenance (PR.MA): Maintenance and repairs of system ...
    PR.MA-1: Maintenance and repair of ...
    PR.MA-2: Remote maintenance of ...
  Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of ...
    PR.PT-1: Audit/log records are determined ...
    PR.PT-2: Removable media is protected ...
    PR.PT-3: The principle of least ...
    PR.PT-4: Communications and control ...
    PR.PT-5: Mechanisms (e.g., failsafe, ...

DETECT (DE)
  Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of ...
    DE.AE-1: A baseline of network operations ...
    DE.AE-2: Detected events are analyzed to ...
    DE.AE-3: Event data are collected ...
    DE.AE-4: Impact of events is determined
    DE.AE-5: Incident alert thresholds ...
  Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of ...
    DE.CM-1: The network is monitored ...
    DE.CM-2: The physical environment is monitored ...
    DE.CM-3: Personnel activity is monitored ...
    DE.CM-4: Malicious code is detected
    DE.CM-5: Unauthorized mobile code is ...
    DE.CM-6: External service provider ...
    DE.CM-7: Monitoring for unauthorized ...
    DE.CM-8: Vulnerability scans are performed
  Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and ...
    DE.DP-1: Roles and responsibilities for ...
    DE.DP-2: Detection activities comply ...
    DE.DP-3: Detection processes are tested
    DE.DP-4: Event detection information ...
    DE.DP-5: Detection processes are ...

RESPOND (RS)
  Response Planning (RS.RP)
    RS.RP-1: Response plan is executed ...
  Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as ...
    RS.CO-1: Personnel know their roles and ...
    RS.CO-2: Incidents are reported ...
    RS.CO-3: Information is shared consistent ...
    RS.CO-4: Coordination with stakeholders ...
    RS.CO-5: Voluntary information sharing ...
  Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
    RS.AN-1: Notifications from detection ...
    RS.AN-2: The impact of the incident is ...
    RS.AN-3: Forensics are performed
    RS.AN-4: Incidents are categorized
    RS.AN-5: Processes are established
  Mitigation (RS.MI): Activities are performed to prevent expansion of an event, ...
    RS.MI-1: Incidents are contained
    RS.MI-2: Incidents are mitigated
    RS.MI-3: Newly identified vulnerabilities are ...
  Improvements (RS.IM): Organizational response activities are ...
    RS.IM-1: Response plans incorporate ...
    RS.IM-2: Response strategies are updated

RECOVER (RC)
  Recovery Planning (RC.RP): Recovery processes and procedures are ...
    RC.RP-1: Recovery plan is executed ...
  Improvements (RC.IM): incorporating lessons learned into future ...
    RC.IM-1: Recovery plans incorporate ...
    RC.IM-2: Recovery strategies are updated
  Communications (RC.CO): coordinating centers, Internet Service ...
    RC.CO-1: Public relations are ...
    RC.CO-2: Reputation is repaired after an ...
    RC.CO-3: Recovery activities are ...
Communications Sector
Source: The Communications Security, Reliability and Interoperability Council IV Working Group 4 Final Report : CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICE
URL: https://www.cisa.gov/publication/nipp-ssp-communications-2015
https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf

Function / Category / Subcategory

IDENTIFY (ID)
  Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed ...
    ID.AM-1: Physical devices and systems ...
    ID.AM-2: Software platforms and applications ...
    ID.AM-3: Organizational communication and data flows ...
    ID.AM-4: External information systems are ...
    ID.AM-5: Resources (e.g., hardware, devices, data, ...
    ID.AM-6: Cybersecurity roles and responsibilities ...
  Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and ...
    ID.BE-1: The organization's role in the supply chain is ...
    ID.BE-2: The organization's place in critical infrastructure ...
    ID.BE-3: Priorities for organizational mission, ...
    ID.BE-4: Dependencies and critical functions for delivery ...
    ID.BE-5: Resilience requirements to support delivery ...
  Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of ...
    ID.GV-1: Organizational cybersecurity policy is ...
    ID.GV-2: Cybersecurity roles and responsibilities ...
    ID.GV-3: Legal and regulatory requirements regarding ...
    ID.GV-4: Governance and risk management ...
  Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), ...
    ID.RA-1: Asset vulnerabilities are identified and documented
    ID.RA-2: Cyber threat intelligence is received from ...
    ID.RA-3: Threats, both internal and external, are ...
    ID.RA-4: Potential business impacts and likelihoods ...
    ID.RA-5: Threats, vulnerabilities, likelihoods, and ...
    ID.RA-6: Risk responses are identified and prioritized
  Risk Management Strategy (ID.RM): ... tolerances, and assumptions are established, ...
    ID.RM-1: Risk management processes are established, ...
    ID.RM-2: Organizational risk tolerance is determined and ...
    ID.RM-3: The organization's determination of risk tolerance is ...
  Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to ...
    ID.SC-1: Cyber supply chain risk management ...
    ID.SC-2: Suppliers and third party partners of ...
    ID.SC-3: Contracts with suppliers and third-party partners ...
    ID.SC-4: Suppliers and third-party partners are ...
    ID.SC-5: Response and recovery planning ...

PROTECT (PR)
  Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
    PR.AC-1: Identities and credentials are issued, managed ...
    PR.AC-2: Physical access to assets is managed and ...
    PR.AC-3: Remote access is managed
    PR.AC-4: Access permissions and authorizations are ...
    PR.AC-5: Network integrity is protected (e.g., ...
    PR.AC-6: Identities are proofed and bound to ...
    PR.AC-7: Users, devices, and other assets are authenticated ...
  Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to ...
    PR.AT-1: All users are informed and trained
    PR.AT-2: Privileged users understand their roles and ...
    PR.AT-3: Third-party stakeholders (e.g., suppliers, ...
    PR.AT-4: Senior executives understand their ...
    PR.AT-5: Physical and cybersecurity personnel ...
  Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of ...
    PR.DS-1: Data-at-rest is protected
    PR.DS-2: Data-in-transit is protected
    PR.DS-3: Assets are formally managed throughout ...
    PR.DS-4: Adequate capacity to ensure ...
    PR.DS-5: Protections against data leaks are ...
    PR.DS-6: Integrity checking mechanisms ...
    PR.DS-7: The development and testing environment(s) ...
    PR.DS-8: Integrity checking mechanisms are ...
  Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
    PR.IP-1: A baseline configuration of information ...
    PR.IP-2: A System Development Life Cycle to ...
    PR.IP-3: Configuration change control processes are in ...
    PR.IP-4: Backups of information are conducted, ...
    PR.IP-5: Policy and regulations regarding the physical ...
    PR.IP-6: Data is destroyed according to policy
    PR.IP-7: Protection processes are improved
    PR.IP-8: Effectiveness of protection technologies is ...
    PR.IP-9: Response plans (Incident Response and ...
    PR.IP-10: Response and recovery plans are tested
    PR.IP-11: Cybersecurity is included in human resources ...
    PR.IP-12: A vulnerability management plan is ...
  Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent ...
    PR.MA-1: Maintenance and repair of organizational ...
    PR.MA-2: Remote maintenance of organizational ...
  Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related ...
    PR.PT-1: Audit/log records are determined, ...
    PR.PT-2: Removable media is protected and its ...
    PR.PT-3: The principle of least functionality is incorporated by ...
    PR.PT-4: Communications and control networks are ...
    PR.PT-5: Mechanisms (e.g., failsafe, load balancing, ...

DETECT (DE)
  Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
    DE.AE-1: A baseline of network operations and ...
    DE.AE-2: Detected events are analyzed to understand ...
    DE.AE-3: Event data are collected and correlated from ...
    DE.AE-4: Impact of events is determined
    DE.AE-5: Incident alert thresholds are established
  Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
    DE.CM-1: The network is monitored to detect potential ...
    DE.CM-2: The physical environment is monitored to ...
    DE.CM-3: Personnel activity is monitored to ...
    DE.CM-4: Malicious code is detected
    DE.CM-5: Unauthorized mobile code is detected
    DE.CM-6: External service provider activity is monitored to ...
    DE.CM-7: Monitoring for unauthorized personnel, ...
    DE.CM-8: Vulnerability scans are performed
  Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
    DE.DP-1: Roles and responsibilities for detection are ...
    DE.DP-2: Detection activities comply with all ...
    DE.DP-3: Detection processes are tested
    DE.DP-4: Event detection information is communicated
    DE.DP-5: Detection processes are continuously ...

RESPOND (RS)
  Response Planning (RS.RP)
    RS.RP-1: Response plan is executed during or after an ...
  Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from ...
    RS.CO-1: Personnel know their roles and order of ...
    RS.CO-2: Incidents are reported consistent with ...
    RS.CO-3: Information is shared consistent with ...
    RS.CO-4: Coordination with stakeholders occurs consistent with ...
    RS.CO-5: Voluntary information sharing occurs with ...
  Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
    RS.AN-1: Notifications from detection systems are ...
    RS.AN-2: The impact of the incident is understood
    RS.AN-3: Forensics are performed
    RS.AN-4: Incidents are categorized consistent with ...
    RS.AN-5: Processes are established to receive, analyze ...
  Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its ...
    RS.MI-1: Incidents are contained
    RS.MI-2: Incidents are mitigated
    RS.MI-3: Newly identified vulnerabilities are mitigated or ...
  Improvements (RS.IM): Organizational response activities are improved by ... lessons learned ...
    RS.IM-1: Response plans incorporate lessons learned
    RS.IM-2: Response strategies are updated

RECOVER (RC)
  Recovery Planning (RC.RP): Recovery processes and procedures are executed and ...
    RC.RP-1: Recovery plan is executed during or after a ...
  Improvements (RC.IM): ... incorporating lessons learned into future activities.
    RC.IM-1: Recovery plans incorporate lessons learned
    RC.IM-2: Recovery strategies are updated
  Communications (RC.CO): ... coordinating centers, Internet Service Providers, owners of ...
    RC.CO-1: Public relations are managed
    RC.CO-2: Reputation is repaired after an incident
    RC.CO-3: Recovery activities are communicated ...

Requirement(s)

Operational Requirement(s): Appropriate and adequate Operations staff may be assigned to locate, track, count, and document all critical inf
mobile devices, receivers, transmitters, antennas, optical systems, transportation systems and any system or device that has computing, storag

Operational Requirement(s): The organization can determine "who‐internally" needs to know "what" information, "when" and "how" will th
ops centers, engineering, technical management, program/project management, customer service, IT, sales, Csuite officials, billing, accounti
access controls ‐ business process rules within various systems to allow authorized personnel to reach their required information, when they nee

Technology Requirement(s): Organizational staff assigned to catalog externally facing critical infrastructure information systems, servers,
externally facing resources that are inventoried. This externally facing catalog system can be made secure to prevent corruption of critical

Operational Requirement(s): Organizational leadership, operations and engineering staff may determine the primary ‐critical infrastructure fu
system catalog is extremely limited and to business with a need‐to‐know basis.
continue to operate our business and business plan(s)?" An example of this exercise may be similar to: "If we lost our <website>, could we s
conveyed through ongoing training, to those the affected personnel. When organizations determine "who‐externally" needs to know "what" inform
staff (by job function)
Operational Requirement(s): Organizational leadership, operations and engineering determine who needs to know
organization, then every function can be prioritized based on criticality and business value. Once these critical functions are prioritized,
can be assigned. These levels of cybersecurity responsibilities will include but not limited to: *Security of entire

Operational Requirement(s): Organizational leadership, operations and engineering staff can determine the infrastructure, the organization fits into a suppl
identified and prioritized as well, based on their criticality and business value. * An organization may identify the critical security of information syste

of internal and external communications channels. The cybersecurity leadership can then develop cybersecurity policies and procedures, then
be defined? Does the organization turn raw materials into a product? Does the organization provide a service where human resources and exp

Operational Requirement(s): Organizational leadership, operations and engineering staff may determine how the organization fits into a Critic
infrastructure that supports the functioning of our society or economy? Does this organization supply a product or service to the government
organization earn revenue from its customers? How does the sales function get what it needs to sell a product or service to customers? * T
Operational Requirement(s): Organizational and engineering staff can determine the organization's and its pri
criticality within a Critical Infrastructure ecosystem to its entire staff. The sub‐organizations that are deemed critical to operating the busine
staff. * The sub‐organizations that are deemed critical to operating the business must be prioritized such that key decision makers are very
such that key decision makers are very aware of their responsibilities and available human and physical resources. This

Operational Requirement(s): Organizational leadership, operations and engineering staff can determine critical functions for delivery of critic
suborganization prioritization can also be conveyed to the entire staff in such a way that every person know whom (internally and externally) sub‐organization direction from.
* Once the organizational prioritization exercise is completed, the critical dependencies of all sub‐organizations and outsid
depend upon obtaining from 3rd party entities. An example would be similar to a telecom network operator who depends on a diesel fuel sup

Operational Requirement(s): Once the organizational leadership, operations and engineering staff has determined critical functions for delive
externally to the main organization. An organization can identify the critical information system components and their functions for develop
operator can keep its critical network systems operating on back‐up generator power. * Dependencies supporting critical functions can incl
materials. This may include but
Operational Requirement(s): An organization's executive and technical leadership can determine which information and data types that can b
components, emergency responders, vendor‐crisis response teams and government agencies etc.
not limited to redundant circuits for communications, equipment, alternate secondary suppliers of fuel, secondary suppli
responders.
* An organization may develop a contingency plan that outlines the process for restoring information systems, and to implement
privacy considerations. Other types of information may be allowed to reach certain people on a need‐to‐know basis, in order to perform their

Operational Requirement(s): Once the information security policies are established within an organization, these policies can be conveyed to
coordinates with external service providers.
are determined, the amount of security and security controls applied to each information type can be determined. * From here, an organiz
information. External policies and procedures for protecting information can also be developed. These externally facing information secur

Operational Requirement(s): An organization's executive and technical leadership can include the organization's legal counsel and/or legal st
established, these policies can be conveyed to the appropriate levels of staffing, and external entities such that everyone knows their responsi
organization.
protection

Operational Requirement(s): Once an organization creates an ongoing Threats/Risk catalog, they may progress to developing the appropriate
policies conform to and do not violate privacy laws and civil liberties obligations. Once the legal details of the cybersecurity and
acceptance of these cybersecurity and information protection policies may need to be obtained. Non‐acceptance by certain individuals, may
appropriate ... but ... 5 ... management; Mitigation, Preparedness, Res
Operational Requirement(s): Technical staff may research publicly available information and vendor proprietary information to learn of all
staff may also research cyber‐criminal elements vulnerabilities ... public or ... the vendors. and
responses, may include, not be limited to the phases of emergency Prevention,
These responses can include every sub‐organization from the top executives all the way through to the most remote member of an organizati

Operational Requirement(s): Technical staff may research publicly available information and vendor proprietary information to learn of all
staff may also research cyber‐criminal elements for vulnerabilities that are not public or known by the vendors. All of these vulnerabilities
for ... that are not known by ... Once documented key ... or of spreading details of found technical vulnerabilities over the Internet. An organization may outline what systems should be monitored, the fre

Operational Requirement(s): Technical staff may research publicly available information and vendor proprietary information to learn of all
staff may also research cyber‐criminal elements for vulnerabilities that exist for the sole purpose of spreading details of found technical vulnerabilities over the Internet. * An organization may outline what syste
assessment of risk by taking into account the magnitude of harm caused from the breach of the information system. This includes taking into
Organizational

Operational Requirement(s): Organizational leadership, operations and engineering staff may determine the primary ‐critical functions
An organization may conduct an assessment of risk by taking into account the magnitude of harm caused from the breach of the information
of spreading details ... are not public or known by the vendors. All of these vulnerabilities that exist for the sole purpose of spreading details of found technical vulnerabilities over the Internet. * An organization should outline wha
operate our business and business plan(s)?" An example of this exercise may be similar to: "If we
chart to identify the
se sh
Operational Requirement(s): The organization can build a criticality risk list, chart or table of business threats and vulnerabilities to the critical business fun
findings. An organization may conduct an assessment of risk by taking into account the magnitude of harm caused from the breach of applic
lost our <website>, could we still deliver the

every function can be prioritized based on ... value. Once these critical functions prioritized, then the systems, network, and hardware, and software resources they need to accomplish a business task. * T
decrease risk occurrences. An example would list

Operational Requirement(s): Once an organization creates an ongoing Threats/Risk catalog, you may progress to developing the appropriate
well, based on their criticality and business value. * An organization can ... threat information ... components
appropriate responses, may include, but not be limited to the 5 phases of emergency risk management; PREVENTION, MITIGATION, PREPAR
this is established, the organization prioritize the criticality of each information system to the business operations and the urgency and
identifies the critical ... and their functi

Operational Requirement(s): The appropriate cyber risk management responses, may include, but not be limited to the 5 phases of emergenc
efficient action. An example, organizations often develop plans to respond to physical threats, such as malicious access to buildings or equip
in the risk catalog. These responses may include every sub‐organization from the top executives all the way through to the most remote mem
describe "Who does What, and When" for every identified risk in the risk catalog. These responses should include

Operational Requirement(s): The appropriate cyber risk management responses, may include, but not be limited to the 5 phases of emergenc
every suborganization fro
timeliness of each response, to include, but not limited to immediate responses through, timelines needed based on dependencies.
describe "Who does What, and When" for every identified risk in the risk catalog.

Operational Requirement(s): Organizational leadership, operations and engineering staff may determine how the organization fits into a Criti
infrastructure that supports the functioning of our society or economy? Does this organization supply a product or service to the government
risk catalog. These responses can include every sub‐organization from
each response, to include, but not limited to immediate response through, timelines needed based on dependencies. * Organizations, suborg
implementing cybersecurity best practices. * Organization may determine the consequences of various cyber incidents. These consequenc
criticality within a Critical Infrastructure ecosystem to its entire staff. The sub‐organizations that are deemed critical to operating the busine
suborganization prioritization must also be conveyed to the entire staff in such a way that every person know whom (internally and externall

Operational Requirement(s): The organization can determine "who‐internally" needs to know "what" information, "when" and "how" will th
infrastructure related operations, network ops centers, engineering, technical management, program/project management, customer service,

Operational Requirement(s): The organization should determine whom within, internal and external to the entire organization, can be allowe
determined the organization can set access controls ‐ business process rules within various systems to allow authorized personnel to reach the
spaces, data centers, wiring closets, servers rooms, devices, tools, vehicles etc. that allow the organization to be an on‐going concern. These

Operational Requirement(s): The organization should determine whom within, internal and external to the entire organization, can be allowe
must be documented and conveyed through ongoing training, to the affected personnel. The organization can determine "who‐externally"
software cabinets, locked fencing, biometric locks to shared technical areas, locked vehicles, locked property and even building/landscaping
spaces, data centers, wiring closets, servers rooms, devices, tools, vehicles etc. that allow the organization to be an on‐going concern. These Sc

Operational Requirement(s): Organization implement an Access‐Permission policy based on Separation of duties and Least Privilege.
USERNAME/PASSWORDs, multi‐factor identification, access control lists, scheduling limits, VPN access, LAN/WAN access, biometrics, e

Operational Requirement(s): The organization's technical and operations staff may design their critical infrastructure networks, such that
so if an anomaly occurs at one location or node, it can be isolated and not take down the entire network. It is understood that segmentation w
network integrity. Alternatives to network segmentation may be explored in order to achieve comparable levels of resiliency.
collab ... harm an organization without the cooperation of others. In general, employees are less likely to engage in malicious acts if they should they
these processes through technical and nontechnical means. The separation of duties policy also requires implementation of least privilege, m
ongoing process, particularly when employees move through the organization as a result of promotions, transfers, relocations, demotions, an

Operational Requirement(s): Organizational leadership, operations and engineering staff should determine who (by job function) needs to kn
can be assigned. These levels of cybersecurity responsibilities will include but not limited to: Security of entire infrastructure, security of gro
of internal and external communications channels. The cybersecurity leadership can then develop cybersecurity policies and procedures, then
organization, these policies should be conveyed to the appropriate levels of executives, management, and staffing, such that everyone knows

Operational Requirement(s): * The organization may determine "who‐internally" needs to know "what" information, "when" and "how" wil
infrastructure related operations, network ops centers, engineering, technical management, program/project management, customer service,

Operational Requirement(s): * The organization may determine "who‐internally" needs to know "what" information, "when" and "how" will
network ops centers, engineering, technical management, program/project management, customer service,
been determined the organization
infrastructure
related operations, can
network set access controls
ops centers, ‐ business
engineering, process
technical rules within
management, various systems to allow authorized personnel to reac
Operational
whatwhen ‐ howRequirement(s):
can be * The
documented organization
and conveyed may
through determine
ongoing "who ‐internally"
training, to the needs
effected to program/project
know
personnel. "what" information,
*
management,
The "when"
organization
customerand
should
service,
"how" determwilI
been determined
infrastructure the organization
related operations, can
network set access controls
ops centers, ‐ business
engineering, process
technical rules within
management, various systems to allow authorized personnel to reac
Operational
whatwhen ‐how Requirement(s):
should * The
be documented organization
and conveyed maythrough
determine "who
ongoing ‐training,
internally" to needs
the to program/project
effected know "what" information,
personnel.
management,
* allow "when"
The authorized
organization
customerandmay service,
"how" wilI
determ
been determined
infrastructure the organization
related operations, should
network set
ops access
centers, controls ‐ business
engineering, process
technical rules
management, within various
program/projectsystems to management, customer personnelservice, to Ir
Operational
whatwhen ‐how Requirement(s):
may be documented* Organizations
andset conveyedmay consider deploying
through‐ business
ongoing varioustotools
training, and technologies
thewithin
effected personnel. to PREVENT
* allow / MITIGATE
The organization can/ RESPON
determine
been
Centers determined
should the organization
establish a benchmark must of what access controls
applicationsmay reside process
in the datacenter. rules various
This benchmark systems to authorized personnel to re
Operational
whatwhen ‐ howRequirement(s):
can be *
documented and Organizations
conveyed through ongoing considertraining,deploying
to the various
effected tools
personnel.and may *
include, but
technologies The
not limited/ to:
to PREVENT
organization may
File acti
MITIGATE
determine
in use / VM
(Cloud) quantities and activity.
DataRequirement(s):Organizations
Centers should establish a* benchmark
Organizations should
of what classify, compartmentalize
applications reside in the datacenter. and segment their critical
This benchmark may assets and data.
include, but not Establish
limitea
Operational
default trust is allowed for any entity, user, can monitor
device, and control
application, or critical
packet infrastructure
regardless of what assetit configuration
is and its location andin installation
the network. changes.* Only
Organiza
ports
databases / Protocols in use / VM
and stored data. * Organizations quantities and
Organizationsshould activity.
can also * Organizations
track andbandwidth, may
document physical classify,
the decommissioning compartmentalize of circuits,
equipment,and segment
systems, their critical
servers, networking assets and
Operational
Zones mean Requirement(s):
no default trust is allowed for any entity, ensure
user,thatdevice, application, circuits,
or packet virtual
regardless of what available
it is and its frequencies,
location incomputing the netwo
that failed critical
Operational infrastructure
Requirement(s): assets can have
* Organizations may their functions
consider shifted various
deploying to working toolsassets in order to maintain
and technologies to PREVENT maximum / MITIGATEdesired availability.
/ RESPON
Centers should establish a benchmark of what applications reside in the datacenter.
Operational Requirement(s): * Organizations may consider deploying various tools and technologies to PREVENT / MITIGATE / RESPON This benchmark may include, but not limited to: File acti
in use
Centers / VM
should quantities and activity.
establish a benchmark * Organizations
of what applications can classify,
reside in compartmentalize
the datacenter. and segment
Thisdevelopment
benchmark may their critical assets
include,systems, and
but not limited data. Establish “Z
Operational
default trust Requirement(s):
is allowed for anyOrganizations
entity, user, should
device, ensure
application,that all
or critical
packet infrastructure
regardless of what it is and andlocation
its testing in the servers,*to:
network.
File acti
storage
Organiza and
in use / VM
serving networksquantities and activity. * Organizations can classify, compartmentalize and segment their critical assets and data. Establish “Z
and systems.
default trust is allowed for any entity, user, device, application, or packet regardless of what it is and its location in the network. * Organiza
Operational Requirement(s): * Organizations may monitor and establish BASELINE critical infrastructure network traffic, file access, datab
breaches
Operational andRequirement(s):
attacks. * Organizations Organizations canusingscan and certify‐software
a systems all new networkdevelopment connected lifecycle and (SDLC)
mobile devices approach, beforemaythey can be placed
incorporate security intointose
in
in the datacenter. This
security functions and procedures benchmark may include,
before, can duringbut not limited
and after to: File
they implement activity / Authorized
any of the following Access Accounts
next‐gen technologies; / Data flow activity
Software / Software
Defined N
Operational
monitor and Requirement(s):
control critical asset Organizations
configuration monitor
and and control
installation changes. criticalOnly infrastructure
authorized staff assetand configuration
departments and may installation
be allowed changes.
to change Only th
databases
Operational and stored data. * Organizations
Requirement(s): Organizationsmay mayestablish
also track and document
a critical infrastructure the decommissioning
data and systemsofbackup equipment, policy, systems,
and required servers,procedures.
networking
Backups of critical data, system configurations, critical server images, virtual machine
Operational Requirement(s): Organizations can consider building a Security Team of staff or use external security resources with the followi images, emails, documents, files, videos, content and
decision
Legal based
Professional on the life expectancy of the
/ Security Operations *canOrganizations critical data and the impact
can monitor to the
and organization
control critical if such data
infrastructure was lost,
asset stolen or compromised.
Operational Requirement(s):Organizations monitor and control critical infrastructure asset configuration andconfiguration
installation changes. and installatio
Only a
software,
databases applications,
and stored databases
data. * and stored
Organizations data.
can also* Organizations
track and document can scan
the and certify
decommissioning all new ofnetwork
equipment, connected
systems, and mobile
servers, devices bef
networking
Operational Requirement(s): Organizations can strive to identify a cyber incident as rapidly as possible and reach incident containment withi
acceptable
can strive tolife expectancy
identify a cyber and usefulness
incident of critical
as rapidly data, then establish policies and proceduresand to destroy data within
that is no 1 tolonger relevant * to t
Operational Requirement(s): Organizations mayas possible
share what and theyachieve
learn about full business
Threats, recovery Attacks, Signatures, remediation and remediation/recovery 24 hours. informa Org
learned from
security everydivulge
and Requirement(s):
never cyber incident.
critical This lessons
details of theirlearned
cyber catalog canand
protection, include,
recovery but not limited to:
procedures and malware
technologies behaviors in public/ attacker activities during
fora. Technology
Operational
artifacts / compromised system * Organizations
accounts. * may develop/document
Organizations should bea vigilant formalized againstIncident
Advance Response Plan.Threats
Persistent This Incident
(APTs)Response by constantly Plan Reqsho
mo
procedures.
/Operational
Recovery / Requirement(s):
and Lessons Learned. * Organizations may TEST formalized Incident Response Plans on a regular and frequent basis. This IncidentaR
This Incident Response Plan may be approved by the highest levels of organizational leadership and by
Recovery(DR)
Incident ‐Threat Plan. This Business
Eradication Continuity/Disaster
/ Organizations,
Recovery / andsub Lessons Recovery
Learned. ThisPlan may contain,
Incident Response but TESTING
not limitedmay to the befollowing
coordinated areas: with / Equipment
all levels assets offailu
orga
Operational
Software Requirement(s):
(Viruses, Worms, Trojan horses) attack ‐organizations
/ HackingInternet and allattacks
data owners/ terrorist who manage
attacks / and/ maintain
Fire Natural information
disasters (Flood, technology
Earthquake, Hc
Continuity(BC)/Disaster
destroy all account Recovery(DR)
privilegesOrganizations
for employeesmay Plans on a regular
that establish
have departed and frequent basis.
the organization. This Business Continuity/Disaster
* Organizationsmanagement may develop Recovery
andasimplement TESTING a Mobile may D
Operational
procedures Requirement(s):
/control
and Lessons Learned. Thisconnections
Business Continuity/Disaster and document a Threats/Vulnerabilities
Recovery TESTING may be coordinated plan
with levels it relates to critical
of organizational in
Encryption
limited to: Unauthorized / Authorized
Access system
/ Data Breaches / / Mobile/ DDoS
Malware Device/ Threats
Advanced / Mobile
Persistent Device Threats Security
/ Zero testing
‐ day / Mobile
Attacks / device
Phishing patching
/ SQL and
Injec
Operational
Organizations Requirement(s):
may deploy Organizations maycontinuous
monitor and control critical infrastructure asset configuration and installation changes.
but notOnly
network,
databases system,
and storeddata, and ENDPOINT
data. storage
* Organizations
device
information. can * Organizations
classify,
monitoring
compartmentalizemayand security
consider
and
management
executing
segment penetration
their
functions.
critical testing
assets
ENDPOINTs
and and vulnerability
data.
include
Establish scanning
“Zones”
lim
ofexev
Operational
assets are Requirement(s):
created and exposed Organizations
to attackers may
for the monitor
purpose and
of control
learning critical
attack infrastructure
signatures and asset
attack configuration
behaviors forand use installation
in protecting changes.
“Real” Only
criti
allowed
databases forand any entity, user, device,
stored data. * Organizations application,
Organizations or packet
cancollect
classify, regardless
compartmentalize of what it is and
and segment its location in
their critical the network.
assets and *
data. Organizations
Establish may
“Zones” on
Operational
suborganizations. Requirement(s):
* Organizations may may
collect data and data
trackandall track all activities
activities with with critical
critical assets. infrastructure
Thisinmay assets.
include, but Thisnot may
limited include, butofn
to logging
is
theseallowed for any
events Requirement(s): entity,
occurred and who user, device, application,
conducted these or packet regardless of what it is and its location the network. * Organizations may o
Operational
suborganizations. * OrganizationsOrganizations may collectmayactivities.
identify
data andall possible
track threats and
all activities withvulnerabilities
critical assets.toThis theirmay infrastructure
include, butassets, not limitedincluding, but n
to logging
Injections
Operational / USB injected bots* / The
Requirement(s): and False alarms.can
organization * determine
Organizations "whomay deploy ENDPOINT
‐internally" needs to know device
"what" continuous
information, monitoring"when"and andsecurity
"how" will man
drives ‐ devices
infrastructure / Bluetooth
related operations, devices / hubs
network ops / any devices
centers, that connects
engineering, to the public
technical management, Internet and external
program/project (Cloud) data
management, centers. customer service, I
Operational Requirement(s): Organizations may protect critical infrastructure related physical and virtual circuits, networks and communicat
business process rules within various systems to allow authorized personnel to
the latest cyber/network security best practices. * Organizations can stay abreast of the latest types of attacks against communications reach their required information, when they need it to perform
prot
the direct connection to a public network. * The Organization can implement an Access‐Permission policy based on Separation of duties an
Operational Requirement(s): The organization and appropriate staff can develop, document, and maintain under configuration control, a curr
system
Operational components (e.g. standard
Requirement(s): software packages
The organization installed on
and appropriate staffworkstastions,
can correlatenotebook computers, servers,
incident information and individualnetworkincident components, responses or mobi
to a
organizational
automated informational
mechanisms to systems
integrate change
audit review,over time.
analysis, * The
and organization
reporting may
processes determine
to support "who ‐internally"
organization needs
processes to forknow "what"
investigation informat
and ref
Operational
Tiers I,II,III Requirement(s):
of operations, The organization
network ops centers, and appropriate
engineering, staff canmanagement,
technical properly track and document management,
program/project information system customer security
service, incidents
IT, sale
organization
analysis ‐wide
of incident situational
information. awareness.
Also, * Organizations
the organization should
and appropriate conduct staff frequent
may develop correlation
an incident of threat intelligence
response to plan with
that defines collected network
the resource
Operational
attacker to wipe Requirement(s):
maliciousnetwork Thefiles
code, organization
and toolsets andfrom appropriate
compromised staff can coordinate
systems with
–ormodifications,
‐ to external
monitor the organizations
attacker’s activity correlate
in order andto share
gain incident
further
and
may establish
also employ BASELINE
automatic tools totraffic,
support file access,
near real ‐ database
time analysisactivity,
of software
events. * The organization stored data
may access,
also identifyand overall
critical assets
information behavis
Operational
system, data, Requirement(s):
and storage When organizations
information collection, employ
and monitoring,
alertBreaches
upon deviations scanning from and
normal collection
BASELINE functions, assetand baselines
behavior. have
*/ Zero been set for
Organizations can'norco
including,
aOperational but not
minimum. Requirement(s): limited to:
This can be an iterative Unauthorized process and Access / Data
theappropriate
thresholds staff should / Malware
be adjusted / DDoS / Advanced
as the organization Persistent
learns Threats
more details of ‐day Attacks
'normal' of / Ph
behavio
The organization and monitors the
incidents. These consequences may include, but not limited to degradation of public trust / financial and market losses / degradation of brandinformation system to detect attacks and indicators poten
local, network,
Operational and remote connections.
Requirement(s): For critical To accomplish the
infrastructure, thisorganization
organizationand mayappropriate
deploy monitoring staff maydevices establish strategically
procedureswithin the information
for monitoring and al
transactions
complement of
the interests
cyber to the
security organization.
measures taken * to Organizations
protect assets may
that continuously
are part of the monitor
information and establish
system. BASELINE
When developing network a traffic,for
program filephys
acc
Operational
unauthorized Requirement(s):
access, breaches The
and organization
attacks. * and appropriatemay
Organizations staffconsider
may identify executing and select the proper
penetration testing typesand ofvulnerability
critical infrastructurescanning inform
exercise
*information
Organizations accounts,can monitor
establish and control critical asset and configuration and installation changes. Only authorized staff and departments may be
Operational
organization Requirement(s):
may determine Foraccount
whom critical
within,
privileges,
infrastructure,
internal and the
monitor
external
the use
organization
to the entire
of
andinformation
appropriate
organization,
system
staff
may
accounts,
employs
be allowed
including
malicious
"PHYSICAL"
deleting
code protectionaccounts
accessthese
promptl
mechanism
to critical
logging
code of all logins, applications
protection to perform periodic used, files accessed/copied/downloaded,
scansinfrastructure,
of the information system at a defined all doors opened,
frequency andInternet
realdefineconnections/URLs
‐time scans of files /
from timesexternal sources eventsn
Operational
the threat of Requirement(s):
an insider cyberattack. For critical * The organization the organization
can carefullyand audit appropriate
user access staff may
permissions whenacceptable
an employee and unacceptable
changes roles mobil
in th
acceptable
Operational Requirement(s): For critical infrastructure, organizations may require that service providers of external information system withi
mobile code and mobile code technologies. * The organization may authorize, monitor, and control the use of mobile code servi
and
an Securitybasis.
ongoing Plan‐Policy. This plan may
* Organizations include but
can monitor and not limited
control to: Authorized
critical assetand access control
configuration and / VPN Access
installation changes. control*/ Encryption Organizations controlcan /claA
Operational
device patching Requirement(s):
and update For critical
frequency / infrastructure,
Loss of Device the organization
procedures / Employee appropriate
termination staff may develop
procedures / a monitoring
Employee mobile strategy
device and implem
responsibil
for the most
metrics. critical
TheRequirement(s):
organizationdata and cannetwork
analyze assets. Zerothe
andinfrastructure,
assess ‐Trust Zones mean
information thatno default trust
is generated byisthis allowed
monitoring for any entity, user, device, application, or pa
Operational
network access and andapplications For tocritical
only authorized usersthe andorganization
authorized and appropriate
suborganizations. staff * can scanprogram
Organizations
for any
for vulnerabilities
mayand collect
anomalies
indata
theand or security
information
track all as
stored data
identified andaccess, overall
reported. The process assets behavior,
may include in order to better detect anomalies, unauthorized access, breaches attacks.
Operational Requirement(s): The organization andanalyzing
appropriate the staff
scansdevelops
and correcting a security legitimate
assessment vulnerabilities.
plan that describes * Organizations
the scope ofmay cons
the asses
infrastructure assets. Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organization
where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organization they are ser
operations and engineering staff should determine who (by job function) has various levels of cybersecurity responsibilities and leadership sh
Operational Requirement(s): For critical infrastructure, the organization and appropriate staff should develop a plan to monitor the informatio
are in accordance
Operational with applicable
Requirement(s): federal laws, and
The organization privacy considerations,
appropriate staff may Executive
test critical Orders, directives,
infrastructure policies,
intrusion or regulations.
‐monitoring tools at a defined fre
objectives
Operational Requirement(s): The organization and appropriate staff may share information obtained from the vulnerabilityexercises
of the organization. * Organizations may consider executing penetration testing and vulnerability scanning scanningon a perio
process
systems.
Operational ThisRequirement(s):
could include automatic
The organization alerts from andthe information
appropriate staffsystem itself that
may analyze conveys the information
communication traffic/eventtopatternsthe appropriate staff. infrastr
for the critical * Org
and overall
system ‐ assets behavior,
monitoring devices inreduce
to order tothe better
number detectof anomalies,
false positivesunauthorized
and the access,ofbreaches
number false and attacks.
negatives. In * Organizations
addition, the organization can conduct
may usefrst
Operational
share and used Requirement(s):
learn Threat, Attack,The organization
Signature, and appropriate
and remediation staff maywith
information provide the capability
andempirical
from trusted to restore critical
organizations, infrastructure
government entitiesinformation
andusetrusted
activities
identify classes in continuous
of incidents and monitoring
the process
appropriateand need
responsesto be modified
to these based on data. * Organizations may consider the of “S
Operational
signatures Requirement(s):
and attack behaviors The fororganization
use in protecting supporting
“Real” staffincidents
critical may
assets. developto ensure
*
a response
an incident
Organizations can
plan plan
response strive
can be
to
carefully
that provides
identify a
carried
cyber a roadmap out. for
incident
* imple
as
Organ
rapidl
should track and
organization; and measure performance
defines reportable times and
incidents etc. seeksplan waysmay to reduce time totocontainment. * Organizations can strive to identifyas it arelate
cybe
Operational
measure Requirement(s):
performance times Theseeks
and organization
ways to andThis
reduceappropriate
time to
be require
staff
Recovery.
provided
* the organization
reporting
Organizations
‐defined
of can
suspect
catalog
incident
security
lessons
response
incidents
learned
personnel
within
from a specified
every cyber time
inci
may
chain contain,
for but not limited
information systems toorthe following areas:
information system Preparation
components / Incident
related toIdentification
the incident. / Incident
* Containment
Organizational / Incidentoperations
leadership, ‐Threat Eradication
and eng
Operational
all Requirement(s):
data/system/network The organization
owningresponsibilities and appropriate staff may incorporate into their critical
business units.and leadership should be assigned. The cybersecurity leadership may then develop cybersecur infrastructure information system mon
various levelsdeploys
organization of cybersecurity
near realThe time analysis of and events and anomalies that coordinate
occur within
Operational
are established Requirement(s):
within an organization,organization
theseinformation
policies appropriate
may be and staff may
conveyed to the appropriate its the information
contingency
levels plan system.
of executives, with the This analysis may
contingency
management, andplansnotofonly
staffing,externin
suc
Threat,
Signature, Attack, Signature, and remediation with from trusted organizations, government entities and trusted peers.
Operationaland remediation information
Requirement(s): The organization with and andfrom trusted organizations,
appropriate staff establishgovernment entities contact
and institutionalize and trusted withpeers.
selected * groups
The organization
and associatio can
take
and into account "all" external
directives from these organizations communicationson an ongoing with: vendors/suppliers,
basis. * staff Organizations emergency responders, government officials, peers, customers, pub
Operational
eCommerce Requirement(s):
interfaces, mobile/remoteThe organizationemployees andetc.
appropriate
* Once these may reviewmay
communication andshare
analyzesand learn
paths and criticalThreat,
flows
Attack, Signature,
infrastructure information
have been determined
and remediatio
thesystem audit
organizatio
information system provides the capability to centrally review and analyze audit records from
Operational Requirement(s): Organization can determine the consequences of various cyber incidents as it relates to critical infrastructure. T multiple components within the system. Auto
Organizations
degradation of may
brandconduct frequent
reputation correlation of infrastructure.
threat intelligence with collected network, system, data, staffand storage incident
information. * Orga
Operational
should track Requirement(s):
and measure The/ impact
performance organizationto critical
times andseek
and appropriate
ways to staff
reduce
*may Thedeploy
organization
timewith a critical
to containment.
and appropriate
infrastructure
* Organizations
correlates
information may system
decidechain. which information
whether provides
to respoa
also
such coordinate
information incident
in a handling
summary activities
format that involving
is more supply
meaningful chain
to events
analysts. * other organizations
Organizations may involved
consider in the
building supply
a Security *
Team Organiz
of staf
Operational
behaviors Requirement(s):
/ attacker activities The
duringorganization
compromise and /appropriate
network staff ‐can
‐system datatrack and document
anomalies andconduct criticalfrom
deviations infrastructure
the BASELINE information system securit
/ Applications and s
Compliance Auditor / Legal Professional / Security Operations * Organizations can
Organizations may catalog lessons learned from every cyber incident. This lessons learned catalog may include, but not limited to: malware frequent correlation of threat intelligence with
This lessons
software thatlearned catalog should
can be disabled / artifactsinclude, but not limited
/ compromised systemto:accounts.
malware behaviors* Organizations/ attacker may activities
share and during
learncompromise
Threat, Attack, / network ‐system
Signature, an
Operational Requirement(s): An organization and appropriate staff can coordinate incident handling activities with contingency planning act
officials,
Operational andRequirement(s):
physical and personnel For critical security offices. *appropriate
infrastructure, Organizations can striveOperations
and adequate to identify staff a cybercanincident
implement as rapidly
incidentashandling
possible measures
and reach
containment.
may include Requirement(s):
lessons learned from ongoing incident handling activities. These measures should alsodevelop
be incorporated into monitoring
training andstrategytesting
Operational For critical infrastructure, the organization and appropriate staff may a continuous
remediation
which within
to monitor 1 to 24
them, and thehours. Organizations may track and measure performance times and seek ways to reduce time to Recovery.
Operational Requirement(s): Thefrequency
organization in which to employ such
and appropriate staff monitoring.
should not only * incorporate
The organization lessonsand appropriate
learned from withinstaff can the update this r
organization
threats
aligned and vulnerabilities
withRequirement(s): to their assets,
the organization.The* organization including,
Organizations but
can not limited
catalog lessons to: Unauthorized
learned from Access / Data
every cyberresponse Breaches
incident.strategies / Malware
This lessons / DDoS / Advanced P
Operational
lessons learned from every cyber incident. This and appropriate
lessons learned staff
catalogmay revisit
may the developed
include, but not limited to: malware on a learned
behaviorsscheduled
/
catalog
attacker
can
andinc
basisactiviti r
the BASELINE
catalog lessons / Applications
learned from everyand cyber
software that can
incident. be lessons
This disabledlearned
/ artifacts / compromised
catalog may include, system accounts.
but critical
not limited to: malware behaviorssystem / attacker
Operational Requirement(s): The organization provides for the recover and reconstitution of the infrastructure information to
disabled /
organizational artifacts / compromised
information systems system
to fully accounts.
operational states. * Organizations can strive to identify a cyber incident as rapidly as possible
Operational Requirement(s): The organization and appropriate staff should not only incorporate lessons learned from within the organization and seek ways to reduce time to *Recovery. Organizations can catalog lessons learned from every cyber incident and how the business functions were aligned with the organization.

Operational Requirement(s): For critical infrastructure, appropriate and adequate Operations staff may implement incident handling measures; these should include lessons learned from ongoing incident handling activities. These measures may also be incorporated into training and testing as ...

Operational Requirement(s): For critical infrastructure, the organization and supporting staff can identify external compliance requirements; requirements are addressed and communicated. *The lessons learned catalog may include, but is not limited to: Business Continuity (BC) / Disaster Recovery (DR) / malware behaviors / attacker activities during compromise / network ‐system ‐data anomalies and deviations from the BASELINE / Applications disabled / artifacts / compromised system accounts.

Operational Requirement(s): For critical infrastructure, the organization and supporting staff may identify external compliance requirements; requirements are addressed and communicated. The organization may determine the consequences of various cyber incidents. These conseq... critical infrastructure. *Organizations may have appropriate press releases and official notifications prepared and delivered in a timely ma... adoption and adaptation.

Operational Requirement(s): The appropriate staff and organization leaders may identify essential missions and business functions and their ... individuals. Once finalized, the organization may distribute copies of this plan, update the plan as need be, and protect the plan from unautho... The organization can determine the consequences of various cyber incidents. These consequ... critical infrastructure. *Organizations can have appropriate press releases and official notifications prepared and delivered in a timely man... adoption and adaptation.

"how" will that information be delivered. The organization can take into account "all" internal communications with: Tiers I, II, III of operatio..., billing, accounting, human resources, security offices etc. *Once these communication paths and flows have been determined the organi...
Critical Manufacturing Sector
Source: Critical Manufacturing Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/publication/critical-manufacturing-cybersecurity-framework-implementation-guidance#:~:text=The%20Critical%20Manufacturing%20Sector%20Cybersecurity%20Framework%20Implementation%20Guidance,Institute%20of%20Standards%20and%20Technology%20%28NIST%29%20in%202014.

Columns: Function | Category | Subcategory | ANSI/ISA 62443 Series | NISTIR 8183 Cybersecurity Framework Manufacturing Profile
Marks: [X X] = mapped in both the ANSI/ISA 62443 Series and NISTIR 8183 columns; [X] = mapped in one of the two (the column position did not survive extraction); no mark = no mapping shown.

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried  [X X]
ID.AM-2: Software platforms and applications within the organization are inventoried  [X X]
ID.AM-3: Organizational communication and data flows are mapped  [X X]
ID.AM-4: External information systems are catalogued  [X]
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value  [X X]
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established  [X X]

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization's role in the supply chain is identified and communicated  [X]
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated  [X]
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated  [X X]
ID.BE-4: Dependencies and critical functions for delivery of critical services are established  [X]
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states  [X]

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated  [X X]
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners  [X X]
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed  [X X]
ID.GV-4: Governance and risk management processes address cybersecurity risks  [X X]

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented  [X X]
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources  [X X]
ID.RA-3: Threats, both internal and external, are identified and documented  [X X]
ID.RA-4: Potential business impacts and likelihoods are identified  [X X]
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk  [X]
ID.RA-6: Risk responses are identified and prioritized  [X]

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders  [X X]
ID.RM-2: Organizational risk tolerance is determined and clearly expressed  [X X]
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis  [X]

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders  [X]
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process  [X]
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan  [X]
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations  [X]
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers  [X]

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes  [X X]
PR.AC-2: Physical access to assets is managed and protected  [X X]
PR.AC-3: Remote access is managed  [X X]
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties  [X X]
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)  [X X]
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions  [X]
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction  [X]

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained  [X X]
PR.AT-2: Privileged users understand their roles and responsibilities  [X X]
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities  [X X]
PR.AT-4: Senior executives understand their roles and responsibilities  [X X]
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities  [X X]

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected  [X X]
PR.DS-2: Data-in-transit is protected  [X X]
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition  [X X]
PR.DS-4: Adequate capacity to ensure availability is maintained  [X X]
PR.DS-5: Protections against data leaks are implemented  [X X]
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity  [X X]
PR.DS-7: The development and testing environment(s) are separate from the production environment  [X]
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity  [X]

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)  [X X]
PR.IP-2: A System Development Life Cycle to manage systems is implemented  [X X]
PR.IP-3: Configuration change control processes are in place  [X X]
PR.IP-4: Backups of information are conducted, maintained, and tested  [X X]
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met  [X X]
PR.IP-6: Data is destroyed according to policy  [X X]
PR.IP-7: Protection processes are improved  [X X]
PR.IP-8: Effectiveness of protection technologies is shared  [X]
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed  [X X]
PR.IP-10: Response and recovery plans are tested  [X X]
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)  [X X]
PR.IP-12: A vulnerability management plan is developed and implemented  [X]

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools  [X X]
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access  [X X]

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy  [X X]
PR.PT-2: Removable media is protected and its use restricted according to policy  [X X]
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities  [X X]
PR.PT-4: Communications and control networks are protected  [X X]
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations  [X]

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed  [X X]
DE.AE-2: Detected events are analyzed to understand attack targets and methods  [X X]
DE.AE-3: Event data are collected and correlated from multiple sources and sensors  [X X]
DE.AE-4: Impact of events is determined  [X]
DE.AE-5: Incident alert thresholds are established  [X X]

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events  [X X]
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events  [X X]
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events  [X X]
DE.CM-4: Malicious code is detected  [X X]
DE.CM-5: Unauthorized mobile code is detected  [X X]
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events  [X]
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed  [X]
DE.CM-8: Vulnerability scans are performed  [X X]

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability  [X X]
DE.DP-2: Detection activities comply with all applicable requirements  [X X]
DE.DP-3: Detection processes are tested  [X X]
DE.DP-4: Event detection information is communicated  [X X]
DE.DP-5: Detection processes are continuously improved  [X X]

RESPOND (RS)

Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident  [X X]

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed  [X X]
RS.CO-2: Incidents are reported consistent with established criteria  [X X]
RS.CO-3: Information is shared consistent with response plans  [X X]
RS.CO-4: Coordination with stakeholders occurs consistent with response plans  [X X]
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness  [X]

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated  [X X]
RS.AN-2: The impact of the incident is understood  [X X]
RS.AN-3: Forensics are performed  [X X]
RS.AN-4: Incidents are categorized consistent with response plans  [X X]
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained  [X X]
RS.MI-2: Incidents are mitigated  [X X]
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks  [X]

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned  [X X]
RS.IM-2: Response strategies are updated  [X]

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident  [X]

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned  [X X]
RC.IM-2: Recovery strategies are updated  [X]

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRTs), and vendors).
RC.CO-1: Public relations are managed  [X]
RC.CO-2: Reputation is repaired after an incident  [X]
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams  [X]

Additional columns in the source: Cyber Resilience Review (CRR) | Cybersecurity Evaluation Tool (CSET) | Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1. [The per-row marks for these three columns did not survive extraction and are not reproduced here.]
Dams Sector
Source: Dams Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Dams_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf

Columns: Function | Category | Subcategory | Dams Sector Cybersecurity Capability Maturity Model (Dams-C2M2) | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards
Marks: [X X] = mapped in both the Dams-C2M2 and NERC CIP columns; [X] = mapped in one of the two (the column position did not survive extraction).

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried  [X]
ID.AM-2: Software platforms and applications within the organization are inventoried  [X X]
ID.AM-3: Organizational communication and data flows are mapped  [X X]
ID.AM-4: External information systems are catalogued  [X X]
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value  [X X]
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established  [X X]

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization's role in the supply chain is identified and communicated  [X X]
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated  [X]
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated  [X]
ID.BE-4: Dependencies and critical functions for delivery of critical services are established  [X X]
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states  [X]

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated  [X X]
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners  [X X]
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed  [X]
ID.GV-4: Governance and risk management processes address cybersecurity risks  [X X]

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented  [X X]
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources  [X]
ID.RA-3: Threats, both internal and external, are identified and documented  [X X]
ID.RA-4: Potential business impacts and likelihoods are identified  [X]
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk  [X X]
ID.RA-6: Risk responses are identified and prioritized  [X]

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders  [X X]
ID.RM-2: Organizational risk tolerance is determined and clearly expressed  [X]
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis  [X]

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders  [X X]
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process  [X X]
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan  [X X]
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations  [X X]
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers  [X X]

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes  [X X]
PR.AC-2: Physical access to assets is managed and protected  [X X]
PR.AC-3: Remote access is managed  [X X]
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties  [X X]
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)  [X X]
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions  [X X]
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction  [X X]

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained  [X X]
PR.AT-2: Privileged users understand their roles and responsibilities  [X X]
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities  [X]
PR.AT-4: Senior executives understand their roles and responsibilities  [X]
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities  [X X]

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected  [X X]
PR.DS-2: Data-in-transit is protected  [X X]
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition  [X]
PR.DS-4: Adequate capacity to ensure availability is maintained  [X]
PR.DS-5: Protections against data leaks are implemented  [X X]
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity  [X X]
PR.DS-7: The development and testing environment(s) are separate from the production environment  [X X]
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity  [X X]

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)  [X X]
PR.IP-2: A System Development Life Cycle to manage systems is implemented  [X]
PR.IP-3: Configuration change control processes are in place  [X X]
PR.IP-4: Backups of information are conducted, maintained, and tested  [X X]
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met  [X]
PR.IP-6: Data is destroyed according to policy  [X X]
PR.IP-7: Protection processes are improved  [X]
PR.IP-8: Effectiveness of protection technologies is shared  [X]
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed  [X X]
PR.IP-10: Response and recovery plans are tested  [X X]
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)  [X X]
PR.IP-12: A vulnerability management plan is developed and implemented  [X X]

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools  [X X]
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access  [X X]

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy  [X X]
PR.PT-2: Removable media is protected and its use restricted according to policy  [X X]
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities  [X]
PR.PT-4: Communications and control networks are protected  [X X]
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations  [X X]

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed  [X X]
DE.AE-2: Detected events are analyzed to understand attack targets and methods  [X X]
DE.AE-3: Event data are collected and correlated from multiple sources and sensors  [X]
DE.AE-4: Impact of events is determined  [X]
DE.AE-5: Incident alert thresholds are established  [X]

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events  [X X]
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events  [X X]
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events  [X]
DE.CM-4: Malicious code is detected  [X X]
DE.CM-5: Unauthorized mobile code is detected  [X]
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events  [X]
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed  [X X]
DE.CM-8: Vulnerability scans are performed  [X X]

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability  [X]
DE.DP-2: Detection activities comply with all applicable requirements  [X]
DE.DP-3: Detection processes are tested  [X]
DE.DP-4: Event detection information is communicated  [X X]
DE.DP-5: Detection processes are continuously improved  [X]

RESPOND (RS)

Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident  [X X]

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed  [X X]
RS.CO-2: Incidents are reported consistent with established criteria  [X X]
RS.CO-3: Information is shared consistent with response plans  [X X]
RS.CO-4: Coordination with stakeholders occurs consistent with response plans  [X X]
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness  [X X]

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated  [X X]
RS.AN-2: The impact of the incident is understood  [X]
RS.AN-3: Forensics are performed  [X]
RS.AN-4: Incidents are categorized consistent with response plans  [X X]
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources  [X X]

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained  [X]
RS.MI-2: Incidents are mitigated  [X]
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks  [X]

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned  [X X]
RS.IM-2: Response strategies are updated  [X X]

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident  [X X]

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned  [X X]
RC.IM-2: Recovery strategies are updated  [X X]

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRTs), and vendors).
RC.CO-1: Public relations are managed  [X]
RC.CO-2: Reputation is repaired after an incident  [X]
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams  [X X]

Additional columns in the source: Electricity Subsector Cybersecurity Risk Management Process (RMP) | Cyber Resilience Review (CRR) | Cybersecurity Evaluation Tool (CSET) | Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1. [The per-row marks for these four columns did not survive extraction and are not reproduced here.]
Defense Industrial Base Sector
Source: NIST SP 800-171
URL: https://www.cisa.gov/sites/default/files/publications/DIB_Guide_to_Implementing_the_Cybersecurity_Framework_S508C.PDF **
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/csf-v1-0-to-sp800-171rev2-mapping.xlsx

Columns: Function | Category | CSF Subcategory | CUI Requirement (SP 800-171)
A subcategory listed without a requirement number has no mapping; see the Mapping Disclaimer below.

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
ID.AM-1: 3.4.1
ID.AM-2: 3.4.1
ID.AM-3: 3.1.3, 3.13.1
ID.AM-4: 3.1.20, 3.1.21
ID.AM-5
ID.AM-6

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1
ID.BE-2
ID.BE-3
ID.BE-4
ID.BE-5

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1
ID.GV-2
ID.GV-3
ID.GV-4

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: 3.11.1, 3.11.2, 3.12.1, 3.12.3, 3.14.1, 3.14.3, 3.14.6, 3.14.7
ID.RA-2: 3.14.1, 3.14.3
ID.RA-3: 3.11.1, 3.14.1, 3.14.3
ID.RA-4: 3.11.1
ID.RA-5: 3.11.1
ID.RA-6

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1
ID.RM-2
ID.RM-3

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. (No ID.SC subcategory rows appear in this mapping, which is based on CSF v1.0.)

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: 3.5.1, 3.5.2, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11
PR.AC-2: 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5
PR.AC-3: 3.1.1, 3.1.2, 3.1.14, 3.1.15, 3.1.18, 3.1.20, 3.13.9, 3.13.12
PR.AC-4: 3.1.1, 3.1.2, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.10, 3.1.11, 3.5.3, 3.5.4, 3.13.3, 3.13.4
PR.AC-5: 3.1.3, 3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.7

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: 3.2.1, 3.2.2, 3.2.3
PR.AT-2: 3.2.1, 3.2.2
PR.AT-3
PR.AT-4: 3.2.1, 3.2.2
PR.AT-5: 3.2.1, 3.2.2

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: 3.1.19, 3.8.1, 3.8.9, 3.13.10, 3.13.16
PR.DS-2: 3.1.13, 3.1.17, 3.8.5, 3.13.8, 3.13.10
PR.DS-3: 3.4.1, 3.8.1, 3.8.2, 3.8.3, 3.8.5
PR.DS-4
PR.DS-5: 3.1.4, 3.1.13, 3.2.3, 3.9.2, 3.13.1, 3.13.5, 3.13.6, 3.13.7, 3.13.8, 3.13.11, 3.13.16, 3.14.6
PR.DS-6
PR.DS-7

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: 3.4.1, 3.4.2, 3.4.6, 3.4.7, 3.4.8
PR.IP-2
PR.IP-3: 3.4.3, 3.4.4, 3.4.5
PR.IP-4
PR.IP-5
PR.IP-6: 3.8.3
PR.IP-7
PR.IP-8
PR.IP-9: 3.6.1, 3.6.2
PR.IP-10: 3.6.3
PR.IP-11: 3.9.1, 3.9.2
PR.IP-12: 3.11.2, 3.11.3, 3.12.2, 3.12.3, 3.14.1, 3.14.2, 3.14.3

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.6
PR.MA-2: 3.7.5

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9
PR.PT-2: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8
PR.PT-3: 3.1.1, 3.1.2, 3.4.6, 3.4.7, 3.4.8
PR.PT-4: 3.1.16, 3.1.17, 3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.7, 3.13.15

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1
DE.AE-2: 3.3.1, 3.3.2, 3.3.5, 3.6.1, 3.14.6, 3.14.7
DE.AE-3: 3.3.5
DE.AE-4: 3.11.1
DE.AE-5: 3.6.1, 3.6.2

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: 3.13.1, 3.14.6, 3.14.7
DE.CM-2: 3.10.2, 3.10.3
DE.CM-3: 3.1.12, 3.3.1, 3.3.2, 3.4.9
DE.CM-4: 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5
DE.CM-5: 3.13.13
DE.CM-6: 3.14.6, 3.14.7
DE.CM-7: 3.1.12, 3.3.1, 3.10.2, 3.10.3, 3.14.6, 3.14.7
DE.CM-8: 3.11.2

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1
DE.DP-2: 3.12.1, 3.12.3, 3.14.6, 3.14.7
DE.DP-3: 3.10.4, 3.12.1, 3.12.3
DE.DP-4
DE.DP-5

RESPOND (RS)

Response Planning (RS.RP)

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: 3.6.3
RS.CO-2: 3.6.2
RS.CO-3
RS.CO-4: 3.6.1
RS.CO-5

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: 3.3.5, 3.6.1, 3.6.2
RS.AN-2: 3.11.1
RS.AN-3
RS.AN-4: 3.6.1, 3.6.2

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: 3.6.1, 3.6.2
RS.MI-2: 3.6.1, 3.6.2
RS.MI-3: 3.11.1, 3.11.2, 3.11.3, 3.12.2, 3.12.4, 3.14.1

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: 3.6.1, 3.6.2
RS.IM-2: 3.6.2

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: 3.6.1, 3.6.2

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: 3.6.1, 3.6.2
RC.IM-2: 3.6.1, 3.6.2

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRTs), and vendors).
RC.CO-1
RC.CO-2
RC.CO-3: 3.6.1, 3.6.2

CSF to SP 800-171 Mapping Disclaimer
This document provides a mapping between the Cybersecurity Framework (CSF) Subcategories and the Controlled Unclassifie
mappings included in this document show an equivalency of requirements (in whole or in part) between the two publicatio
reviewing and using this mapping.

NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems
The requirements recommended for use in SP 800-171 are derived from FIPS Publication 200 and the moderate security contr
2002, Controlled Unclassified Information). The tailoring criteria applied to the FIPS Publication 200 security requirements and
of those requirements and controls; rather, the tailoring criteria focuses on the protection of CUI from unauthorized disclos

Since the security requirements are derivative from the NIST publications listed above, organizations should not assume that s
controls in FIPS Publication 200 and Special Publication 800-53. In addition to the security objective of confidentiality, the obje
establishing and maintaining a comprehensive information security program. While the primary purpose of SP 800-171 is to de
confidentiality and integrity since many of the underlying security mechanisms at the system level support both security objec

Some SP 800-171 security requirements are not mapped to any CSF subcategories due to the scoping of SP 800-171 which is f
requirements supporting availability and integrity are not addressed in SP 800-171) and assumes some security best practices
171 Appendix E). Note also that some CSF subcategories are not mapped to SP 800-171 CUI security requirements for similar r
needed to protect CUI. The following are the SP 800-171 security requirements that could not logically be mapped to CSF subc

CUI Requirement Description

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and docum
throughout themaintain
Establish and respective systemconfigurations
baseline development life
and cycles.
inventories of organizational systems (including hardware, software, firmware, and docum
throughout the respective system development life cycles.
Control the flow of CUI in accordance with approved authorizations.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries
internal boundaries of organizational systems.
Verify and control/limit connections to and use of external systems.
Limit use of organizational portable storage devices on external systems.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting the system are identif
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Identify, report, and correct information and system flaws in a timely manner.
Monitor system security alerts and advisories and take actions in response.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
Identify unauthorized use of organizational systems.
Identify, report, and correct information and system flaws in a timely manner.
Monitor system security alerts and advisories and take actions in response.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Identify, report, and correct information and system flaws in a timely manner.
Monitor system security alerts and advisories and take actions in response.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.

Identify system users, processes acting on behalf of users, and devices.


Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.
Prevent reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity.
Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.
Allow temporary password use for system logons with an immediate change to a permanent password.
Store and transmit only cryptographically-protected passwords.
Obscure feedback of authentication information.
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Protect and monitor the physical facility and support infrastructure for organizational systems.
Escort visitors and monitor visitor activity.
Maintain audit logs of physical access.
Control and manage physical access devices.
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Route remote access via managed access control points.
Authorize remote execution of privileged commands and remote access to security-relevant information.
Control connection of mobile devices.
Verify and control/limit connections to and use of external systems.
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Use non-privileged accounts or roles when accessing nonsecurity functions.
Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Limit unsuccessful logon attempts.
Use session lock with pattern-hiding displays to prevent access and viewing of data after period of inactivity.
Terminate (automatically) a user session after a defined condition.
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Separate user functionality from system management functionality.
Prevent unauthorized and unintended information transfer via shared system resources.
Control the flow of CUI in accordance with approved authorizations.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries
internal boundaries of organizational systems.
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information secur
organizational systems.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some
connection to resources in external networks. (i.e. split tunneling).
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their
of the applicable policies, standards, and procedures related to the security of those systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their
of the applicable policies, standards, and procedures related to the security of those systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities
No mapping; see Mapping Disclaimer.
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their
of the applicable policies, standards, and procedures related to the security of those systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their
of the applicable policies, standards, and procedures related to the security of those systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities
Encrypt CUI on mobile devices and mobile computing platforms.
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Protect the confidentiality of backup CUI at storage locations.
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Protect the confidentiality of CUI at rest.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Protect wireless access using authentication and encryption.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternati
safeguards.
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and docum
throughout the respective system development life cycles.
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Limit access to CUI on system media to authorized users.
Sanitize or destroy system media containing CUI before disposal or release for reuse.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
No mapping; see Mapping Disclaimer.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfe
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries
internal boundaries of organizational systems.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some
connection to resources in external networks. (i.e. split tunneling).
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternati
safeguards.
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Protect the confidentiality of CUI at rest.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and docum
throughout the respective system development life cycles.
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Restrict, disable, and prevent the use of nonessential, functions, ports, protocols, or services.
Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny- all, permit-by-exception (whitelisting) polic
execution of authorized software.
No mapping; see Mapping Disclaimer.
Track, review, approve or disapprove, and audit changes to organizational systems.
Analyze the security impact of changes prior to implementation.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational system.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
Sanitize or destroy system media containing CUI before disposal or release for reuse.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, r
user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Test the organizational incident response capability.
Screen individuals prior to authorizing access to organizational systems containing CUI.
Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfe
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting the system are identif
Remediate vulnerabilities in accordance with assessments of risk.
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Identify, report, and correct system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational systems.
Monitor system security alerts and advisories and take actions in response.
Perform maintenance on organizational systems.
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connectio
nonlocal maintenance is complete.
Create and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unau
inappropriate system activity.
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Review and update audited events.
Alert in the event of an audit process failure.
Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusua
Provide audit reduction and report generation to support on-demand analysis and reporting.
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for a
Protect audit information and audit tools from unauthorized access, modification, and deletion.
Limit management of audit functionality to a subset of privileged users.
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Limit access to CUI on system media to authorized users.
Sanitize or destroy system media containing CUI before disposal or release for reuse.
Mark media with necessary CUI markings and distribution limitations.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport outside of controlled area
otherwise protected by alternative physical safeguards.
Control the use of removable media on system components.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Restrict, disable, and prevent the use of nonessential, functions, ports, protocols, or services.
Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny- all, permit-by-exception (whitelisting) polic
execution of authorized software.
Authorize wireless access prior to allowing such connections.
Protect wireless access using authentication and encryption.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries
internal boundaries of organizational systems.
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information secur
organizational systems.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some
connection to resources in external networks. (i.e. split tunneling).
Protect the authenticity of communications sessions.
No mapping; see Mapping Disclaimer.
Create and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unau
inappropriate system activity.
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusua
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, r
user response activities.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
Identify unauthorized use of organizational systems.
Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusua
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries
internal boundaries of organizational systems.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
Identify unauthorized use of organizational systems.
Protect and monitor the physical facility and support infrastructure for organizational systems.
Escort visitors and monitor visitor activity.
Monitor and control remote access sessions.
Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlaw
unauthorized, or inappropriate system activity.
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Control and monitor user-installed software.
Identify, report, and correct system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational systems.
Monitor system security alerts and advisories and take actions in response.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or execu
Control and monitor the use of mobile code.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
Identify unauthorized use of organizational systems.
Monitor and control remote access sessions.
Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlaw
unauthorized, or inappropriate system activity.
Protect and monitor the physical facility and support infrastructure for organizational systems.
Escort visitors and monitor visitor activity.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
Identify unauthorized use of organizational systems.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting the system are identif
No mapping; see Mapping Disclaimer.
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
Identify unauthorized use of organizational systems.
Maintain audit logs of physical access.
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
Test the organizational incident response capability.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
No mapping; see Mapping Disclaimer.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
No mapping; see Mapping Disclaimer.
Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusua
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
No mapping; see Mapping Disclaimer.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and indivi
from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting the system are identif
Remediate vulnerabilities in accordance with assessments of risk.
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how
requirements are implemented, and the relationships with or connections to other systems.
Identify, report, and correct information and system flaws in a timely manner.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.
No mapping; see Mapping Disclaimer.
No mapping; see Mapping Disclaimer.
Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, conta
recovery, and user response activities.
Track, document, and report incidents to appropriate organizational officials and/or authorities.

ork (CSF) Subcategories and the Controlled Unclassified Information (CUI) Requirements in NIST Special Publication (SP) 800-171. The int
ents (in whole or in part) between the two publications. It is important to consider the different scope between the two publications w

Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve tha
FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (3
to the FIPS Publication 200 security requirements and the NIST Special Publication 800-53 security controls is not an endorsement for the
es on the protection of CUI from unauthorized disclosure in nonfederal systems and organizations.

s listed above, organizations should not assume that satisfying those particular requirements will automatically satisfy the security require
on to the security objective of confidentiality, the objectives of integrity and availability remain a high priority for organizations that are co
ram. While the primary purpose of SP 800-171 is to define requirements to protect the confidentiality of CUI, there is a close relationship
anisms at the system level support both security objectives.

categories due to the scoping of SP 800-171 which is focused solely on protecting the confidentiality of CUI in nonfederal systems (i.e., sec
P 800-171) and assumes some security best practices to be routinely satisfied by nonfederal organizations as part of conducting business
d to SP 800-171 CUI security requirements for similar reasons or because the SP 800-171 requirements are aligned with specific federal req
ements that could not logically be mapped to CSF subcategories: 3.1.22; 3.10.6; and 3.13.14.
Emergency Services Sector
Source: Emergency Services Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Emergency_Services_Sector_Cybersecurity_Framewor

Mapping of NIST CSF subcategories to the Emergency Services Sector Cyber Risk Assessment (ESS-CRA) and the Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap). Columns in the source table: Function, Category, Subcategory, ESS-CRA, Roadmap. The rows below keep the marks (X) that survived extraction: "both" means an X in both the ESS-CRA and Roadmap columns; "one mark" means a single X whose column cannot be determined from the extracted text; "no mark" means no X appears in the extracted row. The full subcategory wording did not survive extraction and is omitted.

IDENTIFY (ID)
  Asset Management (ID.AM)
    ID.AM-1: both
    ID.AM-2: both
    ID.AM-3: both
    ID.AM-4: no mark
    ID.AM-5: both
    ID.AM-6: one mark
  Business Environment (ID.BE)
    ID.BE-1: both
    ID.BE-2: both
    ID.BE-3: both
    ID.BE-4: both
    ID.BE-5: one mark
  Governance (ID.GV)
    ID.GV-1: no mark
    ID.GV-2: no mark
    ID.GV-3 / ID.GV-4: a single X appears between these two rows; the row and column are not recoverable
  Risk Assessment (ID.RA)
    ID.RA-1: both
    ID.RA-2: both
    ID.RA-3: both
    ID.RA-4: both
    ID.RA-5: both
    ID.RA-6: both
  Risk Management Strategy (ID.RM)
    ID.RM-1: both
    ID.RM-2: one mark
    ID.RM-3: one mark
  Supply Chain Risk Management (ID.SC)
    ID.SC-1 through ID.SC-5: no mark

PROTECT (PR)
  Access Control (PR.AC)
    PR.AC-1: both
    PR.AC-2: one mark
    PR.AC-3: both
    PR.AC-4: no mark
    PR.AC-5: no mark
    PR.AC-6: one mark
    PR.AC-7: one mark
  Awareness and Training (PR.AT)
    PR.AT-1: both
    PR.AT-2: one mark
    PR.AT-3: no mark
    PR.AT-4: no mark
    PR.AT-5: no mark
  Data Security (PR.DS)
    PR.DS-1: one mark
    PR.DS-2: no mark
    PR.DS-3: no mark
    PR.DS-4: no mark
    PR.DS-5: both
    PR.DS-6: no mark
    PR.DS-7: no mark
    PR.DS-8: both
  Information Protection Processes and Procedures (PR.IP)
    PR.IP-1: no mark
    PR.IP-2: no mark
    PR.IP-3: no mark
    PR.IP-4: one mark
    PR.IP-5: no mark
    PR.IP-6: no mark
    PR.IP-7: both
    PR.IP-8: no mark
    PR.IP-9: both
    PR.IP-10: both
    PR.IP-11 / PR.IP-12: two single X marks appear across these two rows; which row and column each belongs to is not recoverable
  Maintenance (PR.MA)
    PR.MA-1: no mark
    PR.MA-2: no mark
  Protective Technology (PR.PT)
    PR.PT-1: no mark
    PR.PT-2: no mark
    PR.PT-3: both
    PR.PT-4: both
    PR.PT-5: both

DETECT (DE)
  Anomalies and Events (DE.AE)
    DE.AE-1: one mark
    DE.AE-2: no mark
    DE.AE-3: no mark
    DE.AE-4: one mark
    DE.AE-5: no mark
  Security Continuous Monitoring (DE.CM)
    DE.CM-1: both
    DE.CM-2: both
    DE.CM-3: no mark
    DE.CM-4: no mark
    DE.CM-5: no mark
    DE.CM-6: no mark
    DE.CM-7: both
    DE.CM-8: both
  Detection Processes (DE.DP)
    DE.DP-1: no mark
    DE.DP-2: no mark
    DE.DP-3: no mark
    DE.DP-4: both
    DE.DP-5: both

RESPOND (RS)
  Response Planning (RS.RP)
    RS.RP-1: both
  Communications (RS.CO)
    RS.CO-1: one mark
    RS.CO-2: the extracted table is cut off at this row; its marks are not recoverable here
their or are
roles
Incidents
RS.CO-3: after
and
with internal and external Information
order
reportedof
stakeholders, as RS.CO-4: is X X
consistent with
RESPOND (RS)

shared
Coordination
RS.CO-5:
appropriate, to include consistent
Analysis (RS.AN): Voluntary with
with
RS.AN-1: X X
Analysis is conducted to stakeholders
informationThe
Notifications
RS.AN-2: X X
ensure adequate response sharing
from
impact
RS.AN-3: occurs
detection
of the
and support recovery systems
incident
Forensics
RS.AN-4: are are
is
activities. understood
performed
Incidents are
RS.AN-5: X X
categorized
Processes are
consistent with
established to
receive, analyze
RESPOND
Mitigation (RS.MI): RS.MI-1: X
Activities are performed Incidents
RS.MI-2: are X X
to prevent expansion of contained
Incidents
RS.MI-3: are
an event, mitigate
Improvements its
(RS.IM): mitigated
Newly
RS.IM-1: X
Organizational response identified
Response plans
RS.IM-2: X X
RECOVER (RC)

activities are
Recovery improved by vulnerabilities
Planning incorporate
Response
RC.RP-1: X X
incorporating
Improvements (RC.IM): lessons
(RC.RP): lessons
Recovery Recovery
RC.IM-1: learned
strategies are
plan X X
processes and lessons
incorporating updated
procedures Recovery
is executed
RC.IM-2: plans X X
are executed
learned into
Communications and
future during or after a
incorporate
Recovery
RC.CO-1:
activities. lessons learned
strategies
(RC.CO): coordinating RC.CO-2: are
Public relations
updated
centers, Internet Service are managed
Reputation is
RC.CO-3:
Providers, owners of repaired after
Recovery
an incident
activities are
communicated
ybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf

Energy Sector

Cybersecurity Capability Maturity Model (C2M2) Program / Cyber Resilience Review (CRR) / Cybersecurity Evaluation Tool (CSET)

Coverage marks (X) for the 108 NIST CSF subcategories, read in subcategory order: every row is marked in all three columns except ID.SC-1 to ID.SC-5 and PR.PT-5 (marked in two of the three columns) and PR.AC-7 (marked in one column); which column lacks the mark is not recoverable from this extraction.

Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1

[A single column of coverage marks (X); the row alignment of these marks to subcategories was not preserved in this extraction.]

Energy Sector
Source: Energy Sector: Cybersecurity Framework Implementation Guidance. Jan 2015
URL: https://www.energy.gov/ceser/downloads/energy-sector-cybersecurity-framework-implementation-guidance
https://www.cisa.gov/publication/nipp-ssp-energy-2015
Cybersecurity Capability Maturity Model Practices

Function / Category / Subcategory / Maturity Level 1 (C2M2 practice identifiers are shown in brackets against the subcategory row on which they appeared)

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational…
  ID.AM-1: Physical devices and systems within the organization are… [Maturity Level 1: ACM-1a]
  ID.AM-2: Software platforms and applications within the organization are… [Maturity Level 1: ACM-1a]
  ID.AM-3: Organizational communication and data flows are…
  ID.AM-4: External information systems are catalogued. [Maturity Level 1: EDM-1a]
  ID.AM-5: Resources (e.g., hardware, devices, data, time,… [Maturity Level 1: ACM-1a, ACM-1b]
  ID.AM-6: Cybersecurity roles and responsibilities for the entire… [Maturity Level 1: WM-1a, WM-1b]

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and … roles, responsibilities, and risk…
  ID.BE-1: The organization’s role in the supply chain is identified and… [Maturity Level 1: EDM-1b]
  ID.BE-2: The organization’s place in critical infrastructure and… [Maturity Level 1: EDM-1b]
  ID.BE-3: Priorities for organizational mission, objectives, and activities are…
  ID.BE-4: Dependencies and critical functions for delivery of critical services are… [Maturity Level 1: ACM-1a, ACM-1b, EDM-1a]
  ID.BE-5: Resilience requirements to support delivery of critical… [Maturity Level 1: IR-4a, IR-4b, IR-4c]

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity…
  ID.GV-1: Organizational cybersecurity policy is established and…
  ID.GV-2: Cybersecurity roles and responsibilities are coordinated and… [Maturity Level 1: WM-1a, WM-1b]
  ID.GV-3: Legal and regulatory requirements regarding…
  ID.GV-4: Governance and risk management processes address… [Maturity Level 1: RM-2a, RM-2b]

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1: Asset vulnerabilities are identified and documented. [Maturity Level 1: TVM-2a, TVM-2b]
  ID.RA-2: Cyber threat intelligence is received from information sharing… [Maturity Level 1: TVM-1a, TVM-1b, TVM-2a, TVM-2b]
  ID.RA-3: Threats, both internal and external, are identified and… [Maturity Level 1: TVM-1a, TVM-1b]
  ID.RA-4: Potential business impacts and likelihoods are identified.
  ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to…
  ID.RA-6: Risk responses are identified and prioritized.

Risk Management Strategy (ID.RM): … tolerances, and assumptions are established and used to support operational risk…
  ID.RM-1: Risk management processes are established,… [Maturity Level 1: RM-2a, RM-2b]
  ID.RM-2: Organizational risk tolerance is determined and…
  ID.RM-3: The organization’s determination of risk tolerance is…

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions…
  ID.SC-1: Cyber supply chain risk management processes are…
  ID.SC-2: Suppliers and third party partners of information…
  ID.SC-3: Contracts with suppliers and third-party partners are…
  ID.SC-4: Suppliers and third-party partners are routinely assessed…
  ID.SC-5: Response and recovery planning and testing are conducted with…

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and… [Maturity Level 1: IAM-1a, IAM-1b]
  PR.AC-2: Physical access to assets is managed and protected. [Maturity Level 1: IAM-2a, IAM-2b]
  PR.AC-3: Remote access is managed. [Maturity Level 1: IAM-2a, IAM-2b]
  PR.AC-4: Access permissions and authorizations are managed,…
  PR.AC-5: Network integrity is protected (e.g., network… [Maturity Level 1: CPM-3a]
  PR.AC-6: Identities are proofed and bound to credentials and asserted in…
  PR.AC-7: Users, devices, and other assets are authenticated (e.g.,…

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform…
  PR.AT-1: All users are informed and trained. [Maturity Level 1: WM-3a, WM-4a]
  PR.AT-2: Privileged users understand their roles and… [Maturity Level 1: WM-1a, WM-1b]
  PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and… [Maturity Level 1: WM-1a, WM-1b]
  PR.AT-4: Senior executives understand their… [Maturity Level 1: WM-1a, WM-1b]
  PR.AT-5: Physical and cybersecurity personnel understand their… [Maturity Level 1: WM-1a, WM-1b]

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  PR.DS-1: Data-at-rest is protected. [Maturity Level 1: TVM-1c, TVM-2c]
  PR.DS-2: Data-in-transit is protected. [Maturity Level 1: TVM-1c, TVM-2c]
  PR.DS-3: Assets are formally managed throughout removal,… [Maturity Level 1: ACM-3a, ACM-3b]
  PR.DS-4: Adequate capacity to ensure availability is maintained. [Maturity Level 1: TVM-1c, TVM-2c]
  PR.DS-5: Protections against data leaks are implemented. [Maturity Level 1: TVM-1c, TVM-2c]
  PR.DS-6: Integrity checking mechanisms are used to verify…
  PR.DS-7: The development and testing environment(s) are…
  PR.DS-8: Integrity checking mechanisms are used to verify…

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  PR.IP-1: A baseline configuration of information technology/industri… [Maturity Level 1: ACM-2a, ACM-2b]
  PR.IP-2: A System Development Life Cycle to manage systems is…
  PR.IP-3: Configuration change control processes are in… [Maturity Level 1: ACM-3a, ACM-3b]
  PR.IP-4: Backups of information are conducted, maintained, and… [Maturity Level 1: IR-4a, IR-4b]
  PR.IP-5: Policy and regulations regarding the physical operating…
  PR.IP-6: Data is destroyed according to policy.
  PR.IP-7: Protection processes are improved.
  PR.IP-8: Effectiveness of protection technologies is… [Maturity Level 1: ISC-1a, ISC-1b]
  PR.IP-9: Response plans (Incident Response and Business… [Maturity Level 1: IR-4c]
  PR.IP-10: Response and recovery plans are tested.
  PR.IP-11: Cybersecurity is included in human resources practices… [Maturity Level 1: WM-2a, WM-2b]
  PR.IP-12: A vulnerability management plan is developed and…

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with…
  PR.MA-1: Maintenance and repair of… [Maturity Level 1: ACM-3b, SA-1a]
  PR.MA-2: Remote maintenance of organizational assets is approved,… [Maturity Level 1: IR-1c]

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies,…
  PR.PT-1: Audit/log records are determined, documented,… [Maturity Level 1: SA-1a, SA-2a]
  PR.PT-2: Removable media is protected and its use restricted… [Maturity Level 1: IAM-2a, IAM-2b]
  PR.PT-3: The principle of least functionality is incorporated by… [Maturity Level 1: IAM-2a, IAM-2b]
  PR.PT-4: Communications and control networks are… [Maturity Level 1: CPM-3a]
  PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot…

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
  DE.AE-1: A baseline of network operations and expected data flows… [Maturity Level 1: SA-2a]
  DE.AE-2: Detected events are analyzed to understand attack targets and methods.
  DE.AE-3: Event data are collected and correlated from multiple sources… [Maturity Level 1: IR-2b]
  DE.AE-4: Impact of events is determined.
  DE.AE-5: Incident alert thresholds are established. [Maturity Level 1: IR-2a]

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  DE.CM-1: The network is monitored to detect potential… [Maturity Level 1: SA-2a, SA-2b]
  DE.CM-2: The physical environment is monitored to detect potential… [Maturity Level 1: SA-2a, SA-2b]
  DE.CM-3: Personnel activity is monitored to detect… [Maturity Level 1: SA-2a, SA-2b]
  DE.CM-4: Malicious code is detected. [Maturity Level 1: SA-2a, SA-2b]
  DE.CM-5: Unauthorized mobile code is detected. [Maturity Level 1: SA-2a, SA-2b]
  DE.CM-6: External service provider activity is monitored to detect… [Maturity Level 1: EDM-2a, SA-2a]
  DE.CM-7: Monitoring for unauthorized personnel,… [Maturity Level 1: SA-2a, SA-2b]
  DE.CM-8: Vulnerability scans are performed.

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
  DE.DP-1: Roles and responsibilities for detection are well defined to… [Maturity Level 1: WM-1a]
  DE.DP-2: Detection activities comply with all applicable requirements.
  DE.DP-3: Detection processes are tested.
  DE.DP-4: Event detection information is communicated. [Maturity Level 1: IR-1b]
  DE.DP-5: Detection processes are continuously improved. [Maturity Level 1: IR-3c]

RESPOND (RS)

Response Planning (RS.RP)
  RS.RP-1: Response plan is executed during or after an incident. [Maturity Level 1: IR-3a]

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  RS.CO-1: Personnel know their roles and order of operations when a… [Maturity Level 1: IR-1a, IR-1b]
  RS.CO-2: Incidents are reported consistent with established criteria.
  RS.CO-3: Information is shared consistent with response plans. [Maturity Level 1: ISC-1a, ISC-1b]
  RS.CO-4: Coordination with stakeholders occurs consistent with…
  RS.CO-5: Voluntary information sharing occurs with external… [Maturity Level 1: ISC-1a]

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  RS.AN-1: Notifications from detection systems are investigated.
  RS.AN-2: The impact of the incident is understood.
  RS.AN-3: Forensics are performed.
  RS.AN-4: Incidents are categorized consistent with response plans. [Maturity Level 1: IR-2a]
  RS.AN-5: Processes are established to receive, analyze and respond to…

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the…
  RS.MI-1: Incidents are contained. [Maturity Level 1: IR-3b]
  RS.MI-2: Incidents are mitigated. [Maturity Level 1: IR-3b]
  RS.MI-3: Newly identified vulnerabilities are mitigated or… [Maturity Level 1: TVM-2c]

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons…
  RS.IM-1: Response plans incorporate lessons learned.
  RS.IM-2: Response strategies are updated.

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and…
  RC.RP-1: Recovery plan is executed during or after a cybersecurity… [Maturity Level 1: IR-3b]

Improvements (RC.IM): … incorporating lessons learned into future activities.
  RC.IM-1: Recovery plans incorporate lessons learned.
  RC.IM-2: Recovery strategies are updated.

Communications (RC.CO): … coordinating centers, Internet Service Providers, owners of attacking systems, victims,…
  RC.CO-1: Public relations are managed.
  RC.CO-2: Reputation is repaired after an incident.
  RC.CO-3: Recovery activities are communicated to internal and…

Cybersecurity Capability Maturity Model Practices

Maturity Level 2 / Maturity Level 3 (the practice identifiers below were extracted without their subcategory row labels; their alignment to the rows above is not preserved)

ACM-1c ACM-1e, ACM-1f


ACM-1c ACM-1e, ACM-1f
RM-2g ACM-1e
EDM-1c, EDM-1e EDM-1g, RM-1c
ACM-1c ACM-1d
WM-1c
EDM-1d EDM-1f EDM-1g RM-1c
EDM-1d, EDM-1f, CPM-1c EDM-1g RM-1c
RM-3b RM-1c
ACM-1c, ACM-1d, EDM-1c, ACM-1e, ACM-1f, RM-1c,
EDM-1e
IR-4e EDM-1g
CPM-2g CPM-5d RM-3e
WM-1c, WM-2d, WM-5b, ISC-2b WM-1e, WM-1f, WM-1g
CPM-2k, IR-3n, RM-3f, ACM-4f,
IAM-3f, TVM-3f RM-1c,
RM-2h, RM-3e, SA-4f, RM-1e
ISC-2f,
TVM-2d, TVM-2e, TVM-2f IR-5f, EDM-3f, WM-5f
TVM-2d RM-1c, RM-2j, TVM-2i, TVM-2j, TVM-2k, TVM-2l, TVM-2m
TVM-1d, TVM-1e RM-2j TVM-1j
TVM-1d TVM-1f RM-1c TVM-1i
RM-1c
RM-2e TVM-1d RM-2j
RM-1c
RM-1a RM-2j
RM-1c
RM-1b RM-1d
RM-1c RM-1e
RM-1b RM-1c

IAM-1d RM-1c IAM-1g


IAM-1e
IAM-2d IAM-2g
IAM-2e
IAM-2d IAM-2g
IAM-2e
IAM-2d
CPM-3b CPM-3c CPM-3d

WM-3b WM-3g
WM-3c
WM-1c WM-1d WM-3h
WM-1e
WM-1c WM-1d WM-1f
WM-1e
WM-1c WM-1d WM-1f
WM-1e
WM-1c WM-1d WM-1f
WM-1e
WM-1f
ACM-3c ACM-3f
ACM-3d
CPM-3b ACM-4e
CPM-3b TVM-2n
SA-2e SA-2i
ACM-3c ACM-3e

ACM-2c ACM-2d
ACM-3d ACM-2e
ACM-3c ACM-3e
ACM-3d ACM-3f
ACM-4f RM-3f
ACM-3d
CPM-1g
ISC-1c ISC-1h
ISC-1d
IR-3f ISC-1i
IR-3k
IR-4d
IR-3e IR-4f IR-3m
IR-3k
WM-2c WM-2d IR-4i
WM-2e
TVM-3a WM-2f
TVM-3e
ACM-4c ACM-3f
IAM-2d IAM-2g
IAM-2e
SA-1b IAM-2f IAM-2h
SA-1d
SA-1c SA-1e
IAM-3e IAM-3f
IAM-2d IAM-2g
IAM-2e
CPM-3b CPM-3c IAM-2h
CPM-3d

IR-1f
IR-1e IR-2i
IR-1f IR-2i
IR-2d IR-2g RM-2j
TVM-1d
IR-2d IR-2g RM-2j
TVM-1d
SA-2e SA-2g SA-2i
SA-2f
SA-2e SA-2i
SA-2e SA-2i
SA-2e CPM-4a SA-2i
SA-2e SA-2h SA-2i
SA-2e EDM-2j EDM-2n
SA-2e SA-2g SA-2i
SA-2f
TVM-2e TVM-2i
WM-1d TVM-2j
WM-1f
IR-1d IR-1g
IR-5a
IR-3e IR-5f
IR-3j
ISC-1c ISC-1d IR-3n
ISC-1h
IR-3h IR-3k
IR-3d
IR-5b

IR-3d IR-3i
ISC-1c
IR-3d IR-3l
IR-5b
ISC-1c ISC-1h
ISC-1d
IR-1e ISC-1i
IR-1f
IR-2d IR-2g RM-2j
TVM-1d
IR-3d IR-3h IR-3i
IR-1d
IR-1e

TVM-2f TVM-2g RM-2j


TVM-2m
IR-3h
IR-3h IR-3k
IR-3d IR-3o IR-4k
IR-3h
IR-4i
IR-3h IR-3k
RM-1c
IR-3d
IR-3d
Finance Sector
Source: Federal Financial Institutions Examination Council (FFIEC), Cybersecurity Assessment Tool
URL: https://www.cisa.gov/publication/nipp-ssp-financial-services-2015
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Function / Category / Subcategory

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational…
  ID.AM-1: Physical devices and systems within the organization are…
  ID.AM-2: Software platforms and applications within the organization are…
  ID.AM-3: Organizational communication and data flows are…
  ID.AM-4: External information systems are catalogued.
  ID.AM-5: Resources (e.g., hardware, devices, data, time,…
  ID.AM-6: Cybersecurity roles and responsibilities for the entire…

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and … roles, responsibilities, and risk…
  ID.BE-1: The organization’s role in the supply chain is identified and…
  ID.BE-2: The organization’s place in critical infrastructure and…
  ID.BE-3: Priorities for organizational mission, objectives, and activities are…
  ID.BE-4: Dependencies and critical functions for delivery of critical services are…
  ID.BE-5: Resilience requirements to support delivery of critical…

Governance (ID.GV): The policies, procedures, and operational requirements are understood and inform the management of cybersecurity…
  ID.GV-1: Organizational cybersecurity policy is established and…
  ID.GV-2: Cybersecurity roles and responsibilities are coordinated and…
  ID.GV-3: Legal and regulatory requirements regarding…
  ID.GV-4: Governance and risk management processes address…

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1: Asset vulnerabilities are identified and documented.
  ID.RA-2: Cyber threat intelligence is received from information sharing…
  ID.RA-3: Threats, both internal and external, are identified and…
  ID.RA-4: Potential business impacts and likelihoods are identified.
  ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to…
  ID.RA-6: Risk responses are identified and prioritized.

Risk Management Strategy (ID.RM): … tolerances, and assumptions are established and used to support operational risk…
  ID.RM-1: Risk management processes are established,…
  ID.RM-2: Organizational risk tolerance is determined and…
  ID.RM-3: The organization’s determination of risk tolerance is…

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions…
  ID.SC-1: Cyber supply chain risk management processes are…
  ID.SC-2: Suppliers and third party partners of information…
  ID.SC-3: Contracts with suppliers and third-party partners are…
  ID.SC-4: Suppliers and third-party partners are routinely assessed…
  ID.SC-5: Response and recovery planning and testing are conducted with…

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and…
  PR.AC-2: Physical access to assets is managed and protected.
  PR.AC-3: Remote access is managed.
  PR.AC-4: Access permissions and authorizations are managed,…
  PR.AC-5: Network integrity is protected (e.g., network…
  PR.AC-6: Identities are proofed and bound to credentials and asserted in…
  PR.AC-7: Users, devices, and other assets are authenticated (e.g.,…

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform…
  PR.AT-1: All users are informed and trained.
  PR.AT-2: Privileged users understand their roles and…
  PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and…
  PR.AT-4: Senior executives understand their…
  PR.AT-5: Physical and cybersecurity personnel understand their…

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  PR.DS-1: Data-at-rest is protected.
  PR.DS-2: Data-in-transit is protected.
  PR.DS-3: Assets are formally managed throughout removal,…
  PR.DS-4: Adequate capacity to ensure availability is maintained.
  PR.DS-5: Protections against data leaks are implemented.
  PR.DS-6: Integrity checking mechanisms are used to verify…
  PR.DS-7: The development and testing environment(s) are…
  PR.DS-8: Integrity checking mechanisms are used to verify…

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  PR.IP-1: A baseline configuration of information technology/industri…
  PR.IP-2: A System Development Life Cycle to manage systems is…
  PR.IP-3: Configuration change control processes are in…
  PR.IP-4: Backups of information are conducted, maintained, and…
  PR.IP-5: Policy and regulations regarding the physical operating…
  PR.IP-6: Data is destroyed according to policy.
  PR.IP-7: Protection processes are improved.
  PR.IP-8: Effectiveness of protection technologies is…
  PR.IP-9: Response plans (Incident Response and Business…
  PR.IP-10: Response and recovery plans are tested.
  PR.IP-11: Cybersecurity is included in human resources practices…
  PR.IP-12: A vulnerability management plan is developed and…

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with…
  PR.MA-1: Maintenance and repair of…
  PR.MA-2: Remote maintenance of organizational assets is approved,…

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies,…
  PR.PT-1: Audit/log records are determined, documented,…
  PR.PT-2: Removable media is protected and its use restricted…
  PR.PT-3: The principle of least functionality is incorporated by…
  PR.PT-4: Communications and control networks are…
  PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot…

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
  DE.AE-1: A baseline of network operations and expected data flows…
  DE.AE-2: Detected events are analyzed to understand attack targets and methods.
  DE.AE-3: Event data are collected and correlated from multiple sources…
  DE.AE-4: Impact of events is determined.
  DE.AE-5: Incident alert thresholds are established.

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  DE.CM-1: The network is monitored to detect potential…
  DE.CM-2: The physical environment is monitored to detect potential…
  DE.CM-3: Personnel activity is monitored to detect…
  DE.CM-4: Malicious code is detected.
  DE.CM-5: Unauthorized mobile code is detected.
  DE.CM-6: External service provider activity is monitored to detect…
  DE.CM-7: Monitoring for unauthorized personnel,…
  DE.CM-8: Vulnerability scans are performed.

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
  DE.DP-1: Roles and responsibilities for detection are well defined to…
  DE.DP-2: Detection activities comply with all applicable requirements.
  DE.DP-3: Detection processes are tested.
  DE.DP-4: Event detection information is communicated.
  DE.DP-5: Detection processes are continuously improved.

RESPOND (RS)

Response Planning (RS.RP)
  RS.RP-1: Response plan is executed during or after an incident.

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  RS.CO-1: Personnel know their roles and order of operations when a…
  RS.CO-2: Incidents are reported consistent with established criteria.
  RS.CO-3: Information is shared consistent with response plans.
  RS.CO-4: Coordination with stakeholders occurs consistent with…
  RS.CO-5: Voluntary information sharing occurs with external…

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  RS.AN-1: Notifications from detection systems are investigated.
  RS.AN-2: The impact of the incident is understood.
  RS.AN-3: Forensics are performed.
  RS.AN-4: Incidents are categorized consistent with response plans.
  RS.AN-5: Processes are established to receive, analyze and respond to…

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the…
  RS.MI-1: Incidents are contained.
  RS.MI-2: Incidents are mitigated.
  RS.MI-3: Newly identified vulnerabilities are mitigated or…

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons…
  RS.IM-1: Response plans incorporate lessons learned.
  RS.IM-2: Response strategies are updated.

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and…
  RC.RP-1: Recovery plan is executed during or after a cybersecurity…

Improvements (RC.IM): … incorporating lessons learned into future activities.
  RC.IM-1: Recovery plans incorporate lessons learned.
  RC.IM-2: Recovery strategies are updated.

Communications (RC.CO): … coordinating centers, Internet Service Providers, owners of attacking systems, victims,…
  RC.CO-1: Public relations are managed.
  RC.CO-2: Reputation is repaired after an incident.
  RC.CO-3: Recovery activities are communicated to internal and…

FFIEC Cybersecurity Assessment Tool

D1.G.IT.B.1: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
D1.G.IT.B.1: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
D4.C.Co.B.4: Data flow diagrams are in place and document information flow to external parties.
D4.C.Co.Int.1:
D4.RM.Dd.B.2:AAvalidated asset inventory
list of third-party serviceisproviders
used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, an
is maintained.
D4.C.Co.B.3: A networkassets
D1.G.IT.B.2: Institution diagram is in
(e.g., place and
hardware, identifies
systems, all and
data, external connections.
applications) are prioritized for protection based on the data classification
D1.R.St.B.1: Information security roles and responsibilities have been identified.
D1.TC.Cu.B.1: Management
D1.G.SP.A.3: The holds
cybersecurity employees
strategy accountable
identifies for complying
and communicates the with the information
institution’s role as a security program.
component of critical infrastructure in the fin
D1.G.SP.Inn.1: The cybersecurity strategy identifies and communicates its role as it relates to other critical infrastructures.
D1.G.SP.E.2: The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks.
D1.G.Ov.Int.5: Thecritical
D4.C.Co.B.1: The board business
or an appropriate
processesboard committee
that are dependentensures management’s
on external annual
connectivity cybersecurity
have self-assessment
been identified. evaluates
D1.G.IT.B.2: the insti
Organizational
standards.
applications)
D5.IR.Pl.B.5:are prioritized
A formal for protection
backup based
and recovery planonexists
the data classification
for all and business
critical business lines. value.
D5.IR.Pl.E.3:
D1.G.SP.B.4: Alternative processes
The institution have been
has board-approved policies commensurate with its risk and complexity that address information security.
D1.G.SP.B.7: All elements of the information security program are coordinated enterprise-wide.
D4.RM.Co.B.2: Contracts acknowledge
D1.G.Ov.E.2: Management is responsiblethat
forthe third party
ensuring is responsible
compliance for the
with legal andsecurity of the
regulatory institution’s
requirements confidential
related data that it possesse
to cybersecurity.
D1.G.Ov.B.1: Designated members of management are held accountable by the board or an appropriate board committee for implementing a
continuity programs.
D2.TI.Ti.B.2: Threat information is used to monitor threats and vulnerabilities.
D3.DC.Th.B.1: Independent
D2.TI.Ti.B.1: The institutiontesting
belongs(including penetration
or subscribes testing
to a threat and and vulnerability
vulnerability scanning) is conducted
information-sharing according
source(s) to the information
that provides risk assessment
on t
network.
D3.DC.An.B.1: The institution is able to detect anomalous activities through monitoring across the environment. D2.MA.Ma.E.1: A process
discover emerging
D5.RE.Re.B.1: threats. steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer in
Appropriate
D5.ER.Er.Ev.1:
D1.RM.RA.B.1:Criteria have been established
A risk assessment focused on for escalating customer
safeguarding cyber incidents or vulnerabilities
information to the board
identifies reasonable andand senior management
foreseeable internal andbased on
external
threats, and theThe
D5.IR.Pl.B.1: sufficiency of has
institution policies, procedures
documented howand customer
it will information
react and respond tosystems.
cyber incidents.
D5.DR.Re.E.1: The incident
D1.G.Ov.B.1: Designated response
members ofplan is designed
management aretoheld
prioritize incidents,
accountable enabling
by the a rapid
board or response for
an appropriate significant
board committeecybersecurity incidenta
for implementing
plan and process
continuity outlines
programs. the mitigating actions, resources, and time parameters.
D1.G.Ov.Int.3: The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.
D1.G.SP.A.4: The risk appetite is informed by the institution’s role in critical infrastructure.

D3.PC.Im.B.7: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
D3.PC.Am.B.6: Identification and authentication are required and managed for access to systems, applications, and hardware.
D3.PC.Am.B.11: Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems.
D3.PC.Am.B.17: Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
D3.PC.Am.B.15: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
D3.PC.De.E.7: The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not used.)
D3.PC.Am.B.1: Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.
D3.PC.Am.B.2: Employee access to systems and confidential data provides for separation of duties.
D3.DC.Im.B.1: Network perimeter defense tools (e.g., border router and firewall) are used.
D3.DC.Im.Int.1: The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks.
D1.TC.Tr.B.2: Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues.
D1.TC.Tr.E.3: Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of responsibility.
D1.TC.Tr.B.4: Customer awareness materials are readily available (e.g., DHS’ Cybersecurity Awareness Month materials).
D1.TC.Tr.Int.2: Cybersecurity awareness information is provided to retail customers and commercial clients at least annually.
D1.TC.Tr.E.2: Management is provided cybersecurity training relevant to their job responsibilities.
D1.TC.Tr.E.3: Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of responsibility.
D1.R.St.E.3: Staff with cybersecurity responsibilities has the requisite qualifications to perform the necessary tasks of the position.
D1.G.IT.B.13: Confidential data is identified on the institution's network.
D3.PC.Am.B.14: Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).
D3.PC.Am.B.13: Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.)
Contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data.
D3.PC.Am.E.5: Controls are in place to prevent unauthorized access to cryptographic keys.
D1.G.IT.E.3: The institution proactively manages system end-of-life (e.g., replacement) to limit security risks.
D1.G.IT.E.2: The institution has a documented asset life-cycle process that considers whether assets to be acquired have appropriate security safeguards.
D5.IR.Pl.B.5: A formal backup and recovery plan exists for all critical business lines.
D5.IR.Pl.B.6: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.
D3.PC.Am.B.15: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
D3.PC.Am.Int.1: The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data.
D3.PC.Se.Int.3: Software code executables and scripts are digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted.
D3.PC.De.Int.2: Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.)
D3.PC.Am.B.10: Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.)

D3.PC.Im.B.5: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
D3.PC.Se.B.1: Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC).
D3.PC.Se.E.1: Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications. (*N/A if there
D1.G.IT.B.4: A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.

D5.IR.Pl.B.5: A formal backup and recovery plan exists for all critical business lines.
D5.IR.Te.E.3: Information backups are tested periodically to verify they are accessible and readable.
D3.PC.Am.B.11: Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems.
D1.G.IT.B.19: Data is disposed of or destroyed according to documented requirements and within expected time frames.
D1.RM.RMP.E.2: Management reviews and uses the results of audits to improve existing policies, procedures, and controls.
D1.G.Ov.A.2: Management has a formal process to continuously improve cybersecurity oversight.
D2.IS.Is.B.1: Information security threats are gathered and shared with applicable internal employees.
D2.IS.Is.E.2: A representative from the institution participates in law enforcement or information-sharing organization meetings.
D5.IR.Pl.B.1: The institution has documented how it will react and respond to cyber incidents.

D5.IR.Te.B.1: Scenarios are used to improve incident detection and response.


D5.IR.Te.B.3: Systems, applications, and data recovery is tested at least annually.
D1.R.St.E.4: Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.
D3.CC.Re.Ev.2: Formal processes are in place to resolve weaknesses identified during penetration testing.
D3.CC.Re.Int.5: The maintenance and repair of organizational assets are performed by authorized individuals with approved and controlled tools.
D3.CC.Re.Int.6: The maintenance and repair of organizational assets are logged in a timely manner.
D3.PC.Im.B.7: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
D1.G.SP.B.3: The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing.
D2.MA.Ma.B.1: Audit log records and other security event logs are reviewed and retained in a secure manner.
D1.G.SP.B.4: The institution has board-approved policies commensurate with its risk and complexity that address information security.
D2.MA.Ma.B.2: Computer event logs are used for investigations once an event has occurred.
D3.PC.De.B.1: Controls are in place to restrict the use of removable media to authorized personnel.
D3.PC.Am.B.7: Access controls include password complexity and limits to password attempts and reuse.
D3.PC.Am.B.4: User access reviews are performed periodically for all systems and applications based on the risk to the application or system.
D3.PC.Im.B.1: Network perimeter defense tools (e.g., border router and firewall) are used.
D3.PC.Am.B.11: Physical security controls are used to prevent unauthorized access to information systems, and telecommunication systems

D3.DC.Ev.B.1: A normal network activity baseline is established.


D4.C.Co.B.4: Data flow diagrams are in place and document information flow to external parties.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s incident response plan.
D3.DC.Ev.E.1: A process is in place to correlate event information from multiple sources (e.g., network, application, or firewall).
D5.IR.Te.E.1: Recovery scenarios include plans to recover from data destruction, and impacts to data integrity, data loss, and system and data availability.
Criteria have been established for escalating cyber incidents or vulnerabilities to the board and senior management based on the potential impact and criticality of the risk.
D5.DR.De.B.1: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
D3.DC.An.E.4: Thresholds have been established to determine activity within logs that would warrant management response.
D3.DC.An.B.2: Customer transactions generating anomalous activity alerts are monitored and reviewed.
D3.DC.An.B.3: Logs of physical and/or logical access are reviewed following events.
D3.PC.Am.E.4: Physical access to high-risk or confidential systems is restricted, logged, and unauthorized access is blocked.
D3.DC.Ev.B.5: The physical environment is monitored to detect potential unauthorized access.
D3.DC.An.A.3: A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities.
D3.DC.Th.B.2: Antivirus and anti-malware tools are used to detect attacks.
D3.PC.De.E.5: Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices).
D4.RM.Om.Int.1: Third-party employee access to the institution's confidential data is tracked actively based on the principles of least privile
D3.DC.Ev.B.3: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
D3.DC.Th.E.5: Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices.
D3.DC.Ev.B.4: Responsibilities for monitoring and reporting suspicious systems activity have been assigned.
D1.G.Ov.E.2: Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity.
D3.DC.Ev.Int.2: Event detection processes are proven reliable.
D3.DC.Ev.B.2: Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
D5.ER.Is.B.1: A process exists to contact personnel who are responsible for analyzing and responding to an incident.
D5.IR.Pl.Int.3: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s incident response plan.
D5.IR.Pl.B.1: The institution has documented how it will react and respond to cyber incidents.
D5.IR.Pl.B.3: Roles and responsibilities for incident response team members are defined.
D5.IR.Pl.B.2: Communication channels exist to provide employees a means for reporting information security events in a timely manner.
D5.DR.Re.B.4: Incidents are classified, logged and tracked.
D5.ER.Es.B.2: Procedures exist to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information.
D5.ER.Is.B.1: A process exists to contact personnel who are responsible for analyzing and responding to an incident.
D5.IR.Pl.Int.1: A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attack.
D2.IS.Is.B.3: Information about threats is shared with law enforcement and regulators when required or prompted.
D2.IS.Is.E.2: A representative from the institution participates in law enforcement or information-sharing organization meetings.
D5.DR.De.B.3: Tools and processes are in place to detect, alert, and trigger the incident response program.
D5.DR.De.Int.3: Incidents are detected in real time through automated processes that include instant alerts to appropriate personnel who can respond.
D1.RM.RMP.A.4: A process is in place to analyze the financial impact cyber incidents have on the institution’s capital.
D5.IR.Te.E.1: Recovery scenarios include plans to recover from data destruction, impacts to data integrity, data loss, and system and data availability.
D3.CC.Re.Int.3: Security investigations, forensic analysis, and remediation are performed by qualified staff or third parties.
D3.CC.Re.Int.4: Generally accepted and appropriate forensic procedures, including chain of custody, are used to gather and present evidence to support potential legal action.
D5.ER.Es.B.4: Incidents are classified, logged and tracked.
D5.DR.Re.E.1: The incident response plan is designed to prioritize incidents, enabling a rapid response for significant cybersecurity incident

D5.DR.Re.B.1: Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer in
D5.DR.Re.E.4: Procedures include containment strategies and notifying potentially impacted third parties.
D5.DR.De.B.1: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
D5.DR.Re.E.3: Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware).
D1.RM.RA.E.1: Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s incident response plan.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s incident response plan.
D5.IR.Pl.B.6: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s incident response plan.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s incident response plan.
D5.ER.Es.Int.3: An external communication plan is used for notifying media regarding incidents when applicable.
D5.IR.Pl.Int.1: A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attack.
D5.ER.Is.B.1: A process exists to contact personnel who are responsible for analyzing and responding to an incident.
D5.IR.Pl.Int.1: A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attack.
Food and Agriculture Sector
Source: National Restaurant Association: Cybersecurity 201
URL: https://www.cisa.gov/publication/nipp-ssp-food-ag-2015
https://www.nist.gov/cyberframework/critical-infrastructure-resources
https://www.restaurant.org/downloads/pdfs/advocacy/cybersecurity201.pdf

Function Category Subcategory

IDENTIFY (ID)
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-3: Organizational communication and data flows are mapped.
ID.AM-4: External information systems are catalogued.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization’s role in the supply chain is identified and communicated.
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations).
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated.
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
ID.GV-4: Governance and risk management processes address cybersecurity risks.
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented.
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified.
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
ID.RA-6: Risk responses are identified and prioritized.
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.
ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
PR.AC-2: Physical access to assets is managed and protected.
PR.AC-3: Remote access is managed.
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained.
PR.AT-2: Privileged users understand their roles and responsibilities.
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
PR.AT-4: Senior executives understand their roles and responsibilities.
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities.
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected.
PR.DS-2: Data-in-transit is protected.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
PR.DS-4: Adequate capacity to ensure availability is maintained.
PR.DS-5: Protections against data leaks are implemented.
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
PR.DS-7: The development and testing environment(s) are separate from the production environment.
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity.
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality).
PR.IP-2: A System Development Life Cycle to manage systems is implemented.
PR.IP-3: Configuration change control processes are in place.
PR.IP-4: Backups of information are conducted, maintained, and tested.
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met.
PR.IP-6: Data is destroyed according to policy.
PR.IP-7: Protection processes are improved.
PR.IP-8: Effectiveness of protection technologies is shared.
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
PR.IP-10: Response and recovery plans are tested.
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
PR.IP-12: A vulnerability management plan is developed and implemented.
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
PR.PT-2: Removable media is protected and its use restricted according to policy.
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
PR.PT-4: Communications and control networks are protected.
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
DE.AE-4: Impact of events is determined.
DE.AE-5: Incident alert thresholds are established.
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
DE.CM-4: Malicious code is detected.
DE.CM-5: Unauthorized mobile code is detected.
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
DE.CM-8: Vulnerability scans are performed.
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
DE.DP-2: Detection activities comply with all applicable requirements.
DE.DP-3: Detection processes are tested.
DE.DP-4: Event detection information is communicated.
DE.DP-5: Detection processes are continuously improved.
RESPOND (RS)
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
RS.RP-1: Response plan is executed during or after an incident.
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies).
RS.CO-1: Personnel know their roles and order of operations when a response is needed.
RS.CO-2: Incidents are reported consistent with established criteria.
RS.CO-3: Information is shared consistent with response plans.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated.
RS.AN-2: The impact of the incident is understood.
RS.AN-3: Forensics are performed.
RS.AN-4: Incidents are categorized consistent with response plans.
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers).
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained.
RS.MI-2: Incidents are mitigated.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned.
RS.IM-2: Response strategies are updated.
RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident.
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned.
RC.IM-2: Recovery strategies are updated.
Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
RC.CO-1: Public relations are managed.
RC.CO-2: Reputation is repaired after an incident.
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

Guidance

1) Develop a tagging system for all physical IT devices, including a simple system for identifying type of physical asset, i.e., CPU or peripheral.
1) Develop documentation or use third-party secure database software to inventory all software.
1) Map your restaurant’s communication and data flow requirements, and draft network diagrams.
1) Document all external systems, and code the systems for tracking, including type of system, data risk and
locations.
1) Create a scoring system to identify the most critical to least critical technology systems.
1) Develop roles and responsibilities for your employees and third parties regarding information systems and
cybersecurity.
1) Identify and understand your restaurant’s and vendor partners’ role in each step of the supply chain.
All information systems
1) Document and communicate the infrastructure that supports the critical business activities identified in ID.BE-1 (above).
1) Document and prioritize your business activities to determine processes, technology and stakeholders that are key to achieving the organization’s objectives.
1) Create a list of services that are critical to running your business.
1) Document your requirements for delivery of critical services, including hours required to be available, maximum amount of time service cannot be available and how to deal with unavailability.
1) Determine the regulatory and legal requirements for the restaurant’s security and include this information in your security policies.
1) The IT subject matter expert in partnership with HR and functional areas (i.e., finance, legal, supply chain, operations) should establish the roles and responsibilities of employees and external partners for the use and access of company information systems.
1) IT subject matter experts should be well informed of ever-changing industry standards and regulatory requirements, and provide ongoing updates to the organization.
1) Meet with your board and/or management team at least annually to discuss risks to the company, including cybersecurity risks.
1) Review the network diagrams to assess and document vulnerabilities (see ID.AM-3).
1) Review ID.AM-1 and ID.AM-2 to identify threat-protection systems available to the organization.
1) Determine sources of information about threats (industry resources like the National Restaurant Association, external sources identified in ID.RA-2, providers of threat-protection systems and internal business subject matter experts).
1) IT subject matter experts review the network diagrams to identify potential business impacts and likelihoods.
1) IT subject matter experts rank the identified business impacts and likelihoods based on the risk.
1) IT subject matter experts identify the risk responses and prioritize them based on their impact on the business.
1) Establish a schedule for leadership to review risk assessment details whenever they are updated.
1) Review the risk responses (ID.RA-6) according to the schedule and process outlined by ID.RM-1.
1) As part of your overall risk-management strategy, regularly consult with peers in other organizations (if
possible) and industry resources (e.g., the National Restaurant Association) to stay abreast of evolving industry-
specific risks.

1) Require unique accounts for each individual who accesses a POS terminal.
1) Keep an inventory of unused devices in a secure
1) Manage and log all remote access of your systems
1) Limit access privileges to the least necessary to
1) Use physical or virtual firewalls to separate critical

1) Disseminate security policies to all applicable


1) Perform a risk analysis to determine the scope of
1) Create and approve a third-party security policy.
1) Prepare an executive overview of all polices in
1) Include physical and information security personnel in all levels of information security. Provide
1) Limit data storage amounts and retention times to
1) Identify all locations where critical data (credit
1) Identify, inventory and label all critical assets,
1) Determine capacity requirements (storage,
1) Create a data classification policy that defines
1) Deploy technologies to assure the integrity of
1) Separate development/test environments from
1) Separate development/test environments from
1) Establish a system development life cycle for the
1) Ensure that configuration change control processes are in place for all hardware changes (including
1) Develop a comprehensive backup strategy as part
1) Keep your back-of-house file server in a place that
1) During a POS or back-office-system refresh,
1) Review and improve your protection processes
1) Share with appropriate parties the extent to which
1) Create a response and recovery plan with procedures and points of contact for responding to a
1) Create a recovery plan with procedures and points
1) Screen new hires to determine an individual’s
1) Conduct vulnerability scans (internal and external
1) Vet your IT equipment service providers to confirm
1) Allow only preapproved, authorized vendors to
1) Collect security event logs from network devices, servers and endpoint devices.
1) Identify, label and monitor USB-connected devices for data leakage (unauthorized transfer of sensitive data). These include USB drives, phones, cameras or music players capable of storing external data.
1) Require individual user accounts for access to your systems. Never use shared accounts for access to applications or data.
1) Limit access to network technologies such as MPLS, DSL and cable connections to authorized users and networks.
1) Establish baseline configurations for information systems and system components, including communications and connectivity-related aspects of systems.
1) Configure alert systems to identify security-related attacks and alert a designated individual/team or vendor.
1) Use security information and event management (SIEM) tools to aggregate your audit records and consolidate multiple information system components, including file integrity monitoring (FIM), antivirus (AV) attacks, intrusion prevention systems (IPS) and rogue hardware detection.
1) Prepare, maintain and test plans that document
1) Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
1) Monitor your network to detect potential cybersecurity events. Segment the network based on the label or classification level of the information stored on the servers.
1) Develop a continuous monitoring strategy and implement a continuous monitoring program.
1) Record user activities, exceptions, faults and information security events in a log, and regularly review the logs.
Use malware detection tools to detect malicious code and alert security personnel.
Use malware detection tools to detect unauthorized code on mobile devices, and alert security personnel.
Monitor contractor access and credentials to your company’s network, applications and data — both at your place of business and remotely.
Monitor and detect foreign devices on credit terminals. If unauthorized devices, connections or software are detected, remove the credit terminals from the network and stop taking credit.
Perform scans to detect medium-to-low risk and high-risk vulnerabilities to the system.
1) Install a malware detection system for your organization.
1) Develop and implement a detection process.
Have a trained security administrator periodically test your defenses. Vary your testing methods and times.
As part of an information security risk plan, document how you plan to communicate a security event.
1) Upgrade your software and firmware so you are using the latest releases.

Notify your security team and managers when an event occurs. Ensure that your team knows their roles and how
to respond.
Have a plan in place that spells out what needs to be communicated, and to whom, when an event occurs.
Develop a crisis communications plan, and follow it during an incident. Share the information needed to properly
respond.
Consistently update your stakeholders so they can help reduce the impact of an incident.
Periodically share risk trends and security information with stakeholders.
Review alerts immediately with your personnel/vendors from any systems that send alerts, such as virus and network-security tools.
Understand that as an event begins, your first discoveries may not be the source of the problem. As an example, one person skimming in a restaurant may lead to your finding that others are involved. Or you may find that one breached system leads to another breached system.
In the event of a major breach of your systems, perform a forensics audit. Consult immediately with a forensics expert to ensure that you are properly maintaining evidence.
Follow your response plan to ensure clear thinking and that appropriate actions are taken.
and can mitigate the breach as soon as possible.

Contain incidents to lessen their impact on your restaurant. For example, if a foreign device is detected on a credit terminal, remove the credit terminals at that location and stop taking credit.
Collect evidence concerning the incident, and follow your response plan to mitigate or eliminate the incident. In the event of a foreign device on a credit terminal, stop taking credit, take it off the network, secure the device and check all other devices. Bring in known good replacement devices to replace the suspected devices. Store the infected device somewhere that is secured. It may become legal evidence and should not be tampered with.
Apply your learning from evidence collection and perform any migration/corrective tasks.
Have a meeting after every incident to discuss lessons learned.
Learning how to respond starts with a plan rather than the experience itself. Always update your plans.
Carry out your recovery plan to limit the impact of your event.
Your recovery plan should incorporate lessons learned from responding to the incident. For example, if an employee was skimming cards at your restaurant, review with your team how they handled the incident and what improvements can be made to your plan.
Learn from real security incidents, and use those lessons to update your response plan.
Annually review your plan with your security team or vendor partners.
Implement a crisis communications plan to manage the public relations fallout from the incident. Consider hiring an outside PR consultant to help you.
Take steps to repair your reputation after a security incident. For example, if email addresses are the only information that is breached, assure your customers that no other personal information was compromised.
Keep managing partners, owners and other key stakeholders informed of your recovery process. Be very clear in your communications to avoid misunderstandings. Do not forget to apologize and to note that you are taking steps to ensure that this will not happen again. Work with PR partners when available.
For example, if a loyalty program was compromised and you have shut down this system, you should continue to communicate and give daily updates to your internal team.
Government Facilities Sector
Source:
URL: https://www.cisa.gov/publication/nipp-ssp-government-facilities-2015
https://www.nist.gov/cyberframework/critical-infrastructure-resources
Healthcare Sector
Source: HPH_Framework_Implementation_Guidance
URL: https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guida

Function Category Subcategory Supporting HITRUST CSF Controls
(The HIPAA Security Rule column of this table is listed separately below.)

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried | 07.a Inventory of Assets
ID.AM-2: Software platforms and applications within the organization are inventoried | 07.a Inventory of Assets
ID.AM-3: Organizational communication and data flows are mapped | 01.m Segregation in Networks; 05.i Identification of Risks Related to Third Parties
ID.AM-4: External information systems are catalogued | 01.i Policy on the Use of Network Services; 09.e Service Delivery
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | 07.a Inventory of Assets; 07.b Ownership of Assets
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | 02.a Roles and Responsibilities; 02.c Terms and Conditions of Employment

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization's role in the supply chain is identified and communicated | 05.d Authorization Process for Information Assets and Facilities
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | 05.a Management Commitment to Information Security
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | 03.a Risk Management Program Development
ID.BE-4: Dependencies and critical functions for delivery of critical services are established | 08.h Supporting Utilities; 12.b Business Continuity and Risk Assessment
ID.BE-5: Resilience requirements to support delivery of critical services are established | 12.a Including Information Security in the Business Continuity Management Process

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated | 04.a Information Security Policy Document
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | 04.b Review of the Information Security Policy; 05.b Information Security Coordination; 05.c Allocation of Information Security Responsibilities
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | 01.a Access Control Policy; 02.a Roles and Responsibilities
ID.GV-4: Governance and risk management processes address cybersecurity risks | 0.a Information Security Management Program

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented | 03.b Performing Risk Assessments; 03.d Risk Evaluation
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | 05.g Contact with Special Interest Groups; 10.m Control of Technical Vulnerabilities
ID.RA-3: Threats, both internal and external, are identified and documented | 03.b Performing Risk Assessments; 03.d Risk Evaluation
ID.RA-4: Potential business impacts and likelihoods are identified | 03.d Risk Evaluation
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | 03.b Performing Risk Assessments; 03.d Risk Evaluation
ID.RA-6: Risk responses are identified and prioritized | 03.c Risk Mitigation; 06.g Compliance with Security Policies and Standards

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | 03.a Risk Management Program Development
ID.RM-2: Organizational risk tolerance is determined and clearly expressed | 03.a Risk Management Program Development
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | 03.a Risk Management Program Development

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | (none listed)
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | (none listed)
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program | (none listed)
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | (none listed)
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | (none listed)

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 01.b User Registration; 01.d User Password Management; 01.g Unattended User Equipment
PR.AC-2: Physical access to assets is managed and protected | 08.a Physical Security Perimeter
PR.AC-3: Remote access is managed | 01.j Policy on the Use of Network Services; 01.n Network Connection Control
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 01.b User Registration; 01.c Privilege Management
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 01.m Segregation in Networks; 01.n Network Connection Control
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | (none listed)
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction | (none listed)

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained | 02.d Management Responsibilities; 02.e Information Security Awareness, Education, and Training
PR.AT-2: Privileged users understand their roles and responsibilities | 02.d Management Responsibilities; 02.e Information Security Awareness, Education, and Training
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | 02.d Management Responsibilities; 05.j Addressing Security When Dealing with Customers
PR.AT-4: Senior executives understand their roles and responsibilities | 02.d Management Responsibilities; 02.e Information Security Awareness, Education, and Training
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | 02.d Management Responsibilities; 02.e Information Security Awareness, Education, and Training

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected | 01.x Mobile Computing and Communications
PR.DS-2: Data-in-transit is protected | 09.m Network Controls; 09.u Physical Media in Transit
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | 01.y Teleworking; 07.a Inventory of Assets
PR.DS-4: Adequate capacity to ensure availability is maintained | 09.h Capacity Management
PR.DS-5: Protections against data leaks are implemented | 01.c Privilege Management; 12.c Developing and Implementing Continuity Plans Including Information Security; 01.m Segregation in Networks
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | 09.z Publicly Available Information; 10.b Input Data Validation
PR.DS-7: The development and testing environment(s) are separate from the production environment | 09.d Separation of Development, Test, and Operational Environments
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | (none listed)

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained | 01.i Policy on the Use of Network Services; 01.l Remote Diagnostic and Configuration Port Protection
PR.IP-2: A System Development Life Cycle to manage systems is implemented | 10.a Security Requirements Analysis and Specification
PR.IP-3: Configuration change control processes are in place | 09.b Change Management; 10.h Control of Operational Software
PR.IP-4: Backups of information are conducted, maintained, and tested | 09.l Back-up
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | 08.d Protecting Against External and Environmental Threats
PR.IP-6: Data is destroyed according to policy | 08.l Secure Disposal or Re-use of Equipment
PR.IP-7: Protection processes are improved | 0.a Information Security Management Program
PR.IP-8: Effectiveness of protection technologies is shared | 05.h Independent Review of Information Security
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 11.c Responsibilities and Procedures; 12.a Including Information Security in the Business Continuity Management Process
PR.IP-10: Response and recovery plans are tested | 12.e Testing, Maintaining and Reassessing Business Continuity Plans
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | 02.a Roles and Responsibilities; 02.b Screening
PR.IP-12: A vulnerability management plan is developed and implemented | 03.c Risk Mitigation; 06.h Technical Compliance Checking

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | 08.j Equipment Maintenance
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | 08.j Equipment Maintenance

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 06.c Protection of Organizational Records; 06.i Information Systems Audit Controls
PR.PT-2: Removable media is protected and its use restricted according to policy | 01.h Clear Desk and Clear Screen Policy; 07.e Information Labeling and Handling
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 01.i Policy on the Use of Network Services; 01.l Remote Diagnostic and Configuration Port Protection
PR.PT-4: Communications and control networks are protected | 01.j Policy on the Use of Network Services; 01.m Segregation in Networks
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | (none listed)

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | 01.m Segregation in Networks; 01.n Network Connection Control
DE.AE-2: Detected events are analyzed to understand attack targets and methods | 09.ab Monitoring System Use; 11.d Learning from Information Security Incidents
DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 09.ab Monitoring System Use; 11.c Responsibilities and Procedures
DE.AE-4: Impact of events is determined | 11.d Learning from Information Security Incidents
DE.AE-5: Incident alert thresholds are established | 12.d Business Continuity Planning Framework

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events | 01.j Policy on the Use of Network Services; 01.n Network Connection Control
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | 08.a Physical Security Perimeter; 08.b Physical Entry Controls
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | 01.b User Registration; 01.c Privilege Management; 09.ab Monitoring System Use
DE.CM-4: Malicious code is detected | 09.j Controls Against Malicious Code
DE.CM-5: Unauthorized mobile code is detected | 09.k Controls Against Mobile Code
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 02.d Management Responsibilities; 05.k Addressing Security in Third Party Agreements
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | 06.g Compliance with Security Policies and Standards
DE.CM-8: Vulnerability scans are performed | 06.h Technical Compliance Checking; 10.m Control of Technical Vulnerabilities

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | 02.a Roles and Responsibilities; 02.d Management Responsibilities
DE.DP-2: Detection activities comply with all applicable requirements | 06.d Data Protection and Privacy of Covered Information
DE.DP-3: Detection processes are tested | 08.b Physical Entry Controls
DE.DP-4: Event detection information is communicated | 05.b Information Security Coordination; 05.f Contact with Authorities
DE.DP-5: Detection processes are continuously improved | 10.m Control of Technical Vulnerabilities

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
RS.RP-1: Response plan is executed during or after an incident | 11.c Responsibilities and Procedures

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed | 11.c Responsibilities and Procedures; 11.d Learning from Information Security Incidents; 05.f Contact with Authorities; 12.c Developing and Implementing Continuity Plans Including Information Security
RS.CO-2: Incidents are reported consistent with established criteria | 09.ab Monitoring System Use; 05.f Contact with Authorities
RS.CO-3: Information is shared consistent with response plans | 08.b Physical Entry Controls; 11.c Responsibilities and Procedures
RS.CO-4: Coordination with stakeholders occurs consistent with response plans | 11.d Learning from Information Security Incidents
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | 05.g Contact with Special Interest Groups

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated | 11.c Responsibilities and Procedures; 08.b Physical Entry Controls; 09.ab Monitoring System Use
RS.AN-2: The impact of the incident is understood | 11.d Learning from Information Security Incidents
RS.AN-3: Forensics are performed | 11.c Responsibilities and Procedures
RS.AN-4: Incidents are categorized consistent with response plans | 11.c Responsibilities and Procedures
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources | (none listed)

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
RS.MI-1: Incidents are contained | 11.c Responsibilities and Procedures; 11.d Learning from Information Security Incidents
RS.MI-2: Incidents are mitigated | 11.c Responsibilities and Procedures
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | 03.a Risk Management Program Development; 11.d Learning from Information Security Incidents

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned | 11.c Responsibilities and Procedures; 11.d Learning from Information Security Incidents
RS.IM-2: Response strategies are updated | 11.c Responsibilities and Procedures

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | 11.d Learning from Information Security Incidents

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned | 11.d Learning from Information Security Incidents
RC.IM-2: Recovery strategies are updated | 11.d Learning from Information Security Incidents

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
RC.CO-1: Public relations are managed | 11.d Learning from Information Security Incidents
RC.CO-2: Reputation is repaired after an incident | 11.d Learning from Information Security Incidents
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | 11.d Learning from Information Security Incidents

HIPAA Security Rule

164.308(a)(1)(ii)(A)
164.310(a)(2)(ii)
164.308(a)(1)(ii)(A)
164.308(a)(7)(ii)(E)
164.308(a)(1)(ii)(A)
164.308(a)(3)(ii)(A)
164.308(a)(4)(ii)(A)
164.308(b)
164.308(a)(7)(ii)(E)
164.308(a)(2)
164.308(a)(3)
164.308(a)(1)(ii)(A)
164.308(a)(4)(ii)
164.308(a)(1)(ii)(A)
164.308(a)(4)(ii)
164.308(a)(7)(ii)(B)
164.308(a)(7)(ii)(C)
164.308(a)(7)(i) 164.308(a)(7)(ii)(D)
164.308(a)(7)(ii)(E)
164.308(a)(1)(ii)(B)
164.308(a)(6)(ii)
164.308(a)(1)(i)
164.316
164.308(a)(1)(i)
164.308(a)(2)
164.306
164.308
164.308(a)(1) 164.308(b)
164.308(a)(1)(ii)(A)
164.308(a)(7)(ii)(E)
None
164.308(a)(1)(ii)(A)
164.308(a)(1)(ii)(D)
164.308(a)(1)(i)
164.308(a)(1)(ii)(A)
164.308(a)(1)(ii)(A) 164.308(a)(1)(ii)(B)
164.308(a)(1)(ii)(D)
164.308(a)(1)(ii)(B)
164.314(a)(2)(i)(C)
164.308(a)(1)(ii)(B)
164.308(a)(1)(ii)(B)
164.308(a)(1)(ii)(B)
164.308(a)(6)(ii)

164.308(a)(3)(ii)(B)
164.308(a)(3)(ii)(C)
164.308(a)(1)(ii)(B) 164.308(a)(7)(i)
164.308(a)(7)(ii)(A)
164.308(a)(4)(i)
164.308(b)(1)
164.308(a)(3)
164.308(a)(4)
164.308(a)(4)(ii)(B)
164.310(a)(1) 164.310(b)

164.308(a)(5)
164.308(a)(2)
164.308(a)(3)(i) 164.308(a)(5)(i)
164.308(b) 164.314(a)(1)
164.314(a)(2)(i)
164.308(a)(2)
164.308(a)(3)(i)
164.308(a)(2)
164.308(a)(3)(i)
164.308(a)(1)(ii)(D)
164.308(b)(1) 164.310(d)
164.308(b)(1)
164.308(b)(2)
164.308(a)(1)(ii)(A)
164.310(a)(2)(ii)
164.308(a)(1)(ii)(A) 164.308(a)(1)(ii)(B)
164.308(a)(7)
164.308(a)(1)(ii)(D)
164.308(a)(3)
164.308(a)(1)(ii)(D)
164.312(b) 164.312(c)(1)
164.308(a)(4)

164.308(a)(8)
164.308(a)(7)(i)
164.308(a)(1)(i)
164.308(a)(8)
164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(B)
164.308(a)(7)(ii)(D)
164.308(a)(7)(i)
164.308(a)(7)(ii)(C)
164.310(d)(2)(i)
164.310(d)(2)(ii)
164.306(e)
164.308(a)(7)(ii)(D)
164.308(a)(6)(ii)
164.308(a)(6) 164.308(a)(7)
164.310(a)(2)(i)
164.308(a)(7)(ii)(D)
164.308(a)(1)(ii)(C) 164.308(a)(3)
164.308(a)(1)(i)
164.308(a)(1)(ii)(A)
164.308(a)(3)(ii)(A) 164.308(a)(1)(ii)(B)
164.310(a)(2)(iv)
164.308(a)(3)(ii)(A)
164.310(d)(1)
164.308(a)(1)(ii)(D)
164.308(a)(5)(ii)(C)
164.308(a)(3)(i)
164.308(a)(3)(ii)(A)
164.308(a)(3)
164.308(a)(4)
164.308(a)(1)(ii)(D)
164.312(a)(1)
164.308(a)(1)(ii)(D) 164.312(b)
164.308(6)(i)
164.308(a)(1)(ii)(D)
164.308(a)(5)(ii)(B)
164.308(a)(6)(ii)
164.308(a)(6)(i)
164.308(a)(1)(ii)(D)
164.308(a)(5)(ii)(B)
164.310(a)(2)(ii)
164.310(a)(2)(iii)
164.308(a)(1)(ii)(D)
164.308(a)(3)(ii)(A)
164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B)
164.308(a)(1)(ii)(D)
164.308(a)(5)(ii)(B)
164.308(a)(1)(ii)(D)
164.308(a)(1)(ii)(D)
164.308(a)(5)(ii)(B)
164.308(a)(1)(i)
164.308(a)(8)
164.308(a)(2)
164.308(a)(3)(ii)(A)
164.308(a)(1)(i)
164.308(a)(8)
164.306(e)
164.308(a)(6)(ii)
164.314(a)(2)(i)(C)
164.306(e) 164.308(a)(8)
164.308(a)(6)(ii)
164.308(a)(7)(i)
164.308(a)(2)
164.308(a)(7)(ii)(A)
164.308(a)(5)(ii)(B)
164.308(a)(5)(ii)(C)
164.308(a)(5)(ii)(B)
164.308(a)(5)(ii)(C)
164.308(a)(6)
164.308(a)(7)
164.308(a)(6)
164.308(a)(1)(i)
164.308(a)(1)(ii)(D)
164.308(a)(6)(ii)
164.308(a)(7)(ii)(B)
164.308(a)(6)
164.308(a)(6)(ii)

164.308(a)(6)(ii)
164.308(a)(6)(ii)
164.308(a)(1)(ii)(A)
164.308(a)(1)(ii)(B)
164.308(a)(7)(ii)(D)
164.308(a)(8)
164.308(a)(7)(ii)(D) 164.308(a)(8)
164.308(a)(7)
164.310(a)(2)(i)
164.308(a)(7)(ii)(D)
164.308(a)(8)
164.308(a)(7)(ii)(D)
164.308(a)(8)
164.308(a)(6)(i)
164.308(a)(6)(i)
164.308(a)(6)(ii)
164.308(a)(7)(ii)(B)
Information Technology Sector
Source:
URL: https://www.cisa.gov/publication/nipp-ssp-information-technology-2016
Nuclear Sector
Source: Nuclear Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Nuclear_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf

Function Category Subcategory Profile (applicable sections of the Plan and cyber security controls from NEI 08-09)

IDENTIFY (ID)

Asset Management (ID.AM)
ID.AM-1: Physical devices and systems within the organization are inventoried | A-3.1.3, D-5.4
ID.AM-2: Software platforms and applications within the organization are inventoried | D-5.4, E-10.3, E-10.9
ID.AM-3: Organizational communication and data flows are mapped | D-1.4, D-1.18
ID.AM-4: External information systems are catalogued | E.3.4, A-3.1.3, D-1.22
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | A-3.1.3, D-3.5
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established | A-4.8, A-4.11, E-8.1

Business Environment (ID.BE)
ID.BE-1: The organization's role in the supply chain is identified and communicated | (none listed)
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | (none listed)
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | (none listed)
ID.BE-4: Dependencies and critical functions for delivery of critical services are established | E-11.2
ID.BE-5: Resilience requirements to support delivery of critical services are established | A-4.6, A-4.7, E-8.1, E-8.6

Governance (ID.GV)
ID.GV-1: Organizational cybersecurity policy is established and communicated | A
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | A-4.11
ID.GV-3: Legal and regulatory requirements regarding cybersecurity are understood and managed | A-2.1, A-2.2
ID.GV-4: Governance and risk management processes address cybersecurity risks | A-4.9, A-3.1.5, A-4.4.3.2

Risk Assessment (ID.RA)
ID.RA-1: Asset vulnerabilities are identified and documented | D-5.5
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | A-4.9.1
ID.RA-3: Threats, both internal and external, are identified and documented | E-3.5, A-2.1, E-9.8, A-4.9.1
ID.RA-4: Potential business impacts and likelihoods are identified | E-3.5, A-3.1.3
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | A-4.9.1, A-4.9.4
ID.RA-6: Risk responses are identified and prioritized | A-4.2, A-4.9.4

Risk Management Strategy (ID.RM)
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | (none listed)
ID.RM-2: Organizational risk tolerance is determined and clearly expressed | (none listed)
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | (none listed)

Supply Chain Risk Management (ID.SC)
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | Plant Cyber Security Teams establish processes and procedures that address cyber supply chain risk management in their Cyber Security Plans.
ID.SC-2: Suppliers and third party partners are identified, prioritized, and assessed using a cyber supply chain risk assessment process | Suppliers are identified, vetted, and validated through the nuclear procurement process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures | Baseline cyber security requirements are integrated into the procurement process. The nuclear industry implements a graded approach based upon the component risk.
ID.SC-4: Suppliers and third-party partners are routinely assessed to confirm they are meeting their contractual obligations | Plants implement procedures to facilitate [and] maintain the procurement policies. To the extent practicable, plants also utilize third-party security alert notification and information security services.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | Plant Cyber Security Teams collect and document the vendor security alert lists. Plants also include vendor representatives [...]

PROTECT (PR)

Access Control (PR.AC)
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | D-1.2, D-1.11, D-4.2, D-4.3, D-4.5, D-4.6, D-4.7
PR.AC-2: Physical access to assets is managed and protected | D-4.4, E-5.4, E-5.5
PR.AC-3: Remote access is managed | A-4.3, D-1.1
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | D-1.5, D-1.6, D-5.3
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | A-4.3, D-1.4
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | (none listed)
PR.AC-7: Users, devices, and other assets are authenticated commensurate with the risk of the transaction | (none listed)

Awareness and Training (PR.AT)
PR.AT-1: All users are informed and trained | A-4.8, E-9.1, E-9.2, E-9.3
PR.AT-2: Privileged users understand their roles and responsibilities | A-4.8, A-4.11, E-7.2, E-8.3, E-9.1, E-9.3
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | A-4.8, A-4.11, E-11.1, E-11.2, E-11.3
PR.AT-4: Senior executives understand their roles and responsibilities | A-4.8, A-4.11, E-9.1, E-9.3
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | A-4.8, A-4.11, E-9.1, E-9.3

Data Security (PR.DS)
PR.DS-1: Data-at-rest is protected | D-3.19
PR.DS-2: Data-in-transit is protected | D-3.6, D-3.7
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | E-1.6, E-10.9
PR.DS-4: Adequate capacity to ensure availability is maintained | D-3.4
PR.DS-5: Protections against data leaks are implemented | D-1.4, D-1.5, D-1.6, D-1.15, D-3.7, D-3.9, D-4.9, D-5.3
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | E-3.7
PR.DS-7: The development and testing environment(s) are separate from the production environment | D-5.4, E-10.3
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | (none listed)

Information Protection Processes and Procedures (PR.IP)
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained | A-3.1.3, A-3.1.5, A-4.4.1, A-4.4.2, A-4.5
PR.IP-2: A System Development Life Cycle to manage systems is implemented | A-4.5, E-11.3, E-11.4, E-11.5, E-11.6
PR.IP-3: Configuration change control processes are in place | A-4.4.1, D-1.18, D-4.1, D-4.7
PR.IP-4: Backups of information are conducted, maintained, and tested | E-8.2, E-8.5
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | A-4.12, E-5.1
PR.IP-6: Data is destroyed according to policy | E-1.6
PR.IP-7: Protection processes are improved | A-4.12
PR.IP-8: Effectiveness of protection technologies is shared | A-4.12, E-9.8
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans are in place and managed | A-4.6, A-4.7, E-7.1, E-7.3, E-7.6, E-8.1
PR.IP-10: Response and recovery plans are tested | E-8.2
PR.IP-11: Cybersecurity is included in human resources practices | E-2.1, E-2.2, E-5.2
PR.IP-12: A vulnerability management plan is developed and implemented | A-4.9, D-5.5

Maintenance (PR.MA)
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | E-4.2, E-4.3
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | Remote maintenance to critical safety, security, and reliability systems is prohibited by the defensive architecture described in the cyber security plan. (A-4.3)

Protective Technology (PR.PT)
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | D-2.1, D-2.2, D-2.3, D-2.6, D-2.7, D-2.12
PR.PT-2: Removable media is protected and its use restricted according to policy | D-1.2, D-1.19, E-1.4, E-1.5
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | D-1.2, D-1.3, D-1.11, D-1.16, D-5.1, D-5.4
PR.PT-4: Communications and control networks are protected | A-4.3, E-6
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements | (none listed)

DETECT (DE)

Anomalies and Events (DE.AE)
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | D-2.6
DE.AE-2: Detected events are analyzed to understand attack targets and methods | D-2.6, E-7.4
DE.AE-3: Event data are collected and correlated from multiple sources and sensors | E-7.4, E-7.5
DE.AE-4: Impact of events is determined | D-5.2, E-3.4
DE.AE-5: Incident alert thresholds are established | D-5.2, E-3.4

Security Continuous Monitoring (DE.CM)
DE.CM-1: The network is monitored to detect potential cybersecurity events | D-4.4, E-6
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | E-2.1, E-5.6, E-5.7, E-5.8
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | E-3.3
DE.CM-4: Malicious code is detected | D-3.13
DE.CM-5: Unauthorized mobile code is detected | D-5.2, E-3.4, E-5.2
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | D-1.2, D-1.17, D-1.19
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | D-4.4, D-5.2, D-5.3, E-12
DE.CM-8: Vulnerability scans are performed | A-4.6, E-3.4

Detection Processes (DE.DP)
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | A-4.6
DE.DP-2: Detection activities comply with all applicable requirements | D-5.2, E-3.4
DE.DP-3: Detection processes are tested | A-4.6, D-2.6
DE.DP-4: Event detection information is communicated | A-4.6, A-4.12, E-12
DE.DP-5: Detection processes are continuously improved | A-4.6

RESPOND (RS)

Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident | A-4.6, A-4.8, E-7.1, E-7.6, E-8.1, E-8.6

Communications (RS.CO)
RS.CO-1: Personnel know their roles and order of operations when a response is needed | A-4.6, E-8.1
RS.CO-2: Incidents are reported consistent with established criteria | A-4.6, E-8.1
RS.CO-3: Information is shared consistent with response plans | A-4.6, E-8.1
RS.CO-4: Coordination with stakeholders occurs consistent with response plans | A-4.6, E-3.5
RS.CO-5: Voluntary information sharing occurs with external stakeholders | D-2.6, E-9.8

Analysis (RS.AN)
RS.AN-1: Notifications from detection systems are investigated | E-7.4
RS.AN-2: The impact of the incident is understood | E-7.4
RS.AN-3: Forensics are performed | E-8.1
RS.AN-4: Incidents are categorized consistent with response plans | A-4.6, E-7.4
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization | (none listed)

Mitigation (RS.MI)
RS.MI-1: Incidents are contained | A-4.7
RS.MI-2: Incidents are mitigated | E-7.4
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | A-4.9.1, A-4.9.3, A-4.9.4, E-3.11

Improvements (RS.IM)
RS.IM-1: Response plans incorporate lessons learned | A-4.9.4, E-7.4, E-8.1, E-12
RS.IM-2: Response strategies are updated | E-7.1, E-7.4, E-7.6

RECOVER (RC)

Recovery Planning (RC.RP)
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | A-4.7, A-4.9.3, A-4.9.4

Improvements (RC.IM)
RC.IM-1: Recovery plans incorporate lessons learned | A-4.9.4, E-3.11, E-7.4, E-8.1, E-12
RC.IM-2: Recovery strategies are updated | E-7.1

Communications (RC.CO)
RC.CO-1: Public relations are managed | A-4.7
RC.CO-2: Reputation is repaired after an incident | E-8.1
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | (none listed)
Transportation Systems Sector
Source: Transportation Systems Sector Cybersecurity Framework Implementation Guidance
URL: https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide-
https://www.cisa.gov/transportation-systems-sector

Function Category Subcategory TSS Strategy Goals
(In this table the TSS Strategy Goal applies to every subcategory of the category listed.)

IDENTIFY (ID)
Asset Management (ID.AM), ID.AM-1 through ID.AM-6 | Goal 1: Define Conceptual Environment
Business Environment (ID.BE), ID.BE-1 through ID.BE-5 | Goal 5: Ensure Sustained Coordination and Strategic Implementation
Governance (ID.GV), ID.GV-1 through ID.GV-4 | Goal 5: Ensure Sustained Coordination and Strategic Implementation
Risk Assessment (ID.RA), ID.RA-1 through ID.RA-6 | Goal 1: Define Conceptual Environment
Risk Management Strategy (ID.RM), ID.RM-1 through ID.RM-3 | Goal 1: Define Conceptual Environment
Supply Chain Risk Management (ID.SC), ID.SC-1 through ID.SC-5 | (none listed)

PROTECT (PR)
Access Control (PR.AC), PR.AC-1 through PR.AC-7 | Goal 1: Define Conceptual Environment
Awareness and Training (PR.AT), PR.AT-1 through PR.AT-5 | Goal 3: Maintain Continuous Cybersecurity Awareness
Data Security (PR.DS), PR.DS-1 through PR.DS-8 | Goal 4: Enhance Intelligence and Security Information Sharing
Information Protection Processes and Procedures (PR.IP), PR.IP-1 through PR.IP-10 | Goal 1: Define Conceptual Environment
technologies
Response andis
and coordination (Incident
PR.IP-11:
Response
recovery and is
among PR.IP-12:plans
Cybersecurity A
organizational are tested
included
vulnerability in
Maintenance PR.MA-1:
(PR.MA): human
managementresources
Maintenance and Goal 1: Define Conceptual Environment
PR.MA-2:
Maintenance and plan
repair
Remoteis of
Protective PR.PT-1:
repairs of system organizational
Technology maintenance
Audit/log of
PR.PT-2:
(PR.PT): organizational
records
Removable are Goal 3: Maintain Continuous Cybersecurity
PR.PT-3: The
Technical media
principle
PR.PT-4: is of least Awareness
determined,
security protected
functionality andisits
solutions are Communications
PR.PT-5:
incorporated
controlA by
Anomalies and and Mechanisms
DE.AE-1:
Events networks
(e.g.,
baseline ofare
failsafe,
DE.AE-2:
(DE.AE): load balancing,
network
Detected events Goal 4: Enhance Intelligence and Security
DE.AE-3: Event
Anomalous operations
are analyzed andto Information Sharing
data are
DE.AE-4:
activity is understand
collected
detected in a Impact
DE.AE-5: ofand events
correlated
is determined
Incident alert from
Security DE.CM-1: The
Continuous thresholds
network
DE.CM-2: The is are
DETECT (DE)

Monitoring established
monitored
physical to
DE.CM-3:
(DE.CM): The environment
detect potential
information DE.CM-4: is Goal 4: Enhance Intelligence and Security
Personnel
monitored
activity
Malicious to
is code
system and DE.CM-5: Information Sharing
monitored
is detected to
Unauthorized
assets are DE.CM-6:
monitored at mobile
External
DE.CM-7: code
serviceis
detected
discrete intervals Monitoring
provider activity
for
DE.CM-8:
to identify is monitored
unauthorized to
Detection Vulnerability
DE.DP-1: Roles
Processes personnel,
scans
and are
DE.DP-2:
(DE.DP): performed
responsibilities
Detection Goal 4: Enhance Intelligence and Security
DE.DP-3:
Detection for detection
activities complyare Information Sharing
Detection
DE.DP-4: Event
processes and with all
processes
DE.DP-5: are
procedures are detection
tested
information
Detection is Goal 1: Define Conceptual Environment
Response RS.RP-1:
communicated
processes
Planning RS.CO-1: are
Response plan is
Communication continuously
executed
Personnel
RS.CO-2: know during
s (RS.CO): or after
their anare
roles
Incidents and Goal 2: Improve and Expand Voluntary
Response RS.CO-3:
order
reportedof Participation
activities are Information
RS.CO-4: is
consistent with
coordinated with shared consistent
POND (RS)

Coordination
internal and with
with response
stakeholders
Planning
Communication
s (RS.CO): Goal 2: Improve and Expand Voluntary
Response Participation
activities are

RESPOND (RS)
coordinated with RS.CO-5:
internal
Analysisand Voluntary
RS.AN-1:
(RS.AN): information
Notifications
RS.AN-2: The
Analysis is sharing
from
impact occurs
detection
of the Goal 4: Enhance Intelligence and Security
RS.AN-3:
conducted to systems are
incident isare Information Sharing
Forensics
ensure adequate RS.AN-4:
understood
performed
response and Incidents are
RS.AN-5:
Mitigation categorized
Processes
RS.MI-1: are
consistent
established with Goal 4: Enhance Intelligence and Security
(RS.MI): RS.MI-2: areto
Incidents
receive, Information Sharing
Activities are Incidentsanalyze
contained
RS.MI-3: are
Newly
performed to mitigated
Improvements identified
RS.IM-1: Goal 3: Maintain Continuous Cybersecurity
(RS.IM): vulnerabilities
Response plans Awareness
RS.IM-2:
Organizational are mitigated or
incorporate
RECOVER (RC)

Recovery Response
RC.RP-1: Goal 1
response lessons learned
strategies
Planning RC.IM-1: are
Improvements Recovery plan is Goal 3: Maintain Continuous Cybersecurity
(RC.RP):
(RC.IM): updated
executed
Recoveryduring
plans Awareness
RC.IM-2:
Recovery
incorporating or after a
incorporate
Recovery
Communication RC.CO-1: Public
lessons learned lessons
s (RC.CO): learned
strategies
relations are Goal 2: Improve and Expand Voluntary
RC.CO-2:are
coordinating updated
managed Participation
Reputation is
RC.CO-3:
centers, Internet Recovery
repaired after an
incident
activities are
communicated to
ork-implementation-guide-2016-508v2_0.pdf
Water Sector
Source: American Water Works Association Cybersecurity Guidance 2019
URL: https://www.cisa.gov/publication/nipp-ssp-water-2015
https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.pdf?ver=2019-09-09-111949-960

Function / Category | Subcategory | Description | AWWA Guidance: Controls

IDENTIFY (ID)

Asset Management (ID.AM)
  ID.AM-1 | Physical devices and systems within the organization are inventoried | PM-2
  ID.AM-2 | Software platforms and applications within the organization are inventoried | PM-2
  ID.AM-3 | Organizational communication and data flows are mapped | PM-2
  ID.AM-4 | External information systems are catalogued | MA-3
  ID.AM-5 | Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | PM-5
  ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | PE-4, PS-2

Business Environment (ID.BE)
  ID.BE-1 | The organization’s role in the supply chain is identified and communicated | RA-2, PS-2,
  ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | MA-2
  ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | IR-2
  ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | IR-2
  ID.BE-5 | Resilience requirements to support delivery of critical services are established | IR-3

Governance (ID.GV)
  ID.GV-1 | Organizational information security policy is established | IR-2, AU-2
  ID.GV-2 | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | PS-2, AU-4, AU-6
  ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | IR-3
  ID.GV-4 | Governance and risk management processes address cybersecurity risks | AU-3, AU-5, CM-6

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1 | Asset vulnerabilities are identified and documented | AU-5, RA-1, IR-2
  ID.RA-2 | Threat and vulnerability information is received from information sharing forums and sources | AU-5, PM-3, IR-2
  ID.RA-3 | Threats, both internal and external, are identified and documented | AU-5, RA-1, IR-2
  ID.RA-4 | Potential business impacts and likelihoods are identified | AU-5, RA-1, IR-2
  ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | AU-5
  ID.RA-6 | Risk responses are identified and prioritized | IR-1

Risk Management Strategy (ID.RM)
  ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | IR-2
  ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | SA-4
  ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | SC-4

Supply Chain Risk Management (ID.SC)
  ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | SU1
  ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | SU2
  ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | SU2
  ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | SU1
  ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers |

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  PR.AC-1 | Identities and credentials are managed for authorized devices and users | IA-1, RA-1, SC-19
  PR.AC-2 | Physical access to assets is managed and protected | PE-1, PE-2, PE-3
  PR.AC-3 | Remote access is managed | IA-7, SC-12, SC-18, SC-21, RA-2
  PR.AC-4 | Access permissions are managed, incorporating the principles of least privilege and separation of duties | IA-3, SC-22
  PR.AC-5 | Network integrity is protected, incorporating network segregation where appropriate | SC-8, SC-9, SC-14,
  PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
  PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |

Awareness and Training (PR.AT)
  PR.AT-1 | All users are informed and trained | AT-1, AT-2
  PR.AT-2 | Privileged users understand roles & responsibilities | AT-1, AT-2
  PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | AT-2
  PR.AT-4 | Senior executives understand roles & responsibilities | AT-1
  PR.AT-5 | Physical and information security personnel understand roles & responsibilities | PS-4, AT-1

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  PR.DS-1 | Data-at-rest is protected | PM-5, MP-2
  PR.DS-2 | Data-in-transit is protected | PM-4, SC-14, SC-23, SC-24
  PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | PM-1
  PR.DS-4 | Adequate capacity to ensure availability is maintained | MA-1, CM-7
  PR.DS-5 | Protections against data leaks are implemented | IA-4
  PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | IR-3
  PR.DS-7 | The development and testing environment(s) are separate from the production environment | CM-4
  PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity |

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  PR.IP-1 | A baseline configuration of information | SA-3
  PR.IP-2 | A System Development Life Cycle to manage systems is implemented | CM-1, CM-6
  PR.IP-3 | Configuration change control processes are in place | SA-3
  PR.IP-4 | Backups of information are conducted, maintained, and tested periodically | SA-5
  PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | PE-4
  PR.IP-6 | Data is destroyed according to policy | MP-1
  PR.IP-7 | Protection processes are continuously improved | AU-6
  PR.IP-8 | Effectiveness of protection technologies is shared with appropriate parties | AU-7
  PR.IP-9 | Response plans (Incident Response and Business | ANSI/AWWA J100/G440/M19
  PR.IP-10 | Response and recovery plans are tested | PS-4
  PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | AT-2
  PR.IP-12 | A vulnerability management plan is developed and implemented | AU-5

Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
  PR.MA-1 | Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | MA-1
  PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | MA-1

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
  PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | PM-3
  PR.PT-2 | Removable media is protected and its use restricted according to policy | MP-1
  PR.PT-3 | Access to systems and assets is controlled, incorporating the principle of least functionality (whitelisting) | SC-10, SC-19
  PR.PT-4 | Communications and control networks are protected | IA-7
  PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
  DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | Not addressed
  DE.AE-2 | Detected events are analyzed to understand attack targets and methods | SC-5
  DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors | Not addressed
  DE.AE-4 | Impact of events is determined | PM-3
  DE.AE-5 | Incident alert thresholds are established | CM-7

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  DE.CM-1 | The network is monitored to detect potential cybersecurity events | CM-7
  DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | PE-1, CM-7
  DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | CM-7, SA-5
  DE.CM-4 | Malicious code is detected | SC-5
  DE.CM-5 | Unauthorized mobile code is detected | SA-4
  DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | IA-2
  DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | PS-1
  DE.CM-8 | Vulnerability scans are performed | IR-2

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
  DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | PS-2
  DE.DP-2 | Detection activities comply with all applicable requirements | IR-3
  DE.DP-3 | Detection processes are tested | ANSI/AWWA G430, G440
  DE.DP-4 | Event detection information is communicated to appropriate parties | IA-2
  DE.DP-5 | Detection processes are continuously improved | SC-4

RESPOND (RS)

Response Planning (RS.RP)
  RS.RP-1 | Response plan is executed during or after an event | AT-1

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  RS.CO-1 | Personnel know their roles and order of operations when a response is needed | ANSI/AWWA
  RS.CO-2 | Events are reported consistent with established criteria | G430
  RS.CO-3 | Information is shared consistent with response plans | SC-6
  RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | ANSI/AWWA
  RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | MA-2

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  RS.AN-1 | Notifications from detection systems are investigated | SC-5
  RS.AN-2 | The impact of the incident is understood | ANSI/AWWA J100
  RS.AN-3 | Forensics are performed | AT-3
  RS.AN-4 | Incidents are categorized consistent with response plans | AT-3
  RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources |

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  RS.MI-1 | Incidents are contained | IR-1
  RS.MI-2 | Incidents are mitigated | IR-1
  RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | IR-2

Improvements (RS.IM)
  RS.IM-1 | Response plans incorporate lessons learned | ANSI/AWWA G430, G440
  RS.IM-2 | Response strategies are updated | ANSI/AWWA

RECOVER (RC)

Recovery Planning (RC.RP)
  RC.RP-1 | Recovery plan is executed during or after an event | AU-7

Improvements (RC.IM)
  RC.IM-1 | Recovery plans incorporate lessons learned | ANSI/AWWA
  RC.IM-2 | Recovery strategies are updated | ANSI/AWWA G430, G440

Communications (RC.CO)
  RC.CO-1 | Public relations are managed | ANSI/AWWA
  RC.CO-2 | Reputation after an event is repaired | ANSI/AWWA G430, G440
  RC.CO-3 | Recovery activities are communicated to internal stakeholders and executive and management teams | ANSI/AWWA G430, G440
