Columns in this block (row-to-column mapping not recoverable from the extraction):

SBOM

Cyber Hygiene 101 for Small- and Medium-Sized Businesses, by topic, with the NIST SP 800-53 control(s) it maps to:
Access Control (all AC)
Avoiding Email Scams (AT-2)
Practicing Good Physical Security Habits (AT-3, PE-6)
Secure the Data, Not the Device
Firewalls, Intrusion Prevention System, and Endpoint Protection Platforms (AC-3, SC-7)
Anticipating and Preventing Attacks (SC-28, SA-11)
Secure Socket Layer (SSL) Certificates (SC-8)
Access Control and Firewalls (all AC, SC-7, SI-4)

NIST Cybersecurity Framework functions covered: IDENTIFY (ID), PROTECT (PR), RECOVER (RC)
https://www.fdd.org/analysis/2021/07/22/comparison-of-cybersecurity-guidance-for-critical-infrastructure-sectors/
Category | Subcategory | NIST SP 800-53, Revision 5 Control
Communications Sector
Source: The Communications Security, Reliability and Interoperability Council IV Working Group 4 Final Report, 2015
URL: https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
Column: Communication

Critical Manufacturing Sector
Source: Critical Manufacturing Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/publication/critical-manufacturing-cybersecurity-framework-implementation
Columns: NISTIR 8183 Cybersecurity Framework Manufacturing Profile (2020); ANSI/ISA 62443 Series of Standards on the Cybersecurity of Industrial Automation and Control Systems (2020)

Dams Sector
Source: Dams Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publicati
Column: Dams Sector Cybersecurity Capability Maturity Model (Dams-C2M2) (2020)
Dams Sector (continued)
Source: Dams Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: www.cisa.gov/sites/default/files/publications/Dams_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf
Columns: North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards; Electricity Subsector Cybersecurity Risk Management Process (RMP)

Defense Industrial Base Sector
Source: NIST SP 800-171
URL: https://www.cisa.gov/sites/default/files/publications/DIB_Guide_to_Imple
Column: Controlled Unclassified Information

Emergency Services Sector
Source: Emergency Services Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Em
Columns: Emergency Services Sector Cyber Risk Assessment (ESS-CRA); Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap)
Emergency Services Sector (continued)
Source: Emergency Services Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: /default/files/publications/Emergency_Services_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf

Energy Sector
Source: Energy Sector: Cybersecurity Framework Implementation Guidance. Jan 2015
URL: https://www.energy.gov/ceser/downloads/energy-sector-cybersecurity-framework-implementation-
Columns: Energy Sector Cybersecurity Capability Maturity Model (C2M2) Program; Cybersecurity Capability Maturity Model, Maturity Level 1, Maturity Level 2, Maturity Level 3

Financial Services Sector
Source: Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool
URL: https://www.ffiec.gov/cyberassessmenttool.htm
Column: FFIEC Cybersecurity Assessment

Food and Agriculture Sector
Source: National Restaurant Association: Cybersecurity 201, 2017
Column: Restaurant Industry Supporting Practices

Healthcare and Public Health Sector
Source: HPH_Framework_Implementation Guidance, 2016
URLs: https://us-cert.cisa.gov/sites/default/files/c3vp/ ; https://www.nist.gov/cyberframework/critical-infrastructu
Columns: HITRUST CSF Controls; HIPAA Security Rule
Nuclear Reactors, Materials, and Waste Sector
Source: Nuclear Sector: Cybersecurity Framework Implementation Guidance, 2015
URL: https://www.cisa.gov/sites/default/files/publications/Nuclear_Sector_Cybersecurity_Framework_Implementation_Guidan
Column: U.S. Nuclear Power Reactor

Transportation Systems Sector
Source: Transportation Systems Sector Cybersecurity Framework Implementation Guide, 2020
URL: https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide
Column: Transportation Systems Sector Strategy

Water and Wastewater Systems Sector
Source: American Water Works Association Cybersecurity Guidance, 2019
URL: https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.p
Column: Water Practices
NIST Cybersecurity Framework: Function | Category | Subcategory

Chemical Sector columns (2015, 2020): Chemical Facilities Anti-Terrorism Standards (CFATS) Chemical Security Assessment Tool (CSAT) Risk-Based Performance Standards Guidance, Standard 8 (RBPS-8); American Chemical Council (ACC) Responsible Care Security Code (RCSC): Cybersecurity Guidance; Payment Card Industry Data Security Standard (PCI-DSS)

PROTECT (PR)

ID.AM-1: Physical devices and systems within the organization are inventoried

Further columns (2020, 2015, 2020, 2020): ISO27001/2; COBIT; Communication; NISTIR 8183 Cybersecurity Framework Manufacturing Profile; ANSI/ISA 62443 Series of Standards on the Cybersecurity of Industrial Automation and Control Systems; Dams Sector Cybersecurity Capability Maturity Model (Dams-C2M2); North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP); Electricity Subsector Cybersecurity Risk Management Process (RMP)
Defense Industrial Base Sector
Source: NIST SP 800-171
URLs: https://www.cisa.gov/sites/default/files/publications/DIB_Guide_to_Implementing_the_Cybersecurity_Framework_S508C.PDF ; https://csrc.nist.gov/publications/detail/sp/80
Column: Controlled Unclassified Information

Emergency Services Sector
Source: Emergency Services Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Emergency_Services_Sector_Cybersecurity_Framework_Implementation_Guidance_FI
Columns: Emergency Services Sector Cyber Risk Assessment (ESS-CRA); Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap)

Energy Sector
Source: Energy Sector: Cybersecurity Framework Implementation Guidance. Jan 2015
URL: https://www.energy.gov/ceser/downloads/energy-sector-cybersecurity-framework-implem
Columns: Energy Sector Cybersecurity Capability Maturity Model (C2M2) Program (2015); Cybersecurity Capability Maturity Model, Maturity Level 1, Maturity Level 2, Maturity Level 3

Financial Services Sector
Source: Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool
URL: https://www.ffiec.gov/cyberassessmenttool.htm
Column: FFIEC Cybersecurity Assessment

Additional URL listed for this block: https://www.nist.gov/cyberframework/critical-infrastructure-resources
Mapping rows for these columns (individual cell boundaries are not recoverable from the extraction): the NIST SP 800-171 requirements cited are 3.1.1, 3.1.3, 3.1.12, 3.1.20, 3.3.1, 3.3.5, 3.4.1, 3.5.1, 3.6.1, 3.6.2, 3.10.1, 3.10.2, 3.10.4, 3.11.1, 3.11.2, 3.12.1, 3.13.1, 3.13.13, 3.14.1 and 3.14.6; C2M2 practices are cited by domain identifier (ACM, CPM, EDM, IAM, IR, ISC, RM, SA, TVM, WM) at Maturity Levels 1 to 3; FFIEC Cybersecurity Assessment entries are cited by declarative statement identifier (domains D1 to D5).
Food and Agriculture Sector
Source: National Restaurant Association: Cybersecurity 201, 2017
URL: https://www.restaurant.org/downloads/pdfs/advocacy/cybersecurity201.pdf
Column: Restaurant Industry Supporting Practices

Government Facilities Sector
URL: https://www.nist.gov/cyberframework/critical-infrastructure-resources

Healthcare and Public Health Sector
Source: HPH_Framework_Implementation Guidance, 2016
URL: https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidanc
Columns: HITRUST CSF Controls; HIPAA Security Rule

Information Technology Sector
Column entries in this block (row assignment not recoverable from the extraction): control identifiers MA-1, MA-2, MA-3, PM-3, PM-5, PE-4, PS-2, IR-1, IR-2, SC-4, SC-5, SC-6, CM-4, CM-7, MP-1, AU-5, AU-6, AU-7, SA-4 and AT-3; practice identifiers in the A-, D- and E- series together with references to ANSI/AWWA G430 and G440; strategy goals "Goal 1: Define Conceptual Environment", "Goal 3: Maintain Continuous Cybersecurity Awareness" and "Goal 4: Enhance Intelligence and Security Information Sharing"; and one practice statement, "Remote maintenance to critical safety, security, and reliability systems is prohibited by the defensive ..."
Chemical Sector
Source: Chemical Sector: Cybersecurity Framework Implementation Guidance
URL: https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/chemical-framework-implementation-guide-2015-508.pdf
[Mapping table: NIST CSF functions IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS) and RECOVER (RC), with rows for subcategories ID.GV-1 to ID.GV-4, ID.RA-1 to ID.RA-6, ID.RM-1 to ID.RM-3, ID.SC-1 to ID.SC-5, PR.AC-1 to PR.AC-7, PR.AT-1 to PR.AT-5, PR.DS-1 to PR.DS-8, PR.IP-1 to PR.IP-12, PR.MA-1 to PR.MA-2, PR.PT-1 to PR.PT-5, DE.AE-1 to DE.AE-5, DE.CM-1 to DE.CM-8, DE.DP-1 to DE.DP-5, RS.RP-1, RS.CO-1 to RS.CO-5, RS.AN-1 to RS.AN-5, RS.MI-1 to RS.MI-3, RS.IM-1 to RS.IM-2, RC.RP-1, RC.IM-1 to RC.IM-2, RC.CO-1 to RC.CO-3. Each row carries coverage marks (X) that could not be assigned to columns.]
Commercial Facilities Sector
Source: Commercial Facilities Sector: Cybersecurity Framework Implementation Guidance 2020
URL: https://www.cisa.gov/sites/default/files/publications/Commercial_Facilities_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf
Columns: Function; Category; Subcategory; Payment Card Industry Data Security Standards (PCI-DSS); Cyber Resilience Review (CRR, Assessment); Baldrige Cybersecurity Excellence Builder (BCEB); Cybersecurity Evaluation Tool (CSET) Version 1.1; Stadium Guide; ISO27001/2; COBIT
[Rows recovered: ID.AM-1 to ID.AM-6, ID.BE-1 to ID.BE-5, ID.GV-1, DE.CM-3 to DE.CM-8, DE.DP-1 to DE.DP-5, RS.RP-1, RS.CO-1 to RS.CO-5, RS.AN-1 to RS.AN-5, RS.MI-1 to RS.MI-3, RS.IM-1 to RS.IM-2, RC.RP-1, RC.IM-1 to RC.IM-2, RC.CO-1 to RC.CO-3, each with coverage marks (X) that could not be assigned to columns.]
Communications Sector
Source: The Communications Security, Reliability and Interoperability Council IV Working Group 4 Final Report: CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICE[...]
URL: https://www.cisa.gov/publication/nipp-ssp-communications-2015
https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
[Rows recovered: Recovery Planning (RC.RP): RC.RP-1; Improvements (RC.IM): RC.IM-1 to RC.IM-2; Communications (RC.CO): RC.CO-1 to RC.CO-3. The per-column cell text could not be recovered.]
Requirement
[CSRIC IV Working Group 4 mapping rows: "Operational Requirement(s)" and "Technology Requirement(s)" cell text, wrapped, interleaved across columns and cut off at the page margin. The Technology Requirement(s) column could not be recovered. Operational Requirement(s) text recoverable from the page follows, with cut-offs marked [...].]
* Appropriate and adequate Operations staff may be assigned to locate, track, count, and document all critical inf[...] mobile devices, receivers, transmitters, antennas, optical systems, transportation systems and any system or device that has computing, storag[...]
* The organization can determine "who-internally" needs to know "what" information, "when" and "how" will th[...] (infrastructure related operations, network ops centers, engineering, technical management, program/project management, customer service, IT, sales, C-suite officials, billing, accounti[...]). Once this has been determined the organization can set access controls - business process rules within various systems to allow authorized personnel to reach their required information, when they nee[...]
* The organization may determine "who-externally" needs to know "what" inform[...]; what-when-how can be documented and conveyed through ongoing training, to the effected personnel.
* Organizational leadership, operations and engineering determine who needs to know [...]
* Organizational leadership, operations and engineering staff should determine who (by job function) needs to kn[...] can be assigned. These levels of cybersecurity responsibilities will include but not limited to: Security of entire infrastructure, security of gro[...] of internal and external communications channels. The cybersecurity leadership can then develop cybersecurity policies and procedures, then[...] organization, these policies should be conveyed to the appropriate levels of executives, management, and staffing, such that everyone knows[...]
* Organizational leadership, operations and engineering staff may determine how the organization fits into a Criti[...] infrastructure that supports the functioning of our society or economy? Does this organization supply a product or service to the government[...] Does the organization turn raw materials into a product? How does the sales function get what it needs to sell a product or service to customers?
* The sub-organizations that are deemed critical to operating the business must be prioritized such that key decision makers are very aware of their responsibilities and available human and physical resources. This suborganization prioritization must also be conveyed to the entire staff in such a way that every person know whom (internally and externall[...]
* Once the organizational prioritization exercise is completed, the critical dependencies of all sub-organizations and outsid[...] depend upon obtaining from 3rd party entities. An example would be similar to a telecom network operator who depends on a diesel fuel sup[...] operator can keep its critical network systems operating on back-up generator power. Dependencies supporting critical functions can incl[...]
* Once the information security policies are established within an organization, these policies can be conveyed to[...] the appropriate levels of staffing, and external entities such that everyone knows their responsi[...]
* An organization's executive and technical leadership can include the organization's legal counsel and/or legal st[...] policies conform to and do not violate privacy laws and civil liberties obligations. Once the legal details of the cybersecurity and[...] acceptance of these cybersecurity and information protection policies may need to be obtained. Non-acceptance by certain individuals may[...]
* Technical staff may research publicly available information and vendor proprietary information to learn of all [...] These staff may also research cyber-criminal elements for vulnerabilities that are not public or known by the vendors. [...] An organization may outline what systems should be monitored, the freq[...]
* An organization may conduct an assessment of risk by taking into account the magnitude of harm caused from the breach of the information system. [...] The organization can build a criticality list, chart or table of business threats and vulnerabilities [...] An example of this exercise may be similar to: "If we lost our <website>, could we still deliver the critical business fun[...]
* Once an organization creates an ongoing Threats/Risk catalog, they may progress to developing the appropriate[...] The appropriate cyber risk management responses, may include, but not be limited to the 5 phases of emergency management; Prevention, Mitigation, Preparedness, Res[...] These responses can include every sub-organization from the top executives all the way through to the most remote mem[...] and describe "Who does What, and When" for every identified risk in the risk catalog. These responses should include the timeliness of each response, to include, but not limited to immediate responses through, timelines needed based on dependencies. An example, organizations often develop plans to respond to physical threats, such as malicious access to buildings or equip[...]
* Organization implement an Access-Permission based on Separation of duties and Least Privilege. [...] USERNAME/PASSWORDs, multi-factor identification, access control lists, scheduling limits, VPN access, LAN/WAN access, biometrics, e[...] harm an organization without the cooperation of others. In general, employees are less likely to engage in malicious acts if they [...] these processes through technical and nontechnical means. The separation of duties policy also requires implementation of least privilege, m[...] ongoing process, particularly when employees move through the organization as a result of promotions, transfers, relocations, demotions, an[...]
* The organization should determine whom within, internal and external to the entire organization, can be allowe[...] (spaces, data centers, wiring closets, servers rooms, devices, tools, vehicles etc. that allow the organization to be an on-going concern); physical protections named include software cabinets, locked fencing, biometric locks to shared technical areas, locked vehicles, locked property and even building/landscaping[...]
* The organization's technical and operations staff may design their critical infrastructure networks, such that[...] so if an anomaly occurs at one location or node, it can be isolated and not take down the entire network. It is understood that segmentation w[...] network integrity. Alternatives to network segmentation may be explored in order to achieve comparable levels of resiliency.
* Organizations may consider deploying various tools and technologies to PREVENT / MITIGATE / RESPON[...] Data Centers should establish a benchmark of what applications reside in the datacenter. This benchmark may include, but not limited to: File activity / Authorized Access Accounts / Data flow activity / Software[...] / Protocols in use / VM (Cloud) quantities and activity.
* Organizations should classify, compartmentalize and segment their critical assets and data. Establish "Z[...]" Zones mean no default trust is allowed for any entity, user, device, application, or packet regardless of what it is and its location in the network.
* Organizations may monitor and establish BASELINE critical infrastructure network traffic, file access, datab[...]
* Organizations can scan and certify all new network connected and mobile devices before they can be placed in[...] Organizations using a systems-software development lifecycle (SDLC) approach, may incorporate security into se[...] security functions and procedures before, during and after they implement any of the following next-gen technologies; Software Defined N[...]
* Organizations monitor and control critical infrastructure asset configuration and installation changes. Only authorized staff and departments may be allowed to change th[...] Organizations can also track and document the decommissioning of equipment, systems, servers, networking, software, applications, databases and stored data.
* Organizations may establish a critical infrastructure data and systems backup policy, and required procedures. Backups of critical data, system configurations, critical server images, virtual machine images, emails, documents, files, videos, content and[...] decision based on the life expectancy of the critical data and the impact to the organization if such data was lost, stolen or compromised. [...] acceptable life expectancy and usefulness of critical data, then establish policies and procedures to destroy data that is no longer relevant to t[...]
* Organizations can consider building a Security Team of staff or use external security resources with the followi[...]
* Organizations can strive to identify a cyber incident as rapidly as possible and reach incident containment withi[...] and achieve full business recovery [...] 24 hours.
* Organizations may share what they learn about Threats, Attacks, Signatures, remediation and remediation/recovery informa[...] learned from every cyber incident. This lessons learned catalog can include, but not limited to: malware behaviors / attacker activities during[...] and never divulge critical details of their cyber security protection, recovery procedures and technologies in public fora.
* Organizations may develop/document a formalized Incident Response Plan. This Incident Response Plan sho[...] artifacts / compromised system accounts. Organizations should be vigilant against Advance Persistent Threats (APTs) by constantly mo[...]
* Organizations may TEST formalized Incident Response Plans on a regular and frequent basis. This Incident Response Plan may be approved by the highest levels of organizational leadership and by[...] Eradication / Recovery / and Lessons Learned. This Incident Response TESTING may be coordinated with all levels of orga[...]
* Business Continuity(BC)/Disaster Recovery(DR) Plan may contain, but not limited to the following areas: Equipment failu[...] / Software (Viruses, Worms, Trojan horses) attacks / Hacking attacks / terrorist attacks / Fire / Natural disasters (Flood, Earthquake, H[...]) Organizations, sub-organizations and all data owners who manage and/or maintain information technology[...]
* Organizations may TEST Business Continuity(BC)/Disaster Recovery(DR) Plans on a regular and frequent basis. This Business Continuity/Disaster Recovery TESTING may be coordinated[...] destroy all account privileges for employees that have departed the organization. Organizations may develop and implement a Mobile D[...]
with levels it relates to critical
of organizational in
Encryption
limited to: Unauthorized / Authorized
Access system
/ Data Breaches / / Mobile/ DDoS
Malware Device/ Threats
Advanced / Mobile
Persistent Device Threats Security
/ Zero testing
‐ day / Mobile
Attacks / device
Phishing patching
/ SQL and
Injec
Operational
Organizations Requirement(s):
may deploy Organizations maycontinuous
monitor and control critical infrastructure asset configuration and installation changes.
but notOnly
network,
databases system,
and storeddata, and ENDPOINT
data. storage
* Organizations
device
information. can * Organizations
classify,
monitoring
compartmentalizemayand security
consider
and
management
executing
segment penetration
their
functions.
critical testing
assets
ENDPOINTs
and and vulnerability
data.
include
Establish scanning
“Zones”
lim
ofexev
Operational
assets are Requirement(s):
created and exposed Organizations
to attackers may
for the monitor
purpose and
of control
learning critical
attack infrastructure
signatures and asset
attack configuration
behaviors forand use installation
in protecting changes.
“Real” Only
criti
allowed
databases forand any entity, user, device,
stored data. * Organizations application,
Organizations or packet
cancollect
classify, regardless
compartmentalize of what it is and
and segment its location in
their critical the network.
assets and *
data. Organizations
Establish may
“Zones” on
Operational
suborganizations. Requirement(s):
* Organizations may may
collect data and data
trackandall track all activities
activities with with critical
critical assets. infrastructure
Thisinmay assets.
include, but Thisnot may
limited include, butofn
to logging
is
theseallowed for any
events Requirement(s): entity,
occurred and who user, device, application,
conducted these or packet regardless of what it is and its location the network. * Organizations may o
Operational
suborganizations. * OrganizationsOrganizations may collectmayactivities.
identify
data andall possible
track threats and
all activities withvulnerabilities
critical assets.toThis theirmay infrastructure
include, butassets, not limitedincluding, but n
to logging
Injections
Operational / USB injected bots* / The
Requirement(s): and False alarms.can
organization * determine
Organizations "whomay deploy ENDPOINT
‐internally" needs to know device
"what" continuous
information, monitoring"when"and andsecurity
"how" will man
drives ‐ devices
infrastructure / Bluetooth
related operations, devices / hubs
network ops / any devices
centers, that connects
engineering, to the public
technical management, Internet and external
program/project (Cloud) data
management, centers. customer service, I
Operational Requirement(s): Organizations may protect critical infrastructure related physical and virtual circuits, networks and communicat
business process rules within various systems to allow authorized personnel to
the latest cyber/network security best practices. * Organizations can stay abreast of the latest types of attacks against communications reach their required information, when they need it to perform
prot
the direct connection to a public network. * The Organization can implement an Access‐Permission policy based on Separation of duties an
Operational Requirement(s): The organization and appropriate staff can develop, document, and maintain under configuration control, a curr
system
Operational components (e.g. standard
Requirement(s): software packages
The organization installed on
and appropriate staffworkstastions,
can correlatenotebook computers, servers,
incident information and individualnetworkincident components, responses or mobi
to a
organizational
automated informational
mechanisms to systems
integrate change
audit review,over time.
analysis, * The
and organization
reporting may
processes determine
to support "who ‐internally"
organization needs
processes to forknow "what"
investigation informat
and ref
Operational
Tiers I,II,III Requirement(s):
of operations, The organization
network ops centers, and appropriate
engineering, staff canmanagement,
technical properly track and document management,
program/project information system customer security
service, incidents
IT, sale
organization
analysis ‐wide
of incident situational
information. awareness.
Also, * Organizations
the organization should
and appropriate conduct staff frequent
may develop correlation
an incident of threat intelligence
response to plan with
that defines collected network
the resource
Operational
attacker to wipe Requirement(s):
maliciousnetwork Thefiles
code, organization
and toolsets andfrom appropriate
compromised staff can coordinate
systems with
–ormodifications,
‐ to external
monitor the organizations
attacker’s activity correlate
in order andto share
gain incident
further
and
may establish
also employ BASELINE
automatic tools totraffic,
support file access,
near real ‐ database
time analysisactivity,
of software
events. * The organization stored data
may access,
also identifyand overall
critical assets
information behavis
Operational
system, data, Requirement(s):
and storage When organizations
information collection, employ
and monitoring,
alertBreaches
upon deviations scanning from and
normal collection
BASELINE functions, assetand baselines
behavior. have
*/ Zero been set for
Organizations can'norco
including,
aOperational but not
minimum. Requirement(s): limited to:
This can be an iterative Unauthorized process and Access / Data
theappropriate
thresholds staff should / Malware
be adjusted / DDoS / Advanced
as the organization Persistent
learns Threats
more details of ‐day Attacks
'normal' of / Ph
behavio
The organization and monitors the
incidents. These consequences may include, but not limited to degradation of public trust / financial and market losses / degradation of brandinformation system to detect attacks and indicators poten
local, network,
Operational and remote connections.
Requirement(s): For critical To accomplish the
infrastructure, thisorganization
organizationand mayappropriate
deploy monitoring staff maydevices establish strategically
procedureswithin the information
for monitoring and al
transactions
complement of
the interests
cyber to the
security organization.
measures taken * to Organizations
protect assets may
that continuously
are part of the monitor
information and establish
system. BASELINE
When developing network a traffic,for
program filephys
acc
Operational
unauthorized Requirement(s):
access, breaches The
and organization
attacks. * and appropriatemay
Organizations staffconsider
may identify executing and select the proper
penetration testing typesand ofvulnerability
critical infrastructurescanning inform
exercise
*information
Organizations accounts,can monitor
establish and control critical asset and configuration and installation changes. Only authorized staff and departments may be
Operational
organization Requirement(s):
may determine Foraccount
whom critical
within,
privileges,
infrastructure,
internal and the
monitor
external
the use
organization
to the entire
of
andinformation
appropriate
organization,
system
staff
may
accounts,
employs
be allowed
including
malicious
"PHYSICAL"
deleting
code protectionaccounts
accessthese
promptl
mechanism
to critical
logging
code of all logins, applications
protection to perform periodic used, files accessed/copied/downloaded,
scansinfrastructure,
of the information system at a defined all doors opened,
frequency andInternet
realdefineconnections/URLs
‐time scans of files /
from timesexternal sources eventsn
Operational
the threat of Requirement(s):
an insider cyberattack. For critical * The organization the organization
can carefullyand audit appropriate
user access staff may
permissions whenacceptable
an employee and unacceptable
changes roles mobil
in th
acceptable
Operational Requirement(s): For critical infrastructure, organizations may require that service providers of external information system withi
mobile code and mobile code technologies. * The organization may authorize, monitor, and control the use of mobile code servi
and
an Securitybasis.
ongoing Plan‐Policy. This plan may
* Organizations include but
can monitor and not limited
control to: Authorized
critical assetand access control
configuration and / VPN Access
installation changes. control*/ Encryption Organizations controlcan /claA
Operational
device patching Requirement(s):
and update For critical
frequency / infrastructure,
Loss of Device the organization
procedures / Employee appropriate
termination staff may develop
procedures / a monitoring
Employee mobile strategy
device and implem
responsibil
for the most
metrics. critical
TheRequirement(s):
organizationdata and cannetwork
analyze assets. Zerothe
andinfrastructure,
assess ‐Trust Zones mean
information thatno default trust
is generated byisthis allowed
monitoring for any entity, user, device, application, or pa
Operational
network access and andapplications For tocritical
only authorized usersthe andorganization
authorized and appropriate
suborganizations. staff * can scanprogram
Organizations
for any
for vulnerabilities
mayand collect
anomalies
indata
theand or security
information
track all as
stored data
identified andaccess, overall
reported. The process assets behavior,
may include in order to better detect anomalies, unauthorized access, breaches attacks.
Operational Requirement(s): The organization andanalyzing
appropriate the staff
scansdevelops
and correcting a security legitimate
assessment vulnerabilities.
plan that describes * Organizations
the scope ofmay cons
the asses
infrastructure assets. Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organization
where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organization they are ser
operations and engineering staff should determine who (by job function) has various levels of cybersecurity responsibilities and leadership sh
Operational Requirement(s): For critical infrastructure, the organization and appropriate staff should develop a plan to monitor the informatio
are in accordance
Operational with applicable
Requirement(s): federal laws, and
The organization privacy considerations,
appropriate staff may Executive
test critical Orders, directives,
infrastructure policies,
intrusion or regulations.
‐monitoring tools at a defined fre
objectives
Operational Requirement(s): The organization and appropriate staff may share information obtained from the vulnerabilityexercises
of the organization. * Organizations may consider executing penetration testing and vulnerability scanning scanningon a perio
process
systems.
Operational ThisRequirement(s):
could include automatic
The organization alerts from andthe information
appropriate staffsystem itself that
may analyze conveys the information
communication traffic/eventtopatternsthe appropriate staff. infrastr
for the critical * Org
and overall
system ‐ assets behavior,
monitoring devices inreduce
to order tothe better
number detectof anomalies,
false positivesunauthorized
and the access,ofbreaches
number false and attacks.
negatives. In * Organizations
addition, the organization can conduct
may usefrst
Operational
share and used Requirement(s):
learn Threat, Attack,The organization
Signature, and appropriate
and remediation staff maywith
information provide the capability
andempirical
from trusted to restore critical
organizations, infrastructure
government entitiesinformation
andusetrusted
activities
identify classes in continuous
of incidents and monitoring
the process
appropriateand need
responsesto be modified
to these based on data. * Organizations may consider the of “S
Operational
signatures Requirement(s):
and attack behaviors The fororganization
use in protecting supporting
“Real” staffincidents
critical may
assets. developto ensure
*
a response
an incident
Organizations can
plan plan
response strive
can be
to
carefully
that provides
identify a
carried
cyber a roadmap out. for
incident
* imple
as
Organ
rapidl
should track and
organization; and measure performance
defines reportable times and
incidents etc. seeksplan waysmay to reduce time totocontainment. * Organizations can strive to identifyas it arelate
cybe
Operational
measure Requirement(s):
performance times Theseeks
and organization
ways to andThis
reduceappropriate
time to
be require
staff
Recovery.
provided
* the organization
reporting
Organizations
‐defined
of can
suspect
catalog
incident
security
lessons
response
incidents
learned
personnel
within
from a specified
every cyber time
inci
may
chain contain,
for but not limited
information systems toorthe following areas:
information system Preparation
components / Incident
related toIdentification
the incident. / Incident
* Containment
Organizational / Incidentoperations
leadership, ‐Threat Eradication
and eng
Operational
all Requirement(s):
data/system/network The organization
owningresponsibilities and appropriate staff may incorporate into their critical
business units.and leadership should be assigned. The cybersecurity leadership may then develop cybersecur infrastructure information system mon
various levelsdeploys
organization of cybersecurity
near realThe time analysis of and events and anomalies that coordinate
occur within
Operational
are established Requirement(s):
within an organization,organization
theseinformation
policies appropriate
may be and staff may
conveyed to the appropriate its the information
contingency
levels plan system.
of executives, with the This analysis may
contingency
management, andplansnotofonly
staffing,externin
suc
Threat,
Signature, Attack, Signature, and remediation with from trusted organizations, government entities and trusted peers.
Operationaland remediation information
Requirement(s): The organization with and andfrom trusted organizations,
appropriate staff establishgovernment entities contact
and institutionalize and trusted withpeers.
selected * groups
The organization
and associatio can
take
and into account "all" external
directives from these organizations communicationson an ongoing with: vendors/suppliers,
basis. * staff Organizations emergency responders, government officials, peers, customers, pub
Operational
eCommerce Requirement(s):
interfaces, mobile/remoteThe organizationemployees andetc.
appropriate
* Once these may reviewmay
communication andshare
analyzesand learn
paths and criticalThreat,
flows
Attack, Signature,
infrastructure information
have been determined
and remediatio
thesystem audit
organizatio
information system provides the capability to centrally review and analyze audit records from
Operational Requirement(s): Organization can determine the consequences of various cyber incidents as it relates to critical infrastructure. T multiple components within the system. Auto
Organizations
degradation of may
brandconduct frequent
reputation correlation of infrastructure.
threat intelligence with collected network, system, data, staffand storage incident
information. * Orga
Operational
should track Requirement(s):
and measure The/ impact
performance organizationto critical
times andseek
and appropriate
ways to staff
reduce
*may Thedeploy
organization
timewith a critical
to containment.
and appropriate
infrastructure
* Organizations
correlates
information may system
decidechain. which information
whether provides
to respoa
also
such coordinate
information incident
in a handling
summary activities
format that involving
is more supply
meaningful chain
to events
analysts. * other organizations
Organizations may involved
consider in the
building supply
a Security *
Team Organiz
of staf
Operational
behaviors Requirement(s):
/ attacker activities The
duringorganization
compromise and /appropriate
network staff ‐can
‐system datatrack and document
anomalies andconduct criticalfrom
deviations infrastructure
the BASELINE information system securit
/ Applications and s
Compliance Auditor / Legal Professional / Security Operations * Organizations can
Organizations may catalog lessons learned from every cyber incident. This lessons learned catalog may include, but not limited to: malware frequent correlation of threat intelligence with
This lessons
software thatlearned catalog should
can be disabled / artifactsinclude, but not limited
/ compromised systemto:accounts.
malware behaviors* Organizations/ attacker may activities
share and during
learncompromise
Threat, Attack, / network ‐system
Signature, an
Operational Requirement(s): An organization and appropriate staff can coordinate incident handling activities with contingency planning act
officials,
Operational andRequirement(s):
physical and personnel For critical security offices. *appropriate
infrastructure, Organizations can striveOperations
and adequate to identify staff a cybercanincident
implement as rapidly
incidentashandling
possible measures
and reach
containment.
may include Requirement(s):
lessons learned from ongoing incident handling activities. These measures should alsodevelop
be incorporated into monitoring
training andstrategytesting
Operational For critical infrastructure, the organization and appropriate staff may a continuous
remediation
which within
to monitor 1 to 24
them, and thehours. Organizations may track and measure performance times and seek ways to reduce time to Recovery.
Operational Requirement(s): Thefrequency
organization in which to employ such
and appropriate staff monitoring.
should not only * incorporate
The organization lessonsand appropriate
learned from withinstaff can the update this r
organization
threats
aligned and vulnerabilities
withRequirement(s): to their assets,
the organization.The* organization including,
Organizations but
can not limited
catalog lessons to: Unauthorized
learned from Access / Data
every cyberresponse Breaches
incident.strategies / Malware
This lessons / DDoS / Advanced P
Operational
lessons learned from every cyber incident. This and appropriate
lessons learned staff
catalogmay revisit
may the developed
include, but not limited to: malware on a learned
behaviorsscheduled
/
catalog
attacker
can
andinc
basisactiviti r
the BASELINE
catalog lessons / Applications
learned from everyand cyber
software that can
incident. be lessons
This disabledlearned
/ artifacts / compromised
catalog may include, system accounts.
but critical
not limited to: malware behaviorssystem / attacker
Operational Requirement(s): The organization provides for the recover and reconstitution of the infrastructure information to
disabled /
organizational artifacts / compromised
information systems system
to fully accounts.
operational states. * Organizations can strive to identify a cyber incident as rapidly as possible
Operational Requirement(s): The organization and appropriate staff should not only incorporate lessons learned from within the organization
and seekwith
aligned ways thetoorganization.
reduce time to *Recovery. Organizations can catalog lessons
Operational Requirement(s): For critical infrastructure, appropriate andlearned
adequate from every cyber
Operations staffincident and how the
may implement business
incident functions
handling measure wer
behaviors
should /
include attacker activities
lessons learnedFor during
from compromise
ongoing / network
incident handling ‐system ‐data
activities.and anomalies
These and
measures deviations
may also from the BASELINE
be incorporated / Applications
into training and testing as
and
Operational Requirement(s): critical infrastructure, the organization supporting staff can identify external compliance requirements
lessons learned
requirements arecatalog
addressed mayandinclude, but not limited * to: Business Continuity(BC) /the
Disaster Recoveryof(DR) / malware behaviorsThese / attacker ac
Operational
disabled Requirement(s):
/ artifacts / compromised Forcommunicated.
critical
systeminfrastructure,
accounts.
Organization
the organization may determine
and supporting consequences
staff may identify various
externalcyber incidents.
compliance conseq
requirements
critical infrastructure.
requirements *
are addressed and Organizations may have appropriate press releases and official notifications prepared and delivered in a timely ma
Operational
adoption andRequirement(s): Thecommunicated.
adaptation.* Organizations appropriate staff* and Organization
organization can determine
leaders may the consequences
identify of variousand
essential missions cyber incidents.
business Theseand
functions consequ
their
critical infrastructure. can have appropriate press releases and official notifications
individuals. Once finalized, the organization may distribute copies of this plan, update the plan as need be, and protect the plan from unautho prepared and delivered in a timely man
adoption and adaptation.
"how" will that information be delivered. The organization can take into account "all" internal communications with: Tiers I,II,III of operatio
billing, accounting, human resources, security offices etc. * Once these communication paths and flows have been determined the organi
Critical Manufacturing Sector
Source: Critical Manufacturing Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/publication/critical-manufacturing-cybersecurity-framework-implementation-guidance#
Crosswalk of Cybersecurity Framework subcategories to the Cyber Resilience Review (CRR), the Cybersecurity Evaluation Tool (CSET) and the Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1. Each subcategory line ends with its mapping marks as extracted; which of the three tool columns an X falls in did not survive extraction. Subcategory text is reproduced as far as it appears in the extracted table.

IDENTIFY (ID)
Governance (ID.GV): [...] operational requirements are understood and inform the management of cybersecurity risk.
  ID.GV-2: Cybersecurity roles and responsibilities | X X
  ID.GV-3: Legal and regulatory requirements regarding | X X
  ID.GV-4: Governance and risk management processes address | X X
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1: Asset vulnerabilities are identified and documented | X X
  ID.RA-2: Cyber threat intelligence is received from | X X
  ID.RA-3: Threats, both internal and external, are | X X
  ID.RA-4: Potential business impacts and likelihoods | X X
  ID.RA-5: Threats, vulnerabilities, likelihoods, and | X
  ID.RA-6: Risk responses are identified and prioritized | X
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  ID.RM-1: Risk management processes are established, | X X
  ID.RM-2: Organizational risk tolerance is determined and | X X
  ID.RM-3: The organization’s determination of risk tolerance is | X
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions
  ID.SC-1: Cyber supply chain risk management processes are | X
  ID.SC-2: Suppliers and third party partners of | X
  ID.SC-3: Contracts with suppliers and third-party | X
  ID.SC-4: Suppliers and third-party partners are | X
  ID.SC-5: Response and recovery planning and | X
PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  PR.AC-1: Identities and credentials are issued, managed, | X X
  PR.AC-2: Physical access to assets is managed and | X X
  PR.AC-3: Remote access is managed | X X
  PR.AC-4: Access permissions and authorizations are managed, | X X
  PR.AC-5: Network integrity is protected (e.g., | X X
  PR.AC-6: Identities are proofed and bound to | X
  PR.AC-7: Users, devices, and other assets are authenticated | X
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information
  PR.AT-1: All users are informed and trained | X X
  PR.AT-2: Privileged users understand their roles and | X X
  PR.AT-3: Third-party stakeholders (e.g., suppliers, | X X
  PR.AT-4: Senior executives understand their | X X
  PR.AT-5: Physical and cybersecurity personnel | X X
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  PR.DS-1: Data-at-rest is protected | X X
  PR.DS-2: Data-in-transit is protected | X X
  PR.DS-3: Assets are formally managed throughout | X X
  PR.DS-4: Adequate capacity to ensure | X X
  PR.DS-5: Protections against data leaks are implemented | X X
  PR.DS-6: Integrity checking mechanisms are | X X
  PR.DS-7: The development and testing environment(s) | X
  PR.DS-8: Integrity checking mechanisms are | X
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  PR.IP-1: A baseline configuration of | X X
  PR.IP-2: A System Development Life Cycle to | X X
  PR.IP-3: Configuration change control processes are in | X X
  PR.IP-4: Backups of information are conducted, | X X
  PR.IP-5: Policy and regulations regarding the physical | X X
  PR.IP-6: Data is destroyed according to policy | X X
  PR.IP-7: Protection processes are improved | X X
  PR.IP-8: Effectiveness of protection technologies is | X
  PR.IP-9: Response plans (Incident Response and | X X
  PR.IP-10: Response and recovery plans are tested | X X
  PR.IP-11: Cybersecurity is included in human resources | X X
  PR.IP-12: A vulnerability management plan is developed and | X
Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with
  PR.MA-1: Maintenance and repair of organizational | X X
  PR.MA-2: Remote maintenance of organizational | X X
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and
  PR.PT-1: Audit/log records are determined, documented, | X X
  PR.PT-2: Removable media is protected and its | X X
  PR.PT-3: The principle of least functionality is incorporated by | X X
  PR.PT-4: Communications and control networks are | X X
  PR.PT-5: Mechanisms (e.g., failsafe, load balancing, | X
DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
  DE.AE-1: A baseline of network operations and | X X
  DE.AE-2: Detected events are analyzed to understand attack | X X
  DE.AE-3: Event data are collected and correlated from multiple | X X
  DE.AE-4: Impact of events is determined | X
  DE.AE-5: Incident alert thresholds are established | X X
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  DE.CM-1: The network is monitored to detect potential | X X
  DE.CM-2: The physical environment is monitored to | X X
  DE.CM-3: Personnel activity is monitored to | X X
  DE.CM-4: Malicious code is detected | X X
  DE.CM-5: Unauthorized mobile code is detected | X X
  DE.CM-6: External service provider activity is monitored to | X
  DE.CM-7: Monitoring for unauthorized personnel, | X
  DE.CM-8: Vulnerability scans are performed | X X
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
  DE.DP-1: Roles and responsibilities for detection are | X X
  DE.DP-2: Detection activities comply with all | X X
  DE.DP-3: Detection processes are tested | X X
  DE.DP-4: Event detection information is communicated | X X
  DE.DP-5: Detection processes are continuously | X X
RESPOND (RS)
Response Planning (RS.RP): Response processes are executed
  RS.RP-1: Response plan is executed during or after an | X X
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  RS.CO-1: Personnel know their roles and order of | X X
  RS.CO-2: Incidents are reported consistent with | X X
  RS.CO-3: Information is shared consistent with response | X X
  RS.CO-4: Coordination with stakeholders occurs consistent | X X
  RS.CO-5: Voluntary information sharing occurs | X
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  RS.AN-1: Notifications from detection systems are | X X
  RS.AN-2: The impact of the incident is understood | X X
  RS.AN-3: Forensics are performed | X X
  RS.AN-4: Incidents are categorized consistent with | X X
  RS.AN-5: Processes are established to receive, analyze | (no marks extracted)
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  RS.MI-1: Incidents are contained | X X
  RS.MI-2: Incidents are mitigated | X X
  RS.MI-3: Newly identified vulnerabilities are mitigated or | X
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned
  RS.IM-1: Response plans incorporate lessons learned | X X
  RS.IM-2: Response | X
RECOVER (RC)
Recovery Planning (RC.RP)
  RC.RP-1 | X
[107 rows of crosswalk mapping marks (X X X / X X / X) whose row labels did not survive extraction.]
Dams Sector
Source: Dams Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Dams_Sector_Cybersecurity_Framework_Implementatio
(Tool coverage marks (CRR, CSET, BCEB) for each row are not recoverable from the extracted table.)
IDENTIFY (ID)
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction
Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand their roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-4: Senior executives understand their roles and responsibilities
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are improved
PR.IP-8: Effectiveness of protection technologies is shared
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.PT-4: Communications and control networks are protected
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved
RESPOND (RS)
Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
Defense Industrial Base Sector
Source: NIST SP 800-171
URL: https://www.cisa.gov/sites/default/files/publications/DIB_Guide_to_Implementing_the_Cybersecurity_Framework_S508C.PDF
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/csf-v1-0-to-sp800-171rev2-mapping.xlsx
Columns: Function; Category; CSF Subcategory; CUI Requirement
PR.DS-5: 3.2.3; 3.9.2; 3.13.1; 3.13.5; 3.13.6; 3.13.7; 3.13.8; 3.13.11; 3.13.16; 3.14.6
PR.DS-6: no mapping; see Mapping Disclaimer
PR.DS-7: no mapping; see Mapping Disclaimer
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: 3.4.1; 3.4.2; 3.4.6; 3.4.7; 3.4.8
PR.IP-2: no mapping; see Mapping Disclaimer
PR.IP-3: 3.4.3; 3.4.4; 3.4.5
PR.IP-4: no mapping; see Mapping Disclaimer
PR.IP-5: no mapping; see Mapping Disclaimer
PR.IP-6: 3.8.3
PR.IP-7: no mapping; see Mapping Disclaimer
PR.IP-8: no mapping; see Mapping Disclaimer
PR.IP-9: 3.6.1; 3.6.2
PR.IP-10: 3.6.3
PR.IP-11: 3.9.1; 3.9.2
PR.IP-12: 3.11.2; 3.11.3; 3.12.2; 3.12.3; 3.14.1; 3.14.2; 3.14.3
Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: 3.7.1; 3.7.2; 3.7.3; 3.7.4; 3.7.6
PR.MA-2: 3.7.5
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: 3.3.1; 3.3.2; 3.3.3; 3.3.4; 3.3.5; 3.3.6; 3.3.7; 3.3.8; 3.3.9
PR.PT-2: 3.8.1; 3.8.2; 3.8.3; 3.8.4; 3.8.5; 3.8.6; 3.8.7; 3.8.8
PR.PT-3: 3.1.1; 3.1.2; 3.4.6; 3.4.7; 3.4.8
PR.PT-4: 3.1.16; 3.1.17; 3.13.1; 3.13.2; 3.13.5; 3.13.6; 3.13.7; 3.13.15
DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: no mapping; see Mapping Disclaimer
DE.AE-2: 3.3.1; 3.3.2; 3.3.5; 3.6.1; 3.14.6; 3.14.7
DE.AE-3: 3.3.5
DE.AE-4: 3.11.1
DE.AE-5: 3.6.1; 3.6.2
DE.CM-1: 3.13.1; 3.14.6; 3.14.7
DE.CM-2: 3.10.2; 3.10.3
DE.CM-3: 3.1.12; 3.3.1; 3.3.2; 3.4.9
DE.CM-4: 3.14.1
Mapping Disclaimer: [...]ork (CSF) Subcategories and the Controlled Unclassified Information (CUI) Requirements in NIST Special Publication (SP) 800-171. The int[...]ents (in whole or in part) between the two publications. It is important to consider the different scope between the two publications w[...] NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. The requirements recommended for use in SP 800-171 are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information). The tailoring criteria applied to the FIPS Publication 200 security requirements and the NIST Special Publication 800-53 security controls is not an endorsement for the elimination of those requirements and controls—rather, the tailoring criteria focuses on the protection of CUI from unauthorized disclosure in nonfederal systems and organizations. Since the security requirements are derivative from the NIST publications listed above, organizations should not assume that satisfying those particular requirements will automatically satisfy the security requirements and controls in FIPS Publication 200 and Special Publication 800-53. In addition to the security objective of confidentiality, the objectives of integrity and availability remain a high priority for organizations that are concerned with establishing and maintaining a comprehensive information security program. While the primary purpose of SP 800-171 is to define requirements to protect the confidentiality of CUI, there is a close relationship between confidentiality and integrity since many of the underlying security mechanisms at the system level support both security objectives. Some SP 800-171 security requirements are not mapped to any CSF subcategories due to the scoping of SP 800-171 which is focused solely on protecting the confidentiality of CUI in nonfederal systems (i.e., security requirements supporting availability and integrity are not addressed in SP 800-171) and assumes some security best practices to be routinely satisfied by nonfederal organizations as part of conducting business (see SP 800-171 Appendix E). Note also that some CSF subcategories are not mapped to SP 800-171 CUI security requirements for similar reasons or because the SP 800-171 requirements are aligned with specific federal requirements needed to protect CUI. The following are the SP 800-171 security requirements that could not logically be mapped to CSF subcategories: 3.1.22; 3.10.6; and 3.13.14.

CUI requirement text as listed in the mapping:
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Control the flow of CUI in accordance with approved authorizations.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Verify and control/limit connections to and use of external systems.
Limit use of organizational portable storage devices on external systems.
No mapping; see Mapping Disclaimer. (11 rows)
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting the system are identified.
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Identify, report, and correct information and system flaws in a timely manner.
Monitor system security alerts and advisories and take actions in response.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Identify unauthorized use of organizational systems.
Identify, report, and correct information and system flaws in a timely manner.
Monitor system security alerts and advisories and take actions in response.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Identify, report, and correct information and system flaws in a timely manner.
Monitor system security alerts and advisories and take actions in response.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
No mapping; see Mapping Disclaimer. (4 rows)
Emergency Services Sector
Source: Emergency Services Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Emergency_Services_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf
Columns: Function; Category; Subcategory; Emergency Services Sector Cyber Risk Assessment (ESS-CRA); Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap)
(Tool coverage marks (ESS-CRA, Roadmap) for each row are not recoverable from the extracted table.)
IDENTIFY (ID)
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization's role in the supply chain is identified and communicated
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states
Governance (ID.GV)
ID.GV-1: Organizational cybersecurity policy is established and communicated
DETECT (DE)
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved
RESPOND (RS)
Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
RC.CO-1: Public relations are managed
RC.CO-2: Reputation is repaired after an incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Energy Sector
Columns: Cybersecurity Capability Maturity Model (C2M2) Program; Cyber Resilience Review (CRR); Cybersecurity Evaluation Tool (CSET)
Column: Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1
Energy Sector
Source: Energy Sector: Cybersecurity Framework Implementation Guidance. Jan 2015
URL: https://www.energy.gov/ceser/downloads/energy-sector-cybersecurity-framework-implementation-guidance
https://www.cisa.gov/publication/nipp-ssp-energy-2015
Column: Cybersecurity Capability Maturity Model Pra
RESPOND (RS)
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness (C2M2 practice shown: ISC-1a)
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans (C2M2 practice shown: IR-2a)
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained (C2M2 practice shown: IR-3b)
RS.MI-2: Incidents are mitigated (C2M2 practice shown: IR-3b)
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks (C2M2 practice shown: TVM-2c)
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident (C2M2 practice shown: IR-3b)
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
RC.CO-1: Public relations are managed
RC.CO-2: Reputation is repaired after an incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
(The remaining C2M2 practice identifiers for these rows are not recoverable from the extracted table.)
IDENTIFY (ID)
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction
Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand their roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-4: Senior executives understand their roles and responsibilities
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are improved
PR.IP-8: Effectiveness of protection technologies is shared
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance (PR.MA): Maintenance and repairs of system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.PT-4: Communications and control networks are protected
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved
RESPOND (RS)
Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
(C2M2 practice identifiers for these rows are not recoverable from the extracted table.)
D1.G.IT.B.1: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
D1.G.IT.B.1: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
D4.C.Co.B.4: Data flow diagrams are in place and document information flow to external parties.
D4.C.Co.Int.1:
D4.RM.Dd.B.2:AAvalidated asset inventory
list of third-party serviceisproviders
used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, an
is maintained.
D4.C.Co.B.3: A networkassets
D1.G.IT.B.2: Institution diagram is in
(e.g., place and
hardware, identifies
systems, all and
data, external connections.
applications) are prioritized for protection based on the data classification
D1.R.St.B.1: Information security roles and responsibilities have been identified.
D1.TC.Cu.B.1: Management
D1.G.SP.A.3: The holds
cybersecurity employees
strategy accountable
identifies for complying
and communicates the with the information
institution’s role as a security program.
component of critical infrastructure in the fin
D1.G.SP.Inn.1: The cybersecurity strategy identifies and communicates its role as it relates to other critical infrastructures.
D1.G.SP.E.2: The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks.
D4.C.Co.B.1: The critical business processes that are dependent on external connectivity have been identified.
D1.G.Ov.Int.5: The board or an appropriate board committee ensures management’s annual cybersecurity self-assessment evaluates the insti
standards.
D1.G.IT.B.2: Organizational assets (e.g., hardware, systems, data, applications) are prioritized for protection based on the data classification and business value.
D5.IR.Pl.B.5: A formal backup and recovery plan exists for all critical business lines.
D5.IR.Pl.E.3: Alternative processes have been
D1.G.SP.B.4: The institution has board-approved policies commensurate with its risk and complexity that address information security.
D1.G.SP.B.7: All elements of the information security program are coordinated enterprise-wide.
D4.RM.Co.B.2: Contracts acknowledge that the third party is responsible for the security of the institution’s confidential data that it possesse
D1.G.Ov.E.2: Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity.
D1.G.Ov.B.1: Designated members of management are held accountable by the board or an appropriate board committee for implementing a
continuity programs.
D2.TI.Ti.B.2: Threat information is used to monitor threats and vulnerabilities.
D3.DC.Th.B.1: Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment
network.
D2.TI.Ti.B.1: The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on t
D3.DC.An.B.1: The institution is able to detect anomalous activities through monitoring across the environment.
D2.MA.Ma.E.1: A process
discover emerging threats.
D5.RE.Re.B.1: Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer in
D5.ER.Er.Ev.1: Criteria have been established for escalating cyber incidents or vulnerabilities to the board and senior management based on
D1.RM.RA.B.1: A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, and the sufficiency of policies, procedures and customer information systems.
D5.IR.Pl.B.1: The institution has documented how it will react and respond to cyber incidents.
D5.DR.Re.E.1: The incident response plan is designed to prioritize incidents, enabling a rapid response for significant cybersecurity incidents
D1.G.Ov.B.1: Designated members of management are held accountable by the board or an appropriate board committee for implementing a
continuity programs.
a plan and process outlines the mitigating actions, resources, and time parameters.
D1.G.Ov.Int.3: The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.
D1.G.SP.A.4: The risk appetite is informed by the institution’s role in critical infrastructure.
D3.PC.Im.B.7: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
D3.PC.Am.B.6: Identification and authentication are required and managed for access to systems, applications, and hardware.
D3.PC.Am.B.11: Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems.
D3.PC.Am.B.17: Administrative, physical, or technical controls are in place to prevent users without
D3.PC.Am.B.15: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor a
D3.PC.De.E.7: The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not us
D3.PC.Am.B.1: Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privileg
D3.PC.Am.B.2: Employee access to systems and confidential data provides for separation of duties.
D3.DC.Im.B.1: Network perimeter defense tools (e.g., border router and firewall) are used.
D3.DC.Im.Int.1: The enterprise network is segmented in multiple, separate trust/security zones with defense-in- depth strategies (e.g., logica
to mitigate attacks.
D1.TC.Tr.B.2: Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social e
issues.
D1.TC.Tr.E.3: Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of re
D1.TC.Tr.B.4: Customer awareness materials are readily available (e.g., DHS’ Cybersecurity Awareness Month materials).
D1.TC.Tr.Int.2: Cybersecurity awareness information is provided to retail customers and commercial clients at least annually.
D1.TC.Tr.E.2: Management is provided cybersecurity training relevant to their job responsibilities.
D1.TC.Tr.E.3: Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of re
D1.R.St.E.3: Staff with cybersecurity responsibilities has the requisite qualifications to perform the necessary tasks of the position.
D1.G.IT.B.13: Confidential data is identified on the institution's network.
D3.PC.Am.B.14: Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobi
D3.PC.Am.B.13: Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).
contracts that
D3.PC.Am.E.5: address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential d
D1.G.IT.E.3: The institution proactively manages system end-of-life (e.g., replacement) to limit security risks.
Controls are in place to prevent unauthorized access to cryptographic keys.
D1.G.IT.E.2: The institution h
considers whether assets to be acquired have appropriate security safeguards.
D5.IR.Pl.B.5: A formal backup and recovery plan exists for all critical business lines.
D5.IR.Pl.B.6: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following a
D3.PC.Am.B.15: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor a
D3.PC.Am.Int.1: The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data.
D3.PC.Se.Int.3: Software code executables and scripts are digitally signed to confirm the software author and guarantee that the code has not
D3.PC.De.Int.2: Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not us
institution or the institution’s third party.)
D3.PC.Am.B.10: Production and non-production environments are segregated to prevent unauthorized access or changes to information asse
D3.PC.Im.B.5: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
D3.PC.Se.B.1: Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SD
D3.PC.Se.E.1: Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications. (*N/A if ther
D1.G.IT.B.4: A change management process is in place to request and approve changes to systems configurations, hardware, software, appli
D5.IR.Pl.B.5: A formal backup and recovery plan exists for all critical business lines.
D5.IR.Te.E.3: Information backups are tested periodically to verify they are accessible and readable.
D3.PC.Am.B.11: Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems.
D1.G.IT.B.19: Data is disposed of or destroyed according to documented requirements and within expected time frames.
D1.RM.RMP.E.2: Management reviews and uses the results of audits to improve existing policies, procedures, and controls.
D1.G.Ov.A.2: Management has a formal process to continuously improve cybersecurity oversight.
D2.IS.Is.B.1: Information security threats are gathered and shared with applicable internal employees.
D2.IS.Is.E.2: A representative from the institution participates in law enforcement or information-sharing organization meetings.
D5.IR.Pl.B.1: The institution has documented how it will react and respond to cyber incidents.
D5.DR.Re.B.1: Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer in
D5.DR.Re.E.4: Procedures include containment strategies and notifying potentially impacted third parties.
D5.DR.De.B.1: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
D5.DR.Re.E.3: Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware).
D1.RM.RA.E.1: Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the in
plan.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the in
plan.
D5.IR.Pl.B.6: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following a
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the in
plan.
D5.IR.Pl.Int.4: Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the in
plan.
D5.ER.Es.Int.3: An external communication plan is used for notifying media regarding incidents when applicable.
D5.IR.Pl.Int.1: A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber atta
D5.ER.Is.B.1: A process exists to contact personnel who are responsible for analyzing and responding to an incident.
D5.IR.Pl.Int.1: A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attac
Food and Agriculture Sector
Source: National Restaurant Association: Cybersecurity 201
URL: https://www.cisa.gov/publication/nipp-ssp-food-ag-2015
https://www.nist.gov/cyberframework/critical-infrastructure-resources
https://www.restaurant.org/downloads/pdfs/advocacy/cybersecurity201.pdf
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated.
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
ID.GV-4: Governance and risk management processes address cybersecurity risks.
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented.
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified.
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
ID.RA-6: Risk responses are identified and prioritized.
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.
ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
PR.AC-2: Physical access to assets is managed and protected.
PR.AC-3: Remote access is managed.
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction.
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained.
PR.AT-2: Privileged users understand their roles and responsibilities.
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
PR.AT-4: Senior executives understand their roles and responsibilities.
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities.
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected.
PR.DS-2: Data-in-transit is protected.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
PR.DS-4: Adequate capacity to ensure availability is maintained.
PR.DS-5: Protections against data leaks are implemented.
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
PR.DS-7: The development and testing environment(s) are separate from the production environment.
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity.
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
PR.IP-2: A System Development Life Cycle to manage systems is implemented.
PR.IP-3: Configuration change control processes are in place.
PR.IP-4: Backups of information are conducted, maintained, and tested.
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met.
PR.IP-6: Data is destroyed according to policy.
PR.IP-7: Protection processes are improved.
PR.IP-8: Effectiveness of protection technologies is shared.
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
PR.IP-10: Response and recovery plans are tested.
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
PR.IP-12: A vulnerability management plan is developed and implemented.
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
PR.PT-2: Removable media is protected and its use restricted according to policy.
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
PR.PT-4: Communications and control networks are protected.
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
DE.AE-4: Impact of events is determined.
DE.AE-5: Incident alert thresholds are established.
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
DE.CM-4: Malicious code is detected.
DE.CM-5: Unauthorized mobile code is detected.
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
DE.CM-8: Vulnerability scans are performed.
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
DE.DP-2: Detection activities comply with all applicable requirements.
DE.DP-3: Detection processes are tested.
DE.DP-4: Event detection information is communicated.
DE.DP-5: Detection processes are continuously improved.
RESPOND (RS)
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
RS.RP-1: Response plan is executed during or after an incident.
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed.
RS.CO-2: Incidents are reported consistent with established criteria.
RS.CO-3: Information is shared consistent with response plans.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
RS.MI-3: Newly identified vulnerabilities are mitigated or accepted as documented risks.
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned.
RS.IM-2: Response strategies are updated.
RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident.
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned.
RC.IM-2: Recovery strategies are updated.
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
RC.CO-1: Public relations are managed.
RC.CO-2: Reputation is repaired after an incident.
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
Guidance
1) Develop a tagging system for all physical IT devices, including a simple system for identifying type of physical asset, i.e., CPU or peripheral.
1) Develop documentation or use third-party secure database software to inventory all software.
1) Map your restaurant’s communication and data flow requirements, and draft network diagrams.
1) Document all external systems, and code the systems for tracking, including type of system, data risk and locations.
1) Create a scoring system to identify the most critical to least critical technology systems.
1) Develop roles and responsibilities for your employees and third parties regarding information systems and cybersecurity.
All information systems
1) Identify and understand your restaurant’s and vendor partners’ role in each step of the supply chain.
1) Document and communicate the infrastructure that supports the critical business activities identified in ID.BE-1 (above).
1) Document and prioritize your business activities to determine processes, technology and stakeholders that are key to achieving the organization’s objectives.
1) Create a list of services that are critical to running your business.
1) Document your requirements for delivery of critical services, including hours required to be available, maximum amount of time service cannot be available and how to deal with unavailability.
1) Determine the regulatory and legal requirements for the restaurant’s security and include this information in your security policies.
1) The IT subject matter expert in partnership with HR and functional areas (i.e., finance, legal, supply chain, operations) should establish the roles and responsibilities of employees and external partners for the use and access of company information systems.
1) IT subject matter experts should be well informed of ever-changing industry standards and regulatory requirements, and provide ongoing updates to the organization.
1) Meet with your board and/or management team at least annually to discuss risks to the company, including cybersecurity risks.
1) Review the network diagrams to assess and document vulnerabilities (see ID.AM-3).
1) Review ID.AM-1 and ID.AM-2 to identify threat-protection systems available to the organization.
1) Determine sources of information about threats (industry resources like the National Restaurant Association, external sources identified in ID.RA-2, providers of threat-protection systems and internal subject matter experts).
1) IT subject matter experts review the network diagrams to identify potential business impacts and likelihoods.
1) IT subject matter experts rank the identified business impacts and likelihoods based on the risk.
1) IT subject matter experts identify the risk responses and prioritize them based on their impact on the business.
1) Establish a schedule for leadership to review risk assessment details whenever they are updated.
1) Review the risk responses (ID.RA-6) according to the schedule and process outlined by ID.RM-1.
1) As part of your overall risk-management strategy, regularly consult with peers in other organizations (if possible) and industry resources (e.g., the National Restaurant Association) to stay abreast of evolving industry-specific risks.
1) Require unique accounts for each individual who accesses a POS terminal.
1) Keep an inventory of unused devices in a secure
1) Manage and log all remote access of your systems
1) Limit access privileges to the least necessary to
1) Use physical or virtual firewalls to separate critical
Notify your security team and managers when an event occurs. Ensure that your team knows their roles and how to respond.
Have a plan in place that spells out what needs to be communicated, and to whom, when an event occurs.
Develop a crisis communications plan, and follow it during an incident. Share the information needed to properly respond.
Consistently update your stakeholders so they can help reduce the impact of an incident.
Periodically share risk trends and security information with stakeholders.
Review alerts immediately with your personnel/vendors from any systems that send alerts, such as virus and network-security tools.
Understand that as an event begins, your first discoveries may not be the source of the problem. As an example, one person skimming in a restaurant may lead to your finding that others are involved. Or you may find that one breached system leads to another breached system.
In the event of a major breach of your systems, perform a forensics audit. Consult immediately with a forensics expert to ensure that you are properly maintaining evidence and can mitigate the breach as soon as possible.
Follow your response plan to ensure clear thinking and that appropriate actions are taken.
Contain incidents to lessen their impact on your restaurant. For example, if a foreign device is detected on a credit terminal, remove the credit terminals at that location and stop taking credit.
Collect evidence concerning the incident, and follow your response plan to mitigate or eliminate the incident. In the event of a foreign device on a credit terminal, stop taking credit, take it off the network, secure the device and check all other devices. Bring in known good replacement devices to replace the suspected devices. Store the infected device somewhere that is secured. It may become legal evidence and should not be tampered with.
Apply your learning from evidence collection and perform any migration/corrective tasks.
Having a meeting after every incident to discuss lessons learned.
Learning how to respond starts with a plan rather than the experience itself. Always update your plans.
Carry out your recovery plan to limit the impact of your event.
Your recovery plan should incorporate lessons learned from responding to the incident. For example, if an employee was skimming cards at your restaurant, review with your team how they handled the incident and what improvements can be made to your plan.
Learn from real security incidents, and use those lessons to update your response plan.
Annually review your plan with your security team or vendor partners.
Implement a crisis communications plan to manage the public relations fallout from the incident. Consider hiring an outside PR consultant to help you.
Take steps to repair your reputation after a security incident. For example, if email addresses are the only information that is breached, assure your customers that no other personal information was compromised. Do not forget to apologize and to note that you are taking steps to ensure that this will not happen again. Work with PR partners when available.
Keep managing partners, owners and other key stakeholders informed of your recovery process. Be very clear in your communications to avoid misunderstandings. For example, if a loyalty program was compromised and you have shut down this system, you should continue to communicate and give daily updates to your internal team.
Gov Facilities Sector
Source:
URL: https://www.cisa.gov/publication/nipp-ssp-government-facilities-2015
https://www.nist.gov/cyberframework/critical-infrastructure-resources
Healthcare Sector
Source: HPH_Framework_Implementation_Guidance
URL: https://us-cert.cisa.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guida
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states.
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated. Mapping: 04.b Review of the Information Security Policy
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. Mapping: 05.b Security Coordination; 05.c Allocation of Information Security Responsibilities
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. Mapping: 01.a Access Control Policy; 02.a Roles and Responsibilities
ID.GV-4: Governance and risk management processes address cybersecurity risks. Mapping: 0.a Information Security Management Program
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented. Mapping: 03.b Performing Risk Assessments; 03.d Risk Evaluation
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources. Mapping: 05.g Contact with Special Interest Groups; 10.m Control of Technical Vulnerabilities
ID.RA-3: Threats, both internal and external, are identified and documented. Mapping: 03.b Performing Risk Assessments; 03.d Risk Evaluation
ID.RA-4: Potential business impacts and likelihoods are identified. Mapping: 03.d Risk Evaluation
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Mapping: 03.b Performing Risk Assessments; 03.d Risk Evaluation
ID.RA-6: Risk responses are identified and prioritized. Mapping: 03.c Risk Mitigation; 06.g Compliance with Security Policies and
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders. Mapping: 03.a Risk Management Program Development
ID.RM-2: Organizational risk tolerance is determined and clearly expressed. Mapping: 03.a Risk Management Program Development
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis. Mapping: 03.a Risk Management Program Development
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes. Mapping: 01.b User Registration; 01.d User Password Management; 01.g Unattended User Equipment
PR.AC-2: Physical access to assets is managed and protected. Mapping: 08.a Physical Security Perimeter
PR.AC-3: Remote access is managed. Mapping: 01.j Policy on the Use of Network Services; 01.n Network Connection Control
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. Mapping: 01.b User Registration; 01.c Privilege Management
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation). Mapping: 01.m Segregation in Networks; 01.n Network Connection Control
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction.
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained. Mapping: 02.d Management Responsibilities; 02.e Information Security Awareness,
PR.AT-2: Privileged users understand their roles and responsibilities. Mapping: 02.d Management Responsibilities; 02.e Information Security Awareness,
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities. Mapping: 02.d Management Responsibilities; 05.j Addressing Security When Dealing with Customers
PR.AT-4: Senior executives understand their roles and responsibilities. Mapping: 02.d Management Responsibilities; 02.e Information Security Awareness,
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities. Mapping: 02.d Management Responsibilities; 02.e Information Security Awareness,
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected. Mapping: 01.x Mobile Computing and Communications
PR.DS-2: Data-in-transit is protected. Mapping: 09.m Network Controls; 09.u Physical Media in Transit
[HIPAA Security Rule citation column (45 CFR 164.306 through 164.316) for the healthcare mapping rows above; the extraction separated the citations from their rows.]
Information Technology Sector
Source:
URL: https://www.cisa.gov/publication/nipp-ssp-information-technology-2016
Nuclear Sector
Source: Nuclear Sector: Cybersecurity Framework Implementation Guidance. May 2020
URL: https://www.cisa.gov/sites/default/files/publications/Nuclear_Sector_Cybersecurity_Framework_Implemen
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. Mapping: A-4.11
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. Mapping: A-2.1, A-2.2
ID.GV-4: Governance and risk management processes address cybersecurity risks. Mapping: A-4.9; A-3.1.5, A-4.4.3.2
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented. Mapping: D-5.5
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified.
Mapping for ID.RA-2 through ID.RA-4 (the row boundaries are not recoverable from the extracted table): A-4.9.1, E-3.5, A-2.1, E-9.8, A-4.9.1, E-3.5, A-3.1.3
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Mapping: A-4.9.1, A-4.9.4
ID.RA-6: Risk responses are identified and prioritized. Mapping: A-4.2, A-4.9.4
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.
ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders. Sector guidance: Plant Cyber Security Teams establish processes and ... that address cyber supply chain risk management in their Cyber Security Plans.
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process. Sector guidance: Suppliers are identified, vetted, and validated through the nuclear procurement process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. Sector guidance: Baseline cyber security requirements are integrated into the procurement process. The nuclear industry implements a graded approach based upon the component risk.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. Sector guidance: Plants implement procedures to facilitate ... To the extent practicable, plants also utilize third-party security alert notification services.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers. Sector guidance: Plant Cyber Security Teams collect and document the vendor information security alert lists. Plants also include vendor representatives
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes. Mapping: D-1.2, D-1.11, D-4.2, D-4.3, D-4.5, D-4.6, D4.7
PR.AC-2: Physical access to assets is managed and protected. Mapping: D-4.4, E-5.4, E-5.5
PR.AC-3: Remote access is managed. Mapping: A-4.3, D-1.1
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. Mapping: D-1.5, D-1.6, D-5.3
authorized PR.AC-5: A-4.3,
authorizations
Network are D-1.4
integrity
users, processes, PR.AC-6:
managed,
or devices, and is protected
Identities are(e.g.,
to authorized network
proofed and
bound to
and associated
facilities is
limited to
authorized
users, processes,
or devices, and
PR.AC-7: Users,
to authorized
Awareness and devices,
PR.AT-1:and All A-4.8
Training other
users assets
are are E-9.1, E-9.2, E-9.3
PR.AT-2: A-4.8, A-4.11
(PR.AT): The authenticated
informed
Privileged and
organization’s PR.AT-3:
trained Third- E-7.2,
users A-4.8, E-8.3,
A-4.11E-9.1, E-9.3
understand their
personnel and party
PR.AT-4:
roles
E-11.1, E-11.2, E-11.3
and Senior A-4.8, A-4.11
partners are stakeholders
executives E-9.1,
provided PR.AT-5:
(e.g., suppliers, A-4.8, E-9.3
A-4.11
understand
Physical and their E-9.1, E-9.3
Data Security PR.DS-1:
roles and Data- D-3.19
cybersecurity
at-rest is Data- D-3.6, D-3.7
(PR.DS): PR.DS-2:
personnel
Information protected
in-transit
PR.DS-3:isAssets E-1.6, E-10.9
and records protected
are formally
(data) are PR.DS-4: D-3.4
managed
Adequate
managed PR.DS-5:
throughout D-1.4, D-1.5, D-1.6, D-1.15,
consistent with capacity
Protectionsto ensure D-3.7, D-3.9, D-4.9, D-5.3
PROTECT (PR)
PR.DS-6:
availability E-3.7
the against
Integritydataisleaks
organization’s arePR.DS-7: The
implemented D-5.4
checking
development and E-10.3
risk strategy to PR.DS-8:
mechanisms are
testing
Integrity
protect the
Information PR.IP-1: A
environment(s) A-3.1.3, A-3.1.5,
Protection checking
baseline A-4.4.1,
PR.IP-2: A A-4.5 A-4.4.2, A-4.5
Processes and mechanisms
configuration
System
are
of E-11.3,
Procedures PR.IP-3:
information A-4.4.1 E-11.4, E-11.5, E-11.6
Development
Configuration D-1.18, D-4.1, D-4.7,
(PR.IP): PR.IP-4:
Life Cycle Backups
to E-8.2, E-8.5
Security policies change
of control
information
(that address PR.IP-5:
processes Policy
are in A-4.12
are
and conducted,
regulations
purpose, scope, PR.IP-6:
maintained, Data and is E-5.1
E-1.6
roles, regarding
destroyed the
PR.IP-7: A-4.12
responsibilities, physical
according to
Protection
PR.IP-8: E-9.8
A-4.12
management policy
processes
Effectivenessare of
commitment, PR.IP-9: A-4.6, A-4.7
improved
protection
and Response
coordination PR.IP-10: is E-7.1,
technologies
plans E-7.3, E-7.6,
E-8.2 E-8.1
(Incident
Response and
among PR.IP-11:
Responseplansand E-2.1, E-2.2, E-5.2
organizational recovery
Cybersecurity is
entities), PR.IP-12:
are testedinA A-4.9
included
vulnerability D-5.5
Maintenance PR.MA-1:
human resources E-4.2, E-4.3
(PR.MA): management
Maintenance plan
and
PR.MA-2:
is developed and Remote maintenance to critical safety,
Maintenance repair
Remote of security, and reliability systems is
Protective
and repairs of PR.PT-1:
organizational D-2.1, D-2.2, D-2.3, D-2.6,
Technology maintenance
Audit/log of prohibited by the defensive architecture
PR.PT-2: records D-2.7,
organizational D-1.2, D-2.12
D-1.19
described in the cyber security plan. (A-4.3
(PR.PT): are determined, E- 1.4, E-1.5
Removable
Technical PR.PT-3:
documented, The D-1.2, D-1.3, D-1.11, D-1.16,
media is of least D-5.1, D-5.4
principle
security PR.PT-4:
protected andisits A-4.3
solutions are functionality
Communications E-6
managed to PR.PT-5:
incorporated by
and control
Anomalies and Mechanisms
DE.AE-1:
networks A
are D-2.6
Events (e.g., failsafe,
baseline of
DE.AE-2:
load balancing, D-2.6
(DE.AE): network
Detected events E-7.4,
Anomalous DE.AE-3:
operations Event
and E-7.4 E-7.5
are
dataanalyzed to
are collected
activity is DE.AE-4:
understand Impact
attack D-5.2
detected in a and
of correlated
events is E-3.4
DE.AE-5:
timely manner, from multiple D-5.2
determined
Incident
Security DE.CM-1: The E-3.4,
alert D-4.4 E-6
Continuous thresholds
network are
is The E-5.6,
DE.CM-2:
established E-2.1 E-5.7, E-5.8
Monitoring monitored to
DETECT (DE)
physical
DE.CM-3: E-3.3
(DE.CM): The detect potential
environment is
information Personnel
DE.CM-4: activity
monitored
is monitored to to D-3.13
system and Malicious code is
assets are DE.CM-5:
detect potential D-5.2
detected
Unauthorized E-3.4, E-5.2
monitored at
discrete mobile code is
intervals to detected
identify
cybersecurity
Monitoring
DETECT (DE
(DE.CM): The
information
system and
assets are
monitored at DE.CM-6: D-1.2, D-1.17, D-1.19
discrete External service D-4.4,
DE.CM-7: E-12 D-5.2, D-5.3
intervals to provider activity
Monitoring
DE.CM-8: for
identify is monitored to A-4.6
unauthorized
cybersecurity
Detection Vulnerability
DE.DP-1: Roles E-3.4A-4.6
personnel,
scans are
Processes and
DE.DP-2: D-5.2
(DE.DP): performed
responsibilities
Detection
DE.DP-3: E-3.4
Detection for detection
activities complyare A-4.6
processes and Detection
DE.DP-4: Event D-2.6A-4.6, A-4.12
with all are
processes
procedures are detection E-12
maintained and DE.DP-5:
tested A-4.6
information
Detection is E-8.1,
Response RS.RP-1:
communicated A-4.6, E-8.6
A-4.8
Planning processes
Response are
plan is E-7.1, E-7.6, E-8.1
RS.CO-1:
continuously A-4.6
Communicatio executed
Personnel during
know A-4.6
ns (RS.CO): RS.CO-2:
or after an and
their roles
Incidents are E-8.1
Response RS.CO-3:
order of A-4.6
activities are reported
Information is E-8.1
coordinated RS.CO-4:
consistent with A-4.6
shared consistent
Coordination E-3.5,
with internal RS.CO-5:
with response D-2.6 E-9.8
RESPOND (RS)
Planning strategies
Recovery are
plan is E-3.11,
Improvements RC.IM-1:
updated A-4.9.4 E-7.4, E-8.1, E-12
(RC.RP):
(RC.IM): executed
Recovery during
plans E-7.1
Recovery RC.IM-2:
or after a
incorporating incorporate
Recovery
Communicatio
lessons learned RC.CO-1:
lessons Public
learned
ns (RC.CO): strategies
relations are
are
RC.CO-2:
updated A-4.7
coordinating managed
Reputation is E-8.1
centers, Internet RC.CO-3:
repaired
Recovery after an
Service incident
activities are
communicated to
Transportation Systems Sector
Source: Transportation Systems Sector Cybersecurity Framework Implementation Guidance
URL: https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide-2016-508v2_0.pdf
https://www.cisa.gov/transportation-systems-sector

| Function | Category | Subcategories | Sector goal |
|---|---|---|---|
| IDENTIFY (ID) | Asset Management (ID.AM) | ID.AM-1 to ID.AM-6 | Goal 1: Define Conceptual Environment |
| IDENTIFY (ID) | Business Environment (ID.BE) | ID.BE-1 to ID.BE-5 | Goal 5: Ensure Sustained Coordination and Strategic Implementation |
| IDENTIFY (ID) | Governance (ID.GV) | ID.GV-1 to ID.GV-4 | Goal 5: Ensure Sustained Coordination and Strategic Implementation |
| IDENTIFY (ID) | Risk Assessment (ID.RA) | ID.RA-1 to ID.RA-6 | Goal 1: Define Conceptual Environment |
| IDENTIFY (ID) | Risk Management Strategy (ID.RM) | ID.RM-1 to ID.RM-3 | Goal 1: Define Conceptual Environment |
| IDENTIFY (ID) | Supply Chain Risk Management (ID.SC) | ID.SC-1 to ID.SC-5 | |
| PROTECT (PR) | Access Control (PR.AC) | PR.AC-1 to PR.AC-7 | Goal 1: Define Conceptual Environment |
| PROTECT (PR) | Awareness and Training (PR.AT) | PR.AT-1 to PR.AT-5 | Goal 3: Maintain Continuous Cybersecurity Awareness |
| PROTECT (PR) | Data Security (PR.DS) | PR.DS-1 to PR.DS-8 | Goal 4: Enhance Intelligence and Security Information Sharing |
| PROTECT (PR) | Information Protection Processes and Procedures (PR.IP) | PR.IP-1 to PR.IP-12 | Goal 1: Define Conceptual Environment |
| PROTECT (PR) | Maintenance (PR.MA) | PR.MA-1 to PR.MA-2 | Goal 1: Define Conceptual Environment |
| PROTECT (PR) | Protective Technology (PR.PT) | PR.PT-1 to PR.PT-5 | Goal 3: Maintain Continuous Cybersecurity Awareness |
| DETECT (DE) | Anomalies and Events (DE.AE) | DE.AE-1 to DE.AE-5 | Goal 4: Enhance Intelligence and Security Information Sharing |
| DETECT (DE) | Security Continuous Monitoring (DE.CM) | DE.CM-1 to DE.CM-8 | Goal 4: Enhance Intelligence and Security Information Sharing |
| DETECT (DE) | Detection Processes (DE.DP) | DE.DP-1 to DE.DP-5 | Goal 4: Enhance Intelligence and Security Information Sharing |
| RESPOND (RS) | Response Planning (RS.RP) | RS.RP-1 | Goal 1: Define Conceptual Environment |
| RESPOND (RS) | Communications (RS.CO) | RS.CO-1 to RS.CO-5 | Goal 2: Improve and Expand Voluntary Participation |
| RESPOND (RS) | Analysis (RS.AN) | RS.AN-1 to RS.AN-5 | Goal 4: Enhance Intelligence and Security Information Sharing |
| RESPOND (RS) | Mitigation (RS.MI) | RS.MI-1 to RS.MI-3 | Goal 4: Enhance Intelligence and Security Information Sharing |
| RESPOND (RS) | Improvements (RS.IM) | RS.IM-1 to RS.IM-2 | Goal 3: Maintain Continuous Cybersecurity Awareness |
| RECOVER (RC) | Recovery Planning (RC.RP) | RC.RP-1 | Goal 1: Define Conceptual Environment |
| RECOVER (RC) | Improvements (RC.IM) | RC.IM-1 to RC.IM-2 | Goal 3: Maintain Continuous Cybersecurity Awareness |
| RECOVER (RC) | Communications (RC.CO) | RC.CO-1 to RC.CO-3 | Goal 2: Improve and Expand Voluntary Participation |
Water Sector
Source: American Water Works Association Cybersecurity Guidance 2019
URL: https://www.cisa.gov/publication/nipp-ssp-water-2015
https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.pdf?ver=2019-09-09-111949-960
PROTECT (PR)
protect the confidentiality,
integrity, and availability of
information. PR.DS-7: The
development
PR.DS-8:
Information Protection Processes and testing
Integrity
PR.IP-1: A
and Procedures (PR.IP): Security environment(s)
checking
baseline
PR.IP-2: A
policies (that address purpose, scope, mechanisms are
configuration
System
PR.IP-3: of
roles, responsibilities,management information
Development
Configuration
PR.IP-4:
commitment, and coordination among Life Cycle
change
Backups
PR.IP-5: to
control
of
Policy
organizational entities), processes, processes
information
and areare
regulations
PR.IP-6: Data in
and procedures are maintained and conducted,
regarding
is destroyed the
PR.IP-7:
used to manage protection of physical to
according
Protection
PR.IP-8:
information systems and assets. policy
processes
Effectiveness
PR.IP-9: are of
improved plans
protection
Response
PR.IP-10:
technologies
(Incident
Response
PR.IP-11: andis
Responseplans
recovery
Cybersecurity
PR.IP-12: and
A
areincluded
is tested in
vulnerability
Maintenance (PR.MA): Maintenance PR.MA-1:
human
management
and repairs of system components are PR.MA-2:
Maintenance
performed consistent
Protective Technology with policies
(PR.PT): planrepair
and
Remote is
PR.PT-1: of
and procedures.
Technical security solutions are organizationalof
maintenance
Audit/log
PR.PT-2:
managed to ensure the security and organizational
records
Removable
PR.PT-3: areThe
resilience of systems and assets, determined,
media
principle
PR.PT-4: is of
consistent with related policies, protected and
least
Communication
PR.PT-5:
procedures,
Anomalies and and agreements.
Events (DE.AE): sfunctionality
and control
Mechanisms
DE.AE-1: A is
Anomalous activity is detected in a networks
(e.g.,
baseline
DE.AE-2: ofare
failsafe,
timely manner, and the potential load balancing,
network
Detected
DE.AE-3: events
impact of events is understood. operations
are data and
analyzed
Event
DE.AE-4: areto
understand
collected
Impact
DE.AE-5: ofand
Security Continuous Monitoring correlated
events
Incident
DE.CM-1: from
is alert
The
DETECT (DE)
improved by
Recovery incorporating
Planning (RC.RP): vulnerabilities
lessons RC.RP-1:
incorporate
Response
learned from
Recovery
Improvements current
processes andand
(RC.IM): previous RC.IM-1:
procedures lessons learned
strategies
Recovery are
plan
are executed and
incorporating lessons learned into updated
is executedplans
Recovery
future activities. during or after a
incorporate
lessons learned
RECOVER (RC)
Improvements (RC.IM):
incorporating lessons learned into RC.IM-2:
future activities. (RC.CO):
Communications Recovery
RC.CO-1:
coordinating centers, Internet Service strategies
Public
RC.CO-2: are
relations
Providers, owners of attacking updated
are managedis
Reputation
RC.CO-3:
systems, victims, other Computer repaired after
Recovery
an incident
activities are
communicated
| Subcategory | Description | Sector guidance reference |
|---|---|---|
| ID.AM-1 | Physical devices and systems within the organization are inventoried | PM-2 |
| ID.AM-2 | Software platforms and applications within the organization are inventoried | PM-2 |
| ID.AM-3 | Organizational communication and data flows are mapped | PM-2 |
| ID.AM-4 | External information systems are catalogued | MA-3 |
| ID.AM-5 | Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | PM-5 |
| ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | PE-4, PS-2 |
| ID.BE-1 | The organization’s role in the supply chain is identified and communicated | RA-2, PS-2, |
| ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | MA-2 |
| ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | IR-2 |
| ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | IR-2 |
| ID.BE-5 | Resilience requirements to support delivery of critical services are established | IR-3 |
| ID.GV-1 | Organizational information security policy is established | IR-2, AU-2 |
| ID.GV-2 | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | PS-2, AU-4, AU-6 |
| ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | IR-3 |
| ID.GV-4 | Governance and risk management processes address cybersecurity risks | AU-3, AU-5, CM-6 |
| ID.RA-1 | Asset vulnerabilities are identified and documented | AU-5, RA-1, IR-2 |
| ID.RA-2 | Threat and vulnerability information is received from information sharing forums and sources | AU-5, PM-3, IR-2 |
| ID.RA-3 | Threats, both internal and external, are identified and documented | AU-5, RA-1, IR-2 |
| ID.RA-4 | Potential business impacts and likelihoods are identified | AU-5, RA-1, IR-2 |
| ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | AU-5 |
| ID.RA-6 | Risk responses are identified and prioritized | IR-1 |
| ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | IR-2 |
| ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | SA-4 |
| ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | SC-4 |
| ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | SU1 |
| ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | SU2 |
| ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | SU2 |
| ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | SU1 |
| PR.AC-1 | Identities and credentials are managed for authorized devices and users | IA-1, RA-1, SC-19 |
| PR.AC-2 | Physical access to assets is managed and protected | PE-1, PE-2, PE-3 |
| PR.AC-3 | Remote access is managed | IA-7, SC-12, SC-18, SC-21, RA-2 |
| PR.AC-4 | Access permissions are managed, incorporating the principles of least privilege and separation of duties | IA-3, SC-22 |
| PR.AC-5 | Network integrity is protected, incorporating network segregation where appropriate | SC-8, SC-9, SC-14, |
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | Not addressed |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods | SC-5 |
| DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors | Not addressed |
| DE.AE-4 | Impact of events is determined | PM-3 |
| DE.AE-5 | Incident alert thresholds are established | CM-7 |
| DE.CM-1 | The network is monitored to detect potential cybersecurity events | CM-7 |
| DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | PE-1, CM-7 |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | CM-7, SA-5 |
| DE.CM-4 | Malicious code is detected | SC-5 |
| DE.CM-5 | Unauthorized mobile code is detected | SA-4 |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | IA-2 |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | PS-1 |
| DE.CM-8 | Vulnerability scans are performed | IR-2 |
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | PS-2 |
| DE.DP-2 | Detection activities comply with all applicable requirements | IR-3 |
| DE.DP-3 | Detection processes are tested | ANSI/AWWA G430, G440 |
| DE.DP-4 | Event detection information is communicated to appropriate parties | IA-2 |
| DE.DP-5 | Detection processes are continuously improved | SC-4 |
| RS.RP-1 | Response plan is executed during or after an event | AT-1 |
| RS.CO-1 | Personnel know their roles and order of operations when a response is needed | ANSI/AWWA |
| RS.CO-2 | Events are reported consistent with established criteria | G430 |
| RS.CO-3 | Information is shared consistent with response plans | SC-6 |
| RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | ANSI/AWWA |
| RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | MA-2 |
| RS.AN-1 | Notifications from detection systems are investigated | SC-5 |
| RS.AN-2 | The impact of the incident is understood | ANSI/AWWA J100 |
| RS.AN-3 | Forensics are performed | AT-3 |
| RS.AN-4 | Incidents are categorized consistent with response plans | AT-3 |