Cybersecurity Framework vPA 092813
Cybersecurity Framework vPA 092813
Cybersecurity Framework vPA 092813
Step 2 - Assess Security Index using the next Tab [Security Index]
Step 3 - Use Tab [Risk Register] to align controls application and roadmap with priorities based on risk.
Step 4 - Keep applying complete controls in Tab [Framework Core] based on overall risk and cost benefit analysis.
Step 5 - Assess Security Index using the next Tab [Security Index]
Step 6 - Repeat Step1 and be vigilant.
*Tab [Evidence-based Priority Controls] will be subject to change based on guidance from DHS and contr
Released publicly on 10/10/2013 aka Day 240 since EO 13,636 and PPD-21 were issued and the day this was due by
The Internet never sleeps and neither does the security community.
astructure (scope)
es based on risk.
k and cost benefit analysis.
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
*Based on the Cloud Security Alliance Cloud Controls Matrix (CCM) v1.4 with minor updates and NIS
https://cloudsecurityalliance.org/cm
**Hit [2] Tab in order to see completed version of CSF. Tab [1] only displays the base framework of t
the Core Security Frameworks, associated core Industrial Controls and Privacy frameworks and stand
Critical Infrastructure Sectors
Core Security Frameworks
Description
NIST
ISO/IEC 27001-2005 COBIT 4.1 SP800-53 CCS CSC
R3
ontrols Matrix (CCM) v1.4 with minor updates and NIST outline and Discussion Draft CSF groupings
n of CSF. Tab [1] only displays the base framework of the Cybersecurity Framework highlighting
e Industrial Controls and Privacy frameworks and standards that are auditable and/or have associated certifications in the indus
Evidence-based, Prioritized Key
Informative References
Failures)
AICPA
ISA 99 GAPP AICPA
NERC CIP Trust Service Criteria
IEC 62443 (Aug 2009) TS Map
(SOC 2SM Report)
Classification
IDENTIFY
IDENTIFY
Information System Regulatory Mapping
IDENTIFY
Data Integrity
PROTECT
Network Security
PROTECT
Audit Logging / Intrusion Detection
PROTECT
Production Changes
PROTECT
Policy
DETECT
DETECT
Training / Awareness
DETECT
Management Oversight
DETECT
User Responsibility
DETECT
Workspace
DETECT
Encryption
DETECT
Vulnerability / Patch Management
DETECT
DETECT
Incident Reporting
DETECT
Incident Response Legal Preparation
DETECT
eCommerce Transactions
DETECT
Portable / Mobile Devices
DETECT
Portable / Mobile Devices
DETECT
Policy
RESPOND
Incident Management
RECOVER
*Based on the Cloud Security Alliance Cloud Controls Matrix (CCM) with minor updates and NIST out
**See next tab over for evidence on how these 22 controls were identified.
***This tab will be subject to change based on guidance from DHS and controls failures analysis orga
Critical Infrastructure Sectors
Core Security Frameworks
Description
NIST
ISO/IEC 27001-2005 COBIT 4.1 SP800-53 CCS CSC
R3
Users shall be made aware of their Clause 5.2.2 PO 4.6 AT-2 CSC9
responsibilities for: A.8.2.2 AT-3 CSC10
• Maintaining awareness and A.11.3.1 AT-4 CSC11
compliance with published security A.11.3.2 PL-4 CSC12
policies, procedures, standards and CSC14
applicable regulatory requirements CSC15
• Maintaining a safe and secure CSC16
working environment CSC17
• Leaving unattended equipment in CSC18
a secure manner CSC19
Policies and procedures shall be Clause 5.2.2 AC-11
established for clearing visible A.8.2.2 MP-2
documents containing sensitive data A.9.1.5 MP-3
when a workspace is unattended A.11.3.1 MP-4
and enforcement of workstation A.11.3.2
session logout for a period of A.11.3.3
inactivity.
ontrols Matrix (CCM) with minor updates and NIST outline and Discussion Draft CSF groupings
se 22 controls were identified.
Failures)
AICPA
ISA 99 GAPP AICPA
NERC CIP Trust Service Criteria
IEC 62443 (Aug 2009) TS Map
(SOC 2SM Report)
HISPI 20 ISO
27001
CIP-007-3 8.2.1 S3.7 (S3.7) Procedures exist to
- R6.5 8.2.2 identify, report, and act upon
system security breaches
and other incidents.
Verizon
DBIR 2013
CIP-003-3 1.2.6 A3.16.0 (A3.16.0, S3.13.0)
- R6 S3.13.0 Procedures exist to provide
that only authorized, tested,
and documented changes
are made to the system.
CCS CSC /
Aus DSD
Sweet Spot
CIP-003-3 8.1.0 S1.1.0 (S1.1.0) The entity's security
- R1 -R1.1 8.1.1 policies are established and
- R1.2 - R2 periodically reviewed and
- R2.1 - approved by a designated
R2.2 - S1.3.0 individual or group.
R2.3
(S1.3.0) Responsibility and
accountability for developing
S2.3.0 and maintaining the entity’s
system security policies,
and changes and updates to
those policies, are assigned.
HISPI 20 ISO
27001
CIP-007-3 1.2.6 S3.4 (S3.4) Procedures exist to
- R7.1 3.2.4 protect against unauthorized
8.2.6 access to system resources.
HISPI 20 ISO
27001
8.2.1 (S2.3.0) Responsibility and
S2.3.0 accountability for the entity’s
system availability,
confidentiality of data,
processing integrity, system
security and related security
policies and changes and
updates to those policies
are communicated to entity
personnel responsible for
implementing them.
HISPI 20 ISO
27001
(A) 2012 HISPI Top 20 ISO\IEC 27001:2005 Annex A Mitigating Controls Failures Q4'2012
Work in progress:
****(D) Will add 2013 Mandi
*****(E) Will add 2013 Trustw
******(F) Will add 2012 Micr
(D) 2013 Mandiant APT1 Report and Digital Appendix & Indicators
(E) Will add 2013 Trustwave Global Security Report (GSR)
(F) Will add 2012 Microsoft Security Intelligence Report (SIR) Volume 14
7001 Annex A control failures
*Several of the top 10 were missing in the NIST Discussion Preliminary Draft released prior to Dallas work shop
Work in progress:
****(D) Will add 2013 Mandiant APT1 Report and Digital Appendix & Indicators
*****(E) Will add 2013 Trustwave Global Security Report (GSR)
******(F) Will add 2012 Microsoft Security Intelligence Report (SIR) Volume 14
*Identity controls failed
* hysical security controls failed
Detection failed
CSF Domain Risk Index (SCMMI 0-5) Goal (Target State) Risks (See Risk Register)
IDENTIFY 2 4.25
PROTECT 2.5 3.25
DETECT 2 3.5
RESPOND 1.25 3.75 Security Capability Mat
RECOVER 2 3 SCMMI Index 1 - Initial
RESPOND
SCMMI Index 2 - Repea
DETECT
PROTECT
IDENTIFY
2
RECOVER
3.25
PROTECT SCMMI Index 4 - Quanti
3 2.5
2
0
1.25
2
3.75 3.5
Index 2 is a managed state. Managed, as the word means, the security capabilities are
defined at this level. Basic security capabilities and principles are established to track
security, risks, cost, schedule and functionality. The necessary security and risk
management discipline are in place to repeat earlier success on security capbilities.
Effective security practices can be characterized as practiced, documented, enforced,
trained, measured, and able to improve.
SCMMI Index 3 - Defined
Index 3 is a defined state, and looks at building security capabilities and organizational
level security capabilities using the strong base set at SCMMI 2. Index 3 is, when an
organization will have security practices for Requirements gathering (Test
Requirements Gathering), Design & Build (Strategize and Prepare Test Cases / Scripts),
Reviews, Testing (Execute Test Cases / Scripts) etc, defined at organization level.
Information and artifacts of previous security capabilities are available for re-use
within the organization through mechanisms of knowledge sharing.
Index
SCMMI Index 4 - 4Quantitatively
in SCMMI is aManaged
very critical step. It is called “Quantitatively Managed” state. At
this state, the organization has achieved all the in SCMMI 2, 3 and 4. They key attribute
of SCMMI 4 is sub-category performance. The selected sub-categories are controlled
using statistical and other quantitative techniques. At Index 4, security practices
happen through Quantitative techniques. Quantitative objectives are based on the
needs of the client, end users, organization and process improvement. Quality and
process performances are understood in statistical terms and are managed throughout
the life of the capabilities.For the various capabilities measures of practice
performance are collected and statistically analyzed. Special Causes of practice
performance are identified and corrected to prevent future occurrences. The crucial
difference between Level 3 and 4 is Predictability. At Level 4, performance of practices
are quantitatively predictable.
SCMMI Index 5 - Optimizing
Index 5 is an Optimizing state that focuses on continually improving security practices
performance through both incremental and innovative improvements. The effects of
deployed practice improvements are measured and evaluated. A critical distinction
between SCMMI 4 and 5, is the type of practice variation that is addressed. At SCMMI
4, we look at special cause of variation. At SCMMI 5, we are concerned with addressing
common causes of variation and changing the security practices (E.g. Defect & Problem
Prevention)
Example Risk Management Methodologies to Implement
NIST SP 800-37 Risks identified by security, com
ISO 31000 / ISO 27005 the 4 pillars of the COSO Enterp
Risk Register
CSF Domain Risks (List of risks by CSF Functions)
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Example Roadmap
*Set based on prioritized issues in Risk Register
Risks identified by security, compliance, privacy, and risk management teams tend to follow
the 4 pillars of the COSO Enterprise Risk Management (COSO ERM) model below.
CSA
Function Category Subcategory CCM 1.4
Control ID
Program RI-01
Assessments RI-02
Risk Management
Mitigation / Acceptance RI-03
Risk Management
Classification DG-02
I
D
E
N
T
I
F
Y Risk Assessments DG-08
Legal
Human Resources
Security
Employment Agreements HR-02
Human Resources
Security
Compliance
Compliance
Security
Architecture
Network Security SA-08
Security
Architecture
Segmentation SA-09
Wireless Security SA-10
Shared Networks SA-11
P
R
Mobile Code SA-15
O
T
E
C
T
New Development / Acquisition RM-01
Release
Management
Facility Security
Unauthorized Persons Entry FS-05
Policy IS-03
Workspace IS-17
D
E
T Information
E Security
C
T
E
T Information
E Security
C
T
Encryption IS-18
Documentation OP-02
R
E
S
P Operations
Management
O
N
D
Capacity / Resource Planning OP-03
R
E
C
O Resiliency
V
E
R
Business Continuity Testing RS-04
*Based on the Cloud Security Alliance Cloud Controls Matrix (CCM) and NIST outline C
Critical Infrastructure Sectors (Key Control F
An Information Security
Management Program (ISMP) has
been developed, documented,
approved, and implemented that
includes administrative, technical,
and physical safeguards to protect
assets and data from loss, misuse,
unauthorized access, disclosure,
alteration, and destruction. The
security program should address, but
not be limited to, the following areas
insofar as they relate to the
characteristics of the business:
• Risk management
• Security policy
• Organization of information
security
• Asset management
• Human resources security
• Physical and environmental
security
• Communications and operations
management
• Access control
• Information systems acquisition,
development, and maintenance
Executive and line management
shall take formal action to support
information security through clear
documented direction, commitment,
explicit assignment and verification
of assignment execution
loud Controls Matrix (CCM) and NIST outline CSF (San Diego)
re Sectors (Key Control Failures by Sector and Breach Statistics)
Nuclear
Food and Healthcare Transporta Water and
Financial Government Information Reactors,
Energy
Services
Agricultur
Facilities
and Public
Technology Materials,
tion Wastewate COBIT 4.1
e Health Systems r Systems
and Waste
Electricity
PO 9.1
PO 9.4
PO 9.5
PO 9.6
DS 2.3
DS5.1
PO 2.3
PO 2.3
DS 11.6
PO 2.3
DS 11.6
DS 4.1
DS 4.2
DS 4.5
DS 4.9
DS 11.6
DS 11.4
DS 11.6
PO 9.1
PO 9.2
PO 9.4
DS 5.7
DS5.11
PO 7.6
DS 2.1
PO 7.8
ME 2.1
ME 2.2
PO 9.5
PO 9.6
DS5.5
ME2.5
ME 3.1
PO 9.6
ME 2.6
DS 2.1
DS 2.4
ME 3.1
ME 3.1
DS5.3
DS5.4
DS5.11
AI2.4
DS5.7
DS5.10
DS5.5
DS5.7
DS5.8
DS5.10
DS5.7
DS5.7
DS5.5
DS5.6
DS9.2
A12
A16.1
A16.1
A17.6
PO 8.1
DS5.7
DS 12.1
DS 12.4
DS 4.9
DS 12.3
DS 12.2
DS 12.3
DS 12.3
R2 DS5.2
R2 DS5.5
DS5.1
DS5.2
AI2.1
AI2.2
AI3.3
DS2.3
DS11.6
DS 5.2
DS 5.4
PO 7.7
DS 5.4
DS5.4
DS 5.4
DS5.3
DS5.4
PO 7.4
DS5.1
DS5.3
DS5.4
DS5.5
DS 5.4
PO 4.6
DS5.8
DS5.10
DS5.11
DS5.8
AI6.1
AI3.3
DS5.9
DS5.9
DS5.6
DS5.6
DS5.6
DS 4.9
DS 5.3
DS 5.10
5.11
DS 5.7
DS5.7
DS5.10
DS5.11
DS5.5
DS5.7
DS13.1
DS 9
DS 13.1
DS 3
A13.3
PO 9.1
PO 9.2
DS 4.2
NIST FedRAMP Security Controls
HIPAA / HITECH Act ISO/IEC 27001-2005 SP800-53 (Final Release, Jan 2012)
R3 --LOW IMPACT LEVEL--
45 CFR 164.308 (a)(8) Clause 4.2.1 c) through g) AC-4 NIST SP 800-53 R3 AC-1
45 CFR 164.308(a)(1)(ii)(B) Clause 4.2.2 b) CA-2 NIST SP 800-53 R3 AT-1
Clause 5.1 f) CA-6 NIST SP 800-53 R3 AU-1
Clause 7.2 & 7.3 PM-9 NIST SP 800-53 R3 CA-1
A.6.2.1 RA-1 NIST SP 800-53 R3 CA-6
A.12.6.1 NIST SP 800-53 R3 CA-7
A.14.1.2 NIST SP 800-53 R3 PL-1
A.15.2.1 NIST SP 800-53 R3 RA-1
A.15.2.2 NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
45 CFR 164.308 (a)(1)(ii)(A) Clause 4.2.1 c) through g) PL-5 NIST SP 800-53 R3 CM-1
Clause 4.2.3 d) RA-2 NIST SP 800-53 R3 RA-1
Clause 5.1 f) RA-3 NIST SP 800-53 R3 RA-2
Clause 7.2 & 7.3 NIST SP 800-53 R3 RA-3
A.6.2.1
A.12.5.2
A.12.6.1
A.14.1.2
A.15.1.1
A.15.2.1
A.15.2.2
45 CFR 164.308 (a)(1)(ii)(B) Clause 4.2.1 c) through g) CA-5 NIST SP 800-53 R3 CA-5
Clause 4.2.2 b) CM-4 NIST SP 800-53 R3 CP-1
Clause 4.3.1 NIST SP 800-53 R3 RA-1
Clause 5.1 f)
Clause 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.15.1.1
A.15.2.1
A.15.2.2
A.10.4.2 SC-18
A.12.2.2
A.6.1.4 CA-1 NIST SP 800-53 R3 CA-1
A.6.2.1 CM-1 NIST SP 800-53 R3 CM-1
A.12.1.1 CM-9 NIST SP 800-53 R3 PL-1
A.12.4.1 PL-1 NIST SP 800-53 R3 PL-2
A.12.4.2 PL-2 NIST SP 800-53 R3 SA-1
A.12.4.3 SA-1 NIST SP 800-53 R3 SA-3
A.12.5.5 SA-3 NIST SP 800-53 R3 SA-4
A.15.1.3 SA-4
A.15.1.4
NIST SP 800-53 R3 AC-1 12.1.2 A.1, L.1 L.2 1.2.4 CIP-009-3 S3.1
NIST SP 800-53 R3 AT-1 - R4
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7 x3.1.0
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 CM-1
S4.3.0
NIST SP 800-53 R3 CA-5 I.3, L.9, I.4 CIP-009-3 S3.1
NIST SP 800-53 R3 CP-1 L.10 L.2 - R1.2
NIST SP 800-53 R3 RA-1
x3.1.0
S3.8.0
NIST SP 800-53 R3 AC-1 9.5 D.2.2 G.13 1.1.2 Command CIP-003-3 S3.2.a
NIST SP 800-53 R3 AC-16 9.6 5.1.0 ment #8 - R4 - R4.1
NIST SP 800-53 R3 MP-1 9.7.1 7.1.2 Command
NIST SP 800-53 R3 MP-3 9.7.2 8.1.0 ment #9
NIST SP 800-53 R3 PE-16 9.10 8.2.5 Command
NIST SP 800-53 R3 SC-9 8.2.6 ment #10
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-12
NIST SP 800-53 R3 CP-2 3.1 D.2.2.9 5.1.0 Command CIP-003-3 A3.3.0
NIST SP 800-53 R3 CP-2 (1) 3.1.1 5.1.1 ment #11 - R4.1
NIST SP 800-53 R3 CP-2 (2) 3.2 5.2.2
NIST SP 800-53 R3 CP-6 9.9.1 8.2.6
NIST SP 800-53 R3 CP-6 (1) 9.5
NIST SP 800-53 R3 CP-6 (3) 9.6 A3.4.0
NIST SP 800-53 R3 CP-7 10.7
NIST SP 800-53 R3 CP-7 (1)
NIST SP 800-53 R3 CP-7 (2)
NIST SP 800-53 R3 CP-7 (3) I3.20.0
NIST SP 800-53 R3 CP-7 (5)
NIST SP 800-53 R3 CP-8
NIST SP 800-53 R3 CP-8 (1)
NIST SP 800-53 R3 CP-8 (2) I3.21.0
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-9 (1)
NIST SP 800-53 R3 CP-9 (3)
C3.21.0
NIST SP 800-53 R3 AC-2 1.2 I.2.18 7.2.1 Command C3.5.0
NIST SP 800-53 R3 AC-2 (1) 6.5.5 8.1.0 ment #4
NIST SP 800-53 R3 AC-2 (2) 11.1 8.1.1 Command
NIST SP 800-53 R3 AC-2 (3) 11.2 8.2.1 ment #5
NIST SP 800-53 R3 AC-2 (4) 11.3 8.2.2 Command S3.4.0
NIST SP 800-53 R3 AC-2 (7) 11.4 8.2.5 ment #6
NIST SP 800-53 R3 AC-3 A.1 8.2.6 Command
NIST SP 800-53 R3 AC-3 (3) ment #7
NIST SP 800-53 R3 AC-4 Command
NIST SP 800-53 R3 AC-6 ment #8
NIST SP 800-53 R3 AC-6 (1) Command
NIST SP 800-53 R3 AC-6 (2) ment #9
NIST SP 800-53 R3 AC-11 Command
NIST SP 800-53 R3 AC-11 ment #10
(1) Command
NIST SP 800-53 R3 SA-8 ment #11
NIST SP 800-53 R3 SC-28
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
S3.8.e
NIST SP 800-53 R3 AC-17 8.3 H.1.1, B.1 8.2.2 Command CIP-004-3 S3.2.b
NIST SP 800-53 R3 AC-17 G.9.13, ment #6 R3.1
(1) G.9.20, Command
NIST SP 800-53 R3 AC-17 G.9.21 ment #7
(2) Command
NIST SP 800-53 R3 AC-17 ment #8
(3)
NIST SP 800-53 R3 AC-17
(4)
NIST SP 800-53 R3 AC-17
(5)
NIST SP 800-53 R3 AC-17
(7)
NIST SP 800-53 R3 AC-17
(8)
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 AC-20
(1)
NIST SP 800-53 R3 AC-20
(2)
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-2 (2)
NIST SP 800-53 R3 IA-2 (3)
NIST SP 800-53 R3 IA-2 (8)
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 CM-7 1.1 G.9.17, G.2 8.2.5 Command CIP-004-3 S3.4
NIST SP 800-53 R3 CM-7 1.1.2 G.9.7, G.4 ment #1 R2.2.4
(1) 1.1.3 G.10, G.15 Command
NIST SP 800-53 R3 SC-7 1.1.5 G.9.11, G.16 ment #2
NIST SP 800-53 R3 SC-7 (1) 1.1.6 G.14.1, G.17 Command
NIST SP 800-53 R3 SC-7 (2) 1.2 G.15.1, G.18 ment #3
NIST SP 800-53 R3 SC-7 (3) 1.2.1 G.9.2, I.3 Command
NIST SP 800-53 R3 SC-7 (4) 2.2.2 G.9.3, ment #9
NIST SP 800-53 R3 SC-7 (5) 2.2.3 G.9.13 Command
NIST SP 800-53 R3 SC-7 (7) ment #10
NIST SP 800-53 R3 SC-7 (8) Command
NIST SP 800-53 R3 SC-7 ment #11
(12)
NIST SP 800-53 R3 SC-7
(13)
NIST SP 800-53 R3 SC-7
(18)
NIST SP 800-53 R3 AU-1 10.1 G.14.7, G.7 8.2.1 Command CIP-007-3 S3.7
NIST SP 800-53 R3 AU-2 10.2 G.14.8, G.8 8.2.2 ment #6 - R6.5
NIST SP 800-53 R3 AU-2 (3) 10.3 G.14.9, G.9 Command
NIST SP 800-53 R3 AU-2 (4) 10.5 G.14.10,G. J.1 ment #7
NIST SP 800-53 R3 AU-3 10.6 14.11, L.2 Command
NIST SP 800-53 R3 AU-3 (1) 10.7 G.14.12, ment #11
NIST SP 800-53 R3 AU-4 11.4 G.15.5,
NIST SP 800-53 R3 AU-5 12.5.2 G.15.7,
NIST SP 800-53 R3 AU-6 12.9.5 G.15.8,
NIST SP 800-53 R3 AU-6 (1) G.16.8,
NIST SP 800-53 R3 AU-6 (3) G.16.9,
NIST SP 800-53 R3 AU-7 G.16.10,
NIST SP 800-53 R3 AU-7 (1) G.15.9,
NIST SP 800-53 R3 AU-9 G.17.5,
NIST SP 800-53 R3 AU-11 G.17.7,
NIST SP 800-53 R3 AU-12 G.17.8,
NIST SP 800-53 R3 PE-2 G.17.6,
NIST SP 800-53 R3 PE-3 G.17.9,
NIST SP 800-53 R3 SI-4 G.18.2,
NIST SP 800-53 R3 SI-4 (2) G.18.3,
NIST SP 800-53 R3 SI-4 (4) G.18.5,
NIST SP 800-53 R3 SI-4 (5) G.18.6,
NIST SP 800-53 R3 SI-4 (6) G.19.2.6,
NIST SP 800-53 R3 SC-18 G.19.3.1,
G.9.6.2,
G.9.6.3,
G.9.6.4,
G.9.19,
H.2.16,
H.3.3, J.1,
J.2, L.5,
L.9, L.10
NIST SP 800-53 R3 PE-2 9.1 F.1.2.3, H.6 8.2.1 Command CIP-006- A3.6.0
NIST SP 800-53 R3 PE-3 F.1.2.4, 8.2.2 ment #1 3c R1.2 -
NIST SP 800-53 R3 PE-4 F.1.2.5, 8.2.3 Command R1.3 -
NIST SP 800-53 R3 PE-5 F.1.2.6, ment #2 R1.4 -R2 -
NIST SP 800-53 R3 PE-6 F.1.2.8, Command R2.2
NIST SP 800-53 R3 PE-6 (1) F.1.2. 9, ment #3
F.1.2.10, Command
F.1.2.11, ment #5
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24,
F.1.4.2,
F1.4.6,
F.1.4.7,
F.1.7,
F.1.8,
F.2.13,
F.2.14,
F.2.15,
F.2.16,
F.2.17,
F.2.18
NIST SP 800-53 R3 PE-2 9.1 F.1.2.3, F.2 8.2.3 Command CIP-006- A3.6.0
NIST SP 800-53 R3 PE-3 F.1.2.4, ment #1 3c R1.2 -
NIST SP 800-53 R3 PE-6 F.1.2.5, Command R1.3 -
NIST SP 800-53 R3 PE-6 (1) F.1.2.6, ment #2 R1.4 -
NIST SP 800-53 R3 PE-18 F.1.2.8, Command R1.6 -
F.1.2. 9, ment #3 R1.6.1 -
F.1.2.10, Command R2 - R2.2
F.1.2.11, ment #5
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24,
F.1.3,
F.1.4.2,
F1.4.6,
F.1.4.7,
F.1.6,
F.1.7,F.1.8
, F.2.13,
F.2.14,
F.2.15,
F.2.16,
F.2.17,
F.2.18
NIST SP 800-53 R3 PE-2 9.1 F.1.2.3, F.2 8.2.3 Command CIP-006- A3.6.0
NIST SP 800-53 R3 PE-3 9.1.1 F.1.2.4, ment #1 3c R1.2 -
NIST SP 800-53 R3 PE-6 9.1.2 F.1.2.5, Command R1.3 -
NIST SP 800-53 R3 PE-6 (1) 9.1.3 F.1.2.6, ment #2 R1.4 -
NIST SP 800-53 R3 PE-7 9.2 F.1.2.8, Command R1.6 -
NIST SP 800-53 R3 PE-7 (1) F.1.2. 9, ment #3 R1.6.1 -
NIST SP 800-53 R3 PE-8 F.1.2.10, Command R2 - R2.2
NIST SP 800-53 R3 PE-18 F.1.2.11, ment #5
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24,
F.1.3,
F.1.4.2,
F1.4.6,
F.1.4.7,
F.1.6,
F.1.7,F.1.8
, F.2.13,
F.2.14,
F.2.15,
F.2.16,
F.2.17,
F.2.18
NIST SP 800-53 R3 PE-7 F.1.2.3, F.2 8.2.3 Command CIP-006- A3.6.0
NIST SP 800-53 R3 PE-7 (1) F.1.2.4, ment #1 3c R1.2 -
NIST SP 800-53 R3 PE-16 F.1.2.5, Command R1.3 -
NIST SP 800-53 R3 PE-18 F.1.2.6, ment #2 R1.4
F.1.2.8, Command
F.1.2. 9, ment #3
F.1.2.10, Command
F.1.2.11, ment #5
F.1.2.12,
F.1.2.13,
F.1.2.14,
F.1.2.15,
F.1.2.24,
F.1.3,
F.1.4.2,
F1.4.6,
F.1.4.7,
F.1.6,
F.1.7,F.1.8
, F.2.13,
F.2.14,
F.2.15,
F.2.16,
F.2.17,
F.2.18
S1.2.b-c
NIST SP 800-53 R3 CM-2 1.1 L.2, L.5, L.2 1.2.6 Command S1.1.0
NIST SP 800-53 R3 CM-2 1.1.1 L.7 L.8, 8.2.1 ment #2
(1) 1.1.2 L.9, L.10 8.2.7 Command
NIST SP 800-53 R3 CM-2 1.1.3 ment #4
(3) 1.1.4 Command S1.2.0(a-i)
NIST SP 800-53 R3 CM-2 1.1.5 ment #5
(5) 1.1.6 Command
NIST SP 800-53 R3 SA-2 2.2 ment #11
NIST SP 800-53 R3 SA-4 2.2.1
NIST SP 800-53 R3 SA-4 (1) 2.2.2
NIST SP 800-53 R3 SA-4 (4) 2.2.3
NIST SP 800-53 R3 SA-4 (7) 2.2.4
NIST SP 800-53 R3 AC-1 12.1.3 B.1.33. B.2 1.2.1 Command CIP-003-3 S1.1.0
NIST SP 800-53 R3 AT-1 B.1.34, 8.2.7 ment #1 - R3.2 -
NIST SP 800-53 R3 AU-1 10.2.3 Command R3.3 -
NIST SP 800-53 R3 CA-1 ment #2 R1.3
NIST SP 800-53 R3 CM-1 Command R3 - R3.1 -
NIST SP 800-53 R3 CP-1 ment #3 R3.2 -
NIST SP 800-53 R3 IA-1 R3.3
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 AC-1 3.5.1 B.1.8, B.1 8.1.0 Command CIP-007-3 S3.2.0
NIST SP 800-53 R3 IA-1 8.5.1 B.1.21, ment #6 - R5.1 -
12.5.4 B.1.28, Command R5.1.2
E.6.2, ment #7
H.1.1, Command
K.1.4.5, ment #8
NIST SP 800-53 R3 AC-3 7.1 H.2.4, 8.2.2 Command CIP-003-3 S3.2.0
NIST SP 800-53 R3 AC-3 (3) 7.1.1 H.2.5, ment #6 - R5.1.1 -
NIST SP 800-53 R3 AC-5 7.1.2 Command R5.3
NIST SP 800-53 R3 AC-6 7.1.3 ment #7 CIP-004-3
NIST SP 800-53 R3 AC-6 (1) 7.2.1 Command R2.3
NIST SP 800-53 R3 AC-6 (2) 7.2.2 ment #8 CIP-007-3
NIST SP 800-53 R3 IA-2 8.5.1 Command R5.1 -
NIST SP 800-53 R3 IA-2 (1) 12.5.4 ment #9 R5.1.2
NIST SP 800-53 R3 IA-2 (2) Command
NIST SP 800-53 R3 IA-2 (3) ment #10
NIST SP 800-53 R3 IA-2 (8)
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-4 (4)
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-9
NIST SP 800-53 R3 AC-2 8.5.4 E.6.2, H.2 8.2.1 Command CIP-004-3 S3.2.0
NIST SP 800-53 R3 AC-2 (1) 8.5.5 E.6.3 ment #6 R2.2.3
NIST SP 800-53 R3 AC-2 (2) Command CIP-007-3
NIST SP 800-53 R3 AC-2 (3) ment #7 - R5.1.3
NIST SP 800-53 R3 AC-2 (4) Command -R5.2.1 -
NIST SP 800-53 R3 AC-2 (7) ment #8 R5.2.3
NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5
NIST SP 800-53 R3 AC-2 H.2.6, 8.2.1 Command CIP-004-3 S3.2.0
NIST SP 800-53 R3 AC-2 (1) H.2.7, 8.2.7 ment #6 R2.2.2
NIST SP 800-53 R3 AC-2 (2) H.2.9, Command CIP-007-3
NIST SP 800-53 R3 AC-2 (3) ment #7 - R5 -
NIST SP 800-53 R3 AC-2 (4) Command R.1.3
NIST SP 800-53 R3 AC-2 (7) ment #8
NIST SP 800-53 R3 AU-6 Command
NIST SP 800-53 R3 AU-6 (1) ment #10
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 AT-1 12.6 E.4 E.1 1.2.10 Command CIP-004-3 S1.2.k
NIST SP 800-53 R3 AT-2 12.6.1 8.2.1 ment #3 - R1 - R2 -
NIST SP 800-53 R3 AT-3 12.6.2 Command R2.1
NIST SP 800-53 R3 AT-4 ment #6
S2.2.0
NIST SP 800-53 R3 IR-1 12.9 J.1.1, J.1.2 J.1 1.2.4 Command CIP-007-3 IS3.7.0
NIST SP 800-53 R3 IR-2 12.9.1 1.2.7 ment #2 - R6.1
NIST SP 800-53 R3 IR-3 12.9.2 7.1.2 Command CIP-008-3
NIST SP 800-53 R3 IR-4 12.9.3 7.2.2 ment #6 - R1
NIST SP 800-53 R3 IR-4 (1) 12.9.4 7.2.4 Command
NIST SP 800-53 R3 IR-5 12.9.5 10.2.1 ment #8
NIST SP 800-53 R3 IR-7 12.9.6 10.2.4 S3.9.0
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 IR-8
NIST SP 800-53 R3 IR-2 12.5.2 J.1.1, E.4 J.1 1.2.7 Command CIP-003-3 A2.3.0
NIST SP 800-53 R3 IR-6 12.5.3 E.1 1.2.10 ment #2 - R4.1 C2.3.0
NIST SP 800-53 R3 IR-6 (1) 7.1.2 Command CIP-004-3 I2.3.0
NIST SP 800-53 R3 IR-7 7.2.2 ment #6 R3.3 S2.3.0
NIST SP 800-53 R3 IR-7 (1) 7.2.4 Command
NIST SP 800-53 R3 IR-7 (2) 10.2.4 ment #8
NIST SP 800-53 R3 SI-4 S2.4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6) C3.6.0
NIST SP 800-53 R3 SI-5
I3.4.0
A3.4.0
NIST SP 800-53 R3 CP-1 K.2 Command CIP-007-3 A3.1.0
NIST SP 800-53 R3 CP-2 ment #1 - R8 - R8.1
NIST SP 800-53 R3 RA-3 Command - R8.2 -
ment #2 R8.3
Command
ment #3 A3.3.0
A3.4.0