CSF 1.1 To 2.0 Core Transition Changes

This document provides an overview of the changes in Categories and Subcategories during the transition from NIST Cybersecurity Framework (CSF) version 1.1 to 2.0. It serves as a guide for converting CSF 1.1 content to the new CSF 2.0 structure, detailing modifications, relocations, and new identifiers. Users are encouraged to report any errors or issues to the provided contact email.

CSF 1.1 to 2.0 Core Transition Changes Overview

This spreadsheet provides information regarding the transition of individual Categories and Subcategories from NIST CSF version 1.1 to version 2.0 and is a supplement to the PDF available at: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final. This spreadsheet is intended as an aid to anyone who is converting a CSF 1.1 Profile, mapping, or other CSF 1.1 Core-structured content to use the CSF 2.0 Core structure.

Please report any errors or issues to [email protected].

This tab includes an explanation of the contents of each column from the second tab of the spreadsheet. The second tab provides a detailed analysis of the changes in each Category and Subcategory from CSF version 1.1 to version 2.0.

Note that Subcategory identifiers in version 2.0 use leading zeros (e.g., ID.AM-01 instead of ID.AM-1) to facilitate text sorting by identifier. The change analysis in the second tab does not note the addition of leading zeros to identifiers.

CSF 1.1 columns:

CSF 1.1 Identifier: The identifier of the CSF 1.1 Category or Subcategory
CSF 1.1 Description: The text description for the CSF 1.1 Category or Subcategory
CSF 1.1 SORT-ID: An identifier that can be used to sort the spreadsheet contents to be in the same order that the Categories and Subcategories are defined in the CSF 1.1 publication

Transition columns:

Relocation: Possible values: Y, N, or N/A

  Y indicates that the CSF 1.1 Category or Subcategory (element) has had part or all of its meaning relocated to other places in CSF 2.0. There are two types of relocations:
  1. Moved to: The CSF 1.1 element's wording is present in CSF 2.0 with minor changes or no changes, but its identifier in CSF 2.0 is different (unrelated to adding a leading zero).
  2. Incorporated into: The CSF 1.1 element's content has been merged into one or more CSF 2.0 elements without preserving the original element's full wording.

  A single CSF 1.1 element could have multiple relocations within CSF 2.0, for example, incorporating a small part of its meaning into a different CSF 2.0 element, while moving the rest of its meaning and existing wording into a separate CSF 2.0 element. In some cases, a single CSF 1.1 element is incorporated into several CSF 2.0 elements.

  N indicates that the CSF 1.1 element has not been relocated in CSF 2.0 and can be found at the same identifier. However, the element might or might not have significant changes to its wording.

  N/A indicates that there is no CSF 1.1 element in this row.

Noteworthy Modifications: A description of any noteworthy modifications to the wording of the Category or Subcategory (element) from 1.1 to 2.0. The following is a list of keywords used for the modifications, each comparing a single CSF 1.1 element to a CSF 2.0 counterpart:

  Added: Expanded the scope for CSF 2.0
  Removed: Reduced the scope for CSF 2.0
  Changed: Replaced some CSF 1.1 wording with different CSF 2.0 wording
  Clarified: Shortened and/or simplified the CSF 1.1 wording
  Centralized: Merged the meaning of multiple CSF 1.1 elements within a single CSF 2.0 element
  None: No noteworthy modifications; minor editorial changes that did not change the meaning might have been made
  N/A: There is no CSF 1.1 element in this row

CSF 2.0 columns:

CSF 2.0 Identifier: The identifier of the CSF 2.0 Category or Subcategory
CSF 2.0 Description: The text description for the CSF 2.0 Category or Subcategory
New in CSF 2.0: Y or N. Y indicates that the topics covered by this Category or Subcategory are not clearly present in any CSF 1.1 Categories or Subcategories.
CSF 2.0 SORT-ID: An identifier that can be used to sort the spreadsheet contents to be in the same order that the Categories and Subcategories are defined in the CSF 2.0 publication
Implementation Examples: The implementation examples released by NIST for each CSF 2.0 Subcategory
Type of Change:
No significant change
Significant Change
Minor Change
New Requirement
Withdrawn Requirement
New Organization-defined Parameter (ODP)

Tailoring Symbol:
NCO
NFO
FED
CUI
ORC
NA

Moderate Baseline Security Controls
CSF 1.1 Identifier | CSF 1.1 Description | CSF 1.1 SORT-ID | Relocation
ID.GV | The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | v11-015 | Y (moved to)
ID.BE | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | v11-009 | Y (moved to)
ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | v11-011 | Y (incorporated into)
ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | v11-012 | Y (incorporated into)
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | v11-017 | Y (incorporated into)
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | v11-033 | Y (incorporated into)
ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | v11-018 | Y (moved to)
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | v11-013 | Y (incorporated into)
ID.BE-5 | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | v11-014 | Y (incorporated into)
ID.BE-1 | The organization’s role in the supply chain is identified and communicated | v11-010 | Y (incorporated into)
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | v11-013 | Y (incorporated into)
ID.RM | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | v11-027 | Y (moved to)
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | v11-028 | Y (moved to)
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | v11-029 | Y (moved to)
ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | v11-030 | Y (incorporated into)
ID.GV-4 | Governance and risk management processes address cybersecurity risks | v11-019 | Y (moved to)
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | v11-029 | Y (incorporated into)
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | v11-032 | Y (incorporated into)
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | v11-028 | Y (incorporated into)
 | | v11-137 | N/A
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | v11-017 | Y (incorporated into)
 | | v11-138 | N/A
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | v11-008 | Y (incorporated into)
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | v11-017 | Y (incorporated into)
DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | v11-100 | Y (incorporated into)
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | v11-028 | Y (incorporated into)
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | v11-072 | Y (moved to)
ID.GV-1 | Organizational cybersecurity policy is established and communicated | v11-016 | Y (moved to)
ID.GV-1 | Organizational cybersecurity policy is established and communicated | v11-016 | Y (incorporated into)
ID.GV-1 | Organizational cybersecurity policy is established and communicated | v11-016 | Y (incorporated into)
PR.IP | Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets | v11-061 | Y (incorporated into)
 | | v11-139 | N/A
 | | v11-140 | N/A
 | | v11-141 | N/A
 | | v11-142 | N/A
ID.SC | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | v11-031 | Y (moved to)
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | v11-032 | Y (moved to)
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | v11-008 | Y (incorporated into)
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | v11-033 | Y (incorporated into)
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | v11-033 | Y (moved to)
ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | v11-034 | Y (moved to)
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | v11-032 | Y (incorporated into)
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | v11-033 | Y (incorporated into)
ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | v11-035 | Y (moved to)
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers | v11-036 | Y (moved to)
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | v11-032 | Y (incorporated into)
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | v11-032 | Y (incorporated into)
ID | Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities | v11-001 | N
ID.AM | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy | v11-002 | N
ID.AM-1 | Physical devices and systems within the organization are inventoried | v11-003 | N
ID.AM-2 | Software platforms and applications within the organization are inventoried | v11-004 | N
ID.AM-3 | Organizational communication and data flows are mapped | v11-005 | N
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | v11-085 | Y (moved to)
ID.AM-4 | External information systems are catalogued | v11-006 | N
ID.AM-5 | Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | v11-007 | N
ID.AM-3 | Organizational communication and data flows are mapped | v11-005 | Y (incorporated into)
PR.DS | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information | v11-052 | Y (incorporated into)
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | v11-055 | Y (incorporated into)
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | v11-063 | Y (moved to)
PR.IP-6 | Data is destroyed according to policy | v11-067 | Y (incorporated into)
PR.MA | Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures | v11-074 | Y (incorporated into)
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | v11-075 | Y (incorporated into)
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | v11-076 | Y (incorporated into)
ID.RA | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals | v11-020 | N
ID.RA-1 | Asset vulnerabilities are identified and documented | v11-021 | N
PR.IP-12 | A vulnerability management plan is developed and implemented | v11-073 | Y (incorporated into)
DE.CM-8 | Vulnerability scans are performed | v11-098 | Y (incorporated into)
ID.RA-2 | Cyber threat intelligence is received from information sharing forums and sources | v11-022 | N
ID.RA-3 | Threats, both internal and external, are identified and documented | v11-023 | N
ID.RA-4 | Potential business impacts and likelihoods are identified | v11-024 | N
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | v11-025 | N
ID.RA-6 | Risk responses are identified and prioritized | v11-026 | N
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | v11-123 | Y (incorporated into)
PR.IP-3 | Configuration change control processes are in place | v11-064 | Y (moved to)
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | v11-119 | Y (moved to)
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity | v11-060 | Y (incorporated into)
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | v11-033 | Y (incorporated into)
ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | v11-035 | Y (moved to)
PR.IP-7 | Protection processes are improved | v11-068 | Y (incorporated into)
DE.DP-5 | Detection processes are continuously improved | v11-104 | Y (incorporated into)
RC.IM | Recovery planning and processes are improved by incorporating lessons learned into future activities | v11-130 | Y (incorporated into)
 | | v11-143 | N/A
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers | v11-036 | Y (incorporated into)
PR.IP-10 | Response and recovery plans are tested | v11-071 | Y (moved to)
DE.DP | Detection processes and procedures are maintained and tested to ensure awareness of anomalous events | v11-099 | Y (incorporated into)
DE.DP-3 | Detection processes are tested | v11-102 | Y (incorporated into)
PR.IP | Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets | v11-061 | Y (incorporated into)
PR.IP-7 | Protection processes are improved | v11-068 | Y (incorporated into)
PR.IP-8 | Effectiveness of protection technologies is shared | v11-069 | Y (incorporated into)
DE.DP-5 | Detection processes are continuously improved | v11-104 | Y (incorporated into)
RS.IM | Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities | v11-124 | Y (incorporated into)
RS.IM-1 | Response plans incorporate lessons learned | v11-125 | Y (incorporated into)
RS.IM-2 | Response strategies are updated | v11-126 | Y (incorporated into)
RC.IM-1 | Recovery plans incorporate lessons learned | v11-131 | Y (incorporated into)
RC.IM-2 | Recovery strategies are updated | v11-132 | Y (incorporated into)
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | v11-070 | Y (moved to)
PR.IP-10 | Response and recovery plans are tested | v11-071 | Y (incorporated into)
RS.IM-1 | Response plans incorporate lessons learned | v11-125 | Y (incorporated into)
RC.IM-1 | Recovery plans incorporate lessons learned | v11-131 | Y (incorporated into)
PR | Develop and implement appropriate safeguards to ensure delivery of critical services | v11-037 | N
PR.AC | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | v11-038 | Y (moved to)
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | v11-039 | Y (moved to)
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions | v11-044 | Y (moved to)
PR.AC-3 | Remote access is managed | v11-041 | Y (incorporated into)
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | v11-045 | Y (moved to)
 | | v11-144 | N/A
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | v11-039 | Y (incorporated into)
PR.AC-3 | Remote access is managed | v11-041 | Y (incorporated into)
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | v11-042 | Y (moved to)
PR.AC-2 | Physical access to assets is managed and protected | v11-040 | Y (moved to)
PR.PT-4 | Communications and control networks are protected | v11-081 | Y (incorporated into)
PR.AT | The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements | v11-046 | N
PR.AT-1 | All users are informed and trained | v11-047 | N
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | v11-049 | Y (incorporated into)
RS.CO-1 | Personnel know their roles and order of operations when a response is needed | v11-109 | Y (incorporated into)
PR.AT-2 | Privileged users understand their roles and responsibilities | v11-048 | N
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | v11-049 | Y (incorporated into)
PR.AT-4 | Senior executives understand their roles and responsibilities | v11-050 | Y (incorporated into)
PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities | v11-051 | Y (incorporated into)
PR.DS | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information | v11-052 | N
PR.DS-1 | Data-at-rest is protected | v11-053 | N
PR.DS-5 | Protections against data leaks are implemented | v11-057 | Y (incorporated into)
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | v11-058 | Y (incorporated into)
PR.PT-2 | Removable media is protected and its use restricted according to policy | v11-079 | Y (incorporated into)
PR.DS-2 | Data-in-transit is protected | v11-054 | N
PR.DS-5 | Protections against data leaks are implemented | v11-057 | Y (incorporated into)
PR.DS-5 | Protections against data leaks are implemented | v11-057 | Y (incorporated into)
PR.IP-4 | Backups of information are conducted, maintained, and tested | v11-065 | Y (moved to)
PR.IP | Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets | v11-061 | Y (incorporated into)
PR.MA | Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures | v11-074 | Y (incorporated into)
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | v11-062 | Y (incorporated into)
PR.IP-3 | Configuration change control processes are in place | v11-064 | Y (moved to)
PR.PT-2 | Removable media is protected and its use restricted according to policy | v11-079 | Y (incorporated into)
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | v11-080 | Y (incorporated into)
PR.IP-12 | A vulnerability management plan is developed and implemented | v11-073 | Y (incorporated into)
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | v11-076 | Y (incorporated into)
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | v11-055 | Y (incorporated into)
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | v11-075 | Y (incorporated into)
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | v11-078 | Y (moved to)
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | v11-097 | Y (incorporated into)
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | v11-063 | Y (incorporated into)
PR.IP | Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets | v11-061 | Y (incorporated into)
PR.PT | Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements | v11-077 | Y (incorporated into)
PR.AC-3 | Remote access is managed | v11-041 | Y (incorporated into)
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) | v11-043 | Y (moved to)
PR.DS-7 | The development and testing environment(s) are separate from the production environment | v11-059 | Y (incorporated into)
PR.PT-4 | Communications and control networks are protected | v11-081 | Y (moved to)
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | v11-066 | Y (incorporated into)
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | v11-082 | Y (moved to)
PR.DS-4 | Adequate capacity to ensure availability is maintained | v11-056 | Y (moved to)
DE | Develop and implement appropriate activities to identify the occurrence of a cybersecurity event | v11-083 | N
DE.CM | The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures | v11-090 | N
DE.CM-1 | The network is monitored to detect potential cybersecurity events | v11-091 | N
DE.CM-4 | Malicious code is detected | v11-094 | Y (incorporated into)
DE.CM-5 | Unauthorized mobile code is detected | v11-095 | Y (incorporated into)
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | v11-097 | Y (incorporated into)
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | v11-092 | N
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | v11-093 | N
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | v11-097 | Y (incorporated into)
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | v11-096 | N
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | v11-097 | Y (incorporated into)
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | v11-058 | Y (incorporated into)
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity | v11-060 | Y (incorporated into)
DE.CM-4 | Malicious code is detected | v11-094 | Y (incorporated into)
DE.CM-5 | Unauthorized mobile code is detected | v11-095 | Y (incorporated into)
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | v11-097 | Y (incorporated into)
DE.AE | Anomalous activity is detected and the potential impact of events is understood. | v11-084 | N
DE.DP-2 | Detection activities comply with all applicable requirements | v11-101 | Y (incorporated into)
DE.AE-2 | Detected events are analyzed to understand attack targets and methods | v11-086 | N
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors | v11-087 | N
DE.AE-4 | Impact of events is determined | v11-088 | N
DE.DP-4 | Event detection information is communicated | v11-103 | Y (incorporated into)
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors | v11-087 | Y (incorporated into)
DE.AE-5 | Incident alert thresholds are established | v11-089 | Y (moved to)
RS | Develop and implement appropriate activities to take action regarding a detected cybersecurity incident | v11-105 | N
RS.RP | Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. | v11-106 | Y (incorporated into)
RS.RP-1 | Response plan is executed during or after an incident | v11-107 | Y (moved to)
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | v11-112 | Y (incorporated into)
RS.AN-1 | Notifications from detection systems are investigated | v11-115 | Y (incorporated into)
RS.AN-2 | The impact of the incident is understood | v11-116 | Y (incorporated into)
RS.AN-2 | The impact of the incident is understood | v11-116 | Y (incorporated into)
RS.AN-4 | Incidents are categorized consistent with response plans | v11-118 | Y (moved to)
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | v11-112 | Y (incorporated into)
RS.AN-2 | The impact of the incident is understood | v11-116 | Y (incorporated into)
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident | v11-129 | Y (incorporated into)
RS.AN | Analysis is conducted to ensure effective response and support recovery activities | v11-114 | N
RS.AN-3 | Forensics are performed | v11-117 | N
RS.AN-3 | Forensics are performed | v11-117 | Y (incorporated into)
 | | v11-145 | N/A
RS.AN-2 | The impact of the incident is understood | v11-116 | Y (incorporated into)
RS.CO | Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies) | v11-108 | N
RS.CO-2 | Incidents are reported consistent with established criteria | v11-110 | N
RS.CO-3 | Information is shared consistent with response plans | v11-111 | Y (incorporated into)
RS.CO-3 | Information is shared consistent with response plans | v11-111 | N
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | v11-113 | Y (incorporated into)
RS.MI | Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident | v11-120 | N
RS.MI-1 | Incidents are contained | v11-121 | N
RS.MI-2 | Incidents are mitigated | v11-122 | N
RC | Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident | v11-127 | N
RC.RP | Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents | v11-128 | N
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident | v11-129 | N
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident | v11-129 | Y (incorporated into)
PR.IP-4 | Backups of information are conducted, maintained, and tested | v11-065 | Y (incorporated into)
 | | v11-146 | N/A
 | | v11-147 | N/A
 | | v11-148 | N/A
RC.CO | Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors | v11-133 | N
RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | v11-136 | N
RS.CO-2 | Incidents are reported consistent with established criteria | v11-110 | Y (incorporated into)
RC.CO-1 | Public relations are managed | v11-134 | Y (incorporated into)
RC.CO-2 | Reputation is repaired after an incident | v11-135 | Y (incorporated into)
Noteworthy Modifications | CSF 2.0 Identifier | CSF 2.0 Description | New in CSF 2.0 | CSF 2.0 SORT-ID
Removed "procedures" and "processes"; added "strategy" and "expectations"; added "communicated" and "monitored" | GV | The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored | N | v20-001
Changed "stakeholders" to "stakeholder expectations"; removed "objectives" and "activities"; added "dependencies" and "legal, regulatory, and contractual requirements"; removed "prioritized" | GV.OC | The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood | N | v20-002
Clarified the original wording | GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | N | v20-003
Clarified the original wording | GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | N | v20-003
Changed scope to include all stakeholder needs and expectations for cybersecurity, not just roles and responsibilities | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | N | v20-004
Changed scope to be specific to identification of certain external stakeholders | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | N | v20-004
Added contractual requirements | GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | N | v20-005
Changed scope to be specific to what stakeholders depend on | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | N | v20-006
Added delivery of critical objectives and capabilities | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | N | v20-006
Clarified the original wording | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | N | v20-007
Changed scope to be specific to what the organization itself depends on | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | N | v20-007
Added "risk…appetite statement"; added "communicated" | GV.RM | The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | N | v20-008
Changed "processes" to "objectives"; removed "managed" | GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | N | v20-009
Added "risk appetite"; added "maintained" | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | N | v20-010
Removed "role in critical infrastructure and sector specific risk analysis"; added "risk appetite"; changed "informed" to "established, communicated, and maintained" | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | N | v20-010
Removed "governance"; clarified the original wording | GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | N | v20-011
Changed scope to be specific to risk tolerance as expressed through risk response strategy | GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | N | v20-012
Changed scope to specifically mention communication of cybersecurity supply chain risks | GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | N | v20-013
Changed scope to be specific to how cybersecurity risks are calculated, documented, categorized, and prioritized | GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | N | v20-014
N/A | GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | Y | v20-015
Changed "aligned" to "communicated"; added "authorities"; added "foster accountability, performance assessment, and continuous improvement" | GV.RR | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | N | v20-016
N/A | GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | Y | v20-017
Added "authorities"; added "communicated, understood, and enforced"; removed third parties from scope | GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | N | v20-018
Added "authorities"; changed "coordinated and aligned" to "established, communicated, understood, and enforced" | GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | N | v20-018
Centralized all role and responsibility items in GV.RR | GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | N | v20-018
Changed scope to be specific to allocating adequate resources for risk management processes | GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | N | v20-019
Removed examples from description | GV.RR-04 | Cybersecurity is included in human resources practices | N | v20-020
Added "enforced" | GV.PO | Organizational cybersecurity policy is established, communicated, and enforced | N | v20-021
Added details on establishing policy; added "enforced" | GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | N | v20-022
Added maintenance of policy; added policy enforcement | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | N | v20-023
Changed the scope to only include policy maintenance | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | N | v20-023
N/A | GV.OV | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy | Y | v20-024
N/A | GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | Y | v20-025
N/A | GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | Y | v20-026
N/A | GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | Y | v20-027
Clarified the wording by simplifying it; added "identified, managed, monitored, and improved" processes | GV.SC | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | N | v20-028
Added "program, strategy, objectives, policies" to "processes"; removed "identified," "assessed," and "managed" | GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | N | v20-029
Removed workforce from scope; added "communicated" and "coordinated" | GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | N | v20-030
Changed scope to be specific to integrating cyber supply chain risk management into cybersecurity risk management | GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | N | v20-031
Changed the scope to only identifying and prioritizing suppliers | GV.SC-04 | Suppliers are known and prioritized by criticality | N | v20-032
Clarified the original wording | GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | N | v20-033
Changed scope to be specific to addressing risks before entering into an agreement | GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | N | v20-034
Changed the scope to only understanding supplier-related risk throughout the supplier life cycle | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | N | v20-035
Changed the focus from suppliers and partners to the risks they and their products and services pose; changed "assessed" to "understood, recorded, prioritized, assessed, responded to, and monitored" | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | N | v20-035
Removed the testing component of ID.SC-5 (moved to ID.IM-02) | GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | N | v20-036
Changed scope to be specific to integrating cyber supply chain risk management into cybersecurity and enterprise risk management programs | GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | N | v20-037
Changed scope to be specific to risk management plans addressing post-agreement processes | GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | N | v20-038
Clarified the original wording | ID | The organization’s current cybersecurity risks are understood | N | v20-039
Added "data" and "services" as types of assets | ID.AM | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy | N | v20-040
Changed "within the organization" to "managed by the organization"; changed "physical devices and systems" to "hardware" | ID.AM-01 | Inventories of hardware managed by the organization are maintained | N | v20-041
Added "services" and "systems"; changed "within the organization" to "managed by the organization" | ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | N | v20-042
Clarified the original wording; added "authorized" and "maintained" | ID.AM-03 | Representations of the organization’s authorized network communication and internal and external network data flows are maintained | N | v20-043
Clarified the original wording | ID.AM-03 | Representations of the organization’s authorized network communication and internal and external network data flows are maintained | N | v20-043
Clarified the original wording; changed from "systems" to "services" | ID.AM-04 | Inventories of services provided by suppliers are maintained | N | v20-044
Changed "resources" to "assets", which includes all asset types as specified in ID.AM; added "resources" and "impact on the mission"; removed "business value" | ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | N | v20-045
Removed data flow mapping from scope; added explicit mention of data and metadata inventories | ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained | N | v20-046
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Changed the scope to include the entire life cycle; changed "assets" to "systems, hardware, software, services, and data"; removed "formally" | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Clarified original wording; changed "cybersecurity risk to organizational operations" to "cybersecurity risk to the organization" | ID.RA | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | N | v20-048
Added "validated"; changed "documented" to "recorded" | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | N | v20-049
Centralized all vulnerability management items in ID.RA | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | N | v20-049
Centralized all vulnerability management items in ID.RA | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | N | v20-049
None | ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources | N | v20-050
Changed "documented" to "recorded" | ID.RA-03 | Internal and external threats to the organization are identified and recorded | N | v20-051
Added "recorded"; clarified the original wording | ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | N | v20-052
Changed "determine risk" to "understand inherent risk"; added "inform risk response prioritization" | ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | N | v20-053
Added "planned, tracked, and communicated"; changed "identified" to "chosen" | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | N | v20-054
Changed scope from two forms of risk responses (mitigating or accepting) to all forms; changed scope to include the full risk response life cycle | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | N | v20-054
Changed the scope to change management | ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | N | v20-055
Removed examples from the description; clarified the original wording by simplifying it | ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | N | v20-056
Added software integrity; added authenticity checking | ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | N | v20-057
Changed the scope to only assessing critical suppliers before acquisition | ID.RA-10 | Critical suppliers are assessed prior to acquisition | N | v20-058
Changed the scope to only include performing assessments before certain acquisitions | ID.RA-10 | Critical suppliers are assessed prior to acquisition | N | v20-058
Centralized all improvement items in ID.IM | ID.IM | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | N | v20-059
Centralized all improvement items in ID.IM | ID.IM | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | N | v20-059
Centralized all improvement items in ID.IM | ID.IM | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions | N | v20-059
N/A | ID.IM-01 | Improvements are identified from evaluations | Y | v20-060
Centralized improvement through testing items in ID.IM-02 | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | N | v20-061
Centralized all improvement items in ID.IM | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | N | v20-061
Centralized all improvement items in ID.IM | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | N | v20-061
Centralized all improvement items in ID.IM | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | N | v20-061
Changed the scope to only include process and procedure maintenance | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Changed list of plans to be broader; changed "plans…are in place and managed" to "plans…are established, communicated, maintained, and improved" | ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | N | v20-063
Centralized all improvement items in ID.IM | ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | N | v20-063
Centralized all improvement items in ID.IM | ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | N | v20-063
Centralized all improvement items in ID.IM | ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | N | v20-063
Clarified original wording; changed scope from "ensure delivery of critical services" to all service delivery; changed "develop and implement" to "used" | PR | Safeguards to manage the organization’s cybersecurity risks are used | N | v20-064
Removed "associated facilities" (redundant: type of physical asset); changed "users, processes, and devices" to "users, services, and hardware" | PR.AA | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access | N | v20-065
Changed "issued, managed, verified, revoked, and audited" to "managed" (managed includes the others); changed "devices, users and processes" to "users, services, and hardware" | PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization | N | v20-066
Removed "and asserted in"; added "based on the context of" | PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | N | v20-067
Clarified original wording; changed the scope to only include the authentication component of remote access management | PR.AA-03 | Users, services, and hardware are authenticated | N | v20-068
Removed examples from description; changed "Users, devices, and other assets" to "Users, services, and hardware"; removed "commensurate with the risk of the transaction" (unnecessarily specific) | PR.AA-03 | Users, services, and hardware are authenticated | N | v20-068
N/A | PR.AA-04 | Identity assertions are protected, conveyed, and verified | Y | v20-069
Changed the scope to only include authorization and access control considerations for identities and credentials; added "incorporate the principles of least privilege and separation of duties" | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | N | v20-070
Changed the scope to only include the authorization component of remote access management | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | N | v20-070
Added "entitlements"; added "defined in a policy" and "enforced, and reviewed" | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | N | v20-070
Changed "protected" to "monitored, and enforced commensurate with risk" | PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk | N | v20-071
Changed scope to be specific to physical access control (excluding logical access control) | PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk | N | v20-071
Removed third parties from the scope; clarified the original wording by simplifying it | PR.AT | The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks | N | v20-072
Changed scope from "users" to "personnel"; added the desired outcome | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | N | v20-073
Centralized all training and awareness items in PR.AT-01 and PR.AT-02 | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | N | v20-073
Centralized all training and awareness items in PR.AT | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | N | v20-073
Changed scope from "privileged users" to the broader "individuals in specialized roles"; added the desired outcome | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | N | v20-074
Centralized all training and awareness items in PR.AT-01 and PR.AT-02 | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | N | v20-074
Centralized all training and awareness items in PR.AT-01 and PR.AT-02 | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | N | v20-074
Centralized all training and awareness items in PR.AT-01 and PR.AT-02 | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | N | v20-074
Clarified the original wording by simplifying it | PR.DS | Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information | N | v20-075
Added "confidentiality, integrity, and availability" | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Centralized all data-at-rest protection items in PR.DS-01 | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Centralized all data-at-rest protection items in PR.DS-01; removed "integrity checking mechanisms" (redundant) | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Centralized all data-at-rest protection items in PR.DS-01 | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Added "confidentiality, integrity, and availability" | PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected | N | v20-077
Centralized all data-in-transit protection items in PR.DS-02 | PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected | N | v20-077
Centralized all data-in-use protection items in PR.DS-10 | PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected | N | v20-078
Added "protected" | PR.DS-11 | Backups of data are created, protected, maintained, and tested | N | v20-079
Changed the scope to only include using policies, processes, and procedures to protect physical and virtual platforms | PR.PS | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability | N | v20-080
Centralized maintenance items in PR.PS; removed "industrial control and information system components" to broaden to all computing technologies | PR.PS | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability | N | v20-080
Changed the wording to generalize and broaden its scope | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Changed the scope to configuration management | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Centralized all configuration items in PR.PS-01 | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Centralized all configuration items in PR.PS-01 | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Centralized software maintenance items in PR.PS-02 | PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk | N | v20-082
Centralized software maintenance items in PR.PS-02 | PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk | N | v20-082
Changed scope from assets to hardware | PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | N | v20-083
Centralized hardware maintenance items in PR.PS-03 | PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | N | v20-083
Changed "determined, documented, implemented" to "generated"; removed log review from scope | PR.PS-04 | Log records are generated and made available for continuous monitoring | N | v20-084
Changed scope to be specific to stopping unauthorized software | PR.PS-05 | Installation and execution of unauthorized software are prevented | N | v20-085
Changed the scope to only include secure software development | PR.PS-06 | Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle | N | v20-086
Changed the scope to only include using policies, processes, and procedures to manage security architectures that protect assets | PR.IR | Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience | N | v20-087
Changed "technical security solutions" to "security architectures"; clarified the original wording by simplifying it | PR.IR | Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience | N | v20-087
Changed the scope to only include the network access component of remote access management | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | N | v20-088
Added protection of computing environments; added "protected from unauthorized logical access and usage" (not physical) | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | N | v20-088
Changed scope to include protection of all environments | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | N | v20-088
Changed scope to be specific to logical access control (excluding physical access control) | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | N | v20-088
Changed the wording to generalize and broaden its scope | PR.IR-02 | The organization’s technology assets are protected from environmental threats | N | v20-089
Removed examples from description | PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | N | v20-090
Added "resource" | PR.IR-04 | Adequate resource capacity to ensure availability is maintained | N | v20-091
Clarified the original wording; added "analyzed" | DE | Possible cybersecurity attacks and compromises are found and analyzed | N | v20-092
Removed "information system" (redundant); changed what monitoring is looking for | DE.CM | Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events | N | v20-093
Added "network services"; changed "cybersecurity events" to "adverse events" | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Changed from what events are detected to where events are detected (on networks) | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Changed from what events are detected to where events are detected (on networks) | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Changed scope to be specific to monitoring networks and network services | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Changed "cybersecurity events" to "adverse events" | DE.CM-02 | The physical environment is monitored to find potentially adverse events | N | v20-095
Added "technology usage"; changed "cybersecurity events" to "adverse events" | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | N | v20-096
Changed scope to be specific to monitoring personnel | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | N | v20-096
Added "services"; changed "cybersecurity events" to "adverse events" | DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | N | v20-097
Changed scope to be specific to monitoring external services and their providers | DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | N | v20-097
Removed "firmware" (already part of software); removed "integrity checking mechanisms" (redundant); centralized software continuous monitoring in DE.CM-09 | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed scope to include all hardware monitoring | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed from what events are detected to where events are detected (on devices) | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed from what events are detected to where events are detected (on devices) | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed scope to be specific to monitoring hardware, software, and data | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed scope to include all types of events
potentially adverse events, not just
unauthorized entities

Added analysis to scope DE.AE Anomalies, indicators of compromise, N v20-099


Clarified what anomalous activity is and other potentially adverse events are
analyzed to characterize the events and
detect cybersecurity incidents

Removed "comply with all applicable DE.AE Anomalies, indicators of compromise, N v20-099
requirements" (unnecessary) and other potentially adverse events are
Changed scope from all detection analyzed to characterize the events and
activities to analysis of certain types detect cybersecurity incidents
of detected events
Changed "detected events" to DE.AE-02 Potentially adverse events are analyzed N v20-100
"potentially adverse events" to to better understand associated
narrow scope activities
Changed "attack targets and
methods" to "associated activities" to
broaden scope

Changed "event data" to DE.AE-03 Information is correlated from multiple N v20-101


"information" (broadening) sources
Removed "collected" and "sensors"
(redundant)

Clarified the original wording DE.AE-04 The estimated impact and scope of N v20-102
adverse events are understood

Clarified the original wording DE.AE-06 Information on adverse events is N v20-103


provided to authorized staff and tools

Changed scope to be specific to DE.AE-07 Cyber threat intelligence and other N v20-104
correlation through contextual contextual information are integrated
information, including cyber threat into the analysis
intelligence

Changed "incident alert thresholds" DE.AE-08 Incidents are declared when adverse N v20-105
to "defined incident criteria" and events meet the defined incident criteria
added the use of the criteria
Clarified the original wording RS Actions regarding a detected N v20-106
cybersecurity incident are taken

Changed the wording to generalize RS.MA Responses to detected cybersecurity N v20-107


and broaden its scope incidents are managed

Added "once an incident is declared" RS.MA-01 The incident response plan is executed in N v20-108
Added "in coordination with relevant coordination with relevant third parties
third parties" (coordination within the once an incident is declared
organization is already implied)

Changed the wording to generalize RS.MA-01 The incident response plan is executed in N v20-108
and broaden its scope (to include coordination with relevant third parties
response plan execution) once an incident is declared
Added "in coordination with relevant
third parties" (coordination within the
organization is already implied)

Changed "notifications from detection RS.MA-02 Incident reports are triaged and N v20-109
systems" to "incident reports" to validated
indicate that an incident has already
been declared or reported

Changed scope to be specific to RS.MA-02 Incident reports are triaged and N v20-109
incident triage validated

Changed scope to be specific to RS.MA-03 Incidents are categorized and prioritized N v20-110
incident categorization and
prioritization
Added "prioritized" RS.MA-03 Incidents are categorized and prioritized N v20-110
Removed "consistent with response
plans" (redundant)

Changed scope to be specific to RS.MA-04 Incidents are escalated or elevated as N v20-111


coordination involving incident needed
escalation and elevation

Changed scope to be specific to RS.MA-04 Incidents are escalated or elevated as N v20-111


incident escalation and elevation needed

Changed scope to only include RS.MA-05 The criteria for initiating incident N v20-112
determining if recovery should be recovery are applied
initiated

Added support for forensic activities RS.AN Investigations are conducted to ensure N v20-113
Changed "analysis" to "investigations" effective response and support forensics
and recovery activities

Changed scope from forensics to RS.AN-03 Analysis is performed to establish what N v20-114
analysis (which can also include has taken place during an incident and
forensics) the root cause of the incident

Changed scope from forensics to RS.AN-06 Actions performed during an N v20-115


recording investigation activities investigation are recorded, and the
(which can also include forensics) records’ integrity and provenance are
preserved
N/A RS.AN-07 Incident data and metadata are Y v20-116
collected, and their integrity and
provenance are preserved

Changed scope to be specific to RS.AN-08 An incident’s magnitude is estimated N v20-117


incident magnitude and validated

Removed examples from description RS.CO Response activities are coordinated with N v20-118
Added "as required by laws, internal and external stakeholders as
regulations, or policies" required by laws, regulations, or policies

Changed scope to be specific to RS.CO-02 Internal and external stakeholders are N v20-119
stakeholder notification notified of incidents

Changed scope to be specific to RS.CO-02 Internal and external stakeholders are N v20-119
stakeholder notification notified of incidents

Changed scope to be specific to RS.CO-03 Information is shared with designated N v20-120


information sharing with stakeholders internal and external stakeholders
Changed scope to be information RS.CO-03 Information is shared with designated N v20-120
sharing with all stakeholders internal and external stakeholders

Removed "resolve the incident" RS.MI Activities are performed to prevent N v20-121
expansion of an event and mitigate its
effects

None RS.MI-01 Incidents are contained N v20-122

Changed "mitigated" to "eradicated" RS.MI-02 Incidents are eradicated N v20-123

Changed the wording to generalize RC Assets and operations affected by a N v20-124


and broaden its scope cybersecurity incident are restored
Clarified the original wording RC.RP Restoration activities are performed to N v20-125
ensure operational availability of
systems and services affected by
cybersecurity incidents

Changed "recovery plan" to "recovery RC.RP-01 The recovery portion of the incident N v20-126
portion of the incident response plan" response plan is executed once initiated
Added "once initiated from the from the incident response process
incident response process"

Changed scope to management of RC.RP-02 Recovery actions are selected, scoped, N v20-127
actions performed during recovery prioritized, and performed

Changed the scope to be specific to RC.RP-03 The integrity of backups and other N v20-128
testing/verifying backups before use restoration assets is verified before using
them for restoration

N/A RC.RP-04 Critical mission functions and Y v20-129


cybersecurity risk management are
considered to establish post-incident
operational norms

N/A RC.RP-05 The integrity of restored assets is Y v20-130


verified, systems and services are
restored, and normal operating status is
confirmed

N/A RC.RP-06 The end of incident recovery is declared Y v20-131


based on criteria, and incident-related
documentation is completed

Removed examples from description RC.CO Restoration activities are coordinated N v20-132
with internal and external parties
Added "progress in restoring RC.CO-03 Recovery activities and progress in N v20-133
operational capabilities" restoring operational capabilities are
Removed redundancy in the list of communicated to designated internal
parties to communicate with and external stakeholders

Changed scope to be specific to public RC.CO-04 Public updates on incident recovery are N v20-134
notification shared using approved methods and
messaging

Changed scope to be specific to using RC.CO-04 Public updates on incident recovery are N v20-134
public updates on incident recovery shared using approved methods and
to help manage public relations messaging

Changed scope to be specific to using RC.CO-04 Public updates on incident recovery are N v20-134
public updates on incident recovery shared using approved methods and
to help repair the organization’s messaging
reputation
Implementation Examples

Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission

Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission

Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)

Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)

Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements

Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)

Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)

Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services, and share that information with appropriate personnel

Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services, and share that information with appropriate personnel

Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance

Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
Ex2: Include cybersecurity risk managers in enterprise risk management planning
Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management

Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
Ex2: Determine whether to purchase cybersecurity insurance
Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)

Ex1: Determine how to update senior executives, directors, and management on the organization’s cybersecurity posture at agreed-upon intervals
Ex2: Identify how all departments across the organization — such as management, operations, internal auditors, legal, acquisition, physical security, and HR — will communicate with each other about cybersecurity risks

Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks

Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
Ex2: Identify stretch goals and document them
Ex3: Calculate, document, and prioritize positive risks alongside negative risks

Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization’s cybersecurity strategy
Ex2: Share leaders’ expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk

Ex1: Document risk management roles and responsibilities in policy
Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

Ex1: Document risk management roles and responsibilities in policy
Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

Ex1: Document risk management roles and responsibilities in policy
Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
Ex2: Identify resource allocation and investment in line with risk tolerance and response
Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy

Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles

Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
Ex3: Require approval from senior management on policy
Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated

Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
Ex2: Provide a timeline for reviewing changes to the organization’s risk environment (e.g., changes in risk or in the organization’s mission objectives), and communicate recommended policy updates
Ex3: Update policy to reflect changes in legal and regulatory requirements
Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)

Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
Ex2: Provide a timeline for reviewing changes to the organization’s risk environment (e.g., changes in risk or in the organization’s mission objectives), and communicate recommended policy updates
Ex3: Update policy to reflect changes in legal and regulatory requirements
Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)

Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives
Ex2: Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted

Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements
Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary
Ex3: Review strategy in light of cybersecurity incidents

Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives
Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership

Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering

Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
Ex3: Integrate cybersecurity supply chain risk management into improvement processes
Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level

Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization’s systems, and the importance of the products or services to the organization’s mission
Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria

Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
Ex8: Contractually require suppliers to vet their employees and guard against insider threats
Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
Ex10: Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks

Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use

Ex1: Adjust assessment formats and frequencies based on the third party’s reputation and the criticality of the products or services they provide
Ex2: Evaluate third parties’ evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Ex1: Adjust assessment formats and frequencies based on the third party’s reputation and the criticality of the products or services they provide
Ex2: Evaluate third parties’ evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
Ex3: Include critical suppliers in incident response exercises and simulations
Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
Ex5: Conduct collaborative lessons learned sessions with critical suppliers

Ex1: Policies and procedures require provenance records for all acquired technology products and services
Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes

Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
Ex4: Verify that assets containing the organization’s data are returned or properly disposed of in a timely, controlled, and safe manner
Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
Ex6: Mitigate risks to data and systems created by supplier termination
Ex7: Manage data leakage risks associated with supplier termination
Ex1: Maintain inventories for all types of hardware, including
IT, IoT, OT, and mobile devices
Ex2: Constantly monitor networks to detect new hardware
and automatically update inventories
Ex1: Maintain inventories for all types of software and
services, including commercial-off-the-shelf, open-source,
custom applications, API services, and cloud-based
applications and services
Ex2: Constantly monitor all platforms, including containers
and virtual machines, for software and service inventory
changes
Ex3: Maintain an inventory of the organization’s systems
Ex1: Maintain baselines of communication and data flows
within the organization’s wired and wireless networks
Ex2: Maintain baselines of communication and data flows
between the organization and third parties
Ex3: Maintain baselines of communication and data flows for
the organization’s infrastructure-as-a-service (IaaS) usage
Ex4: Maintain documentation of expected network ports,
protocols, and services that are typically used among
authorized systems
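The Ex4 item above (documenting the expected ports, protocols, and services among authorized systems) only pays off when observed traffic is checked against that documentation. What follows is an added example, not part of the NIST spreadsheet or the CSF 2.0 text: a small Python baseline checker. The rule set, network segments, service names, and flow records are constructed for illustration; a real deployment would load the baseline from its architecture documentation and feed it NetFlow/IPFIX or firewall logs.

```python
"""Check observed network flows against a documented baseline of expected
ports, protocols, and services between authorized systems.

Added example for the ID.AM-03 implementation examples; it is not NIST text.
The baseline rules, host addresses, and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    """One documented, expected communication path."""
    src_net: ipaddress.IPv4Network   # authorized source segment
    dst_net: ipaddress.IPv4Network   # authorized destination segment
    proto: str                       # "tcp" or "udp"
    port: int                        # destination port
    service: str                     # name used in the architecture documentation


def rule(src, dst, proto, port, service):
    return FlowRule(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port, service)


# Constructed baseline: the only flows the documentation says should exist.
BASELINE = [
    rule("10.10.0.0/24", "10.20.0.0/24", "tcp", 443, "web-to-api"),
    rule("10.20.0.0/24", "10.30.0.0/24", "tcp", 5432, "api-to-postgres"),
    rule("10.0.0.0/8", "10.40.0.5/32", "udp", 53, "internal-dns"),
]


def parse_flow(line):
    """Parse a constructed flow record: '<src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    src, dst, proto, port, nbytes = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "port": int(port),
        "bytes": int(nbytes),
    }


def classify_flow(flow, rules=BASELINE):
    """Return (verdict, service).

    'expected'        : matches a baseline rule in every field
    'unexpected-path' : a documented service, but between segments not authorized for it
    'unknown-service' : a port/protocol the documentation does not list at all
    """
    for r in rules:
        if (flow["src"] in r.src_net and flow["dst"] in r.dst_net
                and flow["proto"] == r.proto and flow["port"] == r.port):
            return "expected", r.service
    for r in rules:
        if flow["proto"] == r.proto and flow["port"] == r.port:
            return "unexpected-path", r.service
    return "unknown-service", None


def find_deviations(lines, rules=BASELINE):
    """Flows that deviate from the baseline, as (record, verdict, service)."""
    out = []
    for line in lines:
        verdict, service = classify_flow(parse_flow(line), rules)
        if verdict != "expected":
            out.append((line, verdict, service))
    return out


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.0.12 10.20.0.7 tcp 443 18320",     # web tier to API: documented
    "10.20.0.7 10.30.0.3 tcp 5432 90211",     # API to database: documented
    "10.10.0.12 10.30.0.3 tcp 5432 4410",     # web tier straight to the database: not documented
    "10.20.0.7 10.40.0.5 udp 53 210",         # internal DNS: documented
    "10.30.0.3 203.0.113.9 tcp 4444 77000",   # database host to an external address on 4444: unknown
]

if __name__ == "__main__":
    for record, verdict, service in find_deviations(SAMPLE_FLOWS):
        print(f"{verdict:15} {service or '-':15} {record}")
```

The two verdict kinds are worth keeping apart in practice: an "unexpected-path" hit is usually a segmentation or firewall gap for a service the organization already knows about, while an "unknown-service" hit is either missing documentation or something that should not be there at all.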

Ex1: Maintain baselines of communication and data flows
within the organization’s wired and wireless networks
Ex2: Maintain baselines of communication and data flows
between the organization and third parties
Ex3: Maintain baselines of communication and data flows for
the organization’s infrastructure-as-a-service (IaaS) usage
Ex4: Maintain documentation of expected network ports,
protocols, and services that are typically used among
authorized systems
Ex1: Inventory all external services used by the organization,
including third-party infrastructure-as-a-service (IaaS),
platform-as-a-service (PaaS), and software-as-a-service (SaaS)
offerings; APIs; and other externally hosted application
services
Ex2: Update the inventory when a new external service is
going to be utilized to ensure adequate cybersecurity risk
management monitoring of the organization’s use of that
service
Ex1: Define criteria for prioritizing each class of assets
Ex2: Apply the prioritization criteria to assets
Ex3: Track the asset priorities and update them periodically
or when significant changes to the organization occur
Ex1: Maintain a list of the designated data types of interest
(e.g., personally identifiable information, protected health
information, financial account numbers, organization
intellectual property, operational technology data)
Ex2: Continuously discover and analyze ad hoc data to
identify new instances of designated data types
Ex3: Assign data classifications to designated data types
through tags or labels
Ex4: Track the provenance, data owner, and geolocation of
each instance of designated data types
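Ex2 and Ex3 above (continuously discovering instances of designated data types and assigning classifications through tags or labels) describe what a data discovery scanner does. The following is an added example and is not part of the NIST material: a Python discovery pass over constructed records. The data types, regular expressions, labels, and sample records are assumptions for illustration; a Luhn check is included because a bare digit-run pattern for payment cards produces many false positives on counters and identifiers.

```python
"""Discover designated data types in free text and assign classification labels.

Added example for the ID.AM-07 implementation examples; not NIST text. The
data types, patterns, labels, and sample records are constructed for
illustration; a real deployment tunes these to its own designated data types.
"""
import re

# Designated data types of interest (constructed).
PATTERNS = {
    # US SSN with structurally invalid area/group/serial values excluded
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-19 digits with optional single space/hyphen separators; validated with Luhn below
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

# Classification label (tag) attached to each designated data type.
LABELS = {
    "us_ssn": "PII/restricted",
    "email": "PII/internal",
    "payment_card": "PCI/restricted",
}

# Sensitivity order, lowest to highest, used to roll up a document-level label.
SENSITIVITY = ["public", "PII/internal", "PII/restricted", "PCI/restricted"]


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_designated_data(text):
    """Return [(data_type, matched_value, label)] for each instance found in text."""
    hits = []
    for dtype, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if dtype == "payment_card":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue   # a digit run that is not a card number (e.g. a counter)
            hits.append((dtype, value, LABELS[dtype]))
    return hits


def classify_document(text):
    """Highest-sensitivity label among the instances found; 'public' when none."""
    best = "public"
    for _, _, label in find_designated_data(text):
        if SENSITIVITY.index(label) > SENSITIVITY.index(best):
            best = label
    return best


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    "ticket 1042: customer jane.doe@example.com asked about invoice 20240118",
    "hr note: SSN 123-45-6789 verified for onboarding",
    "payment test: card 4111 1111 1111 1111 approved; 4111 1111 1111 1112 declined",
    "ops: host 10.20.0.7 rebooted at 03:14, counter 1234567890123",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_document(rec), find_designated_data(rec))
```

The label returned by classify_document is what gets written back as the tag on the file, row, or object; the per-instance hits are what the provenance and owner tracking in Ex4 would be recorded against.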

Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Integrate cybersecurity considerations throughout the
life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life
cycles
Ex3: Identify unofficial uses of technology to meet mission
objectives (i.e., “shadow IT”)
Ex4: Periodically identify redundant systems, hardware,
software, and services that unnecessarily increase the
organization’s attack surface
Ex5: Properly configure and secure systems, hardware,
software, and services prior to their deployment in
production
Ex6: Update inventories when systems, hardware, software,
and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization’s
data retention policy using the prescribed destruction
method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being
retired, decommissioned, reassigned, or sent for repairs or
replacement
Ex9: Offer methods for destroying paper, storage media, and
other physical forms of data storage
Ex1: Use vulnerability management technologies to identify
unpatched and misconfigured software
Ex2: Assess network and system architectures for design and
implementation weaknesses that affect cybersecurity
Ex3: Review, analyze, or test organization-developed
software to identify design, coding, and default configuration
vulnerabilities
Ex4: Assess facilities that house critical computing assets for
physical vulnerabilities and resilience issues
Ex5: Monitor sources of cyber threat intelligence for
information on new vulnerabilities in products and services
Ex6: Review processes and procedures for weaknesses that
could be exploited to affect cybersecurity
Ex1: Use vulnerability management technologies to identify
unpatched and misconfigured software
Ex2: Assess network and system architectures for design and
implementation weaknesses that affect cybersecurity
Ex3: Review, analyze, or test organization-developed
software to identify design, coding, and default configuration
vulnerabilities
Ex4: Assess facilities that house critical computing assets for
physical vulnerabilities and resilience issues
Ex1: Use vulnerability management technologies to identify
unpatched and misconfigured software
Ex2: Assess network and system architectures for design and
implementation weaknesses that affect cybersecurity
Ex3: Review, analyze, or test organization-developed
software to identify design, coding, and default configuration
vulnerabilities
Ex4: Assess facilities that house critical computing assets for
physical vulnerabilities and resilience issues
Ex1: Configure cybersecurity tools and technologies with
detection or response capabilities to securely ingest cyber
threat intelligence feeds
Ex2: Receive and review advisories from reputable third
parties on current threat actors and their tactics, techniques,
and procedures (TTPs)
Ex3: Monitor sources of cyber threat intelligence for
information on the types of vulnerabilities that emerging
technologies may have
Ex1: Use cyber threat intelligence to maintain awareness of
the types of threat actors likely to target the organization and
the TTPs they are likely to use
Ex2: Perform threat hunting to look for signs of threat actors
within the environment
Ex3: Implement processes for identifying internal threat
actors
Ex1: Business leaders and cybersecurity risk management
practitioners work together to estimate the likelihood and
impact of risk scenarios and record them in risk registers
Ex2: Enumerate the potential business impacts of
unauthorized access to the organization’s communications,
systems, and data processed in or by those systems
Ex3: Account for the potential impacts of cascading failures
for systems of systems
Ex1: Develop threat models to better understand risks to the
data and identify appropriate risk responses
Ex2: Prioritize cybersecurity resource allocations and
investments based on estimated likelihoods and impacts
Ex1: Apply the vulnerability management plan’s criteria for
deciding whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan’s criteria for
selecting compensating controls to mitigate risk
Ex3: Track the progress of risk response implementation
(e.g., plan of action and milestones [POA&M], risk register,
risk detail report)
Ex4: Use risk assessment findings to inform risk response
decisions and actions
Ex5: Communicate planned risk responses to affected
stakeholders in priority order
Ex1: Apply the vulnerability management plan’s criteria for
deciding whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan’s criteria for
selecting compensating controls to mitigate risk
Ex3: Track the progress of risk response implementation
(e.g., plan of action and milestones [POA&M], risk register,
risk detail report)
Ex4: Use risk assessment findings to inform risk response
decisions and actions
Ex5: Communicate planned risk responses to affected
stakeholders in priority order
Ex1: Implement and follow procedures for the formal
documentation, review, testing, and approval of proposed
changes and requested exceptions
Ex2: Document the possible risks of making or not making
each proposed change, and provide guidance on rolling back
changes
Ex3: Document the risks related to each requested exception
and the plan for responding to those risks
Ex4: Periodically review risks that were accepted based upon
planned future actions or milestones
Ex1: Conduct vulnerability information sharing between the
organization and its suppliers following the rules and
protocols defined in contracts
Ex2: Assign responsibilities and verify the execution of
procedures for processing, analyzing the impact of, and
responding to cybersecurity threat, vulnerability, or incident
disclosures by suppliers, customers, partners, and
government cybersecurity organizations
Ex1: Assess the authenticity and cybersecurity of critical
technology products and services prior to acquisition and use
Ex1: Conduct supplier risk assessments against business and
applicable cybersecurity requirements, including the supply
chain
Ex1: Conduct supplier risk assessments against business and
applicable cybersecurity requirements, including the supply
chain
Ex1: Perform self-assessments of critical services that take
current threats and TTPs into consideration
Ex2: Invest in third-party assessments or independent audits
of the effectiveness of the organization’s cybersecurity
program to identify areas that need improvement
Ex3: Constantly evaluate compliance with selected
cybersecurity requirements through automated means
Ex1: Identify improvements for future incident response
activities based on findings from incident response
assessments (e.g., tabletop exercises and simulations, tests,
internal reviews, independent audits)
Ex2: Identify improvements for future business continuity,
disaster recovery, and incident response activities based on
exercises performed in coordination with critical service
providers and product suppliers
Ex3: Involve internal stakeholders (e.g., senior executives,
legal department, HR) in security tests and exercises as
appropriate
Ex4: Perform penetration testing to identify opportunities to
improve the security posture of selected high-risk systems as
approved by leadership
Ex5: Exercise contingency plans for responding to and
recovering from the discovery that products or services did
not originate with the contracted supplier or partner or were
altered before receipt
Ex6: Collect and analyze performance metrics using security
tools and services to inform improvements to the
cybersecurity program
Ex1: Identify improvements for future incident response
activities based on findings from incident response
assessments (e.g., tabletop exercises and simulations, tests,
internal reviews, independent audits)
Ex2: Identify improvements for future business continuity,
disaster recovery, and incident response activities based on
exercises performed in coordination with critical service
providers and product suppliers
Ex3: Involve internal stakeholders (e.g., senior executives,
legal department, HR) in security tests and exercises as
appropriate
Ex4: Perform penetration testing to identify opportunities to
improve the security posture of selected high-risk systems as
approved by leadership
Ex5: Exercise contingency plans for responding to and
recovering from the discovery that products or services did
not originate with the contracted supplier or partner or were
altered before receipt
Ex6: Collect and analyze performance metrics using security
tools and services to inform improvements to the
cybersecurity program
Ex1: Identify improvements for future incident response
activities based on findings from incident response
assessments (e.g., tabletop exercises and simulations, tests,
internal reviews, independent audits)
Ex2: Identify improvements for future business continuity,
disaster recovery, and incident response activities based on
exercises performed in coordination with critical service
providers and product suppliers
Ex3: Involve internal stakeholders (e.g., senior executives,
legal department, HR) in security tests and exercises as
appropriate
Ex4: Perform penetration testing to identify opportunities to
improve the security posture of selected high-risk systems as
approved by leadership
Ex5: Exercise contingency plans for responding to and
recovering from the discovery that products or services did
not originate with the contracted supplier or partner or were
altered before receipt
Ex6: Collect and analyze performance metrics using security
tools and services to inform improvements to the
cybersecurity program
Ex1: Identify improvements for future incident response
activities based on findings from incident response
assessments (e.g., tabletop exercises and simulations, tests,
internal reviews, independent audits)
Ex2: Identify improvements for future business continuity,
disaster recovery, and incident response activities based on
exercises performed in coordination with critical service
providers and product suppliers
Ex3: Involve internal stakeholders (e.g., senior executives,
legal department, HR) in security tests and exercises as
appropriate
Ex4: Perform penetration testing to identify opportunities to
improve the security posture of selected high-risk systems as
approved by leadership
Ex5: Exercise contingency plans for responding to and
recovering from the discovery that products or services did
not originate with the contracted supplier or partner or were
altered before receipt
Ex6: Collect and analyze performance metrics using security
tools and services to inform improvements to the
cybersecurity program
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Conduct collaborative lessons learned sessions with
suppliers
Ex2: Annually review cybersecurity policies, processes, and
procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity
performance over time
Ex1: Establish contingency plans (e.g., incident response,
business continuity, disaster recovery) for responding to and
recovering from adverse events that can interfere with
operations, expose confidential information, or otherwise
endanger the organization’s mission and viability
Ex2: Include contact and communication information,
processes for handling common scenarios, and criteria for
prioritization, escalation, and elevation in all contingency
plans
Ex3: Create a vulnerability management plan to identify and
assess all types of vulnerabilities and to prioritize, test, and
implement risk responses
Ex4: Communicate cybersecurity plans (including updates) to
those responsible for carrying them out and to affected
parties
Ex5: Review and update all cybersecurity plans annually or
when a need for significant improvements is identified
Ex1: Establish contingency plans (e.g., incident response,
business continuity, disaster recovery) for responding to and
recovering from adverse events that can interfere with
operations, expose confidential information, or otherwise
endanger the organization’s mission and viability
Ex2: Include contact and communication information,
processes for handling common scenarios, and criteria for
prioritization, escalation, and elevation in all contingency
plans
Ex3: Create a vulnerability management plan to identify and
assess all types of vulnerabilities and to prioritize, test, and
implement risk responses
Ex4: Communicate cybersecurity plans (including updates) to
those responsible for carrying them out and to affected
parties
Ex5: Review and update all cybersecurity plans annually or
when a need for significant improvements is identified
Ex1: Establish contingency plans (e.g., incident response,
business continuity, disaster recovery) for responding to and
recovering from adverse events that can interfere with
operations, expose confidential information, or otherwise
endanger the organization’s mission and viability
Ex2: Include contact and communication information,
processes for handling common scenarios, and criteria for
prioritization, escalation, and elevation in all contingency
plans
Ex3: Create a vulnerability management plan to identify and
assess all types of vulnerabilities and to prioritize, test, and
implement risk responses
Ex4: Communicate cybersecurity plans (including updates) to
those responsible for carrying them out and to affected
parties
Ex5: Review and update all cybersecurity plans annually or
when a need for significant improvements is identified
Ex1: Establish contingency plans (e.g., incident response,
business continuity, disaster recovery) for responding to and
recovering from adverse events that can interfere with
operations, expose confidential information, or otherwise
endanger the organization’s mission and viability
Ex2: Include contact and communication information,
processes for handling common scenarios, and criteria for
prioritization, escalation, and elevation in all contingency
plans
Ex3: Create a vulnerability management plan to identify and
assess all types of vulnerabilities and to prioritize, test, and
implement risk responses
Ex4: Communicate cybersecurity plans (including updates) to
those responsible for carrying them out and to affected
parties
Ex5: Review and update all cybersecurity plans annually or
when a need for significant improvements is identified
Ex1: Initiate requests for new access or additional access for
employees, contractors, and others, and track, review, and
fulfill the requests, with permission from system or data
owners when needed
Ex2: Issue, manage, and revoke cryptographic certificates
and identity tokens, cryptographic keys (i.e., key
management), and other credentials
Ex3: Select a unique identifier for each device from
immutable hardware characteristics or an identifier securely
provisioned to the device
Ex4: Physically label authorized hardware with an identifier
for inventory and servicing purposes
Ex1: Verify a person’s claimed identity at enrollment time
using government-issued identity credentials (e.g., passport,
visa, driver’s license)
Ex2: Issue a different credential for each person (i.e., no
credential sharing)
Ex1: Require multifactor authentication
Ex2: Enforce policies for the minimum strength of passwords,
PINs, and similar authenticators
Ex3: Periodically reauthenticate users, services, and
hardware based on risk (e.g., in zero trust architectures)
Ex4: Ensure that authorized personnel can access accounts
essential for protecting safety under emergency conditions
Ex1: Require multifactor authentication
Ex2: Enforce policies for the minimum strength of passwords,
PINs, and similar authenticators
Ex3: Periodically reauthenticate users, services, and
hardware based on risk (e.g., in zero trust architectures)
Ex4: Ensure that authorized personnel can access accounts
essential for protecting safety under emergency conditions
Ex1: Protect identity assertions that are used to convey
authentication and user information through single sign-on
systems
Ex2: Protect identity assertions that are used to convey
authentication and user information between federated
systems
Ex3: Implement standards-based approaches for identity
assertions in all contexts, and follow all guidance for the
generation (e.g., data models, metadata), protection (e.g.,
digital signing, encryption), and verification (e.g., signature
validation) of identity assertions
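Ex3 above names digital signing as the protection for identity assertions and signature validation as the verification. The following is an added example and is not NIST's text or any identity provider's code: a compact JWT-style assertion signed with HMAC-SHA256 from the Python standard library, together with the checks a relying party must perform before trusting a single claim (algorithm allowlist, signature first, then issuer, audience, and expiry). The key, issuer, audience, and claims are constructed. Production federations use asymmetric keys and published key sets (for example RS256 or ES256 with JWKS); the verifier's checks are the same.

```python
"""Issue and verify signed identity assertions (compact, JWT-style) for SSO.

Added example for the PR.AA-04 implementation examples; not NIST text and not
any identity provider's code. HMAC-SHA256 from the standard library stands in
for the asymmetric signatures a real federation would use. Key, issuer,
audience, and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}   # verifier-side allowlist; the token header never picks the algorithm


class InvalidAssertion(Exception):
    pass


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_assertion(claims, key):
    """IdP side: sign header.payload with HMAC-SHA256 over the encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_assertion(token, key, expected_iss, expected_aud, now=None):
    """Relying-party side: return the claims, or raise InvalidAssertion."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidAssertion("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except ValueError:
        raise InvalidAssertion("malformed header")
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise InvalidAssertion(f"algorithm not allowed: {header.get('alg') if isinstance(header, dict) else None!r}")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(s)
    except ValueError:
        raise InvalidAssertion("bad signature")
    # Signature is checked before any claim is read; compare in constant time.
    if not hmac.compare_digest(expected, given):
        raise InvalidAssertion("bad signature")
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        raise InvalidAssertion("malformed payload")
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss:
        raise InvalidAssertion("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in aud:
        raise InvalidAssertion("audience mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidAssertion("expired or no expiry")
    if claims.get("nbf", 0) > now:
        raise InvalidAssertion("not yet valid")
    return claims


def verification_result(token, key, expected_iss, expected_aud, now=None):
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        verify_assertion(token, key, expected_iss, expected_aud, now)
        return "accepted"
    except InvalidAssertion as e:
        return f"rejected: {e}"


# Constructed demo values (not production material).
DEMO_KEY = b"constructed-demo-key-do-not-use"
DEMO_ISS = "https://idp.example"
DEMO_AUD = "https://app.example"
DEMO_NOW = 1_700_000_000


def demo_tokens():
    """A valid token plus three manipulated variants a verifier must reject."""
    claims = {"iss": DEMO_ISS, "aud": DEMO_AUD, "sub": "alice", "exp": DEMO_NOW + 300}
    good = issue_assertion(claims, DEMO_KEY)
    h, p, s = good.split(".")
    forged_payload = _b64url(_json({**claims, "sub": "admin"}))
    none_header = _b64url(_json({"alg": "none", "typ": "JWT"}))
    return {
        "valid": good,
        "tampered": h + "." + forged_payload + "." + s,   # payload edited, old signature kept
        "alg_none": none_header + "." + p + ".",          # unsigned token claiming alg=none
        "wrong_aud": issue_assertion({**claims, "aud": "https://other.example"}, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(f"{name:10} {verification_result(tok, DEMO_KEY, DEMO_ISS, DEMO_AUD, DEMO_NOW)}")
```

The order of checks is the point: the algorithm comes from the verifier's allowlist rather than from the token, the signature is validated before any claim is parsed for meaning, and issuer, audience, and lifetime are checked even when the signature is good, so an assertion issued for one relying party cannot be replayed at another.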
Ex1: Review logical and physical access privileges periodically
and whenever someone changes roles or leaves the
organization, and promptly rescind privileges that are no
longer needed
Ex2: Take attributes of the requester and the requested
resource into account for authorization decisions (e.g.,
geolocation, day/time, requester endpoint’s cyber health)
Ex3: Restrict access and privileges to the minimum necessary
(e.g., zero trust architecture)
Ex4: Periodically review the privileges associated with critical
business functions to confirm proper separation of duties
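Ex2, Ex3, and Ex4 above describe attribute-based authorization decisions, least privilege, and separation of duties. The following is an added example and not NIST text: a deny-by-default policy evaluator in Python that takes requester attributes (team, roles, session country, endpoint health, time of day) and resource attributes (owning team, who created the item) into account. The attribute names, rules, teams, and allowed countries are constructed for illustration.

```python
"""Attribute-based authorization decisions with deny-by-default.

Added example for the PR.AA-05 implementation examples; not NIST text. The
attributes, rule names, teams, and allowed countries are constructed. Deny
rules are evaluated first, then allow rules; anything unmatched is denied.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessRequest:
    subject: str                 # who is asking
    subject_team: str            # organizational attribute of the requester
    roles: frozenset             # granted roles
    action: str                  # read / write / approve
    resource: str                # what is requested
    resource_owner_team: str     # attribute of the resource
    resource_created_by: str     # used for separation of duties on 'approve'
    geo: str                     # country code of the session
    device_compliant: bool       # endpoint health attestation result
    when: datetime               # time of the request (UTC)


ALLOWED_GEOS = {"US", "CA", "DE"}


def business_hours(req):
    return req.when.weekday() < 5 and 8 <= req.when.hour < 18


# Deny rules: any match ends the evaluation with a denial.
DENY_RULES = [
    ("noncompliant-endpoint", lambda r: not r.device_compliant),
    ("geo-not-allowed", lambda r: r.geo not in ALLOWED_GEOS),
    ("separation-of-duties", lambda r: r.action == "approve" and r.subject == r.resource_created_by),
]

# Allow rules: minimum necessary; each grants one narrowly scoped capability.
ALLOW_RULES = [
    ("owner-team-read", lambda r: r.action == "read" and r.subject_team == r.resource_owner_team),
    ("approver-role", lambda r: r.action == "approve" and "approver" in r.roles),
    ("db-admin-write-in-hours", lambda r: r.action == "write" and "db-admin" in r.roles and business_hours(r)),
]


def decide(req):
    """Return (decision, rule_name); 'default' is the implicit deny."""
    for name, matches in DENY_RULES:
        if matches(req):
            return "deny", name
    for name, matches in ALLOW_RULES:
        if matches(req):
            return "allow", name
    return "deny", "default"


# Constructed timestamps: a Tuesday morning and a Saturday morning.
WEEKDAY = datetime(2024, 5, 14, 10, 30, tzinfo=timezone.utc)
WEEKEND = datetime(2024, 5, 18, 10, 30, tzinfo=timezone.utc)


def make_request(**overrides):
    """Constructed baseline request; callers vary one attribute at a time."""
    base = dict(
        subject="alice", subject_team="payments", roles=frozenset({"analyst"}),
        action="read", resource="payments/ledger", resource_owner_team="payments",
        resource_created_by="bob", geo="US", device_compliant=True, when=WEEKDAY,
    )
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    for label, req in [
        ("team read", make_request()),
        ("unhealthy device", make_request(device_compliant=False)),
        ("other team", make_request(subject_team="marketing")),
        ("self-approval", make_request(action="approve", subject="bob", roles=frozenset({"approver"}))),
        ("admin write, weekend", make_request(action="write", roles=frozenset({"db-admin"}), when=WEEKEND)),
    ]:
        print(f"{label:22} {decide(req)}")
```

Returning the rule name with the decision is deliberate: it is what the periodic privilege review in Ex1 and Ex4 needs in the logs, since "denied by default" and "denied by the separation-of-duties rule" call for different follow-up.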

Ex1: Review logical and physical access privileges periodically
and whenever someone changes roles or leaves the
organization, and promptly rescind privileges that are no
longer needed
Ex2: Take attributes of the requester and the requested
resource into account for authorization decisions (e.g.,
geolocation, day/time, requester endpoint’s cyber health)
Ex3: Restrict access and privileges to the minimum necessary
(e.g., zero trust architecture)
Ex4: Periodically review the privileges associated with critical
business functions to confirm proper separation of duties
Ex1: Review logical and physical access privileges periodically
and whenever someone changes roles or leaves the
organization, and promptly rescind privileges that are no
longer needed
Ex2: Take attributes of the requester and the requested
resource into account for authorization decisions (e.g.,
geolocation, day/time, requester endpoint’s cyber health)
Ex3: Restrict access and privileges to the minimum necessary
(e.g., zero trust architecture)
Ex4: Periodically review the privileges associated with critical
business functions to confirm proper separation of duties
Ex1: Use security guards, security cameras, locked entrances,
alarm systems, and other physical controls to monitor
facilities and restrict access
Ex2: Employ additional physical security controls for areas
that contain high-risk assets
Ex3: Escort guests, vendors, and other third parties within
areas that contain business-critical assets
Ex1: Use security guards, security cameras, locked entrances,
alarm systems, and other physical controls to monitor
facilities and restrict access
Ex2: Employ additional physical security controls for areas
that contain high-risk assets
Ex3: Escort guests, vendors, and other third parties within
areas that contain business-critical assets
Ex1: Provide basic cybersecurity awareness and training to
employees, contractors, partners, suppliers, and all other
users of the organization’s non-public resources
Ex2: Train personnel to recognize social engineering attempts
and other common attacks, report attacks and suspicious
activity, comply with acceptable use policies, and perform
basic cyber hygiene tasks (e.g., patching software, choosing
passwords, protecting credentials)
Ex3: Explain the consequences of cybersecurity policy
violations, both to individual users and the organization as a
whole
Ex4: Periodically assess or test users on their understanding
of basic cybersecurity practices
Ex5: Require annual refreshers to reinforce existing practices
and introduce new practices
Ex1: Provide basic cybersecurity awareness and training to
employees, contractors, partners, suppliers, and all other
users of the organization’s non-public resources
Ex2: Train personnel to recognize social engineering attempts
and other common attacks, report attacks and suspicious
activity, comply with acceptable use policies, and perform
basic cyber hygiene tasks (e.g., patching software, choosing
passwords, protecting credentials)
Ex3: Explain the consequences of cybersecurity policy
violations, both to individual users and the organization as a
whole
Ex4: Periodically assess or test users on their understanding
of basic cybersecurity practices
Ex5: Require annual refreshers to reinforce existing practices
and introduce new practices
Ex1: Provide basic cybersecurity awareness and training to
employees, contractors, partners, suppliers, and all other
users of the organization’s non-public resources
Ex2: Train personnel to recognize social engineering attempts
and other common attacks, report attacks and suspicious
activity, comply with acceptable use policies, and perform
basic cyber hygiene tasks (e.g., patching software, choosing
passwords, protecting credentials)
Ex3: Explain the consequences of cybersecurity policy
violations, both to individual users and the organization as a
whole
Ex4: Periodically assess or test users on their understanding
of basic cybersecurity practices
Ex5: Require annual refreshers to reinforce existing practices
and introduce new practices

Ex1: Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
Ex2: Provide role-based cybersecurity awareness and training to all those in specialized roles, including contractors, partners, suppliers, and other third parties
Ex3: Periodically assess or test users on their understanding of cybersecurity practices for their specialized roles
Ex4: Require annual refreshers to reinforce existing practices and introduce new practices

Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources
Ex2: Use full disk encryption to protect data stored on user endpoints
Ex3: Confirm the integrity of software by validating signatures
Ex4: Restrict the use of removable media to prevent data exfiltration
Ex5: Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets
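
The first and third examples above (cryptographic hashes over stored data, signature validation before trusting software) come down to one check: compute a digest of what you actually have and compare it with a digest that someone you trust has vouched for. The block below is an added illustration, not content from the NIST spreadsheet or from any NIST tool. It builds a SHA-256 manifest over constructed sample artifacts, authenticates the manifest with HMAC-SHA256 (a shared-key stand-in for the digital signature a real release pipeline would use, chosen so the example runs on the Python standard library alone), and reports per artifact whether it is intact, modified, missing, or present but not covered by the manifest. The artifact contents, paths and the key are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample artifacts standing in for files, disk images or container
# layers; the paths and contents are made up for this demonstration.
ARTIFACTS: dict[str, bytes] = {
    "app/config.yml": b"listen: 0.0.0.0:8443\ntls: required\n",
    "app/service.bin": b"\x7fELF" + bytes(range(64)),
}

# Constructed demo key. A real pipeline keeps signing material in an HSM/KMS
# or uses an asymmetric signature so that verifiers never hold it at all.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Map each artifact path to the SHA-256 digest of its content."""
    return {path: sha256_hex(data) for path, data in sorted(artifacts.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Authenticate the manifest with HMAC-SHA256 over a canonical JSON encoding.

    Shared-key stand-in for the digital signature a release pipeline would use;
    canonical encoding (sorted keys, no whitespace) keeps the MAC reproducible.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_artifacts(artifacts: dict[str, bytes], manifest: dict[str, str],
                     signature: str, key: bytes) -> dict[str, str]:
    """Check the manifest's authenticity first, then every artifact against it.

    Returns {path: "ok" | "modified" | "missing" | "unexpected"}.
    Raises ValueError if the manifest itself fails authentication: digests read
    from an untrusted manifest protect against corruption, not against an
    attacker who can rewrite both an artifact and its recorded hash.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise ValueError("manifest signature invalid; refusing to trust its digests")
    results: dict[str, str] = {}
    for path, expected in manifest.items():
        if path not in artifacts:
            results[path] = "missing"
        elif hmac.compare_digest(sha256_hex(artifacts[path]), expected):
            results[path] = "ok"
        else:
            results[path] = "modified"
    for path in artifacts:
        if path not in manifest:
            results[path] = "unexpected"  # present, but never attested
    return results


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    signature = sign_manifest(manifest, MANIFEST_KEY)
    print(verify_artifacts(ARTIFACTS, manifest, signature, MANIFEST_KEY))
    # Simulate a post-deployment edit to a config file.
    tampered = dict(ARTIFACTS)
    tampered["app/config.yml"] = b"listen: 0.0.0.0:8443\ntls: optional\n"
    print(verify_artifacts(tampered, manifest, signature, MANIFEST_KEY))
```

The ordering is the point: the manifest's own authenticity is checked before any per-file digest is consulted, and both comparisons use a constant-time compare. Swapping the HMAC for a real signature (Ed25519, RSA-PSS, or a Sigstore-style attestation) changes only `sign_manifest` and the first check in `verify_artifacts`.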

Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications
Ex2: Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification
Ex3: Block access to personal email, file sharing, file storage services, and other personal communications applications and services from organizational systems and networks
Ex4: Prevent reuse of sensitive data from production environments (e.g., customer records) in development, testing, and other non-production environments

Ex1: Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
Ex2: Protect data in use from access by other users and processes of the same platform

Ex1: Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
Ex2: Test backups and restores for all types of data sources at least annually
Ex3: Securely store some backups offline and offsite so that an incident or disaster will not damage them
Ex4: Enforce geographic separation and geolocation restrictions for data backup storage

Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organization’s cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
Ex2: Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software
Ex3: Monitor implemented software for deviations from approved baselines

Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
Ex2: Update container images, and deploy new container instances to replace rather than update existing instances
Ex3: Replace end-of-life software and service versions with supported, maintained versions
Ex4: Uninstall and remove unauthorized software and services that pose undue risks
Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse
Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence

Ex1: Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
Ex2: Define and implement plans for hardware end-of-life maintenance support and obsolescence
Ex3: Perform hardware disposal in a secure, responsible, and auditable manner

Ex1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records
Ex2: Configure log generators to securely share their logs with the organization’s logging infrastructure systems and services
Ex3: Configure log generators to record the data needed by zero-trust architectures

Ex1: When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorized software
Ex2: Verify the source of new software and the software’s integrity before installing it
Ex3: Configure platforms to use only approved DNS services that block access to known malicious domains
Ex4: Configure platforms to allow the installation of organization-approved software only

Ex1: Protect all components of organization-developed software from tampering and unauthorized access
Ex2: Secure all software produced by the organization, with minimal vulnerabilities in their releases
Ex3: Maintain the software used in production environments, and securely dispose of software once it is no longer needed

Ex1: Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
Ex2: Logically segment organization networks from external networks, and permit only necessary communications to enter the organization’s networks from the external networks
Ex3: Implement zero trust architectures to restrict network access to each resource to the minimum necessary
Ex4: Check the cyber health of endpoints before allowing them to access and use production resources

Ex1: Protect organizational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity
Ex2: Include protection from environmental threats and provisions for adequate operating infrastructure in requirements for service providers that operate systems on the organization’s behalf

Ex1: Avoid single points of failure in systems and infrastructure
Ex2: Use load balancing to increase capacity and improve reliability
Ex3: Use high-availability components like redundant storage and power supplies to improve system reliability

Ex1: Monitor usage of storage, power, compute, network bandwidth, and other resources
Ex2: Forecast future needs, and scale resources accordingly

Ex1: Monitor DNS, BGP, and other network services for adverse events
Ex2: Monitor wired and wireless networks for connections from unauthorized endpoints
Ex3: Monitor facilities for unauthorized or rogue wireless networks
Ex4: Compare actual network flows against baselines to detect deviations
Ex5: Monitor network communications to identify changes in security postures for zero trust purposes

Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts
Ex2: Review and monitor physical access records (e.g., from visitor registration, sign-in sheets)
Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) for signs of tampering
Ex4: Monitor the physical environment using alarm systems, cameras, and security guards

Ex1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats
Ex2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts
Ex3: Continuously monitor deception technology, including user accounts, for any usage

Ex1: Monitor remote and onsite administration and maintenance activities that external providers perform on organizational systems
Ex2: Monitor activity from cloud-based services, internet service providers, and other service providers for deviations from expected behavior

Ex1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events
Ex2: Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse
Ex3: Monitor software configurations for deviations from security baselines
Ex4: Monitor hardware and software for signs of tampering
Ex5: Use technologies with a presence on endpoints to detect cyber health issues (e.g., missing patches, malware infections, unauthorized software), and redirect the endpoints to a remediation environment before access is authorized

Ex1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise
Ex3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation
Ex4: Use log analysis tools to generate reports on their findings

Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers
Ex2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources
Ex3: Utilize cyber threat intelligence to help correlate events among log sources
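
Two of the implementation examples on this page describe the same detection problem from different ends: the earlier "Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse", and the correlation examples just above (Ex2 and Ex3), where individual events only become meaningful once they are grouped by source, account and time. The block below is an added illustration of that correlation step, not code from the NIST spreadsheet or any SIEM product. It parses a constructed authentication log (a hypothetical line format; the users, addresses and timestamps are made up) and raises three kinds of alert that a single event can never trigger on its own: one source failing against many accounts (password spraying), a success following repeated failures for the same account and source, and one account succeeding from two sources inside a short window. The thresholds and window are illustrative parameters, not values from the framework.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in a hypothetical line format.
# Not output from any real system; one deliberately malformed line is included.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03Z auth FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05Z auth FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07Z auth FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09Z auth FAIL user=erin src=203.0.113.7
2024-05-01T09:01:00Z auth FAIL user=frank src=198.51.100.20
2024-05-01T09:01:10Z auth FAIL user=frank src=198.51.100.20
2024-05-01T09:01:20Z auth FAIL user=frank src=198.51.100.20
2024-05-01T09:01:30Z auth OK user=frank src=198.51.100.20
2024-05-01T09:02:00Z auth GARBLED
2024-05-01T09:05:00Z auth OK user=grace src=192.0.2.10
2024-05-01T09:06:00Z auth OK user=grace src=192.0.2.44
2024-05-01T09:30:00Z auth OK user=alice src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log: str) -> list[dict]:
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # never let one bad line stall the whole pipeline
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: list[dict], window: timedelta = timedelta(minutes=5),
           spray_accounts: int = 5, brute_fails: int = 3) -> list[tuple]:
    """Correlate authentication events into alerts. Thresholds are illustrative."""
    alerts: list[tuple] = []

    # Password spraying: one source failing against many distinct accounts in a window.
    fails_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails_by_src[ev["src"]].append(ev)
    for src, evs in fails_by_src.items():
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= spray_accounts:
                alerts.append(("password_spray", src))
                break

    # Success after repeated failures for the same account and source: a guessed
    # or brute-forced credential, which a lone "OK" event would never reveal.
    by_user_src = defaultdict(list)
    for ev in events:
        by_user_src[(ev["user"], ev["src"])].append(ev)
    for (user, src), evs in by_user_src.items():
        fail_times = []
        for ev in evs:
            if ev["result"] == "FAIL":
                fail_times.append(ev["ts"])
                continue
            if len([t for t in fail_times if ev["ts"] - t <= window]) >= brute_fails:
                alerts.append(("success_after_failures", user, src))
            fail_times = []

    # Same account succeeding from different sources within a window: credential
    # reuse or sharing, the "unauthorized credential reuse" case in the example.
    ok_by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "OK":
            ok_by_user[ev["user"]].append(ev)
    for user, evs in ok_by_user.items():
        for i, first in enumerate(evs):
            sources = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(sources) >= 2:
                alerts.append(("concurrent_sources", user))
                break

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Each detector keys on a different grouping (source, account and source, account) over the same sorted event stream, which is the shape a SIEM correlation rule takes regardless of product. The "concurrent sources" rule is the one most likely to need tuning against legitimate behaviour such as VPN roaming, so it is the first place to feed in the asset-inventory and threat-intelligence context that the examples below call for.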

Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates
Ex2: A person creates their own estimates of impact and scope

Ex1: Use cybersecurity software to generate alerts and provide them to the security operations center (SOC), incident responders, and incident response tools
Ex2: Incident responders and other authorized personnel can access log analysis findings at all times
Ex3: Automatically create and assign tickets in the organization’s ticketing system when certain types of alerts occur
Ex4: Manually create and assign tickets in the organization’s ticketing system when technical staff discover indicators of compromise

Ex1: Securely provide cyber threat intelligence feeds to detection technologies, processes, and personnel
Ex2: Securely provide information from asset inventories to detection technologies, processes, and personnel
Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization’s technologies from suppliers, vendors, and third-party security advisories

Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
Ex2: Take known false positives into account when applying incident criteria

Ex1: Detection technologies automatically report confirmed incidents
Ex2: Request incident response assistance from the organization’s incident response outsourcer
Ex3: Designate an incident lead for each incident
Ex4: Initiate execution of additional cybersecurity plans as needed to support incident response (for example, business continuity and disaster recovery)

Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related and necessitate incident response activities
Ex2: Apply criteria to estimate the severity of an incident

Ex1: Further review and categorize incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise)
Ex2: Prioritize incidents based on their scope, likely impact, and time-critical nature
Ex3: Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation

Ex1: Track and validate the status of all ongoing incidents
Ex2: Coordinate incident escalation or elevation with designated internal and external stakeholders

Ex1: Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated
Ex2: Take the possible operational disruption of incident recovery activities into account

Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
Ex3: Analyze the incident to find the underlying, systemic root causes
Ex4: Check any cyber deception technology for additional information on attacker behavior

Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable
Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported

Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures

Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
Ex2: Automatically run tools on targets to look for indicators of compromise and evidence of persistence

Ex1: Follow the organization’s breach notification procedures after discovering a data breach incident, including notifying affected customers
Ex2: Notify business partners and customers of incidents in accordance with contractual requirements
Ex3: Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval

Ex1: Securely share information consistent with response plans and information sharing agreements
Ex2: Voluntarily share information about an attacker’s observed TTPs, with all sensitive data removed, with an Information Sharing and Analysis Center (ISAC)
Ex3: Notify HR when malicious insider activity occurs
Ex4: Regularly update senior leadership on the status of major incidents
Ex5: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex6: Coordinate crisis communication methods between the organization and its critical suppliers

Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform containment actions
Ex2: Allow incident responders to manually select and perform containment actions
Ex3: Allow a third party (e.g., internet service provider, managed security service provider) to perform containment actions on behalf of the organization
Ex4: Automatically transfer compromised endpoints to a remediation virtual local area network (VLAN)

Ex1: Cybersecurity technologies and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform eradication actions
Ex2: Allow incident responders to manually select and perform eradication actions
Ex3: Allow a third party (e.g., managed security service provider) to perform eradication actions on behalf of the organization

Ex1: Begin recovery procedures during or after incident response processes
Ex2: Make all individuals with recovery responsibilities aware of the plans for recovery and the authorizations required to implement each aspect of the plans

Ex1: Select recovery actions based on the criteria defined in the incident response plan and available resources
Ex2: Change planned recovery actions based on a reassessment of organizational needs and resources

Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use

Ex1: Use business impact and system categorization records (including service delivery objectives) to validate that essential services are restored in the appropriate order
Ex2: Work with system owners to confirm the successful restoration of systems and the return to normal operations
Ex3: Monitor the performance of restored systems to verify the adequacy of the restoration

Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
Ex2: Verify the correctness and adequacy of the restoration actions taken before putting a restored system online

Ex1: Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned
Ex2: Declare the end of incident recovery once the criteria are met

Ex1: Securely share recovery information, including restoration progress, consistent with response plans and information sharing agreements
Ex2: Regularly update senior leadership on recovery status and restoration progress for major incidents
Ex3: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex4: Coordinate crisis communication between the organization and its critical suppliers

Ex1: Follow the organization’s breach notification procedures for recovering from a data breach incident
Ex2: Explain the steps being taken to recover from the incident and to prevent a recurrence
