CSF 1.1 To 2.0 Core Transition Changes
Transition columns: Relocation, Noteworthy Modifications, Implementation Examples
CSF 1.1 to 2.0 Core Transition Changes Overview
provides information regarding the transition of individual Categories and Subcategories from NIST CSF version 1.1
is a supplement to the PDF available at: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-
spreadsheet is intended as an aid to anyone who is converting a CSF 1.1 Profile, mapping, or other CSF 1.1 Core-
to use the CSF 2.0 Core structure.
errors or issues to [email protected].
an explanation of the contents of each column from the second tab of the spreadsheet. The second tab provides a
of the changes in each Category and Subcategory from CSF version 1.1 to version 2.0.
Subcategory identifiers in version 2.0 use leading zeros (e.g., ID.AM-01 instead of ID.AM-1) to facilitate text sorting by
The change analysis in the second tab does not note the addition of leading zeros to identifiers.
Relocation:
A single CSF 1.1 element could have multiple relocations within CSF 2.0—for example, incorporating a small part of its meaning into a different CSF 2.0 element, while moving the rest of its meaning and existing wording into a separate CSF 2.0 element. In some cases, a single CSF 1.1 element is incorporated into several CSF 2.0 elements.
N indicates that the CSF 1.1 element has not been relocated in CSF 2.0 and can be found at the same identifier. However, the element might or might not have significant changes to its wording.
N/A indicates that there is no CSF 1.1 element in this row.

Noteworthy Modifications:
A description of any noteworthy modifications to the wording of the Category or Subcategory (element) from 1.1 to 2.0. The following is a list of keywords used for the modifications, each comparing a single CSF 1.1 element to a CSF 2.0 counterpart:
Added: Expanded the scope for CSF 2.0
Removed: Reduced the scope for CSF 2.0
Changed: Replaced some CSF 1.1 wording with different CSF 2.0 wording
Clarified: Shortened and/or simplified the CSF 1.1 wording
Centralized: Merged the meaning of multiple CSF 1.1 elements within a single CSF 2.0 element
None: No noteworthy modifications; minor editorial changes that did not change the meaning might have been made
N/A: There is no CSF 1.1 element in this row
CSF 1.1 Identifier | CSF 1.1 Description | CSF 1.1 SORT-ID | Relocation
ID.GV | The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | v11-015 | Y (moved to)
 | | v11-137 | N/A
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | v11-017 | Y (incorporated into)
 | | v11-138 | N/A
 | | v11-139 | N/A
 | | v11-140 | N/A
 | | v11-141 | N/A
 | | v11-142 | N/A
PR.AC | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | v11-038 | Y (moved to)
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | v11-039 | Y (moved to)
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | v11-045 | Y (moved to)
 | | v11-144 | N/A
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | v11-039 | Y (incorporated into)
 | | v11-146 | N/A
 | | v11-147 | N/A
 | | v11-148 | N/A
Noteworthy Modifications | CSF 2.0 Identifier | CSF 2.0 Description | Relocation | SORT-ID
Clarified the original wording | GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | N | v20-003
Changed scope to include all stakeholder needs and expectations for cybersecurity, not just roles and responsibilities | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | N | v20-004
Changed scope to be specific to identification of certain external stakeholders | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | N | v20-004
Added contractual requirements | GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | N | v20-005
Changed scope to be specific to what stakeholders depend on | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | N | v20-006
Added delivery of critical objectives and capabilities | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | N | v20-006
Clarified the original wording | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | N | v20-007
Changed scope to be specific to what the organization itself depends on | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | N | v20-007
Added "risk appetite"; Added "maintained" | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | N | v20-010
Removed "role in critical infrastructure and sector specific risk analysis"; Added "risk appetite"; Changed "informed" to "established, communicated, and maintained" | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | N | v20-010
Removed "governance"; Clarified the original wording | GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | N | v20-011
Changed scope to be specific to risk tolerance as expressed through risk response strategy | GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | N | v20-012
Changed scope to specifically mention communication of cybersecurity supply chain risks | GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | N | v20-013
Changed scope to be specific to how cybersecurity risks are calculated, documented, categorized, and prioritized | GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | N | v20-014
Added maintenance of policy; Added policy enforcement | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | N | v20-023
Changed the scope to only include policy maintenance | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | N | v20-023
Clarified the wording by simplifying it; Added "identified, managed, monitored, and improved" processes | GV.SC | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders | N | v20-028
Added "program, strategy, objectives, policies" to "processes"; Removed "identified," "assessed," and "managed" | GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | N | v20-029
Removed workforce from scope; Added "communicated" and "coordinated" | GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | N | v20-030
Changed the scope to only identifying and prioritizing suppliers | GV.SC-04 | Suppliers are known and prioritized by criticality | N | v20-032
Clarified the original wording | GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | N | v20-033
Changed scope to be specific to addressing risks before entering into an agreement | GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | N | v20-034
Changed the scope to only understanding supplier-related risk throughout the supplier life cycle | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | N | v20-035
Changed the focus from suppliers and partners to the risks they and their products and services pose; Changed "assessed" to "understood, recorded, prioritized, assessed, responded to, and monitored" | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | N | v20-035
Removed the testing component of ID.SC-5 (moved to ID.IM-02) | GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | N | v20-036
Changed scope to be specific to integrating cyber supply chain risk management into cybersecurity and enterprise risk management programs | GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | N | v20-037
Changed scope to be specific to risk management plans addressing post-agreement processes | GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | N | v20-038
Added "data" and "services" as types of assets | ID.AM | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy | N | v20-040
Changed "within the organization" to "managed by the organization"; Changed "physical devices and systems" to "hardware" | ID.AM-01 | Inventories of hardware managed by the organization are maintained | N | v20-041
Added "services" and "systems"; Changed "within the organization" to "managed by the organization" | ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | N | v20-042
Centralized life cycle management items in ID.AM-08 | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Changed the scope to include the entire life cycle; Changed "assets" to "systems, hardware, software, services, and data"; Removed "formally" | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | N | v20-047
Clarified original wording; Changed "cybersecurity risk to organizational operations" to "cybersecurity risk to the organization" | ID.RA | The cybersecurity risk to the organization, assets, and individuals is understood by the organization | N | v20-048
Added "planned, tracked, and communicated"; Changed "identified" to "chosen" | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | N | v20-054
Changed scope from two forms of risk responses (mitigating or accepting) to all forms; Changed scope to include the full risk response life cycle | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | N | v20-054
Changed the scope to change management | ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | N | v20-055
Removed examples from the description; Clarified the original wording by simplifying it | ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | N | v20-056
Changed the scope to only assessing critical suppliers before acquisition | ID.RA-10 | Critical suppliers are assessed prior to acquisition | N | v20-058
Changed the scope to only include performing assessments before certain acquisitions | ID.RA-10 | Critical suppliers are assessed prior to acquisition | N | v20-058
Centralized all improvement items in ID.IM | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | N | v20-061
Changed the scope to only include process and procedure maintenance | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Centralized all improvement items in ID.IM | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | N | v20-062
Changed list of plans to be broader; Changed "plans…are in place and managed" to "plans…are established, communicated, maintained, and improved" | ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | N | v20-063
Centralized all improvement items in ID.IM | ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | N | v20-063
Removed "associated facilities" (redundant: type of physical asset); Changed "users, processes, and devices" to "users, services, and hardware" | PR.AA | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access | N | v20-065
Changed "issued, managed, verified, revoked, and audited" to "managed" (managed includes the others); Changed "devices, users and processes" to "users, services, and hardware" | PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization | N | v20-066
Removed "and asserted in"; Added "based on the context of" | PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | N | v20-067
Clarified original wording; Changed the scope to only include the authentication component of remote access management | PR.AA-03 | Users, services, and hardware are authenticated | N | v20-068
Removed examples from description; Changed "Users, devices, and other assets" to "Users, services, and hardware"; Removed "commensurate with the risk of the transaction" (unnecessarily specific) | PR.AA-03 | Users, services, and hardware are authenticated | N | v20-068
Changed the scope to only include the authorization component of remote access management | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | N | v20-070
Removed third parties from the scope; Clarified the original wording by simplifying it | PR.AT | The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks | N | v20-072
Changed scope from "users" to "personnel"; Added the desired outcome | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | N | v20-073
Centralized all training and awareness items in PR.AT-01 and PR.AT-02 | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | N | v20-073
Centralized all training and awareness items in PR.AT | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | N | v20-073
Changed scope from "privileged users" to the broader "individuals in specialized roles"; Added the desired outcome | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | N | v20-074
Centralized all training and awareness items in PR.AT-01 and PR.AT-02 | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | N | v20-074
Clarified the original wording by simplifying it | PR.DS | Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information | N | v20-075
Added "confidentiality, integrity, and availability" | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Centralized all data-at-rest protection items in PR.DS-01 | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Centralized all data-at-rest protection items in PR.DS-01; Removed "integrity checking mechanisms" (redundant) | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | N | v20-076
Added "confidentiality, integrity, and availability" | PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected | N | v20-077
Centralized all data-in-use protection items in PR.DS-10 | PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected | N | v20-078
Added "protected" | PR.DS-11 | Backups of data are created, protected, maintained, and tested | N | v20-079
Changed the scope to only include using policies, processes, and procedures to protect physical and virtual platforms | PR.PS | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability | N | v20-080
Centralized maintenance items in PR.PS; Removed "industrial control and information system components" to broaden to all computing technologies | PR.PS | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability | N | v20-080
Changed the wording to generalize and broaden its scope | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Changed the scope to configuration management | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Centralized all configuration items in PR.PS-01 | PR.PS-01 | Configuration management practices are established and applied | N | v20-081
Changed scope from assets to hardware | PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | N | v20-083
Changed "determined, documented, implemented" to "generated"; Removed log review from scope | PR.PS-04 | Log records are generated and made available for continuous monitoring | N | v20-084
Changed the scope to only include using policies, processes, and procedures to manage security architectures that protect assets | PR.IR | Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience | N | v20-087
Changed "technical security solutions" to "security architectures"; Clarified the original wording by simplifying it | PR.IR | Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience | N | v20-087
Changed the scope to only include the network access component of remote access management | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | N | v20-088
Changed the wording to generalize and broaden its scope | PR.IR-02 | The organization’s technology assets are protected from environmental threats | N | v20-089
Added "network services"; Changed "cybersecurity events" to "adverse events" | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Changed from what events are detected to where events are detected (on networks) | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Changed scope to be specific to monitoring networks and network services | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | N | v20-094
Added "technology usage"; Changed "cybersecurity events" to "adverse events" | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | N | v20-096
Changed scope to be specific to monitoring personnel | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | N | v20-096
Removed "firmware" (already part of software); Removed "integrity checking mechanisms" (redundant); Centralized software continuous monitoring in DE.CM-09 | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed scope to include all hardware monitoring | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Changed from what events are detected to where events are detected (on devices) | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | N | v20-098
Removed "comply with all applicable requirements" (unnecessary); Changed scope from all detection activities to analysis of certain types of detected events | DE.AE | Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents | N | v20-099
Changed "detected events" to "potentially adverse events" to narrow scope; Changed "attack targets and methods" to "associated activities" to broaden scope | DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | N | v20-100
Clarified the original wording | DE.AE-04 | The estimated impact and scope of adverse events are understood | N | v20-102
Changed scope to be specific to correlation through contextual information, including cyber threat intelligence | DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | N | v20-104
Changed "incident alert thresholds" to "defined incident criteria" and added the use of the criteria | DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | N | v20-105
Clarified the original wording | RS | Actions regarding a detected cybersecurity incident are taken | N | v20-106
Added "once an incident is declared"; Added "in coordination with relevant third parties" (coordination within the organization is already implied) | RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared | N | v20-108
Changed the wording to generalize and broaden its scope (to include response plan execution); Added "in coordination with relevant third parties" (coordination within the organization is already implied) | RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared | N | v20-108
Changed "notifications from detection systems" to "incident reports" to indicate that an incident has already been declared or reported | RS.MA-02 | Incident reports are triaged and validated | N | v20-109
Changed scope to be specific to incident triage | RS.MA-02 | Incident reports are triaged and validated | N | v20-109
Changed scope to be specific to incident categorization and prioritization | RS.MA-03 | Incidents are categorized and prioritized | N | v20-110
Added "prioritized"; Removed "consistent with response plans" (redundant) | RS.MA-03 | Incidents are categorized and prioritized | N | v20-110
Changed scope to only include determining if recovery should be initiated | RS.MA-05 | The criteria for initiating incident recovery are applied | N | v20-112
Added support for forensic activities; Changed "analysis" to "investigations" | RS.AN | Investigations are conducted to ensure effective response and support forensics and recovery activities | N | v20-113
Changed scope from forensics to analysis (which can also include forensics) | RS.AN-03 | Analysis is performed to establish what has taken place during an incident and the root cause of the incident | N | v20-114
Removed examples from description; Added "as required by laws, regulations, or policies" | RS.CO | Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies | N | v20-118
Changed scope to be specific to stakeholder notification | RS.CO-02 | Internal and external stakeholders are notified of incidents | N | v20-119
Removed "resolve the incident" | RS.MI | Activities are performed to prevent expansion of an event and mitigate its effects | N | v20-121
Changed "recovery plan" to "recovery portion of the incident response plan"; Added "once initiated from the incident response process" | RC.RP-01 | The recovery portion of the incident response plan is executed once initiated from the incident response process | N | v20-126
Changed scope to management of actions performed during recovery | RC.RP-02 | Recovery actions are selected, scoped, prioritized, and performed | N | v20-127
Changed the scope to be specific to testing/verifying backups before use | RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration | N | v20-128
Removed examples from description | RC.CO | Restoration activities are coordinated with internal and external parties | N | v20-132
Added "progress in restoring operational capabilities"; Removed redundancy in the list of parties to communicate with | RC.CO-03 | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | N | v20-133
Changed scope to be specific to public notification | RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging | N | v20-134
Changed scope to be specific to using public updates on incident recovery to help manage public relations | RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging | N | v20-134
Changed scope to be specific to using public updates on incident recovery to help repair the organization’s reputation | RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging | N | v20-134
Implementation Examples

Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
Ex3: Include critical suppliers in incident response exercises and simulations
Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
Ex5: Conduct collaborative lessons learned sessions with critical suppliers

Ex1: Policies and procedures require provenance records for all acquired technology products and services
Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes