NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
The NIST CSF 2.0 provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or cybersecurity sophistication — to better understand, assess, prioritize, and communicate its cybersecurity efforts. Version 2.0 added the Govern function and expanded guidance for supply chain risk management.
Issuing Body: National Institute of Standards and Technology (NIST)
Version: 2.0
Published: 2024-02-26
Controls: 70
Mapped Laws: 64
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| ID.AM-01 | Asset Inventory — Hardware | Inventories of hardware managed by the organization are maintained. | Identify | |
| PR.AA-01 | Identity Management | Identities and credentials for authorized users, services, and hardware are managed by the organization. | Protect | |
| RS.MA-01 | Incident Execution | The incident response plan is executed in coordination with relevant third parties once an incident is declared. | Respond | |
| GV.OC-01 | Organizational Context | The organizational mission is understood and informs cybersecurity risk management. | Govern | |
| RC.RP-01 | Recovery Plan | The recovery portion of the incident response plan is executed once initiated from the incident response process. | Recover | |
| DE.AE-02 | Event Analysis | Potentially adverse events are analyzed to better characterize them. | Detect | |
| GV.OC-02 | Internal Stakeholders | Internal stakeholders with cybersecurity risk management roles and responsibilities are identified. | Govern | |
| DE.AE-03 | Information Correlation | Information is correlated from multiple sources. | Detect | |
| PR.AA-02 | Identity Proofing | Identities are proofed and bound to credentials based on the context of interactions. | Protect | |
| RS.MA-02 | Incident Triage | Incidents are triaged to support analysis and prioritization of handling. | Respond | |
| RC.RP-02 | Recovery Actions | Recovery actions are selected, scoped, prioritized, and performed. | Recover | |
| ID.AM-02 | Asset Inventory — Software | Inventories of software, services, and systems managed by the organization are maintained. | Identify | |
| ID.AM-03 | Network Representation | Representations of the organization's authorized network communication and internal and external network data flows are maintained. | Identify | |
| RS.MA-03 | Incident Escalation | Incidents are escalated or elevated as needed. | Respond | |
| GV.OC-03 | Legal Requirements | Legal, regulatory, and contractual requirements regarding cybersecurity are understood and managed. | Govern | |
| PR.AA-03 | Authentication | Users, services, and hardware are authenticated. | Protect | |
| DE.AE-04 | Impact Estimation | The estimated impact and scope of adverse events are understood. | Detect | |
| RC.RP-03 | Restoration Integrity | The integrity of backups and other restoration assets is verified before using them for restoration. | Recover | |
| GV.OC-04 | Critical Objectives | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated. | Govern | |
| RC.RP-04 | Critical Services Restoration | Critical mission functions and cybersecurity services are re-established. | Recover | |
| DE.AE-06 | Incident Alerting | A plan is in place to communicate suspected cybersecurity incidents and vulnerabilities to designated internal and external stakeholders. | Detect | |
| RS.MA-04 | Incident Criteria | Incidents are categorized and classified. | Respond | |
| ID.AM-04 | External Systems | Inventories of services provided by suppliers, partners, and third parties are maintained. | Identify | |
| PR.AA-04 | Identity Assertions | Identity assertions are protected, conveyed, and verified. | Protect | |
| RC.RP-05 | Recovery Completion | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed. | Recover | |
| DE.AE-07 | Cyber Intelligence | Cyber threat intelligence and other contextual information are integrated into the analysis. | Detect | |
| ID.AM-05 | Asset Prioritization | Assets are prioritized based on classification, criticality, resources, and impact on the mission. | Identify | |
| GV.OC-05 | Outcomes and Dependencies | Outcomes, capabilities, and services that the organization depends on are understood and communicated. | Govern | |
| PR.AA-05 | Access Rights | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed. | Protect | |
| RS.MA-05 | Incident Termination | The criteria for initiating and terminating incident response are established. | Respond | |
| ID.AM-07 | Data Inventory | Inventories of data and corresponding metadata for designated data types are maintained. | Identify | |
| PR.AA-06 | Physical Access | Physical access to assets is managed, monitored, and enforced commensurate with risk. | Protect | |
| DE.AE-08 | Incident Declaration | Incidents are declared when adverse events meet the defined incident criteria. | Detect | |
| RS.AN-03 | Analysis Tasks | Analysis is performed to establish what has taken place during an incident and the root cause of the incident. | Respond | |
| GV.RM-01 | Risk Management Strategy | Risk management objectives are established and agreed to by organizational stakeholders. | Govern | |
| RC.RP-06 | Incident Closure | The end of incident recovery is declared based on criteria, and incident-related documentation is completed. | Recover | |
| RC.CO-03 | Recovery Communications | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders. | Recover | |
| GV.RM-02 | Risk Appetite | Risk appetite and risk tolerance statements are established, communicated, and maintained. | Govern | |
| PR.AT-01 | Awareness Training | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind. | Protect | |
| RS.AN-06 | Actions Cataloged | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved. | Respond | |
| DE.CM-01 | Network Monitoring | Networks and network services are monitored to find potentially adverse events. | Detect | |
| ID.RA-01 | Vulnerability Identification | Vulnerabilities in assets are identified, validated, and recorded. | Identify | |
| RS.AN-07 | Incident Scope | The magnitude of an incident and its impact on the organization and its stakeholders are understood. | Respond | |
| GV.RM-03 | Cybersecurity Risk Management | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes. | Govern | |
| RC.CO-04 | Public Communications | Public updates on incident recovery are shared using approved messaging and channels. | Recover | |
| PR.DS-01 | Data-at-Rest Protection | The confidentiality, integrity, and availability of data-at-rest are protected. | Protect | |
| DE.CM-02 | Physical Environment Monitoring | The physical environment is monitored to find potentially adverse events. | Detect | |
| ID.RA-02 | Cyber Threat Intelligence | Cyber threat intelligence is received from information sharing forums and sources. | Identify | |
| GV.RM-06 | Policies and Procedures | Policies, processes, procedures, and practices covering the organization's cybersecurity expectations are established and communicated. | Govern | |
| ID.RA-03 | Threat Identification | Internal and external threats to the organization are identified and recorded. | Identify | |
| RS.AN-08 | Notifications | Notifications are provided to relevant internal and external stakeholders as required by laws, regulations, or policies. | Respond | |
| DE.CM-03 | Personnel Activity Monitoring | Personnel activity and technology usage are monitored to find potentially adverse events. | Detect | |
| PR.DS-02 | Data-in-Transit Protection | The confidentiality, integrity, and availability of data-in-transit are protected. | Protect | |
| RS.CO-02 | Internal Reporting | Internal stakeholders are notified of incidents. | Respond | |
| GV.RM-07 | Cybersecurity Program | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions. | Govern | |
| PR.DS-10 | Data-in-Use Protection | The confidentiality, integrity, and availability of data-in-use are protected. | Protect | |
| ID.RA-05 | Risk Assessment | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform prioritization. | Identify | |
| DE.CM-06 | External Service Provider Monitoring | External service provider activities and services are monitored to find potentially adverse events. | Detect | |
| DE.CM-09 | Computing Hardware and Software Monitoring | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events. | Detect | |
| RS.CO-03 | External Reporting | Information is shared with designated external stakeholders in accordance with response plans. | Respond | |
| GV.RR-01 | Roles and Responsibilities | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving. | Govern | |
| ID.RA-06 | Risk Response | Risk responses are chosen, prioritized, planned, tracked, and communicated. | Identify | |
| PR.IR-01 | Network Integrity | Networks and environments are protected from unauthorized logical access and usage. | Protect | |
| RS.MI-01 | Incident Containment | Incidents are contained. | Respond | |
| ID.IM-01 | Improvement Plan | Improvements are identified from evaluations. | Identify | |
| PR.IR-02 | Secure Development | The organization's technology development and change management processes include cybersecurity practices. | Protect | |
| GV.RR-02 | Cybersecurity Roles | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, and enforced. | Govern | |
| RS.MI-02 | Incident Eradication | Incidents are eradicated. | Respond | |
| PR.IR-03 | Hardware and Software Integrity | Hardware and software are managed consistently and comprehensively to understand, assess, and manage their integrity. | Protect | |
| PR.IR-04 | Adequate Capacity | Adequate resource capacity to ensure availability is maintained. | Protect | |