Version 2.0

NIST CSF

NIST Cybersecurity Framework


A voluntary framework of standards, guidelines, and practices for managing cybersecurity risk, organized into Functions, Categories, and Subcategories (outcome statements, not prescriptive controls). Version 2.0 added the Govern function to emphasize organizational governance, bringing the total to six functions: Govern, Identify, Protect, Detect, Respond, Recover. The subcategories listed here are a selection, not the full set.

20 subcategories · 6 functions

GOVERN

GV.OC-01

Organizational Context

Organizational Context

The organizational mission is understood and informs cybersecurity risk management.

GV.RM-01

Risk Management Strategy

Risk Management Strategy

Risk management objectives are established and agreed to by organizational stakeholders.

GV.PO-01

Policy

Policy

Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities, and is communicated and enforced.

IDENTIFY

ID.AM-01

Hardware Inventory

Asset Management

Inventories of hardware managed by the organization are maintained.

ID.AM-02

Software Inventory

Asset Management

Inventories of software, services, and systems managed by the organization are maintained.

ID.RA-01

Risk Assessment

Risk Assessment

Vulnerabilities in assets are identified, validated, and recorded.

ID.RA-02

Cyber Threat Intelligence

Risk Assessment

Cyber threat intelligence is received from information sharing forums and sources.
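The Identify outcomes above hang together: a vulnerability cannot be "identified, validated, and recorded" (ID.RA-01) for a host that is missing from the inventory (ID.AM-01/02), and a product-name match against an advisory is not validation until the installed version is checked. The following is an added example, not part of the NIST CSF text or any NIST tooling; the hosts, products, versions and the advisory identifier ADV-0001 are constructed for illustration and are not real assets or a real CVE.

```python
"""Added example (not part of the NIST CSF text): reconcile a software
inventory (ID.AM-02) against a vulnerability advisory and record only
validated findings (ID.RA-01). Hosts, products, versions and the advisory
identifier are constructed for this illustration (ADV-0001 is not a real CVE)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE
    product: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


@dataclass(frozen=True)
class Finding:
    host: str
    advisory_id: str
    installed: str
    validated: bool    # True only when the installed version is in the affected range
    note: str


# Constructed inventory and advisory feed.
INVENTORY = [
    Asset("web-01", "nginx", "1.24.0"),
    Asset("web-02", "nginx", "1.25.3"),
    Asset("web-03", "nginx", "1.9.5"),
    Asset("db-01", "postgresql", "15.4"),
]
ADVISORIES = [Advisory("ADV-0001", "nginx", "1.20.0", "1.25.0")]


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def version_in_range(installed, introduced, fixed):
    """Compare numerically, not lexically: '1.9.5' sorts after '1.20.0' as a
    string but is an older version."""
    iv = parse_version(installed)
    return parse_version(introduced) <= iv < parse_version(fixed)


def assess(inventory, advisories):
    """Record one finding per (advisory, matching asset), marking it validated
    only when the installed version is actually inside the affected range."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if asset.product != adv.product:
                continue
            affected = version_in_range(asset.version, adv.introduced, adv.fixed)
            findings.append(Finding(
                host=asset.host,
                advisory_id=adv.advisory_id,
                installed=asset.version,
                validated=affected,
                note=("installed version inside affected range" if affected
                      else "product matches but installed version outside affected range"),
            ))
    return findings


def uninventoried(observed_hosts, inventory):
    """Hosts seen on the network but absent from the inventory cannot be
    assessed at all: a gap in ID.AM-01/02 is a blind spot for ID.RA-01."""
    known = {a.host for a in inventory}
    return sorted(h for h in observed_hosts if h not in known)


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f)
    print("not in inventory:", uninventoried({"web-01", "web-09"}, INVENTORY))
```

Only web-01 ends up as a validated finding; web-02 and web-03 match the product but not the version range, and db-01 is never compared. The recorded note on the non-validated entries is what lets a later review see that the host was checked rather than overlooked.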

PROTECT

PR.AA-01

Identity Management

Identity Management & Access Control

Identities and credentials for authorized users, services, and hardware are managed.

PR.AA-05

Access Control

Identity Management & Access Control

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
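Least privilege and separation of duties are the two checks an access review actually runs: does any single identity hold a pair of permissions that must stay apart, and which granted permissions were never exercised? The following is an added example, not part of the NIST CSF text; the roles, permission strings, user assignments, separation-of-duties rules and access log are all constructed for illustration.

```python
"""Added example (not part of the NIST CSF text): review access grants for
separation-of-duties conflicts and least-privilege candidates. Roles,
permission strings, users and the access log are constructed."""

# Constructed role -> permission mapping (permission names are hypothetical).
ROLES = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "deployer": {"prod:deploy", "repo:read"},
    "approver": {"prod:approve", "repo:read"},
    "auditor": {"audit:read"},
}

# Constructed user -> roles assignment.
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"deployer", "approver"},   # can both approve and deploy: SoD conflict
    "carol": {"auditor"},
}

# Separation-of-duties rules: permission pairs no single identity may hold together.
SOD_RULES = [
    frozenset({"prod:approve", "prod:deploy"}),   # an approver must not self-deploy
    frozenset({"audit:read", "prod:deploy"}),     # auditors must not change what they audit
]

# Constructed access log for the review period: (user, permission exercised).
ACCESS_LOG = [
    ("alice", "repo:read"), ("alice", "repo:write"), ("alice", "repo:read"),
    ("bob", "prod:deploy"), ("bob", "repo:read"),
    ("carol", "audit:read"),
]


def effective_permissions(user):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in ASSIGNMENTS.get(user, set()):
        perms |= ROLES[role]
    return perms


def sod_violations(user):
    """Rules whose permission pair is fully contained in the user's grants,
    returned as sorted tuples so the output is deterministic."""
    held = effective_permissions(user)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= held)


def unused_permissions(user, access_log):
    """Least-privilege candidates: granted but never exercised in the period.
    Unused is not the same as unnecessary (break-glass rights are rarely used),
    so this is input to a human access review, not an automatic revocation."""
    exercised = {perm for u, perm in access_log if u == user}
    return effective_permissions(user) - exercised


def access_review(access_log):
    """One report entry per assigned user."""
    return {
        user: {
            "sod_violations": sod_violations(user),
            "unused": sorted(unused_permissions(user, access_log)),
        }
        for user in ASSIGNMENTS
    }


if __name__ == "__main__":
    for user, entry in access_review(ACCESS_LOG).items():
        print(user, entry)
```

In this data bob trips the approve/deploy rule through two separate roles that are each harmless on their own, which is the usual way such conflicts arise, and alice's unexercised ci:run grant surfaces as a review item rather than being revoked outright.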

PR.DS-01

Data Security at Rest

Data Security

The confidentiality, integrity, and availability of data-at-rest are protected.

PR.DS-02

Data Security in Transit

Data Security

The confidentiality, integrity, and availability of data-in-transit are protected.

PR.PS-01

Configuration Management

Platform Security

Configuration management practices are established and applied.

DETECT

DE.CM-01

Continuous Monitoring

Continuous Monitoring

Networks and network services are monitored to find potentially adverse events.

DE.CM-06

External Service Monitoring

Continuous Monitoring

External service provider activities and services are monitored to find potentially adverse events.

DE.AE-02

Adverse Event Analysis

Adverse Event Analysis

Potentially adverse events are analyzed to better understand associated activities.
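DE.CM-01 and DE.AE-02 are two distinct steps: monitoring produces a candidate event from raw network telemetry, and analysis then enriches it with the associated activity that decides how urgent it is. The following is an added example, not part of the NIST CSF text or of any NIST tooling; the firewall log format, addresses, thresholds and the log lines themselves are constructed for illustration.

```python
"""Added example (not part of the NIST CSF text): find potentially adverse
events in firewall logs (DE.CM-01) and characterize them (DE.AE-02). The log
format, hosts, ports and thresholds are constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical firewall format; not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.9 dport=443 action=ALLOW
2024-05-01T10:00:03Z src=10.0.0.50 dst=10.0.0.9 dport=21 action=DENY
2024-05-01T10:00:04Z src=10.0.0.50 dst=10.0.0.9 dport=23 action=DENY
2024-05-01T10:00:04Z src=10.0.0.50 dst=10.0.0.9 dport=25 action=DENY
2024-05-01T10:00:05Z src=10.0.0.50 dst=10.0.0.9 dport=22 action=ALLOW
2024-05-01T10:00:05Z src=10.0.0.50 dst=10.0.0.9 dport=80 action=DENY
2024-05-01T10:00:06Z src=10.0.0.50 dst=10.0.0.9 dport=443 action=DENY
2024-05-01T10:00:07Z src=10.0.0.50 dst=10.0.0.9 dport=8080 action=DENY
2024-05-01T10:00:09Z src=10.0.0.7 dst=10.0.0.9 dport=3389 action=DENY
2024-05-01T10:01:10Z src=10.0.0.5 dst=10.0.0.9 dport=443 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)$"
)


def parse_log(text):
    """Turn matching lines into records; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"],
        })
    return records


def detect_port_scans(records, min_ports=5, window=timedelta(seconds=60)):
    """DE.CM-01: a source whose DENYs cover >= min_ports distinct ports within
    one window is a potentially adverse event. One event per source."""
    denies = defaultdict(list)
    for r in records:
        if r["action"] == "DENY":
            denies[r["src"]].append(r)
    events = []
    for src, recs in denies.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            ports = {r["dport"] for r in in_window}
            if len(ports) >= min_ports:
                events.append({
                    "type": "port-scan",
                    "src": src,
                    "targets": sorted({r["dst"] for r in in_window}),
                    "distinct_ports": len(ports),
                    "window_start": first["ts"],
                    "window_end": in_window[-1]["ts"],
                })
                break
    return events


def characterize(event, records, lookahead=timedelta(seconds=60)):
    """DE.AE-02: enrich the event with associated activity. Did the same source
    get an ALLOWed connection to a scanned target during or shortly after the
    scan? If so the probing found an open service and the event is upgraded."""
    start, end = event["window_start"], event["window_end"] + lookahead
    followups = sorted(
        (r["dst"], r["dport"])
        for r in records
        if r["action"] == "ALLOW" and r["src"] == event["src"]
        and r["dst"] in event["targets"] and start <= r["ts"] <= end
    )
    event["followup_allows"] = followups
    event["severity"] = "high" if followups else "medium"
    return event


def detect_and_characterize(text):
    records = parse_log(text)
    return [characterize(e, records) for e in detect_port_scans(records)]


if __name__ == "__main__":
    for e in detect_and_characterize(SAMPLE_LOG):
        print(e)
```

The single DENY from 10.0.0.7 stays below the threshold and produces nothing, while 10.0.0.50's six denied probes become a port-scan event; the analysis step then notices the allowed connection to port 22 in the same window and raises the severity, which is information the raw detection alone does not carry.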

RESPOND

RS.MA-01

Incident Management

Incident Management

The incident response plan is executed in coordination with relevant third parties once an incident is declared.

RS.CO-02

Incident Reporting

Incident Response Reporting & Communication

Internal and external stakeholders are notified of incidents.

RS.AN-03

Incident Analysis

Incident Analysis

Analysis is performed to establish what has taken place during an incident and the root cause of the incident.

RECOVER

RC.RP-01

Recovery Plan

Incident Recovery Plan Execution

The recovery portion of the incident response plan is executed once initiated from the incident response process.

RC.CO-03

Recovery Communication

Incident Recovery Communication

Recovery activities and progress in restoring operational capabilities are communicated to designated stakeholders.