NCSC CAF to NIST Mappings
Mappings from the CAF to NIST CSF are taken from the mapping spreadsheet available at UK Government Security, whilst mappings from CSF to SP800-53 are from NIST.
Explore the CAF further here.
CAF ID | CAF Outcome | NIST CSF | NIST SP800-53 Controls |
---|---|---|---|
A1.a | Board Direction | ID.RM-2, ID.BE-3, ID.GV-4 | PM-9, SA-14, PM-11, SA-2, PM-3, PM-10, PM-7 |
A1.b | Roles and Responsibilities | ID.GV-2, PR.AT-5, DE.DP-1, PR.AT-3, ID.GV-4, PR.AT-1, RS.CO-1, PR.AT-2, ID.AM-6, PR.AT-4 | PS-7, PM-2, PM-1, PM-13, AT-3, IR-2, CA-7, CA-2, PM-14, SA-16, SA-9, SA-2, PM-3, PM-10, PM-7, PM-9, PM-11, AT-2, CP-2, IR-3, IR-8, CP-3 |
A1.c | Decision-making | ID.RM-2, ID.GV-4, ID.RM-1, ID.GV-2 | PM-9, SA-2, PM-3, PM-10, PM-7, PM-11, PS-7, PM-2, PM-1 |
A2.a | Risk Management Process | ID.GV-4, ID.RM-2, ID.RA-3, RS.MI-3, ID.RA-4, ID.RA-6, ID.BE-2, PR.IP-2, ID.RM-3, ID.RA-1, ID.RM-1, DE.AE-4 | SA-2, PM-3, PM-10, PM-7, PM-9, PM-11, PM-16, PM-12, SI-5, RA-3, RA-5, CA-7, RA-2, SA-14, PM-4, PM-8, SA-8, SI-14, SI-13, SA-10, SA-11, SA-3, SA-12, SI-12, SI-17, SA-17, SI-16, PL-8, SA-4, SA-15, SI-2, SI-4, SA-5, CA-8, CA-2, CP-2, IR-4 |
A2.b | Assurance | ID.RA-5, DE.DP-2, DE.DP-3, ID.RA-1, ID.RA-6, ID.GV-4, PR.IP-12 | RA-3, RA-2, PM-16, SA-18, CA-7, PM-14, CA-2, AC-25, SI-4, PE-3, SI-3, RA-5, SI-2, SI-5, SA-5, CA-8, SA-11, PM-9, PM-4, SA-2, PM-3, PM-10, PM-7, PM-11 |
A3.a | Asset Management | PR.AC-2, PR.IP-6, PR.IP-5, PR.DS-4, PR.DS-3, ID.AM-2, ID.AM-1, PR.MA-1, ID.AM-5, ID.BE-4 | PE-8, PE-5, PE-3, PE-6, PE-4, PE-2, MP-6, PE-13, PE-14, PE-15, PE-10, PE-18, PE-12, SC-5, CP-2, AU-4, CM-8, PE-16, PM-5, MA-3, MA-5, MA-2, MA-6, SA-14, RA-2, SC-6, CP-8, PE-11, PE-9, PM-8 |
A4.a | Supply Chain | ID.SC-4, RS.MI-1, RS.CO-4, ID.RA-4, PR.AC-3, RS.MI-2, ID.SC-2, DE.AE-1, PR.AT-2, DE.DP-4, RS.CO-3, ID.SC-5, DE.CM-6, DE.DP-1, ID.GV-2, ID.AM-6, RS.CO-1, ID.BE-1, ID.SC-1, ID.AM-3, ID.SC-3, PR.AT-3, PR.MA-2, DE.CM-7 | SA-12, SA-9, AU-12, AU-2, PS-7, AU-16, AU-6, IR-4, IR-8, CP-2, PM-11, RA-3, PM-9, RA-2, SA-14, SC-15, AC-1, AC-20, AC-17, AC-19, SA-15, SI-4, CA-3, CM-2, AC-4, AT-3, PM-13, RA-5, CA-2, CA-7, PE-6, IR-3, IR-6, CP-4, IR-9, SA-4, PM-14, PM-2, PM-1, CP-3, PL-8, CA-9, SA-11, SA-16, MA-4, CM-3, PE-3, PE-20, CM-8 |
B1.a | Policy and Process Development | RS.AN-5, PR.IP-7, RC.IM-1, DE.DP-2, RC.IM-2 | PM-15, SI-5, PM-6, CP-2, IR-8, CA-2, CA-7, PL-2, IR-4, SA-18, PM-14, AC-25, SI-4 |
B1.b | Policy and Process Implementation | PR.IP-8, RS.CO-1, PR.IP-11, RC.CO-3, ID.GV-2, PR.AT-1 | SI-4, CA-7, AC-21, CP-2, IR-3, IR-8, CP-3, PS-3, PS-6, PS-7, PS-2, SA-21, PS-1, PS-8, PS-4, PS-5, IR-4, PM-2, PM-1, PM-13, AT-2 |
B2.a | Identity Verification, Authentication and Authorisation | PR.DS-5, PR.AC-1, PR.AC-7, PR.AC-4, PR.AC-6, PR.AC-3, DE.AE-1, PR.PT-3, PR.MA-2, DE.CM-2 | PE-19, SC-31, AC-5, AC-6, AC-4, SI-4, SC-7, PS-6, SC-13, SC-8, PS-3, AC-2, IA-1, AC-1, IA-7, IA-11, IA-8, IA-6, IA-9, IA-3, IA-4, IA-5, IA-10, IA-2, AC-14, AC-9, AC-12, AC-8, AC-7, AC-11, AC-24, AC-3, AC-16, AC-19, PE-2, SC-15, AC-20, AC-17, CA-3, CM-2, CM-7, MA-4, PE-3, CA-7, PE-6, PE-20 |
B2.b | Device Management | PR.MA-2, PR.AC-1, PR.AC-3, DE.CM-6, PR.AC-4, PR.AC-7, PR.PT-3 | MA-4, AC-2, IA-1, AC-1, IA-7, IA-11, IA-8, IA-6, IA-9, IA-3, IA-4, IA-5, IA-10, IA-2, SC-15, AC-20, AC-17, AC-19, SA-9, PS-7, SA-4, SI-4, CA-7, AC-24, AC-3, AC-5, AC-14, AC-6, AC-16, AC-9, AC-12, AC-8, AC-7, AC-11, CM-7 |
B2.c | Privileged User Management | DE.CM-3, PR.MA-2, PR.AC-5, DE.CM-6, RS.AN-1, PR.AC-3, PR.PT-3, PR.AC-6, PR.AC-1, PR.AC-7, PR.DS-5, PR.AC-4, DE.CM-7 | AU-12, CM-10, CA-7, AC-2, CM-11, AU-13, MA-4, SC-7, AC-4, AC-10, SA-9, PS-7, SA-4, SI-4, IR-5, PE-6, IR-4, AU-6, SC-15, AC-1, AC-20, AC-17, AC-19, CM-7, AC-3, IA-5, IA-2, IA-4, PE-2, PS-3, AC-24, AC-16, IA-1, IA-8, IA-7, IA-11, IA-6, IA-9, IA-3, IA-10, AC-14, AC-9, AC-12, AC-8, AC-7, AC-11, PE-19, SC-31, AC-5, AC-6, PS-6, SC-13, SC-8, CM-3, PE-3, PE-20, CM-8 |
B2.d | Identity and Access Management (IdAM) | DE.CM-7, PR.IP-11, PR.AC-6, PR.AC-4, PR.MA-2, DE.CM-3, DE.AE-3, DE.CM-1, PR.DS-5, PR.PT-3, PR.AC-1, RS.AN-1, PR.AC-7 | CM-3, CA-7, PE-3, PE-20, PE-6, AU-12, CM-8, SI-4, PS-3, PS-6, PS-7, PS-2, SA-21, PS-1, PS-8, PS-4, PS-5, IA-5, AC-19, IA-2, IA-4, AC-3, PE-2, AC-1, AC-24, AC-2, AC-16, IA-1, IA-8, AC-5, AC-14, AC-6, MA-4, CM-10, CM-11, AU-13, IR-4, AU-6, IR-5, IR-8, SC-5, SC-7, PE-19, SC-31, AC-4, SC-13, SC-8, CM-7, IA-7, IA-11, IA-6, IA-9, IA-3, IA-10, AC-9, AC-12, AC-8, AC-7, AC-11 |
B3.a | Understanding Data | PR.IP-6, ID.RA-3, PR.DS-5, ID.AM-4, PR.PT-2, ID.BE-4, ID.AM-2, ID.AM-3, PR.DS-4, ID.AM-1 | MP-6, PM-16, PM-12, SI-5, RA-3, PE-19, SC-31, AC-5, AC-6, AC-4, SI-4, SC-7, PS-6, SC-13, SC-8, PS-3, SA-9, AC-20, MP-5, MP-4, MP-3, MP-8, MP-2, MP-7, SA-14, CP-8, PE-11, PE-9, PM-8, PM-5, CM-8, PL-8, CA-9, CA-3, SC-5, CP-2, AU-4 |
B3.b | Data in Transit | PR.DS-2, DE.AE-1, PR.DS-5, PR.IP-5, PR.DS-4, PR.DS-6, PR.AC-5, PR.PT-5, ID.BE-4, PR.PT-4, ID.AM-3 | SC-11, SC-8, SC-12, SI-4, CA-3, CM-2, AC-4, PE-19, SC-31, AC-5, AC-6, SC-7, PS-6, SC-13, PS-3, PE-13, PE-14, PE-15, PE-10, PE-18, PE-12, SC-5, CP-2, AU-4, SC-16, SI-7, AC-10, SC-6, CP-8, CP-11, CP-13, PL-8, SA-14, CP-7, PE-11, PE-9, PM-8, SC-37, SC-36, SC-40, SC-25, SC-32, SC-20, SC-22, AC-18, SC-19, SC-23, SC-41, SC-39, AC-17, SC-29, SC-21, SC-24, SC-38, SC-43, CA-9 |
B3.c | Stored Data | PR.PT-2, PR.AC-2, PR.IP-5, PR.IP-4, PR.PT-5, PR.DS-5, PR.DS-1, PR.AC-7 | MP-5, MP-4, MP-3, MP-8, MP-2, MP-7, PE-8, PE-5, PE-3, PE-6, PE-4, PE-2, PE-13, PE-14, PE-15, PE-10, PE-18, PE-12, CP-4, CP-6, CP-9, SC-6, CP-8, CP-11, CP-13, PL-8, SA-14, CP-7, PE-19, SC-31, AC-5, AC-6, AC-4, SI-4, SC-7, PS-6, SC-13, SC-8, PS-3, SC-12, SC-28, IA-4, IA-1, AC-14, AC-9, IA-10, AC-12, IA-3, IA-5, AC-8, IA-9, IA-11, AC-7, IA-2, AC-11, IA-8 |
B3.d | Mobile Data | ID.AM-4, PR.IP-6, PR.DS-3, DE.CM-5, PR.PT-2 | SA-9, AC-20, MP-6, CM-8, PE-16, SC-18, SI-4, SC-44, MP-5, MP-4, MP-3, MP-8, MP-2, MP-7 |
B3.e | Media Equipment Sanitisation | PR.IP-6, PR.DS-3, PR.PT-2 | MP-6, CM-8, PE-16, MP-5, MP-4, MP-3, MP-8, MP-2, MP-7 |
B4.a | Secure by Design | PR.PT-4, PR.PT-5, DE.CM-4, RS.MI-2, PR.DS-5, PR.DS-1, PR.DS-2, DE.CM-7, PR.DS-7, DE.CM-6, RS.MI-1, PR.IP-2, PR.DS-6, PR.AC-5, DE.AE-1 | SC-37, SC-36, AC-4, SC-40, SC-25, SC-32, SC-20, SC-22, AC-18, SC-19, SC-23, SC-41, SC-39, AC-17, SC-29, SC-7, SC-21, SC-24, CP-8, SC-38, SC-43, SC-6, CP-11, CP-13, PL-8, SA-14, CP-7, SI-8, SI-3, IR-4, PE-19, SC-31, AC-5, AC-6, SI-4, PS-6, SC-13, SC-8, PS-3, SC-12, MP-8, SC-28, SC-11, CM-3, CA-7, PE-3, PE-20, PE-6, AU-12, CM-8, CM-2, SA-9, PS-7, SA-4, SA-8, SI-14, SI-13, SA-10, SA-11, SA-3, SA-12, SI-12, SI-17, SA-17, SI-16, SA-15, SC-16, SI-7, AC-10, CA-3 |
B4.b | Secure Configuration | PR.IP-12, PR.PT-4, PR.DS-5, DE.CM-5, ID.AM-4, PR.DS-6, PR.IP-3, RS.AN-5, PR.IP-1, PR.MA-1, PR.DS-8, PR.AC-5, DE.AE-1 | RA-5, RA-3, SI-2, SC-37, SC-36, AC-4, SC-40, SC-25, SC-32, SC-20, SC-22, AC-18, SC-19, SC-23, SC-41, SC-39, AC-17, SC-29, SC-7, SC-21, SC-24, CP-8, SC-38, SC-43, PE-19, SC-31, AC-5, AC-6, SI-4, PS-6, SC-13, SC-8, PS-3, SC-18, SC-44, SA-9, AC-20, SC-16, SI-7, CM-3, CM-4, SA-10, PM-15, SI-5, CM-5, CM-9, CM-7, CM-2, CM-6, MA-3, MA-5, MA-2, MA-6, AC-10, CA-3 |
B4.c | Secure Management | PR.DS-5, DE.CM-7, PR.MA-1, DE.CM-4, PR.PT-4, RS.MI-1, DE.CM-5, PR.IP-1, PR.AC-7, RS.MI-2, PR.DS-6 | PE-19, SC-31, AC-5, AC-6, AC-4, SI-4, SC-7, PS-6, SC-13, SC-8, PS-3, CM-3, CA-7, PE-3, PE-20, PE-6, AU-12, CM-8, MA-3, MA-5, MA-2, MA-6, SI-8, SI-3, SC-37, SC-36, SC-40, SC-25, SC-32, SC-20, SC-22, AC-18, SC-19, SC-23, SC-41, SC-39, AC-17, SC-29, SC-21, SC-24, CP-8, SC-38, SC-43, IR-4, SC-18, SC-44, CM-5, CM-4, CM-9, CM-7, CM-2, SA-10, CM-6, IA-4, IA-1, AC-14, AC-9, IA-10, AC-12, IA-3, IA-5, AC-8, IA-9, IA-11, AC-7, IA-2, AC-11, IA-8, SC-16, SI-7 |
B4.d | Vulnerability Management | PR.DS-6, DE.CM-4, DE.CM-8, ID.RA-1, RS.MI-2, RS.MI-1, ID.RA-3, PR.IP-12, PR.PT-4, PR.IP-3, RS.MI-3, PR.DS-8, ID.RA-5, PR.IP-1, RS.AN-5, DE.DP-3 | SC-16, SI-7, SI-8, SI-3, RA-5, SI-2, SI-5, SI-4, SA-5, RA-3, CA-8, SA-11, CA-2, CA-7, IR-4, PM-16, PM-12, SC-37, SC-36, AC-4, SC-40, SC-25, SC-32, SC-20, SC-22, AC-18, SC-19, SC-23, SC-41, SC-39, AC-17, SC-29, SC-7, SC-21, SC-24, CP-8, SC-38, SC-43, CM-3, CM-4, SA-10, RA-2, CM-5, CM-9, CM-7, CM-2, CM-6, PM-15, PM-14, PE-3 |
B5.a | Resilience Preparation | PR.IP-9, DE.CM-4, RS.MI-1, RS.CO-1, PR.PT-5, ID.SC-5, PR.IP-4, PR.IP-10, PR.IP-3, ID.RA-2, RS.AN-5 | IR-8, CP-2, PE-17, IR-7, CP-7, CP-13, CP-12, IR-9, SI-8, SI-3, IR-4, IR-3, CP-3, SC-6, CP-8, CP-11, PL-8, SA-14, IR-6, CP-4, CP-6, CP-9, PM-14, CM-3, CM-4, SA-10, PM-16, PM-15, SI-5 |
B5.b | Design for Resilience | PR.PT-5, PR.DS-4, PR.IP-5, PR.DS-5, PR.DS-7, PR.AC-5, ID.BE-4, PR.DS-2, RS.MI-1, PR.AC-2, RS.MI-2 | SC-6, CP-8, CP-11, CP-13, PL-8, SA-14, CP-7, SC-5, CP-2, AU-4, PE-13, PE-14, PE-15, PE-10, PE-18, PE-12, PE-19, SC-31, AC-5, AC-6, AC-4, SI-4, SC-7, PS-6, SC-13, SC-8, PS-3, CM-2, AC-10, PE-11, PE-9, PM-8, SC-11, SC-12, IR-4, PE-8, PE-5, PE-3, PE-6, PE-4, PE-2 |
B5.c | Backups | PR.PT-5, PR.IP-4 | SC-6, CP-8, CP-11, CP-13, PL-8, SA-14, CP-7, CP-4, CP-6, CP-9 |
B6.a | Cyber Security Culture | RS.CO-2, PR.AT-2, PR.AT-4, RS.CO-3, ID.BE-3, DE.DP-4, PR.AT-5, PR.IP-11, DE.DP-1, ID.GV-2, PR.AT-1 | IR-8, AU-6, IR-6, AT-3, PM-13, RA-5, IR-4, CA-2, CP-2, PE-6, CA-7, SI-4, SA-14, PM-11, IR-2, PS-3, PS-6, PS-7, PS-2, SA-21, PS-1, PS-8, PS-4, PS-5, PM-14, PM-2, PM-1, AT-2 |
B6.b | Cyber Security Training | DE.DP-1, PR.AT-2, PR.AT-4, PR.AT-5, PR.AT-1, PR.IP-11 | CA-7, CA-2, PM-14, AT-3, PM-13, IR-2, AT-2, PS-3, PS-6, PS-7, PS-2, SA-21, PS-1, PS-8, PS-4, PS-5 |
C1.a | Monitoring Coverage | DE.CM-7, DE.CM-4, DE.CM-1, DE.CM-5, DE.AE-1, DE.AE-3, DE.CM-6, DE.CM-3, RS.MI-1, PR.DS-6, DE.CM-2 | CM-3, CA-7, PE-3, PE-20, PE-6, AU-12, CM-8, SI-4, SI-8, SI-3, SC-5, SC-7, AC-2, SC-18, SC-44, CA-3, CM-2, AC-4, IR-4, AU-6, IR-5, IR-8, SA-9, PS-7, SA-4, CM-10, CM-11, AU-13, SC-16, SI-7 |
C1.b | Securing Logs | DE.AE-3, DE.CM-3 | IR-4, AU-6, IR-5, CA-7, SI-4, IR-8, AU-12, CM-10, AC-2, CM-11, AU-13 |
C1.c | Generating Alerts | DE.AE-2, DE.CM-2, DE.CM-3, RS.AN-1, DE.AE-5, RS.MI-1, DE.AE-3, DE.CM-1, DE.DP-3, DE.CM-7 | CA-7, IR-4, SI-4, AU-6, PE-3, PE-6, PE-20, AU-12, CM-10, AC-2, CM-11, AU-13, IR-5, IR-8, SC-5, SC-7, CM-3, PM-14, SI-3, CA-2, CM-8 |
C1.d | Identifying Security Incidents | PR.IP-8, RS.MI-1, RS.AN-5, DE.DP-5, ID.RA-2, DE.DP-4 | SI-4, CA-7, AC-21, IR-4, PM-15, SI-5, PM-14, PL-2, RA-5, CA-2, PM-16, AU-6 |
C1.e | Monitoring Tools and Skills | RS.CO-3, DE.AE-2, DE.DP-5, RS.CO-2, RS.AN-1 | RA-5, IR-4, CA-2, IR-8, CP-2, PE-6, CA-7, SI-4, AU-6, PM-14, PL-2, IR-6, IR-5 |
C2.a | System Abnormalities for Attack Detection | | |
C2.b | Proactive Attack Discovery | DE.CM-4, DE.CM-5 | SI-8, SI-3, SC-18, SI-4, SC-44 |
D1.a | Response Plan | PR.IP-9, RS.AN-4, RS.CO-3, RC.CO-3, ID.GV-2, ID.SC-5, RS.CO-4, RC.RP-1, DE.AE-2, RS.CO-1 | IR-8, CP-2, PE-17, IR-7, CP-7, CP-13, CP-12, IR-9, IR-5, IR-4, RA-5, CA-2, PE-6, CA-7, SI-4, PS-7, PM-2, PM-1, IR-3, IR-6, CP-4, CP-10, AU-6, CP-3 |
D1.b | Response and Recovery Capability | ID.SC-5, PR.IP-9, RS.AN-3, RS.CO-1, PR.PT-5, RS.CO-3 | IR-4, IR-3, IR-6, CP-4, IR-8, CP-2, IR-9, PE-17, IR-7, CP-7, CP-13, CP-12, AU-7, CP-3, SC-6, CP-8, CP-11, PL-8, SA-14, RA-5, CA-2, PE-6, CA-7, SI-4 |
D1.c | Testing and Exercising | ID.SC-5, RC.IM-2, RC.IM-1, PR.IP-4, PR.IP-10 | IR-4, IR-3, IR-6, CP-4, IR-8, CP-2, IR-9, CP-6, CP-9, PM-14 |
D2.a | Incident Root Cause Analysis | DE.DP-5, DE.AE-3, RS.AN-2, RS.IM-1, DE.AE-2, RS.CO-3, DE.DP-4 | CA-7, PM-14, SI-4, PL-2, RA-5, CA-2, IR-4, AU-6, IR-5, IR-8, CP-2, PE-6 |
D2.b | Using Incidents to Drive Improvements | RS.AN-2, DE.DP-5, RC.IM-2, PR.IP-8, RS.IM-2, PR.IP-7, RC.IM-1, RS.IM-1 | IR-4, CP-2, CA-7, PM-14, SI-4, PL-2, RA-5, CA-2, IR-8, AC-21, PM-6 |