CAF Outcome B2.d: Identity and Access Management (IdAM)

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function.

NCSC CAF Mapped to NIST CSF

Mappings from B2.d: Identity and Access Management (IdAM) to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.

Control ID | Description
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors
DE.CM-1 | The network is monitored to detect potential cybersecurity events
PR.DS-5 | Protections against data leaks are implemented
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
RS.AN-1 | Notifications from detection systems are investigated
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Authorization enforcement (SR 2.1)
    ISA/IEC 62443-3-3:2013
  • Account management (SR 1.3)
    ISA/IEC 62443-3-3:2013
  • Session integrity (SR 3.8)
    ISA/IEC 62443-3-3:2013
  • Software process and device identification and authentication (SR 1.2)
    ISA/IEC 62443-3-3:2013
  • Identifier management (SR 1.4)
    ISA/IEC 62443-3-3:2013
  • Authenticator management (SR 1.5)
    ISA/IEC 62443-3-3:2013
  • Human User Identification and Authentication (SR 1.1)
    ISA/IEC 62443-3-3:2013
  • Auditable events (SR 2.8)
    ISA/IEC 62443-3-3:2013

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Screening (7.1.1)
    ISO 27001:2013
  • Removal or adjustment of access rights (9.2.6)
    ISO 27001:2013
  • User access provisioning (9.2.2)
    ISO 27001:2013
  • Event Logging (12.4.1)
    ISO 27001:2013
  • Review of user access rights (9.2.5)
    ISO 27001:2013
  • Management of privileged access rights (9.2.3)
    ISO 27001:2013
  • Access to networks and network services (9.1.2)
    ISO 27001:2013
  • User registration and de-registration (9.2.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

CM-3: Configuration Change Control
CA-7: Continuous Monitoring
PE-3: Physical Access Control
PE-20: Asset Monitoring and Tracking
PE-6: Monitoring Physical Access
AU-12: Audit Record Generation
CM-8: System Component Inventory
SI-4: System Monitoring
PS-3: Personnel Screening
PS-6: Access Agreements
PS-7: External Personnel Security
PS-2: Position Risk Designation
SA-21: Developer Screening
PS-1: Policy and Procedures
PS-8: Personnel Sanctions
PS-4: Personnel Termination
PS-5: Personnel Transfer
IA-5: Authenticator Management
AC-19: Access Control for Mobile Devices
IA-2: Identification and Authentication (Organizational Users)
IA-4: Identifier Management
AC-3: Access Enforcement
PE-2: Physical Access Authorizations
AC-1: Policy and Procedures
AC-24: Access Control Decisions
AC-2: Account Management
AC-16: Security and Privacy Attributes
IA-1: Policy and Procedures
IA-8: Identification and Authentication (Non-organizational Users)
AC-5: Separation of Duties
AC-14: Permitted Actions Without Identification or Authentication
AC-6: Least Privilege
MA-4: Nonlocal Maintenance
CM-10: Software Usage Restrictions
CM-11: User-installed Software
AU-13: Monitoring for Information Disclosure
IR-4: Incident Handling
AU-6: Audit Record Review, Analysis, and Reporting
IR-5: Incident Monitoring
IR-8: Incident Response Plan
SC-5: Denial-of-service Protection
SC-7: Boundary Protection
PE-19: Information Leakage
SC-31: Covert Channel Analysis
AC-4: Information Flow Enforcement
SC-13: Cryptographic Protection
SC-8: Transmission Confidentiality and Integrity
CM-7: Least Functionality
IA-7: Cryptographic Module Authentication
IA-11: Re-authentication
IA-6: Authentication Feedback
IA-9: Service Identification and Authentication
IA-3: Device Identification and Authentication
IA-10: Adaptive Authentication
AC-9: Previous Logon Notification
AC-12: Session Termination
AC-8: System Use Notification
AC-7: Unsuccessful Logon Attempts
AC-11: Device Lock

MITRE ATT&CK Techniques

MITRE ATT&CK techniques that this control helps to protect against, derived from the Ofgem mappings of this CAF outcome to ATT&CK mitigations listed above.

ATT&CK ID | Title | Associated Tactics
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation
T1525 | Implant Internal Image | Persistence
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1027 | Obfuscated Files or Information | Defense Evasion
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation
T1204.003 | Malicious Image | Execution
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion
T1552.004 | Private Keys | Credential Access
T1505.004 | IIS Components | Persistence
T1560 | Archive Collected Data | Collection
T1563.002 | RDP Hijacking | Lateral Movement
T1593.003 | Code Repositories | Reconnaissance
T1552.001 | Credentials In Files | Credential Access
T1606.001 | Web Cookies | Credential Access
T1564.008 | Email Hiding Rules | Defense Evasion
T1578.005 | Modify Cloud Compute Configurations | Defense Evasion
T1552 | Unsecured Credentials | Credential Access
T1053.002 | At | Execution, Persistence, Privilege Escalation
T1087.004 | Cloud Account | Discovery
T1176 | Browser Extensions | Persistence
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1562.012 | Disable or Modify Linux Audit System | Defense Evasion
T1562.002 | Disable Windows Event Logging | Defense Evasion
T1505.005 | Terminal Services DLL | Persistence
T1059.006 | Python | Execution
T1653 | Power Settings | Persistence
T1505 | Server Software Component | Persistence
T1610 | Deploy Container | Defense Evasion, Execution
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1542.005 | TFTP Boot | Defense Evasion, Persistence
T1114.003 | Email Forwarding Rule | Collection
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation
T1612 | Build Image on Host | Defense Evasion
T1213 | Data from Information Repositories | Collection
T1053.003 | Cron | Execution, Persistence, Privilege Escalation
T1114 | Email Collection | Collection
T1213.002 | Sharepoint | Collection
T1566.002 | Spearphishing Link | Initial Access
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion
T1528 | Steal Application Access Token | Credential Access
T1543.004 | Launch Daemon | Persistence, Privilege Escalation
T1027.011 | Fileless Storage | Defense Evasion
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement
T1070.008 | Clear Mailbox Data | Defense Evasion
T1593 | Search Open Websites/Domains | Reconnaissance
T1606.002 | SAML Tokens | Credential Access
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation
T1606 | Forge Web Credentials | Credential Access
T1560.001 | Archive via Utility | Collection
T1505.002 | Transport Agent | Persistence
T1562.004 | Disable or Modify System Firewall | Defense Evasion
T1530 | Data from Cloud Storage | Collection
T1552.008 | Chat Messages | Credential Access
T1562 | Impair Defenses | Defense Evasion
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation
T1213.003 | Code Repositories | Collection
T1578.003 | Delete Cloud Instance | Defense Evasion
T1505.001 | SQL Stored Procedures | Persistence
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence
T1552.006 | Group Policy Preferences | Credential Access
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1578.002 | Create Cloud Instance | Defense Evasion
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1482 | Domain Trust Discovery | Discovery
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation
T1649 | Steal or Forge Authentication Certificates | Credential Access
T1558.004 | AS-REP Roasting | Credential Access
T1542.004 | ROMMONkit | Defense Evasion, Persistence
T1213.001 | Confluence | Collection
T1552.002 | Credentials in Registry | Credential Access
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation
T1021.005 | VNC | Lateral Movement
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence
T1578.001 | Create Snapshot | Defense Evasion
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1003.006 | DCSync | Credential Access
T1003 | OS Credential Dumping | Credential Access
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1558.001 | Golden Ticket | Credential Access
T1003.005 | Cached Domain Credentials | Credential Access
T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation
T1558 | Steal or Forge Kerberos Tickets | Credential Access
T1072 | Software Deployment Tools | Execution, Lateral Movement