CAF Outcome B2.b: Device Management

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.

NCSC CAF Mapped to NIST CSF

Mappings from B2.b: Device Management to the NIST CSF, generated from the UK Cabinet Office table.

| Control ID | Description |
|---|---|
| PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
| PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| PR.AC-3 | Remote access is managed |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
| PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • General purpose person-to-person communication restrictions (SR 5.3)
    ISA/IEC 62443-3-3:2013
  • Wireless access management (SR 1.6)
    ISA/IEC 62443-3-3:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1200 | Hardware Additions | Initial Access |
| T1553.004 | Install Root Certificate | Defense Evasion |
| T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
| T1087.001 | Local Account | Discovery |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1092 | Communication Through Removable Media | Command and Control |
| T1136 | Create Account | Persistence |
| T1003.002 | Security Account Manager | Credential Access |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1087 | Account Discovery | Discovery |
| T1135 | Network Share Discovery | Discovery |
| T1003 | OS Credential Dumping | Credential Access |
| T1490 | Inhibit System Recovery | Impact |
| T1011 | Exfiltration Over Other Network Medium | Exfiltration |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence |
| T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1552 | Unsecured Credentials | Credential Access |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1562.003 | Impair Command History Logging | Defense Evasion |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1136.002 | Domain Account | Persistence |
| T1087.002 | Domain Account | Discovery |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1552.003 | Bash History | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1564.002 | Hidden Users | Defense Evasion |
| T1036.007 | Double File Extension | Defense Evasion |