NIST Cyber Security Framework (CSF) Subcategories (V1)
| Control ID | Description |
|---|---|
RS.RP-1 | Response plan is executed during or after an incident |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
RS.MI-2 | Incidents are mitigated |
RS.MI-1 | Incidents are contained |
RS.IM-2 | Response strategies are updated |
RS.IM-1 | Response plans incorporate lessons learned |
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans |
RS.CO-3 | Information is shared consistent with response plans |
RS.CO-2 | Incidents are reported consistent with established criteria |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) |
RS.AN-4 | Incidents are categorized consistent with response plans |
RS.AN-3 | Forensics are performed |
RS.AN-2 | The impact of the incident is understood |
RS.AN-1 | Notifications from detection systems are investigated |
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident |
RC.IM-2 | Recovery strategies are updated |
RC.IM-1 | Recovery plans incorporate lessons learned |
RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams |
RC.CO-2 | Reputation is repaired after an incident |
RC.CO-1 | Public relations are managed |
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
PR.PT-4 | Communications and control networks are protected |
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
PR.PT-2 | Removable media is protected and its use restricted according to policy |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed |
PR.IP-8 | Effectiveness of protection technologies is shared |
PR.IP-7 | Protection processes are improved |
PR.IP-6 | Data is destroyed according to policy |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met |
PR.IP-4 | Backups of information are conducted, maintained, and tested |
PR.IP-3 | Configuration change control processes are in place |
PR.IP-2 | A System Development Life Cycle to manage systems is implemented |
PR.IP-12 | A vulnerability management plan is developed and implemented |
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |
PR.IP-10 | Response and recovery plans are tested |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity |
PR.DS-7 | The development and testing environment(s) are separate from the production environment |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
PR.DS-5 | Protections against data leaks are implemented |
PR.DS-4 | Adequate capacity to ensure availability is maintained |
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition |
PR.DS-2 | Data-in-transit is protected |
PR.DS-1 | Data-at-rest is protected |
PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities |