NIST CSF: PR.AC-5 Subcategory
From NIST's Cyber Security Framework (version 1):
Network integrity is protected (e.g., network segregation, network segmentation)
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Information transfer policies and procedures (13.2.1)
ISO 27001:2013 -
Securing application services on public networks (14.1.2)
ISO 27001:2013 -
Segregation in networks (13.1.3)
ISO 27001:2013 -
Network controls (13.1.1)
ISO 27001:2013 -
Protecting application services transactions (14.1.3)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Session integrity (SR 3.8)
ISA/IEC 62443-3-3:2013 -
Communication integrity (SR 3.1)
ISA/IEC 62443-3-3:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1499.004 | Application or System Exploitation | Impact |
| T1498.002 | Reflection Amplification | Impact |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1001.001 | Junk Data | Command and Control |
| T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1552.004 | Private Keys | Credential Access |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1136.003 | Cloud Account | Persistence |
| T1114.003 | Email Forwarding Rule | Collection |
| T1055.011 | Extra Window Memory Injection | Defense Evasion, Privilege Escalation |
| T1505.004 | IIS Components | Persistence |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1204.003 | Malicious Image | Execution |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1204 | User Execution | Execution |
| T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
| T1090.003 | Multi-hop Proxy | Command and Control |
| T1102.003 | One-Way Communication | Command and Control |
| T1552 | Unsecured Credentials | Credential Access |
| T1499 | Endpoint Denial of Service | Impact |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1080 | Taint Shared Content | Lateral Movement |
| T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
| T1573.001 | Symmetric Cryptography | Command and Control |
| T1071.003 | Mail Protocols | Command and Control |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1612 | Build Image on Host | Defense Evasion |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1218.012 | Verclsid | Defense Evasion |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1071 | Application Layer Protocol | Command and Control |
| T1199 | Trusted Relationship | Initial Access |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1566.002 | Spearphishing Link | Initial Access |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1571 | Non-Standard Port | Command and Control |
| T1187 | Forced Authentication | Credential Access |
| T1499.002 | Service Exhaustion Flood | Impact |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1530 | Data from Cloud Storage | Collection |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1622 | Debugger Evasion | Defense Evasion, Discovery |
| T1190 | Exploit Public-Facing Application | Initial Access |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| B4.b | Secure Configuration | You securely configure the network and information systems that support the operation of essential functions. |
| B2.c | Privileged User Management | You closely manage privileged user access to networks and information systems supporting the essential function. |
| B3.b | Data in Transit | You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties. |
| B5.b | Design for Resilience | You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated. |
| B4.a | Secure by Design | You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability. |