diff --git a/backend/library/libraries/nist_csf-2.0-en.yaml b/backend/library/libraries/nist_csf-2.0-en.yaml new file mode 100644 index 000000000..6452a17c4 --- /dev/null +++ b/backend/library/libraries/nist_csf-2.0-en.yaml 
@@ -0,0 +1,2779 @@ +urn: urn:intuitem:risk:library:nist-csf-2.0 +locale: en +ref_id: NIST-CSF-2.0 +name: NIST CSF version 2.0 +description: National Institute of Standards and Technology - Cybersecurity Framework +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-csf-2.0 + ref_id: NIST-CSF-2.0 + name: NIST CSF v2.0 + description: NIST Cybersecurity Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + assessable: false + depth: 1 + ref_id: GV + name: GOVERN + description: The organization's cybersecurity risk management strategy, expectations, + and policy are established, communicated, and monitored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OC + name: Organizational Context + description: The circumstances - mission, stakeholder expectations, dependencies, + and legal, regulatory, and contractual requirements - surrounding the organization's + cybersecurity risk management decisions are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-01 + description: The organizational mission is understood and informs cybersecurity + risk management + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Share the organization''s mission (e.g., through vision and mission statements, + marketing, and service strategies) to provide a basis for identifying risks + that may impede that mission' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-02 + description: Internal and external stakeholders are understood, and their needs + and expectations regarding cybersecurity risk management are understood and + considered + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify relevant internal stakeholders and their cybersecurity-related + expectations (e.g., performance and risk expectations of officers, directors, + and advisors; cultural expectations of employees) + + Ex2: Identify relevant external stakeholders and their cybersecurity-related + expectations (e.g., privacy expectations of customers, business expectations + of partnerships, compliance expectations of regulators, ethics expectations + of society)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-03 + description: Legal, regulatory, and contractual requirements regarding cybersecurity + - including privacy and civil liberties obligations - are understood and managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine a process to track and manage legal and regulatory requirements + regarding protection of individuals'' information (e.g., Health Insurance + Portability and Accountability Act, California Consumer Privacy Act, General + Data Protection Regulation) + + Ex2: Determine a process to track and manage contractual requirements for + cybersecurity management of supplier, customer, and partner 
information + + Ex3: Align the organization''s cybersecurity strategy with legal, regulatory, + and contractual requirements' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-04 + description: Critical objectives, capabilities, and services that stakeholders + depend on or expect from the organization are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Establish criteria for determining the criticality of capabilities and + services as viewed by internal and external stakeholders + + Ex2: Determine (e.g., from a business impact analysis) assets and business + operations that are vital to achieving mission objectives and the potential + impact of a loss (or partial loss) of such operations + + Ex3: Establish and communicate resilience objectives (e.g., recovery time + objectives) for delivering critical capabilities and services in various operating + states (e.g., under attack, during recovery, normal operation)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-05 + description: Outcomes, capabilities, and services that the organization depends + on are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + name: Examples + description: 'Ex1: Create an inventory of the organization''s dependencies on + external resources (e.g., facilities, cloud-based hosting providers) and their + relationships to organizational assets and business functions + + Ex2: Identify and document external dependencies that are 
potential points + of failure for the organization''s critical capabilities and services, and + share that information with appropriate personnel + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RM + name: Risk Management Strategy + description: The organization's priorities, constraints, risk tolerance and + appetite statements, and assumptions are established, communicated, and used + to support operational risk decisions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-01 + description: Risk management objectives are established and agreed to by organizational + stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update near-term and long-term cybersecurity risk management objectives + as part of annual strategic planning and when major changes occur + + Ex2: Establish measurable objectives for cybersecurity risk management (e.g., + manage the quality of user training, ensure adequate risk protection for industrial + control systems) + + Ex3: Senior leaders agree about cybersecurity objectives and use them for + measuring and managing risk and performance' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-02 + description: Risk appetite and risk tolerance statements are established, communicated, + and maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + 
+ Ex1: Determine and communicate risk appetite statements that convey expectations + about the appropriate level of risk for the organization + + Ex2: Translate risk appetite statements into specific, measurable, and broadly + understandable risk tolerance statements + + Ex3: Refine organizational objectives and risk appetite periodically based + on known risk exposure and residual risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-03 + description: Cybersecurity risk management activities and outcomes are included + in enterprise risk management processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks + (e.g., compliance, financial, operational, regulatory, reputational, safety) + + Ex2: Include cybersecurity risk managers in enterprise risk management planning + + Ex3: Establish criteria for escalating cybersecurity risks within enterprise + risk management' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-04 + description: Strategic direction that describes appropriate risk response options + is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various + classifications of data + + Ex2: Determine whether to purchase cybersecurity insurance + + Ex3: Document conditions under which shared responsibility models are acceptable + (e.g., outsourcing 
certain cybersecurity functions, having a third party perform + financial transactions on behalf of the organization, using public cloud-based + services)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-05 + description: Lines of communication across the organization are established + for cybersecurity risks, including risks from suppliers and other third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine how to update senior executives, directors, and management + on the organization''s cybersecurity posture at agreed-upon intervals + + Ex2: Identify how all departments across the organization - such as management, + operations, internal auditors, legal, acquisition, physical security, and + HR - will communicate with each other about cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-06 + description: A standardized method for calculating, documenting, categorizing, + and prioritizing cybersecurity risks is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish criteria for using a quantitative approach to cybersecurity + risk analysis, and specify probability and exposure formulas + + Ex2: Create and use templates (e.g., a risk register) to document cybersecurity + risk information (e.g., risk description, exposure, treatment, and ownership) + + Ex3: Establish criteria for risk prioritization at the appropriate levels + 
within the enterprise + + Ex4: Use a consistent list of risk categories to support integrating, aggregating, + and comparing cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-07 + description: Strategic opportunities (i.e., positive risks) are characterized + and are included in organizational cybersecurity risk discussions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define and communicate guidance and methods for identifying opportunities + and including them in risk discussions (e.g., strengths, weaknesses, opportunities, + and threats [SWOT] analysis) + + Ex2: Identify stretch goals and document them + + Ex3: Calculate, document, and prioritize positive risks alongside negative + risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RR + name: Roles, Responsibilities, and Authorities + description: Cybersecurity roles, responsibilities, and authorities to foster + accountability, performance assessment, and continuous improvement are established + and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-01 + description: Organizational leadership is responsible and accountable for cybersecurity + risk and fosters a culture that is risk-aware, ethical, and continually improving + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Leaders (e.g., directors) agree on their roles and 
responsibilities in + developing, implementing, and assessing the organization''s cybersecurity + strategy + + Ex2: Share leaders'' expectations regarding a secure and ethical culture, + especially when current events present the opportunity to highlight positive + or negative examples of cybersecurity risk management + + Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk + strategy and review and update it at least annually and after major events + + Ex4: Conduct reviews to ensure adequate authority and coordination among those + responsible for managing cybersecurity risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-02 + description: Roles, responsibilities, and authorities related to cybersecurity + risk management are established, communicated, understood, and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Document risk management roles and responsibilities in policy + + Ex2: Document who is responsible and accountable for cybersecurity risk management + activities and how those teams and individuals are to be consulted and informed + + Ex3: Include cybersecurity responsibilities and performance requirements in + personnel descriptions + + Ex4: Document performance goals for personnel with cybersecurity risk management + responsibilities, and periodically measure performance to identify areas for + improvement + + Ex5: Clearly articulate cybersecurity responsibilities within operations, + risk functions, and internal audit functions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-03 + description: Adequate resources are allocated 
commensurate with the cybersecurity + risk strategy, roles, responsibilities, and policies + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct periodic management reviews to ensure that those given cybersecurity + risk management responsibilities have the necessary authority + + Ex2: Identify resource allocation and investment in line with risk tolerance + and response + + Ex3: Provide adequate and sufficient people, process, and technical resources + to support the cybersecurity strategy' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-04 + description: Cybersecurity is included in human resources practices + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Integrate cybersecurity risk management considerations into human resources + processes (e.g., personnel screening, onboarding, change notification, offboarding) + + Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, + and retention decisions + + Ex3: Conduct background checks prior to onboarding new personnel for sensitive + roles, and periodically repeat background checks for personnel with such roles + + Ex4: Define and enforce obligations for personnel to be aware of, adhere to, + and uphold security policies as they relate to their roles' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.PO + name: Policy + description: Organizational cybersecurity policy is established, communicated, + and enforced + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-01 + description: Policy for managing cybersecurity risks is established based on + organizational context, cybersecurity strategy, and priorities and is communicated + and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Create, disseminate, and maintain an understandable, usable risk management + policy with statements of management intent, expectations, and direction + + Ex2: Periodically review policy and supporting processes and procedures to + ensure that they align with risk management strategy objectives and priorities, + as well as the high-level direction of the cybersecurity policy + + Ex3: Require approval from senior management on policy + + Ex4: Communicate cybersecurity risk management policy and supporting processes + and procedures across the organization + + Ex5: Require personnel to acknowledge receipt of policy when first hired, + annually, and whenever policy is updated' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-02 + description: Policy for managing cybersecurity risks is reviewed, updated, communicated, + and enforced to reflect changes in requirements, threats, technology, and + organizational mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update policy based on periodic reviews of cybersecurity risk management + results to ensure that policy and supporting processes and procedures adequately + maintain risk at an acceptable level + 
+ Ex2: Provide a timeline for reviewing changes to the organization''s risk + environment (e.g., changes in risk or in the organization''s mission objectives), + and communicate recommended policy updates + + Ex3: Update policy to reflect changes in legal and regulatory requirements + + Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial + intelligence) and changes to the business (e.g., acquisition of a new business, + new contract requirements)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OV + name: Oversight + description: Results of organization-wide cybersecurity risk management activities + and performance are used to inform, improve, and adjust the risk management + strategy + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-01 + description: Cybersecurity risk management strategy outcomes are reviewed to + inform and adjust strategy and direction + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Measure how well the risk management strategy and risk results have helped + leaders make decisions and achieve organizational objectives + + Ex2: Examine whether cybersecurity risk strategies that impede operations + or innovation should be adjusted' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-02 + description: The cybersecurity risk management strategy is reviewed and adjusted + to ensure coverage of organizational requirements and risks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47 + assessable: false + depth: 4 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review audit findings to confirm whether the existing cybersecurity strategy + has ensured compliance with internal and external requirements + + Ex2: Review the performance oversight of those in cybersecurity-related roles + to determine whether policy changes are necessary + + Ex3: Review strategy in light of cybersecurity incidents' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-03 + description: Organizational cybersecurity risk management performance is evaluated + and reviewed for adjustments needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review key performance indicators (KPIs) to ensure that organization-wide + policies and procedures achieve objectives + + Ex2: Review key risk indicators (KRIs) to identify risks the organization + faces, including likelihood and potential impact + + Ex3: Collect and communicate metrics on cybersecurity risk management with + senior leadership' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.SC + name: Cybersecurity Supply Chain Risk Management + description: Cyber supply chain risk management processes are identified, established, + managed, monitored, and improved by organizational stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-01 + description: A cybersecurity supply chain risk management program, strategy, + objectives, policies, and processes are established and agreed to by organizational + 
stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + name: Examples + description: 'Ex1: Establish a strategy that expresses the objectives of the + cybersecurity supply chain risk management program + + Ex2: Develop the cybersecurity supply chain risk management program, including + a plan (with milestones), policies, and procedures that guide implementation + and improvement of the program, and share the policies and procedures with + the organizational stakeholders + + Ex3: Develop and implement program processes based on the strategy, objectives, + policies, and procedures that are agreed upon and performed by the organizational + stakeholders + + Ex4: Establish a cross-organizational mechanism that ensures alignment between + functions that contribute to cybersecurity supply chain risk management, such + as cybersecurity, IT, operations, legal, human resources, and engineering + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-02 + description: Cybersecurity roles and responsibilities for suppliers, customers, + and partners are established, communicated, and coordinated internally and + externally + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + name: Examples + description: 'Ex1: Identify one or more specific roles or positions that will + be responsible and accountable for planning, resourcing, and executing cybersecurity + supply chain risk management activities + + Ex2: Document cybersecurity supply chain risk management roles and responsibilities + in policy + + Ex3: Create responsibility matrixes to document who will be responsible and + accountable for cybersecurity supply chain risk management activities 
and + how those teams and individuals will be consulted and informed + + Ex4: Include cybersecurity supply chain risk management responsibilities and + performance requirements in personnel descriptions to ensure clarity and improve + accountability + + Ex5: Document performance goals for personnel with cybersecurity risk management-specific + responsibilities, and periodically measure them to demonstrate and improve + performance + + Ex6: Develop roles and responsibilities for suppliers, customers, and business + partners to address shared responsibilities for applicable cybersecurity risks, + and integrate them into organizational policies and applicable third-party + agreements + + Ex7: Internally communicate cybersecurity supply chain risk management roles + and responsibilities for third parties + + Ex8: Establish rules and protocols for information sharing and reporting processes + between the organization and its suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-03 + description: Cybersecurity supply chain risk management is integrated into cybersecurity + and enterprise risk management, risk assessment, and improvement processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + name: Examples + description: 'Ex1: Identify areas of alignment and overlap with cybersecurity + and enterprise risk management + + Ex2: Establish integrated control sets for cybersecurity risk management and + cybersecurity supply chain risk management + + Ex3: Integrate cybersecurity supply chain risk management into improvement + processes + + Ex4: Escalate material cybersecurity risks in supply chains to senior management, + and address them at the enterprise risk management level + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-04 + description: Suppliers are known and prioritized by criticality + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + name: Examples + description: 'Ex1: Develop criteria for supplier criticality based on, for example, + the sensitivity of data processed or possessed by suppliers, the degree of + access to the organization''s systems, and the importance of the products + or services to the organization''s mission + + Ex2: Keep a record of all suppliers, and prioritize suppliers based on the + criticality criteria + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-05 + description: Requirements to address cybersecurity risks in supply chains are + established, prioritized, and integrated into contracts and other types of + agreements with suppliers and other relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + name: Examples + description: 'Ex1: Establish security requirements for suppliers, products, + and services commensurate with their criticality level and potential impact + if compromised + + Ex2: Include all cybersecurity and supply chain requirements that third parties + must follow and how compliance with the requirements may be verified in default + contractual language + + Ex3: Define the rules and protocols for information sharing between the organization + and its suppliers and sub-tier suppliers in agreements + + Ex4: Manage risk by including security requirements in agreements based on + their criticality and potential impact if compromised + 
+ Ex5: Define security requirements in service-level agreements (SLAs) for monitoring + suppliers for acceptable security performance throughout the supplier relationship + lifecycle + + Ex6: Contractually require suppliers to disclose cybersecurity features, functions, + and vulnerabilities of their products and services for the life of the product + or the term of service + + Ex7: Contractually require suppliers to provide and maintain a current component + inventory (e.g., software or hardware bill of materials) for critical products + + Ex8: Contractually require suppliers to vet their employees and guard against + insider threats + + Ex9: Contractually require suppliers to provide evidence of performing acceptable + security practices through, for example, self-attestation, conformance to + known standards, certifications, or inspections + + Ex10: Specify in contracts and other agreements the rights and responsibilities + of the organization, its suppliers, and their supply chains, with respect + to potential cybersecurity risks + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-06 + description: Planning and due diligence are performed to reduce risks before + entering into formal supplier or other third-party relationships + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + name: Examples + description: 'Ex1: Perform thorough due diligence on prospective suppliers that + is consistent with procurement planning and commensurate with the level of + risk, criticality, and complexity of each supplier relationship + + Ex2: Assess the suitability of the technology and cybersecurity capabilities + and the risk management practices of prospective suppliers + + Ex3: Conduct supplier risk assessments against business and applicable 
cybersecurity + requirements + + Ex4: Assess the authenticity, integrity, and security of critical products + prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-07 + description: The risks posed by a supplier, their products and services, and + other third parties are understood, recorded, prioritized, assessed, responded + to, and monitored over the course of the relationship + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + name: Examples + description: 'Ex1: Adjust assessment formats and frequencies based on the third + party''s reputation and the criticality of the products or services they provide + + Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity + requirements, such as self-attestations, warranties, certifications, and other + artifacts + + Ex3: Monitor critical suppliers to ensure that they are fulfilling their security + obligations throughout the supplier relationship lifecycle using a variety + of methods and techniques, such as inspections, audits, tests, or other forms + of evaluation + + Ex4: Monitor critical suppliers, services, and products for changes to their + risk profiles, and reevaluate supplier criticality and risk impact accordingly + + Ex5: Plan for unexpected supplier and supply chain-related interruptions to + ensure business continuity + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-08 + description: Relevant suppliers and other third parties are included in incident + planning, response, and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + name: Examples + description: 'Ex1: Define and use rules and protocols for reporting incident + response and recovery activities and the status between the organization and + its suppliers + + Ex2: Identify and document the roles and responsibilities of the organization + and its suppliers for incident response + + Ex3: Include critical suppliers in incident response exercises and simulations + + Ex4: Define and coordinate crisis communication methods and protocols between + the organization and its critical suppliers + + Ex5: Conduct collaborative lessons learned sessions with critical suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-09 + description: Supply chain security practices are integrated into cybersecurity + and enterprise risk management programs, and their performance is monitored + throughout the technology product and service life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + name: Examples + description: 'Ex1: Policies and procedures require provenance records for all + acquired technology products and services + + Ex2: Periodically provide risk reporting to leaders about how acquired components + are proven to be untampered and authentic + + Ex3: Communicate regularly among cybersecurity risk managers and operations + personnel about the need to acquire software patches, updates, and upgrades + only from authenticated and trustworthy software providers + + Ex4: Review policies to ensure that they require approved supplier personnel + to perform maintenance on supplier products + + Ex5: Policies and procedure require checking upgrades to critical hardware + for unauthorized changes + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-10 + description: Cybersecurity supply chain risk management plans include provisions + for activities that occur after the conclusion of a partnership or service + agreement + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + name: Examples + description: 'Ex1: Establish processes for terminating critical relationships + under both normal and adverse circumstances + + Ex2: Define and implement plans for component end-of-life maintenance support + and obsolescence + + Ex3: Verify that supplier access to organization resources is deactivated + promptly when it is no longer needed + + Ex4: Verify that assets containing the organization''s data are returned or + properly disposed of in a timely, controlled, and safe manner + + Ex5: Develop and execute a plan for terminating or transitioning supplier + relationships that takes supply chain security risk and resiliency into account + + Ex6: Mitigate risks to data and systems created by supplier termination + + Ex7: Manage data leakage risks associated with supplier termination + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY + description: The organization's current cybersecurity risks are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.AM + name: Asset Management + description: Assets (e.g., data, hardware, software, systems, facilities, services, + people) that enable the organization to achieve business purposes are identified + and managed consistent with their relative importance to organizational objectives + and the organization's risk strategy + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-01 + description: Inventories of hardware managed by the organization are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, + and mobile devices + + Ex2: Constantly monitor networks to detect new hardware and automatically + update inventories' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-02 + description: Inventories of software, services, and systems managed by the organization + are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of software and services, including + commercial-off-the-shelf, open-source, custom applications, API services, + and cloud-based applications and services + + Ex2: Constantly monitor all platforms, including containers and virtual machines, + for software and service inventory changes + + Ex3: Maintain an inventory of the organization''s systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-03 + description: Representations of the organization's authorized network communication + and internal and external network data flows are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + name: Examples + 
description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Maintain baselines of communication and data flows within the organization''s + wired and wireless networks + + Ex2: Maintain baselines of communication and data flows between the organization + and third parties + + Ex3: Maintain baselines of communication and data flows for the organization''s + infrastructure-as-a-service (IaaS) usage + + Ex4: Maintain documentation of expected network ports, protocols, and services + that are typically used among authorized systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-04 + description: Inventories of services provided by suppliers are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + name: Examples + description: 'Ex1: Inventory all external services used by the organization, + including third-party infrastructure-as-a-service (IaaS), platform-as-a-service + (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally + hosted application services + + Ex2: Update the inventory when a new external service is going to be utilized + to ensure adequate cybersecurity risk management monitoring of the organization''s + use of that service + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-05 + description: Assets are prioritized based on classification, criticality, resources, + and impact on the mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define criteria for prioritizing each class of assets + + Ex2: 
Apply the prioritization criteria to assets + + Ex3: Track the asset priorities and update them periodically or when significant + changes to the organization occur' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-07 + description: Inventories of data and corresponding metadata for designated data + types are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain a list of the designated data types of interest (e.g., personally + identifiable information, protected health information, financial account + numbers, organization intellectual property, operational technology data) + + Ex2: Continuously discover and analyze ad hoc data to identify new instances + of designated data types + + Ex3: Assign data classifications to designated data types through tags or + labels + + Ex4: Track the provenance, data owner, and geolocation of each instance of + designated data types' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-08 + description: Systems, hardware, software, services, and data are managed throughout + their life cycles + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Integrate cybersecurity considerations throughout the life cycles of + systems, hardware, software, and services + + Ex2: Integrate cybersecurity considerations into product life cycles + + Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., + shadow IT) + + Ex4: Periodically identify 
redundant systems, hardware, software, and services + that unnecessarily increase the organization''s attack surface + + Ex5: Properly configure and secure systems, hardware, software, and services + prior to their deployment in production + + Ex6: Update inventories when systems, hardware, software, and services are + moved or transferred within the organization + + Ex7: Securely destroy stored data based on the organization''s data retention + policy using the prescribed destruction method, and keep and manage a record + of the destructions + + Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, + reassigned, or sent for repairs or replacement + + Ex9: Offer methods for destroying paper, storage media, and other physical + forms of data storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.RA + name: Risk Assessment + description: The cybersecurity risk to the organization, assets, and individuals + is understood by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-01 + description: Vulnerabilities in assets are identified, validated, and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use vulnerability management technologies to identify unpatched and misconfigured + software + + Ex2: Assess network and system architectures for design and implementation + weaknesses that affect cybersecurity + + Ex3: Review, analyze, or test organization-developed software to identify + design, coding, and default configuration vulnerabilities + + Ex4: Assess facilities that house critical computing assets for physical vulnerabilities + and 
resilience issues + + Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities + in products and services + + Ex6: Review processes and procedures for weaknesses that could be exploited + to affect cybersecurity' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-02 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure cybersecurity tools and technologies with detection or response + capabilities to securely ingest cyber threat intelligence feeds + + Ex2: Receive and review advisories from reputable third parties on current + threat actors and their tactics, techniques, and procedures (TTPs) + + Ex3: Monitor sources of cyber threat intelligence for information on the types + of vulnerabilities that emerging technologies may have' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-03 + description: Internal and external threats to the organization are identified + and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use cyber threat intelligence to maintain awareness of the types of threat + actors likely to target the organization and the TTPs they are likely to use + + Ex2: Perform threat hunting to look for signs of threat actors within the + environment + + Ex3: Implement processes for identifying internal threat actors' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-04 + description: Potential impacts and likelihoods of threats exploiting vulnerabilities + are identified and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Business leaders and cybersecurity risk management practitioners work + together to estimate the likelihood and impact of risk scenarios and record + them in risk registers + + Ex2: Enumerate the potential business impacts of unauthorized access to the + organization''s communications, systems, and data processed in or by those + systems + + Ex3: Account for the potential impacts of cascading failures for systems of + systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-05 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + understand inherent risk and inform risk response prioritization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Develop threat models to better understand risks to the data and identify + appropriate risk responses + + Ex2: Prioritize cybersecurity resource allocations and investments based on + estimated likelihoods and impacts' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-06 + description: Risk responses are chosen, prioritized, planned, tracked, and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99 + assessable: false + 
depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply the vulnerability management plan''s criteria for deciding whether + to accept, transfer, mitigate, or avoid risk + + Ex2: Apply the vulnerability management plan''s criteria for selecting compensating + controls to mitigate risk + + Ex3: Track the progress of risk response implementation (e.g., plan of action + and milestones [POA&M], risk register, risk detail report) + + Ex4: Use risk assessment findings to inform risk response decisions and actions + + Ex5: Communicate planned risk responses to affected stakeholders in priority + order' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-07 + description: Changes and exceptions are managed, assessed for risk impact, recorded, + and tracked + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + name: Examples + description: 'Ex1: Implement and follow procedures for the formal documentation, + review, testing, and approval of proposed changes and requested exceptions + + Ex2: Document the possible risks of making or not making each proposed change, + and provide guidance on rolling back changes + + Ex3: Document the risks related to each requested exception and the plan for + responding to those risks + + Ex4: Periodically review risks that were accepted based upon planned future + actions or milestones' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-08 + description: Processes for receiving, analyzing, and responding to vulnerability + disclosures are established + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct vulnerability information sharing between the organization and + its suppliers following the rules and protocols defined in contracts + + Ex2: Assign responsibilities and verify the execution of procedures for processing, + analyzing the impact of, and responding to cybersecurity threat, vulnerability, + or incident disclosures by suppliers, customers, partners, and government + cybersecurity organizations' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-09 + description: The authenticity and integrity of hardware and software are assessed + prior to acquisition and use + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + name: Examples + description: 'Ex1: Assess the authenticity and cybersecurity of critical technology + products and services prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-10 + description: Critical suppliers are assessed prior to acquisition + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + name: Examples + description: 'Ex1: Conduct supplier risk assessments against business and applicable + cybersecurity requirements, including the supply chain' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.IM + name: Improvement + description: Improvements to organizational cybersecurity risk management processes, + 
procedures and activities are identified across all CSF Functions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-01 + description: Improvements are identified from evaluations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform self-assessments of critical services that take current threats + and TTPs into consideration + + Ex2: Invest in third-party assessments or independent audits of the effectiveness + of the organization''s cybersecurity program to identify areas that need improvement + + Ex3: Constantly evaluate compliance with selected cybersecurity requirements + through automated means' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-02 + description: Improvements are identified from security tests and exercises, + including those done in coordination with suppliers and relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify improvements for future incident response activities based on + findings from incident response assessments (e.g., tabletop exercises and + simulations, tests, internal reviews, independent audits) + + Ex2: Identify improvements for future business continuity, disaster recovery, + and incident response activities based on exercises performed in coordination + with critical service providers and product suppliers + + Ex3: Involve internal stakeholders (e.g., senior executives, legal department, + HR) in security tests and exercises 
as appropriate + + Ex4: Perform penetration testing to identify opportunities to improve the + security posture of selected high-risk systems as approved by leadership + + Ex5: Exercise contingency plans for responding to and recovering from the + discovery that products or services did not originate with the contracted + supplier or partner or were altered before receipt + + Ex6: Collect and analyze performance metrics using security tools and services + to inform improvements to the cybersecurity program' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-03 + description: Improvements are identified from execution of operational processes, + procedures, and activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Conduct collaborative lessons learned sessions with suppliers + + Ex2: Annually review cybersecurity policies, processes, and procedures to + take lessons learned into account + + Ex3: Use metrics to assess operational cybersecurity performance over time' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-04 + description: Incident response plans and other cybersecurity plans that affect + operations are established, communicated, maintained, and improved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish contingency plans (e.g., incident response, business continuity, + disaster recovery) for responding to and recovering from adverse events that + can interfere with operations, expose confidential 
information, or otherwise + endanger the organization''s mission and viability + + Ex2: Include contact and communication information, processes for handling + common scenarios, and criteria for prioritization, escalation, and elevation + in all contingency plans + + Ex3: Create a vulnerability management plan to identify and assess all types + of vulnerabilities and to prioritize, test, and implement risk responses + + Ex4: Communicate cybersecurity plans (including updates) to those responsible + for carrying them out and to affected parties + + Ex5: Review and update all cybersecurity plans annually or when a need for + significant improvements is identified' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT + description: Safeguards to manage the organization's cybersecurity risks are + used + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AA + name: Identity Management, Authentication, and Access Control + description: Access to physical and logical assets is limited to authorized + users, services, and hardware and managed commensurate with the assessed + risk of unauthorized access + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-01 + description: Identities and credentials for authorized users, services, and + hardware are managed by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Initiate requests for new access or additional access for employees, + contractors, and others, and track, review, and fulfill the requests, with + permission from system or data owners when needed + + Ex2: Issue, manage, 
and revoke cryptographic certificates and identity tokens, + cryptographic keys (i.e., key management), and other credentials + + Ex3: Select a unique identifier for each device from immutable hardware characteristics + or an identifier securely provisioned to the device + + Ex4: Physically label authorized hardware with an identifier for inventory + and servicing purposes' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-02 + description: Identities are proofed and bound to credentials based on the context + of interactions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Verify a person''s claimed identity at enrollment time using government-issued + identity credentials (e.g., passport, visa, driver''s license) + + Ex2: Issue a different credential for each person (i.e., no credential sharing)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-03 + description: Users, services, and hardware are authenticated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require multifactor authentication + + Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar + authenticators + + Ex3: Periodically reauthenticate users, services, and hardware based on risk + (e.g., in zero trust architectures) + + Ex4: Ensure that authorized personnel can access accounts essential for protecting + safety under emergency conditions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-04 + description: Identity assertions are protected, conveyed, and verified + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect identity assertions that are used to convey authentication and + user information through single sign-on systems + + Ex2: Protect identity assertions that are used to convey authentication and + user information between federated systems + + Ex3: Implement standards-based approaches for identity assertions in all contexts, + and follow all guidance for the generation (e.g., data models, metadata), + protection (e.g., digital signing, encryption), and verification (e.g., signature + validation) of identity assertions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-05 + description: Access permissions, entitlements, and authorizations are defined + in a policy, managed, enforced, and reviewed, and incorporate the principles + of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review logical and physical access privileges periodically and whenever + someone changes roles or leaves the organization, and promptly rescind privileges + that are no longer needed + + Ex2: Take attributes of the requester and the requested resource into account + for authorization decisions (e.g., geolocation, day/time, requester endpoint''s + cyber health) + + Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust + architecture) + + Ex4: Periodically 
review the privileges associated with critical business + functions to confirm proper separation of duties' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-06 + description: Physical access to assets is managed, monitored, and enforced commensurate + with risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use security guards, security cameras, locked entrances, alarm systems, + and other physical controls to monitor facilities and restrict access + + Ex2: Employ additional physical security controls for areas that contain high-risk + assets + + Ex3: Escort guests, vendors, and other third parties within areas that contain + business-critical assets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AT + name: Awareness and Training + description: The organization's personnel are provided with cybersecurity awareness + and training so that they can perform their cybersecurity-related tasks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-01 + description: Personnel are provided with awareness and training so that they + possess the knowledge and skills to perform general tasks with cybersecurity + risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Provide basic cybersecurity awareness and training to employees, contractors, + partners, suppliers, and all other users of the 
organization''s non-public + resources + + Ex2: Train personnel to recognize social engineering attempts and other common + attacks, report attacks and suspicious activity, comply with acceptable use + policies, and perform basic cyber hygiene tasks (e.g., patching software, + choosing passwords, protecting credentials) + + Ex3: Explain the consequences of cybersecurity policy violations, both to + individual users and the organization as a whole + + Ex4: Periodically assess or test users on their understanding of basic cybersecurity + practices + + Ex5: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-02 + description: Individuals in specialized roles are provided with awareness and + training so that they possess the knowledge and skills to perform relevant + tasks with cybersecurity risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify the specialized roles within the organization that require additional + cybersecurity training, such as physical and cybersecurity personnel, finance + personnel, senior leadership, and anyone with access to business-critical + data + + Ex2: Provide role-based cybersecurity awareness and training to all those + in specialized roles, including contractors, partners, suppliers, and other + third parties + + Ex3: Periodically assess or test users on their understanding of cybersecurity + practices for their specialized roles + + Ex4: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + assessable: false + depth: 2 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.DS + name: Data Security + description: Data are managed consistent with the organization's risk strategy + to protect the confidentiality, integrity, and availability of information + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-01 + description: The confidentiality, integrity, and availability of data-at-rest + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of stored data in files, databases, virtual + machine disk images, container images, and other resources + + Ex2: Use full disk encryption to protect data stored on user endpoints + + Ex3: Confirm the integrity of software by validating signatures + + Ex4: Restrict the use of removable media to prevent data exfiltration + + Ex5: Physically secure removable media containing unencrypted sensitive information, + such as within locked offices or file cabinets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-02 + description: The confidentiality, integrity, and availability of data-in-transit + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of network communications + + Ex2: Automatically encrypt or block outbound emails and other communications + that contain 
sensitive data, depending on the data classification + + Ex3: Block access to personal email, file sharing, file storage services, + and other personal communications applications and services from organizational + systems and networks + + Ex4: Prevent reuse of sensitive data from production environments (e.g., customer + records) in development, testing, and other non-production environments' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-10 + description: The confidentiality, integrity, and availability of data-in-use + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Remove data that must remain confidential (e.g., from processors and + memory) as soon as it is no longer needed + + Ex2: Protect data in use from access by other users and processes of the same + platform' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-11 + description: Backups of data are created, protected, maintained, and tested + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Continuously back up critical data in near-real-time, and back up other + data frequently at agreed-upon schedules + + Ex2: Test backups and restores for all types of data sources at least annually + + Ex3: Securely store some backups offline and offsite so that an incident or + disaster will not damage them + + Ex4: Enforce geographic separation and geolocation restrictions for data backup + storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + 
assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.PS + name: Platform Security + description: The hardware, software (e.g., firmware, operating systems, applications), + and services of physical and virtual platforms are managed consistent with + the organization's risk strategy to protect their confidentiality, integrity, + and availability + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-01 + description: Configuration management practices are established and applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish, test, deploy, and maintain hardened baselines that enforce + the organization''s cybersecurity policies and provide only essential capabilities + (i.e., principle of least functionality) + + Ex2: Review all default configuration settings that may potentially impact + cybersecurity when installing or upgrading software + + Ex3: Monitor implemented software for deviations from approved baselines' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-02 + description: Software is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform routine and emergency patching within the timeframes specified + in the vulnerability management plan + + Ex2: Update container images, and deploy new container instances to replace + rather than update existing instances + + Ex3: Replace end-of-life software and 
service versions with supported, maintained + versions + + Ex4: Uninstall and remove unauthorized software and services that pose undue + risks + + Ex5: Uninstall and remove any unnecessary software components (e.g., operating + system utilities) that attackers might misuse + + Ex6: Define and implement plans for software and service end-of-life maintenance + support and obsolescence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-03 + description: Hardware is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Replace hardware when it lacks needed security capabilities or when it + cannot support software with needed security capabilities + + Ex2: Define and implement plans for hardware end-of-life maintenance support + and obsolescence + + Ex3: Perform hardware disposal in a secure, responsible, and auditable manner' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-04 + description: Log records are generated and made available for continuous monitoring + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure all operating systems, applications, and services (including + cloud-based services) to generate log records + + Ex2: Configure log generators to securely share their logs with the organization''s + logging infrastructure systems and services + + Ex3: Configure log generators to record the data needed by zero-trust architectures' 
+ - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-05 + description: Installation and execution of unauthorized software are prevented + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: When risk warrants it, restrict software execution to permitted products + only or deny the execution of prohibited and unauthorized software + + Ex2: Verify the source of new software and the software''s integrity before + installing it + + Ex3: Configure platforms to use only approved DNS services that block access + to known malicious domains + + Ex4: Configure platforms to allow the installation of organization-approved + software only' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-06 + description: Secure software development practices are integrated, and their + performance is monitored throughout the software development life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect all components of organization-developed software from tampering + and unauthorized access + + Ex2: Secure all software produced by the organization, with minimal vulnerabilities + in their releases + + Ex3: Maintain the software used in production environments, and securely dispose + of software once it is no longer needed' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.IR + name: Technology Infrastructure Resilience + description: 
Security architectures are managed with the organization's risk + strategy to protect asset confidentiality, integrity, and availability, and + organizational resilience + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-01 + description: Networks and environments are protected from unauthorized logical + access and usage + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Logically segment organization networks and cloud-based platforms according + to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), + and permit required communications only between segments + + Ex2: Logically segment organization networks from external networks, and permit + only necessary communications to enter the organization''s networks from the + external networks + + Ex3: Implement zero trust architectures to restrict network access to each + resource to the minimum necessary + + Ex4: Check the cyber health of endpoints before allowing them to access and + use production resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-02 + description: The organization's technology assets are protected from environmental + threats + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Protect organizational equipment from known environmental threats, such + as flooding, fire, wind, and excessive heat and humidity + + Ex2: Include protection from environmental threats and provisions for 
adequate + operating infrastructure in requirements for service providers that operate + systems on the organization''s behalf' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-03 + description: Mechanisms are implemented to achieve resilience requirements in + normal and adverse situations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Avoid single points of failure in systems and infrastructure + + Ex2: Use load balancing to increase capacity and improve reliability + + Ex3: Use high-availability components like redundant storage and power supplies + to improve system reliability' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-04 + description: Adequate resource capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + name: Examples + description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth, + and other resources + + Ex2: Forecast future needs, and scale resources accordingly' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT + description: Possible cybersecurity attacks and compromises are found and analyzed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.CM + name: Continuous Monitoring + description: Assets are monitored to find anomalies, indicators of compromise, + and other potentially adverse events + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-01 + description: Networks and network services are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + name: Examples + description: 'Ex1: Monitor DNS, BGP, and other network services for adverse + events + + Ex2: Monitor wired and wireless networks for connections from unauthorized + endpoints + + Ex3: Monitor facilities for unauthorized or rogue wireless networks + + Ex4: Compare actual network flows against baselines to detect deviations + + Ex5: Monitor network communications to identify changes in security postures + for zero trust purposes + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-02 + description: The physical environment is monitored to find potentially adverse + events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + name: Examples + description: 'Ex1: Monitor logs from physical access control systems (e.g., + badge readers) to find unusual access patterns (e.g., deviations from the + norm) and failed access attempts + + Ex2: Review and monitor physical access records (e.g., from visitor registration, + sign-in sheets) + + Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) + for signs of tampering + + Ex4: Monitor the physical environment using alarm systems, cameras, and security + guards + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-03 + 
description: Personnel activity and technology usage are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + name: Examples + description: 'Ex1: Use behavior analytics software to detect anomalous user + activity to mitigate insider threats + + Ex2: Monitor logs from logical access control systems to find unusual access + patterns and failed access attempts + + Ex3: Continuously monitor deception technology, including user accounts, for + any usage + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-06 + description: External service provider activities and services are monitored + to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + name: Examples + description: 'Ex1: Monitor remote and onsite administration and maintenance + activities that external providers perform on organizational systems + + Ex2: Monitor activity from cloud-based services, internet service providers, + and other service providers for deviations from expected behavior + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-09 + description: Computing hardware and software, runtime environments, and their + data are monitored to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + name: Examples + description: 'Ex1: Monitor email, web, file sharing, collaboration services, + and other common attack vectors to detect 
malware, phishing, data leaks and + exfiltration, and other adverse events + + Ex2: Monitor authentication attempts to identify attacks against credentials + and unauthorized credential reuse + + Ex3: Monitor software configurations for deviations from security baselines + + Ex4: Monitor hardware and software for signs of tampering + + Ex5: Use technologies with a presence on endpoints to detect cyber health + issues (e.g., missing patches, malware infections, unauthorized software), + and redirect the endpoints to a remediation environment before access is authorized + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.AE + name: Adverse Event Analysis + description: Anomalies, indicators of compromise, and other potentially adverse + events are analyzed to characterize the events and detect cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-02 + description: Potentially adverse events are analyzed to better understand associated + activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + name: Examples + description: 'Ex1: Use security information and event management (SIEM) or other + tools to continuously monitor log events for known malicious and suspicious + activity + + Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to + improve detection accuracy and characterize threat actors, their methods, + and indicators of compromise + + Ex3: Regularly conduct manual reviews of log events for technologies that + cannot be sufficiently monitored through automation + + Ex4: Use log analysis tools to generate reports on their findings + + 1st: 1st Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-03 + description: Information is correlated from multiple sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + name: Examples + description: 'Ex1: Constantly transfer log data generated by other sources to + a relatively small number of log servers + + Ex2: Use event correlation technology (e.g., SIEM) to collect information + captured by multiple sources + + Ex3: Utilize cyber threat intelligence to help correlate events among log + sources + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-04 + description: The estimated impact and scope of adverse events are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + name: Examples + description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and + review and refine the estimates + + Ex2: A person creates their own estimates of impact and scope + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-06 + description: Information on adverse events is provided to authorized staff and + tools + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + name: Examples + description: 'Ex1: Use cybersecurity software to generate alerts and provide + them to the security operations center (SOC), incident responders, and incident + response tools + + Ex2: Incident responders and other 
authorized personnel can access log analysis + findings at all times + + Ex3: Automatically create and assign tickets in the organization''s ticketing + system when certain types of alerts occur + + Ex4: Manually create and assign tickets in the organization''s ticketing system + when technical staff discover indicators of compromise + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-07 + description: Cyber threat intelligence and other contextual information are + integrated into the analysis + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + name: Examples + description: 'Ex1: Securely provide cyber threat intelligence feeds to detection + technologies, processes, and personnel + + Ex2: Securely provide information from asset inventories to detection technologies, + processes, and personnel + + Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s + technologies from suppliers, vendors, and third-party security advisories + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-08 + description: Incidents are declared when adverse events meet the defined incident + criteria + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + name: Examples + description: 'Ex1: Apply incident criteria to known and assumed characteristics + of activity in order to determine whether an incident should be declared + + Ex2: Take known false positives into account when applying incident criteria + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + assessable: false + 
depth: 1 + ref_id: RS + name: RESPOND + description: Actions regarding a detected cybersecurity incident are taken + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MA + name: Incident Management + description: Responses to detected cybersecurity incidents are managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-01 + description: The incident response plan is executed in coordination with relevant + third parties once an incident is declared + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + name: Examples + description: 'Ex1: Detection technologies automatically report confirmed incidents + + Ex2: Request incident response assistance from the organization''s incident + response outsourcer + + Ex3: Designate an incident lead for each incident + + Ex4: Initiate execution of additional cybersecurity plans as needed to support + incident response (for example, business continuity and disaster recovery) + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-02 + description: Incident reports are triaged and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related + and necessitate incident response activities + + Ex2: Apply criteria to estimate the severity of an incident' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-03 + description: Incidents are categorized and prioritized + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Further review and categorize incidents based on the type of incident + (e.g., data breach, ransomware, DDoS, account compromise) + + Ex2: Prioritize incidents based on their scope, likely impact, and time-critical + nature + + Ex3: Select incident response strategies for active incidents by balancing + the need to quickly recover from an incident with the need to observe the + attacker or conduct a more thorough investigation' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-04 + description: Incidents are escalated or elevated as needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Track and validate the status of all ongoing incidents + + Ex2: Coordinate incident escalation or elevation with designated internal + and external stakeholders' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-05 + description: The criteria for initiating incident recovery are applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply incident recovery criteria to known and assumed characteristics + of the incident to determine whether incident recovery processes should be + initiated + + 
Ex2: Take the possible operational disruption of incident recovery activities + into account' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.AN + name: Incident Analysis + description: Investigations are conducted to ensure effective response and support + forensics and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-03 + description: Analysis is performed to establish what has taken place during + an incident and the root cause of the incident + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Determine the sequence of events that occurred during the incident and + which assets and resources were involved in each event + + Ex2: Attempt to determine what vulnerabilities, threats, and threat actors + were directly or indirectly involved in the incident + + Ex3: Analyze the incident to find the underlying, systemic root causes + + Ex4: Check any cyber deception technology for additional information on attacker + behavior' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-06 + description: Actions performed during an investigation are recorded, and the + records' integrity and provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require each incident responder and others (e.g., system administrators, + cybersecurity engineers) who perform incident response tasks to record 
their + actions and make the record immutable + + Ex2: Require the incident lead to document the incident in detail and be responsible + for preserving the integrity of the documentation and the sources of all information + being reported' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-07 + description: Incident data and metadata are collected, and their integrity and + provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident + data and metadata (e.g., data source, date/time of collection) based on evidence + preservation and chain-of-custody procedures' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-08 + description: An incident's magnitude is estimated and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review other potential targets of the incident to search for indicators + of compromise and evidence of persistence + + Ex2: Automatically run tools on targets to look for indicators of compromise + and evidence of persistence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.CO + name: Incident Response Reporting and Communication + description: Response activities are coordinated with internal and external + stakeholders as required by laws, regulations, or policies + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-02 + description: Internal and external stakeholders are notified of incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Follow the organization''s breach notification procedures after discovering + a data breach incident, including notifying affected customers + + Ex2: Notify business partners and customers of incidents in accordance with + contractual requirements + + Ex3: Notify law enforcement agencies and regulatory bodies of incidents based + on criteria in the incident response plan and management approval' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-03 + description: Information is shared with designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Securely share information consistent with response plans and information + sharing agreements + + Ex2: Voluntarily share information about an attacker''s observed TTPs, with + all sensitive data removed, with an Information Sharing and Analysis Center + (ISAC) + + Ex3: Notify HR when malicious insider activity occurs + + Ex4: Regularly update senior leadership on the status of major incidents + + Ex5: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex6: Coordinate crisis communication methods between the organization and + its critical 
suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MI + name: Incident Mitigation + description: Activities are performed to prevent expansion of an event and mitigate + its effects + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-01 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity + features of other technologies (e.g., operating systems, network infrastructure + devices) automatically perform containment actions + + Ex2: Allow incident responders to manually select and perform containment + actions + + Ex3: Allow a third party (e.g., internet service provider, managed security + service provider) to perform containment actions on behalf of the organization + + Ex4: Automatically transfer compromised endpoints to a remediation virtual + local area network (VLAN)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-02 + description: Incidents are eradicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies and cybersecurity features of other technologies + (e.g., operating systems, network infrastructure devices) automatically perform + eradication actions + + Ex2: Allow incident responders to manually select and perform 
eradication + actions + + Ex3: Allow a third party (e.g., managed security service provider) to perform + eradication actions on behalf of the organization' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER + description: Assets and operations affected by a cybersecurity incident are + restored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.RP + name: Incident Recovery Plan Execution + description: Restoration activities are performed to ensure operational availability + of systems and services affected by cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-01 + description: The recovery portion of the incident response plan is executed + once initiated from the incident response process + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Begin recovery procedures during or after incident response processes + + Ex2: Make all individuals with recovery responsibilities aware of the plans + for recovery and the authorizations required to implement each aspect of the + plans' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-02 + description: Recovery actions are selected, scoped, prioritized, and performed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Select recovery actions based on the criteria defined in the incident + response 
plan and available resources + + Ex2: Change planned recovery actions based on a reassessment of organizational + needs and resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-03 + description: The integrity of backups and other restoration assets is verified + before using them for restoration + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restoration assets for indicators of compromise, file corruption, + and other integrity issues before use' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-04 + description: Critical mission functions and cybersecurity risk management are + considered to establish post-incident operational norms + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use business impact and system categorization records (including service + delivery objectives) to validate that essential services are restored in the + appropriate order + + Ex2: Work with system owners to confirm the successful restoration of systems + and the return to normal operations + + Ex3: Monitor the performance of restored systems to verify the adequacy of + the restoration' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-05 + description: The integrity of restored assets is verified, systems and services + are restored, and normal operating status is confirmed + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:node234 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restored assets for indicators of compromise and remediation of + root causes of the incident before production use + + Ex2: Verify the correctness and adequacy of the restoration actions taken + before putting a restored system online' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-06 + description: The end of incident recovery is declared based on criteria, and + incident-related documentation is completed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Prepare an after-action report that documents the incident itself, the + response and recovery actions taken, and lessons learned + + Ex2: Declare the end of incident recovery once the criteria are met' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.CO + name: Incident Recovery Communication + description: Restoration activities are coordinated with internal and external + parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-03 + description: Recovery activities and progress in restoring operational capabilities + are communicated to designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + 
Ex1: Securely share recovery information, including restoration progress, + consistent with response plans and information sharing agreements + + Ex2: Regularly update senior leadership on recovery status and restoration + progress for major incidents + + Ex3: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex4: Coordinate crisis communication between the organization and its critical + suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-04 + description: Public updates on incident recovery are shared using approved methods + and messaging + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Follow the organization''s breach notification procedures for recovering + from a data breach incident + + Ex2: Explain the steps being taken to recover from the incident and to prevent + a recurrence' diff --git a/tools/convert_framework.py b/tools/convert_framework.py index 027d4ad17..ca8354caa 100644 --- a/tools/convert_framework.py +++ b/tools/convert_framework.py @@ -75,6 +75,7 @@ library_vars_dict = defaultdict(dict) library_vars_dict_reverse = defaultdict(dict) library_vars_dict_arg = defaultdict(dict) +urn_unicity_checker = set() if len(sys.argv) <= 1: print("missing input file parameter") 
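Review bot: this generated library file appears to be committed twice; tools/nist_csf-2.0-en.yaml, added further down in this patch, opens with the same `urn: urn:intuitem:risk:library:nist-csf-2.0` / `ref_id: NIST-CSF-2.0` header and uses the same `urn:intuitem:risk:req_node:nist-csf-2.0:...` node namespace as the nodes here (rs.an, rs.co, rc.rp, and so on), so the two copies will drift as soon as either is regenerated. Keep the library copy as the single source of truth and leave only the conversion inputs and script under tools/, or state in the PR which one is canonical. Also worth a look before this 2779-line file is frozen: every `Examples` node carries the implementation-tier markers (`1st: 1st Party Risk`, `3rd: 3rd Party Risk`) as the leading lines of its `description`; they are metadata rather than example text and would be more useful as a dedicated field.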
@@ -155,9 +156,12 @@ def read_header(row): annotation = row[header['annotation']].value if 'annotation' in header else None level = row[header['level']].value if 'level' in header else None maturity = row[header['maturity']].value if 'maturity' in header else None - ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else \ - name.lower().replace(' ', '-') if name else f"node{counter}" + ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else f"node{counter}" urn = f"{root_nodes_urn}:{ref_id_urn}" + if urn in urn_unicity_checker: + print("URN duplicate:", urn) + exit(1) + urn_unicity_checker.add(urn) if depth == current_depth + 1: parent_for_depth[depth]=current_node_urn parent_urn = parent_for_depth[depth] diff --git a/tools/csf2-tools/csf20.xlsx b/tools/csf2-tools/csf20.xlsx new file mode 100644 index 000000000..f0d9dda83 Binary files /dev/null and b/tools/csf2-tools/csf20.xlsx differ diff --git a/tools/csf2-tools/csfv2.py b/tools/csf2-tools/csfv2.py new file mode 100644 index 000000000..715f7950f --- /dev/null +++ b/tools/csf2-tools/csfv2.py 
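Review bot: the duplicate check in read_header reports a collision with a bare `print` to stdout followed by `exit(1)`, which says nothing about where the duplicate came from; since `sys` is already imported (the `sys.argv` check in the hunk above), use `sys.exit(f"URN duplicate: {urn} (row {counter})")` or at least include `counter` so the offending spreadsheet row can be located. The line above it also deserves a comment: dropping the `name`-based fallback means every node without a ref_id (all the `Examples` nodes, whose shared name would previously have collapsed to the same `examples` URN) is now keyed as `node{counter}`. That is what makes the URNs unique, but it also makes them positional: inserting or reordering a row in the source workbook renumbers every later node URN, so anything that has stored a `node206`-style URN will no longer resolve. Document that trade-off next to the line and in the tool's usage notes. Minor: `urn_unicity_checker` (introduced in the hunk above) would read more naturally as `seen_urns`.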
@@ -0,0 +1,87 @@ +import openpyxl +import sys +import re +import yaml +from pprint import pprint +from collections import defaultdict + +if len(sys.argv) <= 1: + print("missing input file parameter") + exit() +input_file_name = sys.argv[1] +ref_name = re.sub(r"\.\w+$", "", input_file_name).lower() +output_file_name = ref_name + ".yaml" + +print("parsing", input_file_name) + +# Define variable to load the dataframe +dataframe = openpyxl.load_workbook(input_file_name) +wb_output = openpyxl.Workbook() +ws = wb_output.active + +def error(message): + print("Error:", message) + exit(1) + + +def read_header(row): + i = 0 + header = {} + for v in row: + v = str(v.value).lower() + header[v] = i + i += 1 + return header + +ws.cell(row=1, column=1, value='assessable') +ws.cell(row=1, column=2, value='depth') +ws.cell(row=1, column=3, value='ref_id') +ws.cell(row=1, column=4, value='name') +ws.cell(row=1, column=5, value='description') +line = 2 +for tab in dataframe: + print("parsing tab", tab.title) + title = tab.title + print("...processing content") + for row in tab: + if any([r.value for r in row]): + (v1, v2, v3, v4) = (r.value for r in row[0:4]) + if v1: + if ':' in v1: + print(v1) + q = re.match("(\w+) \((\w+)\): (.*)", v1) + function_name = q.group(1) + function_id = q.group(2) + function_description = q.group(3) + ws.cell(row=line, column=2, value=1) + ws.cell(row=line, column=3, value=function_id) + ws.cell(row=line, column=4, value=function_name) + ws.cell(row=line, column=5, value=function_description) + line += 1 + elif v2: + q = re.match("([\w\s,]+) \((\w+.\w+)\): (.*)", v2) + category_name = q.group(1) + category_id = q.group(2) + category_description = q.group(3) + ws.cell(row=line, column=2, value=2) + ws.cell(row=line, column=3, value=category_id) + ws.cell(row=line, column=4, value=category_name) + ws.cell(row=line, column=5, value=category_description) + line += 1 + elif v3: + q = re.match("(\w+.\w+-\d+): (.*)", v3) + subcategory_id = q.group(1) + 
subcategory_description = q.group(2) + ws.cell(row=line, column=1, value='x') + ws.cell(row=line, column=2, value=3) + ws.cell(row=line, column=3, value=subcategory_id) + ws.cell(row=line, column=5, value=subcategory_description) + line += 1 + ws.cell(row=line, column=2, value=4) + ws.cell(row=line, column=4, value='Examples') + ws.cell(row=line, column=5, value=v4) + line += 1 + + + +wb_output.save('nist_csf-2.0-en.xlsx') diff --git a/tools/nist_csf-2.0-en.xlsx b/tools/nist_csf-2.0-en.xlsx new file mode 100644 index 000000000..850428a2e Binary files /dev/null and b/tools/nist_csf-2.0-en.xlsx differ diff --git a/tools/nist_csf-2.0-en.yaml b/tools/nist_csf-2.0-en.yaml new file mode 100644 index 000000000..6452a17c4 --- /dev/null +++ b/tools/nist_csf-2.0-en.yaml 
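Review bot: the three `re.match` calls are never checked for a non-match, so a cell that does not fit the pattern dies with an AttributeError on `q.group(1)` instead of naming the row that caused it; the `error()` helper defined at the top of this file is never called and is the obvious place to report it (`if not q: error(f"unexpected cell: {v1!r}")`). The patterns themselves need attention too: they are non-raw strings containing `\w`, `\d` and `\(`, which Python 3.12 flags as invalid escape sequences (write them as `r"..."`), and `(\w+.\w+)` in both the category and the subcategory pattern leaves the dot unescaped, so it matches any character rather than the literal separator in `GV.OC`. Leftovers to clear before merging: the debug `print(v1)`, the unused imports (`yaml`, `pprint`, `defaultdict`), the unused `read_header` function, `output_file_name` (computed, then ignored in favour of the hard-coded `'nist_csf-2.0-en.xlsx'`), and the name `dataframe` for what is an openpyxl Workbook. Finally, the fourth column (`v4`) is written verbatim into the `Examples` description, which is how the `1st: 1st Party Risk` / `3rd: 3rd Party Risk` tier markers end up inside the description text of the generated YAML; in GV.OC-05 (node13) the `3rd:` marker even follows Ex2 rather than preceding Ex1, so the source cell's ordering is being reproduced instead of normalised. Splitting those markers out into their own column would make the export consistent.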
@@ -0,0 +1,2779 @@ +urn: urn:intuitem:risk:library:nist-csf-2.0 +locale: en +ref_id: NIST-CSF-2.0 +name: NIST CSF version 2.0 +description: National Institute of Standards and Technology - Cybersecurity Framework +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: 1 +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-csf-2.0 + ref_id: NIST-CSF-2.0 + name: NIST CSF v2.0 + description: NIST Cybersecurity Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + assessable: false + depth: 1 + ref_id: GV + name: GOVERN + description: The organization's cybersecurity risk management strategy, expectations, + and policy are established, communicated, and monitored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OC + name: Organizational Context + description: The circumstances - mission, stakeholder expectations, dependencies, + and legal, regulatory, and contractual requirements - surrounding the organization's + cybersecurity risk management decisions are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-01 + description: The organizational mission is understood and informs cybersecurity + risk management + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Share the organization''s mission (e.g., through vision and mission statements, + marketing, and service strategies) to provide a basis for identifying risks + that may impede that mission' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-02 + description: Internal and external stakeholders are understood, and their needs + and expectations regarding cybersecurity risk management are understood and + considered + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify relevant internal stakeholders and their cybersecurity-related + expectations (e.g., performance and risk expectations of officers, directors, + and advisors; cultural expectations of employees) + + Ex2: Identify relevant external stakeholders and their cybersecurity-related + expectations (e.g., privacy expectations of customers, business expectations + of partnerships, compliance expectations of regulators, ethics expectations + of society)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-03 + description: Legal, regulatory, and contractual requirements regarding cybersecurity + - including privacy and civil liberties obligations - are understood and managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine a process to track and manage legal and regulatory requirements + regarding protection of individuals'' information (e.g., Health Insurance + Portability and Accountability Act, California Consumer Privacy Act, General + Data Protection Regulation) + + Ex2: Determine a process to track and manage contractual requirements for + cybersecurity management of supplier, customer, and partner 
information + + Ex3: Align the organization''s cybersecurity strategy with legal, regulatory, + and contractual requirements' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-04 + description: Critical objectives, capabilities, and services that stakeholders + depend on or expect from the organization are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Establish criteria for determining the criticality of capabilities and + services as viewed by internal and external stakeholders + + Ex2: Determine (e.g., from a business impact analysis) assets and business + operations that are vital to achieving mission objectives and the potential + impact of a loss (or partial loss) of such operations + + Ex3: Establish and communicate resilience objectives (e.g., recovery time + objectives) for delivering critical capabilities and services in various operating + states (e.g., under attack, during recovery, normal operation)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc + ref_id: GV.OC-05 + description: Outcomes, capabilities, and services that the organization depends + on are understood and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 + name: Examples + description: 'Ex1: Create an inventory of the organization''s dependencies on + external resources (e.g., facilities, cloud-based hosting providers) and their + relationships to organizational assets and business functions + + Ex2: Identify and document external dependencies that are 
potential points + of failure for the organization''s critical capabilities and services, and + share that information with appropriate personnel + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RM + name: Risk Management Strategy + description: The organization's priorities, constraints, risk tolerance and + appetite statements, and assumptions are established, communicated, and used + to support operational risk decisions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-01 + description: Risk management objectives are established and agreed to by organizational + stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update near-term and long-term cybersecurity risk management objectives + as part of annual strategic planning and when major changes occur + + Ex2: Establish measurable objectives for cybersecurity risk management (e.g., + manage the quality of user training, ensure adequate risk protection for industrial + control systems) + + Ex3: Senior leaders agree about cybersecurity objectives and use them for + measuring and managing risk and performance' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-02 + description: Risk appetite and risk tolerance statements are established, communicated, + and maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + 
+ Ex1: Determine and communicate risk appetite statements that convey expectations + about the appropriate level of risk for the organization + + Ex2: Translate risk appetite statements into specific, measurable, and broadly + understandable risk tolerance statements + + Ex3: Refine organizational objectives and risk appetite periodically based + on known risk exposure and residual risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-03 + description: Cybersecurity risk management activities and outcomes are included + in enterprise risk management processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks + (e.g., compliance, financial, operational, regulatory, reputational, safety) + + Ex2: Include cybersecurity risk managers in enterprise risk management planning + + Ex3: Establish criteria for escalating cybersecurity risks within enterprise + risk management' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-04 + description: Strategic direction that describes appropriate risk response options + is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various + classifications of data + + Ex2: Determine whether to purchase cybersecurity insurance + + Ex3: Document conditions under which shared responsibility models are acceptable + (e.g., outsourcing 
certain cybersecurity functions, having a third party perform + financial transactions on behalf of the organization, using public cloud-based + services)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-05 + description: Lines of communication across the organization are established + for cybersecurity risks, including risks from suppliers and other third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Determine how to update senior executives, directors, and management + on the organization''s cybersecurity posture at agreed-upon intervals + + Ex2: Identify how all departments across the organization - such as management, + operations, internal auditors, legal, acquisition, physical security, and + HR - will communicate with each other about cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-06 + description: A standardized method for calculating, documenting, categorizing, + and prioritizing cybersecurity risks is established and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish criteria for using a quantitative approach to cybersecurity + risk analysis, and specify probability and exposure formulas + + Ex2: Create and use templates (e.g., a risk register) to document cybersecurity + risk information (e.g., risk description, exposure, treatment, and ownership) + + Ex3: Establish criteria for risk prioritization at the appropriate levels + 
within the enterprise + + Ex4: Use a consistent list of risk categories to support integrating, aggregating, + and comparing cybersecurity risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm + ref_id: GV.RM-07 + description: Strategic opportunities (i.e., positive risks) are characterized + and are included in organizational cybersecurity risk discussions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define and communicate guidance and methods for identifying opportunities + and including them in risk discussions (e.g., strengths, weaknesses, opportunities, + and threats [SWOT] analysis) + + Ex2: Identify stretch goals and document them + + Ex3: Calculate, document, and prioritize positive risks alongside negative + risks' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.RR + name: Roles, Responsibilities, and Authorities + description: Cybersecurity roles, responsibilities, and authorities to foster + accountability, performance assessment, and continuous improvement are established + and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-01 + description: Organizational leadership is responsible and accountable for cybersecurity + risk and fosters a culture that is risk-aware, ethical, and continually improving + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Leaders (e.g., directors) agree on their roles and 
responsibilities in + developing, implementing, and assessing the organization''s cybersecurity + strategy + + Ex2: Share leaders'' expectations regarding a secure and ethical culture, + especially when current events present the opportunity to highlight positive + or negative examples of cybersecurity risk management + + Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk + strategy and review and update it at least annually and after major events + + Ex4: Conduct reviews to ensure adequate authority and coordination among those + responsible for managing cybersecurity risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-02 + description: Roles, responsibilities, and authorities related to cybersecurity + risk management are established, communicated, understood, and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Document risk management roles and responsibilities in policy + + Ex2: Document who is responsible and accountable for cybersecurity risk management + activities and how those teams and individuals are to be consulted and informed + + Ex3: Include cybersecurity responsibilities and performance requirements in + personnel descriptions + + Ex4: Document performance goals for personnel with cybersecurity risk management + responsibilities, and periodically measure performance to identify areas for + improvement + + Ex5: Clearly articulate cybersecurity responsibilities within operations, + risk functions, and internal audit functions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-03 + description: Adequate resources are allocated 
commensurate with the cybersecurity + risk strategy, roles, responsibilities, and policies + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct periodic management reviews to ensure that those given cybersecurity + risk management responsibilities have the necessary authority + + Ex2: Identify resource allocation and investment in line with risk tolerance + and response + + Ex3: Provide adequate and sufficient people, process, and technical resources + to support the cybersecurity strategy' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr + ref_id: GV.RR-04 + description: Cybersecurity is included in human resources practices + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Integrate cybersecurity risk management considerations into human resources + processes (e.g., personnel screening, onboarding, change notification, offboarding) + + Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, + and retention decisions + + Ex3: Conduct background checks prior to onboarding new personnel for sensitive + roles, and periodically repeat background checks for personnel with such roles + + Ex4: Define and enforce obligations for personnel to be aware of, adhere to, + and uphold security policies as they relate to their roles' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.PO + name: Policy + description: Organizational cybersecurity policy is established, communicated, + and enforced + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-01 + description: Policy for managing cybersecurity risks is established based on + organizational context, cybersecurity strategy, and priorities and is communicated + and enforced + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Create, disseminate, and maintain an understandable, usable risk management + policy with statements of management intent, expectations, and direction + + Ex2: Periodically review policy and supporting processes and procedures to + ensure that they align with risk management strategy objectives and priorities, + as well as the high-level direction of the cybersecurity policy + + Ex3: Require approval from senior management on policy + + Ex4: Communicate cybersecurity risk management policy and supporting processes + and procedures across the organization + + Ex5: Require personnel to acknowledge receipt of policy when first hired, + annually, and whenever policy is updated' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po + ref_id: GV.PO-02 + description: Policy for managing cybersecurity risks is reviewed, updated, communicated, + and enforced to reflect changes in requirements, threats, technology, and + organizational mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Update policy based on periodic reviews of cybersecurity risk management + results to ensure that policy and supporting processes and procedures adequately + maintain risk at an acceptable level + 
+ Ex2: Provide a timeline for reviewing changes to the organization''s risk + environment (e.g., changes in risk or in the organization''s mission objectives), + and communicate recommended policy updates + + Ex3: Update policy to reflect changes in legal and regulatory requirements + + Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial + intelligence) and changes to the business (e.g., acquisition of a new business, + new contract requirements)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.OV + name: Oversight + description: Results of organization-wide cybersecurity risk management activities + and performance are used to inform, improve, and adjust the risk management + strategy + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-01 + description: Cybersecurity risk management strategy outcomes are reviewed to + inform and adjust strategy and direction + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Measure how well the risk management strategy and risk results have helped + leaders make decisions and achieve organizational objectives + + Ex2: Examine whether cybersecurity risk strategies that impede operations + or innovation should be adjusted' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-02 + description: The cybersecurity risk management strategy is reviewed and adjusted + to ensure coverage of organizational requirements and risks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47 + assessable: false + depth: 4 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review audit findings to confirm whether the existing cybersecurity strategy + has ensured compliance with internal and external requirements + + Ex2: Review the performance oversight of those in cybersecurity-related roles + to determine whether policy changes are necessary + + Ex3: Review strategy in light of cybersecurity incidents' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov + ref_id: GV.OV-03 + description: Organizational cybersecurity risk management performance is evaluated + and reviewed for adjustments needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review key performance indicators (KPIs) to ensure that organization-wide + policies and procedures achieve objectives + + Ex2: Review key risk indicators (KRIs) to identify risks the organization + faces, including likelihood and potential impact + + Ex3: Collect and communicate metrics on cybersecurity risk management with + senior leadership' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv + ref_id: GV.SC + name: Cybersecurity Supply Chain Risk Management + description: Cyber supply chain risk management processes are identified, established, + managed, monitored, and improved by organizational stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-01 + description: A cybersecurity supply chain risk management program, strategy, + objectives, policies, and processes are established and agreed to by organizational + 
stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 + name: Examples + description: 'Ex1: Establish a strategy that expresses the objectives of the + cybersecurity supply chain risk management program + + Ex2: Develop the cybersecurity supply chain risk management program, including + a plan (with milestones), policies, and procedures that guide implementation + and improvement of the program, and share the policies and procedures with + the organizational stakeholders + + Ex3: Develop and implement program processes based on the strategy, objectives, + policies, and procedures that are agreed upon and performed by the organizational + stakeholders + + Ex4: Establish a cross-organizational mechanism that ensures alignment between + functions that contribute to cybersecurity supply chain risk management, such + as cybersecurity, IT, operations, legal, human resources, and engineering + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-02 + description: Cybersecurity roles and responsibilities for suppliers, customers, + and partners are established, communicated, and coordinated internally and + externally + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 + name: Examples + description: 'Ex1: Identify one or more specific roles or positions that will + be responsible and accountable for planning, resourcing, and executing cybersecurity + supply chain risk management activities + + Ex2: Document cybersecurity supply chain risk management roles and responsibilities + in policy + + Ex3: Create responsibility matrixes to document who will be responsible and + accountable for cybersecurity supply chain risk management activities 
and + how those teams and individuals will be consulted and informed + + Ex4: Include cybersecurity supply chain risk management responsibilities and + performance requirements in personnel descriptions to ensure clarity and improve + accountability + + Ex5: Document performance goals for personnel with cybersecurity risk management-specific + responsibilities, and periodically measure them to demonstrate and improve + performance + + Ex6: Develop roles and responsibilities for suppliers, customers, and business + partners to address shared responsibilities for applicable cybersecurity risks, + and integrate them into organizational policies and applicable third-party + agreements + + Ex7: Internally communicate cybersecurity supply chain risk management roles + and responsibilities for third parties + + Ex8: Establish rules and protocols for information sharing and reporting processes + between the organization and its suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-03 + description: Cybersecurity supply chain risk management is integrated into cybersecurity + and enterprise risk management, risk assessment, and improvement processes + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 + name: Examples + description: 'Ex1: Identify areas of alignment and overlap with cybersecurity + and enterprise risk management + + Ex2: Establish integrated control sets for cybersecurity risk management and + cybersecurity supply chain risk management + + Ex3: Integrate cybersecurity supply chain risk management into improvement + processes + + Ex4: Escalate material cybersecurity risks in supply chains to senior management, + and address them at the enterprise risk management level + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-04 + description: Suppliers are known and prioritized by criticality + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 + name: Examples + description: 'Ex1: Develop criteria for supplier criticality based on, for example, + the sensitivity of data processed or possessed by suppliers, the degree of + access to the organization''s systems, and the importance of the products + or services to the organization''s mission + + Ex2: Keep a record of all suppliers, and prioritize suppliers based on the + criticality criteria + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-05 + description: Requirements to address cybersecurity risks in supply chains are + established, prioritized, and integrated into contracts and other types of + agreements with suppliers and other relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 + name: Examples + description: 'Ex1: Establish security requirements for suppliers, products, + and services commensurate with their criticality level and potential impact + if compromised + + Ex2: Include all cybersecurity and supply chain requirements that third parties + must follow and how compliance with the requirements may be verified in default + contractual language + + Ex3: Define the rules and protocols for information sharing between the organization + and its suppliers and sub-tier suppliers in agreements + + Ex4: Manage risk by including security requirements in agreements based on + their criticality and potential impact if compromised + 
+ Ex5: Define security requirements in service-level agreements (SLAs) for monitoring + suppliers for acceptable security performance throughout the supplier relationship + lifecycle + + Ex6: Contractually require suppliers to disclose cybersecurity features, functions, + and vulnerabilities of their products and services for the life of the product + or the term of service + + Ex7: Contractually require suppliers to provide and maintain a current component + inventory (e.g., software or hardware bill of materials) for critical products + + Ex8: Contractually require suppliers to vet their employees and guard against + insider threats + + Ex9: Contractually require suppliers to provide evidence of performing acceptable + security practices through, for example, self-attestation, conformance to + known standards, certifications, or inspections + + Ex10: Specify in contracts and other agreements the rights and responsibilities + of the organization, its suppliers, and their supply chains, with respect + to potential cybersecurity risks + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-06 + description: Planning and due diligence are performed to reduce risks before + entering into formal supplier or other third-party relationships + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 + name: Examples + description: 'Ex1: Perform thorough due diligence on prospective suppliers that + is consistent with procurement planning and commensurate with the level of + risk, criticality, and complexity of each supplier relationship + + Ex2: Assess the suitability of the technology and cybersecurity capabilities + and the risk management practices of prospective suppliers + + Ex3: Conduct supplier risk assessments against business and applicable 
cybersecurity + requirements + + Ex4: Assess the authenticity, integrity, and security of critical products + prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-07 + description: The risks posed by a supplier, their products and services, and + other third parties are understood, recorded, prioritized, assessed, responded + to, and monitored over the course of the relationship + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 + name: Examples + description: 'Ex1: Adjust assessment formats and frequencies based on the third + party''s reputation and the criticality of the products or services they provide + + Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity + requirements, such as self-attestations, warranties, certifications, and other + artifacts + + Ex3: Monitor critical suppliers to ensure that they are fulfilling their security + obligations throughout the supplier relationship lifecycle using a variety + of methods and techniques, such as inspections, audits, tests, or other forms + of evaluation + + Ex4: Monitor critical suppliers, services, and products for changes to their + risk profiles, and reevaluate supplier criticality and risk impact accordingly + + Ex5: Plan for unexpected supplier and supply chain-related interruptions to + ensure business continuity + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-08 + description: Relevant suppliers and other third parties are included in incident + planning, response, and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 + name: Examples + description: 'Ex1: Define and use rules and protocols for reporting incident + response and recovery activities and the status between the organization and + its suppliers + + Ex2: Identify and document the roles and responsibilities of the organization + and its suppliers for incident response + + Ex3: Include critical suppliers in incident response exercises and simulations + + Ex4: Define and coordinate crisis communication methods and protocols between + the organization and its critical suppliers + + Ex5: Conduct collaborative lessons learned sessions with critical suppliers + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-09 + description: Supply chain security practices are integrated into cybersecurity + and enterprise risk management programs, and their performance is monitored + throughout the technology product and service life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 + name: Examples + description: 'Ex1: Policies and procedures require provenance records for all + acquired technology products and services + + Ex2: Periodically provide risk reporting to leaders about how acquired components + are proven to be untampered and authentic + + Ex3: Communicate regularly among cybersecurity risk managers and operations + personnel about the need to acquire software patches, updates, and upgrades + only from authenticated and trustworthy software providers + + Ex4: Review policies to ensure that they require approved supplier personnel + to perform maintenance on supplier products + + Ex5: Policies and procedure require checking upgrades to critical hardware + for unauthorized changes + + 3rd: 3rd Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc + ref_id: GV.SC-10 + description: Cybersecurity supply chain risk management plans include provisions + for activities that occur after the conclusion of a partnership or service + agreement + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 + name: Examples + description: 'Ex1: Establish processes for terminating critical relationships + under both normal and adverse circumstances + + Ex2: Define and implement plans for component end-of-life maintenance support + and obsolescence + + Ex3: Verify that supplier access to organization resources is deactivated + promptly when it is no longer needed + + Ex4: Verify that assets containing the organization''s data are returned or + properly disposed of in a timely, controlled, and safe manner + + Ex5: Develop and execute a plan for terminating or transitioning supplier + relationships that takes supply chain security risk and resiliency into account + + Ex6: Mitigate risks to data and systems created by supplier termination + + Ex7: Manage data leakage risks associated with supplier termination + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY + description: The organization's current cybersecurity risks are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.AM + name: Asset Management + description: Assets (e.g., data, hardware, software, systems, facilities, services, + people) that enable the organization to achieve business purposes are identified + and managed consistent with their relative importance to organizational objectives + and the organization's risk strategy + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-01 + description: Inventories of hardware managed by the organization are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, + and mobile devices + + Ex2: Constantly monitor networks to detect new hardware and automatically + update inventories' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-02 + description: Inventories of software, services, and systems managed by the organization + are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain inventories for all types of software and services, including + commercial-off-the-shelf, open-source, custom applications, API services, + and cloud-based applications and services + + Ex2: Constantly monitor all platforms, including containers and virtual machines, + for software and service inventory changes + + Ex3: Maintain an inventory of the organization''s systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-03 + description: Representations of the organization's authorized network communication + and internal and external network data flows are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 + name: Examples + 
description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Maintain baselines of communication and data flows within the organization''s + wired and wireless networks + + Ex2: Maintain baselines of communication and data flows between the organization + and third parties + + Ex3: Maintain baselines of communication and data flows for the organization''s + infrastructure-as-a-service (IaaS) usage + + Ex4: Maintain documentation of expected network ports, protocols, and services + that are typically used among authorized systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-04 + description: Inventories of services provided by suppliers are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 + name: Examples + description: 'Ex1: Inventory all external services used by the organization, + including third-party infrastructure-as-a-service (IaaS), platform-as-a-service + (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally + hosted application services + + Ex2: Update the inventory when a new external service is going to be utilized + to ensure adequate cybersecurity risk management monitoring of the organization''s + use of that service + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-05 + description: Assets are prioritized based on classification, criticality, resources, + and impact on the mission + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Define criteria for prioritizing each class of assets + + Ex2: 
Apply the prioritization criteria to assets + + Ex3: Track the asset priorities and update them periodically or when significant + changes to the organization occur' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-07 + description: Inventories of data and corresponding metadata for designated data + types are maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Maintain a list of the designated data types of interest (e.g., personally + identifiable information, protected health information, financial account + numbers, organization intellectual property, operational technology data) + + Ex2: Continuously discover and analyze ad hoc data to identify new instances + of designated data types + + Ex3: Assign data classifications to designated data types through tags or + labels + + Ex4: Track the provenance, data owner, and geolocation of each instance of + designated data types' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am + ref_id: ID.AM-08 + description: Systems, hardware, software, services, and data are managed throughout + their life cycles + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Integrate cybersecurity considerations throughout the life cycles of + systems, hardware, software, and services + + Ex2: Integrate cybersecurity considerations into product life cycles + + Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., + shadow IT) + + Ex4: Periodically identify 
redundant systems, hardware, software, and services + that unnecessarily increase the organization''s attack surface + + Ex5: Properly configure and secure systems, hardware, software, and services + prior to their deployment in production + + Ex6: Update inventories when systems, hardware, software, and services are + moved or transferred within the organization + + Ex7: Securely destroy stored data based on the organization''s data retention + policy using the prescribed destruction method, and keep and manage a record + of the destructions + + Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, + reassigned, or sent for repairs or replacement + + Ex9: Offer methods for destroying paper, storage media, and other physical + forms of data storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.RA + name: Risk Assessment + description: The cybersecurity risk to the organization, assets, and individuals + is understood by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-01 + description: Vulnerabilities in assets are identified, validated, and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use vulnerability management technologies to identify unpatched and misconfigured + software + + Ex2: Assess network and system architectures for design and implementation + weaknesses that affect cybersecurity + + Ex3: Review, analyze, or test organization-developed software to identify + design, coding, and default configuration vulnerabilities + + Ex4: Assess facilities that house critical computing assets for physical vulnerabilities + and 
resilience issues + + Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities + in products and services + + Ex6: Review processes and procedures for weaknesses that could be exploited + to affect cybersecurity' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-02 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure cybersecurity tools and technologies with detection or response + capabilities to securely ingest cyber threat intelligence feeds + + Ex2: Receive and review advisories from reputable third parties on current + threat actors and their tactics, techniques, and procedures (TTPs) + + Ex3: Monitor sources of cyber threat intelligence for information on the types + of vulnerabilities that emerging technologies may have' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-03 + description: Internal and external threats to the organization are identified + and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use cyber threat intelligence to maintain awareness of the types of threat + actors likely to target the organization and the TTPs they are likely to use + + Ex2: Perform threat hunting to look for signs of threat actors within the + environment + + Ex3: Implement processes for identifying internal threat actors' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-04 + description: Potential impacts and likelihoods of threats exploiting vulnerabilities + are identified and recorded + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Business leaders and cybersecurity risk management practitioners work + together to estimate the likelihood and impact of risk scenarios and record + them in risk registers + + Ex2: Enumerate the potential business impacts of unauthorized access to the + organization''s communications, systems, and data processed in or by those + systems + + Ex3: Account for the potential impacts of cascading failures for systems of + systems' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-05 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + understand inherent risk and inform risk response prioritization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Develop threat models to better understand risks to the data and identify + appropriate risk responses + + Ex2: Prioritize cybersecurity resource allocations and investments based on + estimated likelihoods and impacts' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-06 + description: Risk responses are chosen, prioritized, planned, tracked, and communicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99 + assessable: false + 
depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply the vulnerability management plan''s criteria for deciding whether + to accept, transfer, mitigate, or avoid risk + + Ex2: Apply the vulnerability management plan''s criteria for selecting compensating + controls to mitigate risk + + Ex3: Track the progress of risk response implementation (e.g., plan of action + and milestones [POA&M], risk register, risk detail report) + + Ex4: Use risk assessment findings to inform risk response decisions and actions + + Ex5: Communicate planned risk responses to affected stakeholders in priority + order' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-07 + description: Changes and exceptions are managed, assessed for risk impact, recorded, + and tracked + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 + name: Examples + description: 'Ex1: Implement and follow procedures for the formal documentation, + review, testing, and approval of proposed changes and requested exceptions + + Ex2: Document the possible risks of making or not making each proposed change, + and provide guidance on rolling back changes + + Ex3: Document the risks related to each requested exception and the plan for + responding to those risks + + Ex4: Periodically review risks that were accepted based upon planned future + actions or milestones' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-08 + description: Processes for receiving, analyzing, and responding to vulnerability + disclosures are established + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103 + assessable: false + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Conduct vulnerability information sharing between the organization and + its suppliers following the rules and protocols defined in contracts + + Ex2: Assign responsibilities and verify the execution of procedures for processing, + analyzing the impact of, and responding to cybersecurity threat, vulnerability, + or incident disclosures by suppliers, customers, partners, and government + cybersecurity organizations' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-09 + description: The authenticity and integrity of hardware and software are assessed + prior to acquisition and use + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 + name: Examples + description: 'Ex1: Assess the authenticity and cybersecurity of critical technology + products and services prior to acquisition and use + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra + ref_id: ID.RA-10 + description: Critical suppliers are assessed prior to acquisition + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 + name: Examples + description: 'Ex1: Conduct supplier risk assessments against business and applicable + cybersecurity requirements, including the supply chain' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id + ref_id: ID.IM + name: Improvement + description: Improvements to organizational cybersecurity risk management processes, + 
procedures and activities are identified across all CSF Functions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-01 + description: Improvements are identified from evaluations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform self-assessments of critical services that take current threats + and TTPs into consideration + + Ex2: Invest in third-party assessments or independent audits of the effectiveness + of the organization''s cybersecurity program to identify areas that need improvement + + Ex3: Constantly evaluate compliance with selected cybersecurity requirements + through automated means' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-02 + description: Improvements are identified from security tests and exercises, + including those done in coordination with suppliers and relevant third parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify improvements for future incident response activities based on + findings from incident response assessments (e.g., tabletop exercises and + simulations, tests, internal reviews, independent audits) + + Ex2: Identify improvements for future business continuity, disaster recovery, + and incident response activities based on exercises performed in coordination + with critical service providers and product suppliers + + Ex3: Involve internal stakeholders (e.g., senior executives, legal department, + HR) in security tests and exercises 
as appropriate + + Ex4: Perform penetration testing to identify opportunities to improve the + security posture of selected high-risk systems as approved by leadership + + Ex5: Exercise contingency plans for responding to and recovering from the + discovery that products or services did not originate with the contracted + supplier or partner or were altered before receipt + + Ex6: Collect and analyze performance metrics using security tools and services + to inform improvements to the cybersecurity program' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-03 + description: Improvements are identified from execution of operational processes, + procedures, and activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Conduct collaborative lessons learned sessions with suppliers + + Ex2: Annually review cybersecurity policies, processes, and procedures to + take lessons learned into account + + Ex3: Use metrics to assess operational cybersecurity performance over time' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im + ref_id: ID.IM-04 + description: Incident response plans and other cybersecurity plans that affect + operations are established, communicated, maintained, and improved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish contingency plans (e.g., incident response, business continuity, + disaster recovery) for responding to and recovering from adverse events that + can interfere with operations, expose confidential 
information, or otherwise + endanger the organization''s mission and viability + + Ex2: Include contact and communication information, processes for handling + common scenarios, and criteria for prioritization, escalation, and elevation + in all contingency plans + + Ex3: Create a vulnerability management plan to identify and assess all types + of vulnerabilities and to prioritize, test, and implement risk responses + + Ex4: Communicate cybersecurity plans (including updates) to those responsible + for carrying them out and to affected parties + + Ex5: Review and update all cybersecurity plans annually or when a need for + significant improvements is identified' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT + description: Safeguards to manage the organization's cybersecurity risks are + used + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AA + name: Identity Management, Authentication, and Access Control + description: Access to physical and logical assets is limited to authorized + users, services, and hardware and managed commensurate with the assessed + risk of unauthorized access + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-01 + description: Identities and credentials for authorized users, services, and + hardware are managed by the organization + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Initiate requests for new access or additional access for employees, + contractors, and others, and track, review, and fulfill the requests, with + permission from system or data owners when needed + + Ex2: Issue, manage, 
and revoke cryptographic certificates and identity tokens, + cryptographic keys (i.e., key management), and other credentials + + Ex3: Select a unique identifier for each device from immutable hardware characteristics + or an identifier securely provisioned to the device + + Ex4: Physically label authorized hardware with an identifier for inventory + and servicing purposes' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-02 + description: Identities are proofed and bound to credentials based on the context + of interactions + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Verify a person''s claimed identity at enrollment time using government-issued + identity credentials (e.g., passport, visa, driver''s license) + + Ex2: Issue a different credential for each person (i.e., no credential sharing)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-03 + description: Users, services, and hardware are authenticated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require multifactor authentication + + Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar + authenticators + + Ex3: Periodically reauthenticate users, services, and hardware based on risk + (e.g., in zero trust architectures) + + Ex4: Ensure that authorized personnel can access accounts essential for protecting + safety under emergency conditions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-04 + description: Identity assertions are protected, conveyed, and verified + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect identity assertions that are used to convey authentication and + user information through single sign-on systems + + Ex2: Protect identity assertions that are used to convey authentication and + user information between federated systems + + Ex3: Implement standards-based approaches for identity assertions in all contexts, + and follow all guidance for the generation (e.g., data models, metadata), + protection (e.g., digital signing, encryption), and verification (e.g., signature + validation) of identity assertions' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-05 + description: Access permissions, entitlements, and authorizations are defined + in a policy, managed, enforced, and reviewed, and incorporate the principles + of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review logical and physical access privileges periodically and whenever + someone changes roles or leaves the organization, and promptly rescind privileges + that are no longer needed + + Ex2: Take attributes of the requester and the requested resource into account + for authorization decisions (e.g., geolocation, day/time, requester endpoint''s + cyber health) + + Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust + architecture) + + Ex4: Periodically 
review the privileges associated with critical business + functions to confirm proper separation of duties' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa + ref_id: PR.AA-06 + description: Physical access to assets is managed, monitored, and enforced commensurate + with risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Use security guards, security cameras, locked entrances, alarm systems, + and other physical controls to monitor facilities and restrict access + + Ex2: Employ additional physical security controls for areas that contain high-risk + assets + + Ex3: Escort guests, vendors, and other third parties within areas that contain + business-critical assets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.AT + name: Awareness and Training + description: The organization's personnel are provided with cybersecurity awareness + and training so that they can perform their cybersecurity-related tasks + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-01 + description: Personnel are provided with awareness and training so that they + possess the knowledge and skills to perform general tasks with cybersecurity + risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Provide basic cybersecurity awareness and training to employees, contractors, + partners, suppliers, and all other users of the 
organization''s non-public + resources + + Ex2: Train personnel to recognize social engineering attempts and other common + attacks, report attacks and suspicious activity, comply with acceptable use + policies, and perform basic cyber hygiene tasks (e.g., patching software, + choosing passwords, protecting credentials) + + Ex3: Explain the consequences of cybersecurity policy violations, both to + individual users and the organization as a whole + + Ex4: Periodically assess or test users on their understanding of basic cybersecurity + practices + + Ex5: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at + ref_id: PR.AT-02 + description: Individuals in specialized roles are provided with awareness and + training so that they possess the knowledge and skills to perform relevant + tasks with cybersecurity risks in mind + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Identify the specialized roles within the organization that require additional + cybersecurity training, such as physical and cybersecurity personnel, finance + personnel, senior leadership, and anyone with access to business-critical + data + + Ex2: Provide role-based cybersecurity awareness and training to all those + in specialized roles, including contractors, partners, suppliers, and other + third parties + + Ex3: Periodically assess or test users on their understanding of cybersecurity + practices for their specialized roles + + Ex4: Require annual refreshers to reinforce existing practices and introduce + new practices' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + assessable: false + depth: 2 + parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.DS + name: Data Security + description: Data are managed consistent with the organization's risk strategy + to protect the confidentiality, integrity, and availability of information + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-01 + description: The confidentiality, integrity, and availability of data-at-rest + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of stored data in files, databases, virtual + machine disk images, container images, and other resources + + Ex2: Use full disk encryption to protect data stored on user endpoints + + Ex3: Confirm the integrity of software by validating signatures + + Ex4: Restrict the use of removable media to prevent data exfiltration + + Ex5: Physically secure removable media containing unencrypted sensitive information, + such as within locked offices or file cabinets' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-02 + description: The confidentiality, integrity, and availability of data-in-transit + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use encryption, digital signatures, and cryptographic hashes to protect + the confidentiality and integrity of network communications + + Ex2: Automatically encrypt or block outbound emails and other communications + that contain 
sensitive data, depending on the data classification + + Ex3: Block access to personal email, file sharing, file storage services, + and other personal communications applications and services from organizational + systems and networks + + Ex4: Prevent reuse of sensitive data from production environments (e.g., customer + records) in development, testing, and other non-production environments' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-10 + description: The confidentiality, integrity, and availability of data-in-use + are protected + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Remove data that must remain confidential (e.g., from processors and + memory) as soon as it is no longer needed + + Ex2: Protect data in use from access by other users and processes of the same + platform' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds + ref_id: PR.DS-11 + description: Backups of data are created, protected, maintained, and tested + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Continuously back up critical data in near-real-time, and back up other + data frequently at agreed-upon schedules + + Ex2: Test backups and restores for all types of data sources at least annually + + Ex3: Securely store some backups offline and offsite so that an incident or + disaster will not damage them + + Ex4: Enforce geographic separation and geolocation restrictions for data backup + storage' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + 
assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.PS + name: Platform Security + description: The hardware, software (e.g., firmware, operating systems, applications), + and services of physical and virtual platforms are managed consistent with + the organization's risk strategy to protect their confidentiality, integrity, + and availability + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-01 + description: Configuration management practices are established and applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Establish, test, deploy, and maintain hardened baselines that enforce + the organization''s cybersecurity policies and provide only essential capabilities + (i.e., principle of least functionality) + + Ex2: Review all default configuration settings that may potentially impact + cybersecurity when installing or upgrading software + + Ex3: Monitor implemented software for deviations from approved baselines' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-02 + description: Software is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Perform routine and emergency patching within the timeframes specified + in the vulnerability management plan + + Ex2: Update container images, and deploy new container instances to replace + rather than update existing instances + + Ex3: Replace end-of-life software and 
service versions with supported, maintained + versions + + Ex4: Uninstall and remove unauthorized software and services that pose undue + risks + + Ex5: Uninstall and remove any unnecessary software components (e.g., operating + system utilities) that attackers might misuse + + Ex6: Define and implement plans for software and service end-of-life maintenance + support and obsolescence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-03 + description: Hardware is maintained, replaced, and removed commensurate with + risk + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Replace hardware when it lacks needed security capabilities or when it + cannot support software with needed security capabilities + + Ex2: Define and implement plans for hardware end-of-life maintenance support + and obsolescence + + Ex3: Perform hardware disposal in a secure, responsible, and auditable manner' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-04 + description: Log records are generated and made available for continuous monitoring + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Configure all operating systems, applications, and services (including + cloud-based services) to generate log records + + Ex2: Configure log generators to securely share their logs with the organization''s + logging infrastructure systems and services + + Ex3: Configure log generators to record the data needed by zero-trust architectures' 
+ - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-05 + description: Installation and execution of unauthorized software are prevented + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: When risk warrants it, restrict software execution to permitted products + only or deny the execution of prohibited and unauthorized software + + Ex2: Verify the source of new software and the software''s integrity before + installing it + + Ex3: Configure platforms to use only approved DNS services that block access + to known malicious domains + + Ex4: Configure platforms to allow the installation of organization-approved + software only' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps + ref_id: PR.PS-06 + description: Secure software development practices are integrated, and their + performance is monitored throughout the software development life cycle + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Protect all components of organization-developed software from tampering + and unauthorized access + + Ex2: Secure all software produced by the organization, with minimal vulnerabilities + in their releases + + Ex3: Maintain the software used in production environments, and securely dispose + of software once it is no longer needed' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr + ref_id: PR.IR + name: Technology Infrastructure Resilience + description: 
Security architectures are managed with the organization's risk + strategy to protect asset confidentiality, integrity, and availability, and + organizational resilience + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-01 + description: Networks and environments are protected from unauthorized logical + access and usage + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Logically segment organization networks and cloud-based platforms according + to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), + and permit required communications only between segments + + Ex2: Logically segment organization networks from external networks, and permit + only necessary communications to enter the organization''s networks from the + external networks + + Ex3: Implement zero trust architectures to restrict network access to each + resource to the minimum necessary + + Ex4: Check the cyber health of endpoints before allowing them to access and + use production resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-02 + description: The organization's technology assets are protected from environmental + threats + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Protect organizational equipment from known environmental threats, such + as flooding, fire, wind, and excessive heat and humidity + + Ex2: Include protection from environmental threats and provisions for 
adequate + operating infrastructure in requirements for service providers that operate + systems on the organization''s behalf' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-03 + description: Mechanisms are implemented to achieve resilience requirements in + normal and adverse situations + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Avoid single points of failure in systems and infrastructure + + Ex2: Use load balancing to increase capacity and improve reliability + + Ex3: Use high-availability components like redundant storage and power supplies + to improve system reliability' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir + ref_id: PR.IR-04 + description: Adequate resource capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 + name: Examples + description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth, + and other resources + + Ex2: Forecast future needs, and scale resources accordingly' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT + description: Possible cybersecurity attacks and compromises are found and analyzed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.CM + name: Continuous Monitoring + description: Assets are monitored to find anomalies, indicators of compromise, + and other potentially adverse events + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-01 + description: Networks and network services are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 + name: Examples + description: 'Ex1: Monitor DNS, BGP, and other network services for adverse + events + + Ex2: Monitor wired and wireless networks for connections from unauthorized + endpoints + + Ex3: Monitor facilities for unauthorized or rogue wireless networks + + Ex4: Compare actual network flows against baselines to detect deviations + + Ex5: Monitor network communications to identify changes in security postures + for zero trust purposes + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-02 + description: The physical environment is monitored to find potentially adverse + events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 + name: Examples + description: 'Ex1: Monitor logs from physical access control systems (e.g., + badge readers) to find unusual access patterns (e.g., deviations from the + norm) and failed access attempts + + Ex2: Review and monitor physical access records (e.g., from visitor registration, + sign-in sheets) + + Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) + for signs of tampering + + Ex4: Monitor the physical environment using alarm systems, cameras, and security + guards + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-03 + 
description: Personnel activity and technology usage are monitored to find potentially + adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 + name: Examples + description: 'Ex1: Use behavior analytics software to detect anomalous user + activity to mitigate insider threats + + Ex2: Monitor logs from logical access control systems to find unusual access + patterns and failed access attempts + + Ex3: Continuously monitor deception technology, including user accounts, for + any usage + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-06 + description: External service provider activities and services are monitored + to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 + name: Examples + description: 'Ex1: Monitor remote and onsite administration and maintenance + activities that external providers perform on organizational systems + + Ex2: Monitor activity from cloud-based services, internet service providers, + and other service providers for deviations from expected behavior + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm + ref_id: DE.CM-09 + description: Computing hardware and software, runtime environments, and their + data are monitored to find potentially adverse events + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 + name: Examples + description: 'Ex1: Monitor email, web, file sharing, collaboration services, + and other common attack vectors to detect 
malware, phishing, data leaks and + exfiltration, and other adverse events + + Ex2: Monitor authentication attempts to identify attacks against credentials + and unauthorized credential reuse + + Ex3: Monitor software configurations for deviations from security baselines + + Ex4: Monitor hardware and software for signs of tampering + + Ex5: Use technologies with a presence on endpoints to detect cyber health + issues (e.g., missing patches, malware infections, unauthorized software), + and redirect the endpoints to a remediation environment before access is authorized + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de + ref_id: DE.AE + name: Adverse Event Analysis + description: Anomalies, indicators of compromise, and other potentially adverse + events are analyzed to characterize the events and detect cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-02 + description: Potentially adverse events are analyzed to better understand associated + activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 + name: Examples + description: 'Ex1: Use security information and event management (SIEM) or other + tools to continuously monitor log events for known malicious and suspicious + activity + + Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to + improve detection accuracy and characterize threat actors, their methods, + and indicators of compromise + + Ex3: Regularly conduct manual reviews of log events for technologies that + cannot be sufficiently monitored through automation + + Ex4: Use log analysis tools to generate reports on their findings + + 1st: 1st Party Risk' + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-03 + description: Information is correlated from multiple sources + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 + name: Examples + description: 'Ex1: Constantly transfer log data generated by other sources to + a relatively small number of log servers + + Ex2: Use event correlation technology (e.g., SIEM) to collect information + captured by multiple sources + + Ex3: Utilize cyber threat intelligence to help correlate events among log + sources + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-04 + description: The estimated impact and scope of adverse events are understood + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 + name: Examples + description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and + review and refine the estimates + + Ex2: A person creates their own estimates of impact and scope + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-06 + description: Information on adverse events is provided to authorized staff and + tools + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 + name: Examples + description: 'Ex1: Use cybersecurity software to generate alerts and provide + them to the security operations center (SOC), incident responders, and incident + response tools + + Ex2: Incident responders and other 
authorized personnel can access log analysis + findings at all times + + Ex3: Automatically create and assign tickets in the organization''s ticketing + system when certain types of alerts occur + + Ex4: Manually create and assign tickets in the organization''s ticketing system + when technical staff discover indicators of compromise + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-07 + description: Cyber threat intelligence and other contextual information are + integrated into the analysis + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 + name: Examples + description: 'Ex1: Securely provide cyber threat intelligence feeds to detection + technologies, processes, and personnel + + Ex2: Securely provide information from asset inventories to detection technologies, + processes, and personnel + + Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s + technologies from suppliers, vendors, and third-party security advisories + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae + ref_id: DE.AE-08 + description: Incidents are declared when adverse events meet the defined incident + criteria + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 + name: Examples + description: 'Ex1: Apply incident criteria to known and assumed characteristics + of activity in order to determine whether an incident should be declared + + Ex2: Take known false positives into account when applying incident criteria + + 1st: 1st Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + assessable: false + 
depth: 1 + ref_id: RS + name: RESPOND + description: Actions regarding a detected cybersecurity incident are taken + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MA + name: Incident Management + description: Responses to detected cybersecurity incidents are managed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-01 + description: The incident response plan is executed in coordination with relevant + third parties once an incident is declared + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 + name: Examples + description: 'Ex1: Detection technologies automatically report confirmed incidents + + Ex2: Request incident response assistance from the organization''s incident + response outsourcer + + Ex3: Designate an incident lead for each incident + + Ex4: Initiate execution of additional cybersecurity plans as needed to support + incident response (for example, business continuity and disaster recovery) + + 3rd: 3rd Party Risk' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-02 + description: Incident reports are triaged and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related + and necessitate incident response activities + + Ex2: Apply criteria to estimate the severity of an incident' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-03 + description: Incidents are categorized and prioritized + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Further review and categorize incidents based on the type of incident + (e.g., data breach, ransomware, DDoS, account compromise) + + Ex2: Prioritize incidents based on their scope, likely impact, and time-critical + nature + + Ex3: Select incident response strategies for active incidents by balancing + the need to quickly recover from an incident with the need to observe the + attacker or conduct a more thorough investigation' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-04 + description: Incidents are escalated or elevated as needed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Track and validate the status of all ongoing incidents + + Ex2: Coordinate incident escalation or elevation with designated internal + and external stakeholders' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma + ref_id: RS.MA-05 + description: The criteria for initiating incident recovery are applied + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Apply incident recovery criteria to known and assumed characteristics + of the incident to determine whether incident recovery processes should be + initiated + + 
Ex2: Take the possible operational disruption of incident recovery activities + into account' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.AN + name: Incident Analysis + description: Investigations are conducted to ensure effective response and support + forensics and recovery activities + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-03 + description: Analysis is performed to establish what has taken place during + an incident and the root cause of the incident + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Determine the sequence of events that occurred during the incident and + which assets and resources were involved in each event + + Ex2: Attempt to determine what vulnerabilities, threats, and threat actors + were directly or indirectly involved in the incident + + Ex3: Analyze the incident to find the underlying, systemic root causes + + Ex4: Check any cyber deception technology for additional information on attacker + behavior' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-06 + description: Actions performed during an investigation are recorded, and the + records' integrity and provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Require each incident responder and others (e.g., system administrators, + cybersecurity engineers) who perform incident response tasks to record 
their + actions and make the record immutable + + Ex2: Require the incident lead to document the incident in detail and be responsible + for preserving the integrity of the documentation and the sources of all information + being reported' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-07 + description: Incident data and metadata are collected, and their integrity and + provenance are preserved + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident + data and metadata (e.g., data source, date/time of collection) based on evidence + preservation and chain-of-custody procedures' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an + ref_id: RS.AN-08 + description: An incident's magnitude is estimated and validated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Review other potential targets of the incident to search for indicators + of compromise and evidence of persistence + + Ex2: Automatically run tools on targets to look for indicators of compromise + and evidence of persistence' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.CO + name: Incident Response Reporting and Communication + description: Response activities are coordinated with internal and external + stakeholders as required by laws, regulations, or policies + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-02 + description: Internal and external stakeholders are notified of incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Follow the organization''s breach notification procedures after discovering + a data breach incident, including notifying affected customers + + Ex2: Notify business partners and customers of incidents in accordance with + contractual requirements + + Ex3: Notify law enforcement agencies and regulatory bodies of incidents based + on criteria in the incident response plan and management approval' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co + ref_id: RS.CO-03 + description: Information is shared with designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Securely share information consistent with response plans and information + sharing agreements + + Ex2: Voluntarily share information about an attacker''s observed TTPs, with + all sensitive data removed, with an Information Sharing and Analysis Center + (ISAC) + + Ex3: Notify HR when malicious insider activity occurs + + Ex4: Regularly update senior leadership on the status of major incidents + + Ex5: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex6: Coordinate crisis communication methods between the organization and + its critical 
suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs + ref_id: RS.MI + name: Incident Mitigation + description: Activities are performed to prevent expansion of an event and mitigate + its effects + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-01 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity + features of other technologies (e.g., operating systems, network infrastructure + devices) automatically perform containment actions + + Ex2: Allow incident responders to manually select and perform containment + actions + + Ex3: Allow a third party (e.g., internet service provider, managed security + service provider) to perform containment actions on behalf of the organization + + Ex4: Automatically transfer compromised endpoints to a remediation virtual + local area network (VLAN)' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi + ref_id: RS.MI-02 + description: Incidents are eradicated + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + Ex1: Cybersecurity technologies and cybersecurity features of other technologies + (e.g., operating systems, network infrastructure devices) automatically perform + eradication actions + + Ex2: Allow incident responders to manually select and perform 
eradication + actions + + Ex3: Allow a third party (e.g., managed security service provider) to perform + eradication actions on behalf of the organization' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER + description: Assets and operations affected by a cybersecurity incident are + restored + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.RP + name: Incident Recovery Plan Execution + description: Restoration activities are performed to ensure operational availability + of systems and services affected by cybersecurity incidents + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-01 + description: The recovery portion of the incident response plan is executed + once initiated from the incident response process + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Begin recovery procedures during or after incident response processes + + Ex2: Make all individuals with recovery responsibilities aware of the plans + for recovery and the authorizations required to implement each aspect of the + plans' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-02 + description: Recovery actions are selected, scoped, prioritized, and performed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Select recovery actions based on the criteria defined in the incident + response 
plan and available resources + + Ex2: Change planned recovery actions based on a reassessment of organizational + needs and resources' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-03 + description: The integrity of backups and other restoration assets is verified + before using them for restoration + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restoration assets for indicators of compromise, file corruption, + and other integrity issues before use' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-04 + description: Critical mission functions and cybersecurity risk management are + considered to establish post-incident operational norms + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Use business impact and system categorization records (including service + delivery objectives) to validate that essential services are restored in the + appropriate order + + Ex2: Work with system owners to confirm the successful restoration of systems + and the return to normal operations + + Ex3: Monitor the performance of restored systems to verify the adequacy of + the restoration' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-05 + description: The integrity of restored assets is verified, systems and services + are restored, and normal operating status is confirmed + - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:node234 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Check restored assets for indicators of compromise and remediation of + root causes of the incident before production use + + Ex2: Verify the correctness and adequacy of the restoration actions taken + before putting a restored system online' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp + ref_id: RC.RP-06 + description: The end of incident recovery is declared based on criteria, and + incident-related documentation is completed + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Prepare an after-action report that documents the incident itself, the + response and recovery actions taken, and lessons learned + + Ex2: Declare the end of incident recovery once the criteria are met' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc + ref_id: RC.CO + name: Incident Recovery Communication + description: Restoration activities are coordinated with internal and external + parties + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-03 + description: Recovery activities and progress in restoring operational capabilities + are communicated to designated internal and external stakeholders + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 + name: Examples + description: '1st: 1st Party Risk + + 3rd: 3rd Party Risk + + 
Ex1: Securely share recovery information, including restoration progress, + consistent with response plans and information sharing agreements + + Ex2: Regularly update senior leadership on recovery status and restoration + progress for major incidents + + Ex3: Follow the rules and protocols defined in contracts for incident information + sharing between the organization and its suppliers + + Ex4: Coordinate crisis communication between the organization and its critical + suppliers' + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co + ref_id: RC.CO-04 + description: Public updates on incident recovery are shared using approved methods + and messaging + - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 + name: Examples + description: '1st: 1st Party Risk + + Ex1: Follow the organization''s breach notification procedures for recovering + from a data breach incident + + Ex2: Explain the steps being taken to recover from the incident and to prevent + a recurrence'
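Review bot: the `1st: 1st Party Risk` / `3rd: 3rd Party Risk` markers are placed inconsistently inside the `Examples` description strings in this hunk. For the DE.CM and DE.AE nodes and for RS.MA-01 the marker trails the examples (for instance `Ex5: Use technologies with a presence on endpoints to detect cyber health issues ...` followed by `1st: 1st Party Risk'`), while from RS.MA-02 onward it leads (`description: '1st: 1st Party Risk` then `Ex1: Preliminarily review incident reports ...`). Because the marker sits in free-text `description` rather than a dedicated field, anything that renders or filters these nodes cannot distinguish it from an example, and the shifting position makes even a string-based split unreliable. Suggest either normalising the position (the GV.OC-01 node earlier in the file puts it first) or, better, lifting party-risk applicability into its own attribute on the node and leaving `description` to the `Ex` lines only.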