NIST CSF v2.0
Cybersecurity Framework 2.0: NIST's voluntary framework for managing cybersecurity risk, written for organizations of any size and sector (the 1.x title's restriction to critical infrastructure was dropped in CSF 2.0)
This is a reference tool, not an authoritative source. For official documentation, visit www.nist.gov (the CSF page is https://www.nist.gov/cyberframework).
All Functions (106 outcomes). Subcategory IDs read Function.Category-Number (for example GV.SC-04). Gaps in the numbering, such as the missing ID.AM-06 or DE.CM-04, are not omissions on this page: CSF 2.0 retired or relocated those 1.1 subcategories and kept the remaining numbers stable to ease mapping.
DE — Detect (11 outcomes)
DE.CM-01 Networks and network services are monitored to find potentially adverse events
DE.CM-02 The physical environment is monitored to find potentially adverse events
DE.CM-03 Personnel activity and technology usage are monitored to find potentially adverse events
DE.CM-06 External service provider activities and services are monitored to find potentially adverse events
DE.CM-09 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
DE.AE-02 Potentially adverse events are analyzed to better understand associated activities
DE.AE-03 Information is correlated from multiple sources
DE.AE-04 The estimated impact and scope of adverse events are understood
DE.AE-06 Information on adverse events is provided to authorized staff and tools
DE.AE-07 Cyber threat intelligence and other contextual information are integrated into the analysis
DE.AE-08 Incidents are declared when adverse events meet the defined incident criteria
GV — Govern (31 outcomes)
GV.OC-01 The organizational mission is understood and informs cybersecurity risk management
GV.OC-02 Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
GV.OC-03 Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
GV.OC-04 Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
GV.OC-05 Outcomes, capabilities, and services that the organization depends on are understood and communicated
GV.RM-01 Risk management objectives are established and agreed to by organizational stakeholders
GV.RM-02 Risk appetite and risk tolerance statements are established, communicated, and maintained
GV.RM-03 Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.RM-04 Strategic direction that describes appropriate risk response options is established and communicated
GV.RM-05 Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
GV.RM-06 A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
GV.RM-07 Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
GV.RR-01 Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
GV.RR-02 Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
GV.RR-03 Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
GV.RR-04 Cybersecurity is included in human resources practices
GV.PO-01 Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
GV.PO-02 Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
GV.OV-01 Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
GV.OV-02 The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
GV.OV-03 Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
GV.SC-01 A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
GV.SC-02 Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
GV.SC-03 Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
GV.SC-04 Suppliers are known and prioritized by criticality
GV.SC-05 Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
GV.SC-06 Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
GV.SC-07 The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
GV.SC-08 Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
GV.SC-09 Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
GV.SC-10 Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
ID — Identify (21 outcomes)
ID.AM-01 Inventories of hardware managed by the organization are maintained
ID.AM-02 Inventories of software, services, and systems managed by the organization are maintained
ID.AM-03 Representations of the organization’s authorized network communication and internal and external network data flows are maintained
ID.AM-04 Inventories of services provided by suppliers are maintained
ID.AM-05 Assets are prioritized based on classification, criticality, resources, and impact on the mission
ID.AM-07 Inventories of data and corresponding metadata for designated data types are maintained
ID.AM-08 Systems, hardware, software, services, and data are managed throughout their life cycles
ID.RA-01 Vulnerabilities in assets are identified, validated, and recorded
ID.RA-02 Cyber threat intelligence is received from information sharing forums and sources
ID.RA-03 Internal and external threats to the organization are identified and recorded
ID.RA-04 Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
ID.RA-05 Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
ID.RA-06 Risk responses are chosen, prioritized, planned, tracked, and communicated
ID.RA-07 Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
ID.RA-08 Processes for receiving, analyzing, and responding to vulnerability disclosures are established
ID.RA-09 The authenticity and integrity of hardware and software are assessed prior to acquisition and use
ID.RA-10 Critical suppliers are assessed prior to acquisition
ID.IM-01 Improvements are identified from evaluations
ID.IM-02 Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
ID.IM-03 Improvements are identified from execution of operational processes, procedures, and activities
ID.IM-04 Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
PR — Protect (22 outcomes)
PR.AA-01 Identities and credentials for authorized users, services, and hardware are managed by the organization
PR.AA-02 Identities are proofed and bound to credentials based on the context of interactions
PR.AA-03 Users, services, and hardware are authenticated
PR.AA-04 Identity assertions are protected, conveyed, and verified
PR.AA-05 Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
PR.AA-06 Physical access to assets is managed, monitored, and enforced commensurate with risk
PR.AT-01 Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
PR.AT-02 Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
PR.DS-01 The confidentiality, integrity, and availability of data-at-rest are protected
PR.DS-02 The confidentiality, integrity, and availability of data-in-transit are protected
PR.DS-10 The confidentiality, integrity, and availability of data-in-use are protected
PR.DS-11 Backups of data are created, protected, maintained, and tested
PR.PS-01 Configuration management practices are established and applied
PR.PS-02 Software is maintained, replaced, and removed commensurate with risk
PR.PS-03 Hardware is maintained, replaced, and removed commensurate with risk
PR.PS-04 Log records are generated and made available for continuous monitoring
PR.PS-05 Installation and execution of unauthorized software are prevented
PR.PS-06 Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
PR.IR-01 Networks and environments are protected from unauthorized logical access and usage
PR.IR-02 The organization’s technology assets are protected from environmental threats
PR.IR-03 Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
PR.IR-04 Adequate resource capacity to ensure availability is maintained
RC — Recover (8 outcomes)
RC.RP-01 The recovery portion of the incident response plan is executed once initiated from the incident response process
RC.RP-02 Recovery actions are selected, scoped, prioritized, and performed
RC.RP-03 The integrity of backups and other restoration assets is verified before using them for restoration
RC.RP-04 Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
RC.RP-05 The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
RC.RP-06 The end of incident recovery is declared based on criteria, and incident-related documentation is completed
RC.CO-03 Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
RC.CO-04 Public updates on incident recovery are shared using approved methods and messaging
RS — Respond (13 outcomes)
RS.MA-01 The incident response plan is executed in coordination with relevant third parties once an incident is declared
RS.MA-02 Incident reports are triaged and validated
RS.MA-03 Incidents are categorized and prioritized
RS.MA-04 Incidents are escalated or elevated as needed
RS.MA-05 The criteria for initiating incident recovery are applied
RS.AN-03 Analysis is performed to establish what has taken place during an incident and the root cause of the incident
RS.AN-06 Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
RS.AN-07 Incident data and metadata are collected, and their integrity and provenance are preserved
RS.AN-08 An incident’s magnitude is estimated and validated
RS.CO-02 Internal and external stakeholders are notified of incidents
RS.CO-03 Information is shared with designated internal and external stakeholders
RS.MI-01 Incidents are contained
RS.MI-02 Incidents are eradicated
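Teams that map their controls to CSF outcomes usually want this listing in machine-readable form rather than as flat text. The following parser is an added example, not part of this reference tool or of NIST's own material: it splits each "Function header / subcategory" line into a Function, Category, ID and outcome sentence, tolerates the fused form that appears in some extractions of this page ("DE.CM-01Networks ..."), rejects a subcategory filed under the wrong Function, and checks each header's "(N outcomes)" count against the entries actually listed under it. The sample text is a short subset copied from the listing above, assembled here for the demonstration.

```python
import re
from collections import OrderedDict

# Added example for parsing the CSF 2.0 outcome listing on this page into
# {Function: {name, declared count, [(subcategory ID, outcome text), ...]}}.

# Header: two-letter Function code, a dash (the page uses an em dash), name, declared count.
HEADER_RE = re.compile(r"^([A-Z]{2})\s+[—-]\s+([A-Za-z]+)\s+\((\d+) outcomes\)$")
# Subcategory: Function.Category-NN followed by the outcome, with or without a space
# (extracted copies of the page fuse the ID and the first word).
OUTCOME_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d{2})\s*(\S.*)$")

# Sample input: a subset of the listing above, assembled here for the demonstration.
SAMPLE = """\
DE — Detect (3 outcomes)
DE.CM-01Networks and network services are monitored to find potentially adverse events
DE.AE-02 Potentially adverse events are analyzed to better understand associated activities
DE.AE-08Incidents are declared when adverse events meet the defined incident criteria
PR — Protect (2 outcomes)
PR.AA-05Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
PR.PS-04Log records are generated and made available for continuous monitoring
"""


def parse_csf(text):
    """Parse the listing; raise ValueError on a malformed or misfiled line."""
    functions = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            functions[current] = {"name": header.group(2),
                                  "declared": int(header.group(3)),
                                  "outcomes": []}
            continue
        match = OUTCOME_RE.match(line)
        if match is None or current is None:
            raise ValueError(f"line {lineno}: not a CSF header or outcome: {line!r}")
        func, cat, num, outcome = match.groups()
        ident = f"{func}.{cat}-{num}"
        if func != current:
            # A subcategory's Function prefix must match the header it sits under.
            raise ValueError(f"line {lineno}: {ident} listed under {current}")
        functions[current]["outcomes"].append((ident, outcome))
    return functions


def count_mismatches(functions):
    """Return {Function: (declared, actual)} for headers whose count is wrong."""
    return {f: (d["declared"], len(d["outcomes"]))
            for f, d in functions.items() if d["declared"] != len(d["outcomes"])}


def lint(text):
    """Parse and return a list of problem strings; empty when the listing is consistent."""
    try:
        functions = parse_csf(text)
    except ValueError as err:
        return [str(err)]
    return [f"{f}: header declares {declared} outcomes but {actual} are listed"
            for f, (declared, actual) in count_mismatches(functions).items()]


if __name__ == "__main__":
    for func, data in parse_csf(SAMPLE).items():
        print(f"{func} ({data['name']}): {len(data['outcomes'])} of {data['declared']} outcomes")
        for ident, outcome in data["outcomes"]:
            print(f"  {ident}  {outcome}")
    print("problems:", lint(SAMPLE) or "none")
```

Run the whole listing through `lint()` to confirm that every "(N outcomes)" header matches the entries beneath it (they do for the six Functions above, 106 in total); any mismatch or misfiled ID after a copy-and-paste edit shows up as a one-line problem rather than a silently wrong control mapping.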