Title: NIST Cybersecurity Framework (CSF) 2.0 Public Draft: Reference Tool
Read Me: The NIST Cybersecurity Framework (CSF) 2.0. This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the draft CSF 2.0 Core. This export is a user generated version of the C...
Change Log: Initial draft – not final
Public Draft: The NIST Cybersecurity Framework 2.0 (www.nist.gov/cyberframework)
Columns: Function / Category / Subcategory / Implementation Examples
Tags: 1st = 1st Party Risk, 3rd = 3rd Party Risk. Text cut off in the export is marked with "...".

GOVERN (GV): Establish and monitor the ...

  Organizational Context (GV.OC): The circumstances - ...
    GV.OC-01: The organizational mission is understood and informs ... [1st] Ex1: Share the organization's ...
    GV.OC-02: Internal and external stakeholders are determined, and ... [1st]
    GV.OC-03: Legal, regulatory, and contractual requirements regarding ... [1st; 3rd]
    GV.OC-04: Critical objectives, capabilities, and services that ... [1st; 3rd]
    GV.OC-05: Outcomes, capabilities, and services that the organization ... [3rd] Ex1: Create an inventory of the organization's dependencies on ...

  Risk Management Strategy (GV.RM): The organization's ...
    GV.RM-01: Risk management objectives are established and ... [1st] Ex1: Update near-term and ...
    GV.RM-02: Risk appetite and risk tolerance statements are ... [1st]
    GV.RM-03: Enterprise risk management processes include ... [1st; 3rd] Ex1: Aggregate and manage ...
    GV.RM-04: Strategic direction that describes appropriate risk response ... [1st] Ex1: Specify criteria for ...
    GV.RM-05: Lines of communication across the organization are ... [1st]
    GV.RM-06: A standardized method for calculating, documenting, ... [1st; 3rd] Ex1: Establish criteria for using ...
    GV.RM-07: Strategic opportunities (i.e., positive risks) are identified ... [1st] Ex1: Define and communicate ...

  Cybersecurity Supply Chain Risk Management (GV.SC): ...
    GV.SC-01: A cybersecurity supply chain risk management program, ... Ex1: Establish a strategy that expresses the objectives of the ...
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, ... Ex1: Identify one or more specific roles or positions that ...
    GV.SC-03: Cybersecurity supply chain risk management is integrated ... Ex1: Identify areas of alignment and overlap with cybersecurity ...
    GV.SC-04: Suppliers are known and prioritized by criticality Ex1: Develop criteria for supplier criticality based on, for ...
    GV.SC-05: Requirements to address cybersecurity risks in supply chains ... Ex1: Establish security requirements for suppliers, ...
    GV.SC-06: Planning and due diligence are performed to reduce ... Ex1: Perform thorough due diligence on prospective ...
    GV.SC-07: The risks posed by a supplier, their products and ... Ex1: Adjust assessment formats and frequencies based on the ...
    GV.SC-08: Relevant suppliers and other third parties are included in ... Ex1: Define and use rules and protocols for reporting incident ...
    GV.SC-09: Supply chain security practices are integrated into ... Ex1: Policies and procedures require provenance records for ...
    GV.SC-10: Cybersecurity supply chain risk management plans ... Ex1: Establish processes for terminating critical ...

CSF 2.0 Page 2 of 9

  Roles, Responsibilities, and Authorities (GV.RR): ...
    GV.RR-01: Organizational leadership is responsible and accountable for ... [1st] Ex1: Leaders (e.g., directors) ...
    GV.RR-02: Roles, responsibilities, and authorities related to ... [1st] Ex1: Document risk ...
    GV.RR-03: Adequate resources are allocated commensurate with ... [1st]
    GV.RR-04: Cybersecurity is included in human resources practices [1st; 3rd] Ex1: Integrate cybersecurity ...

  Policies, Processes, and Procedures (GV.PO): ...
    GV.PO-01: Policies, processes, and procedures for managing ... [1st] Ex1: Create, disseminate, and ...
    GV.PO-02: Policies, processes, and procedures for managing ... [1st] Ex1: Update policies based on ...

  Oversight (GV.OV): Results of organization-wide ...
    GV.OV-01: Cybersecurity risk management strategy outcomes are ... [1st] Ex1: Measure how well the risk ...
    GV.OV-02: The cybersecurity risk management strategy is reviewed ... [1st] Ex1: Review audit findings to ...
    GV.OV-03: Organizational cybersecurity risk management ... [1st] Ex1: Review key performance ...

IDENTIFY (ID): Help determine the current ...

  Asset Management (ID.AM): Assets (e.g., data, hardware ...
    ID.AM-01: Inventories of hardware managed by the organization are ... [1st] Ex1: Maintain inventories for ...
    ID.AM-02: Inventories of software, services, and systems managed by the ... [1st] Ex1: Maintain inventories for ...
    ID.AM-03: Representations of the organization's authorized network ... [1st]
    ID.AM-04: Inventories of services provided by suppliers are ... [3rd] Ex1: Inventory all external services used by the ...
    ID.AM-05: Assets are prioritized based on classification, criticality, ... [1st] Ex1: Define criteria for ...
    ID.AM-06: Dropped (moved to GV.RR-02, GV.SC-02)
    ID.AM-07: Inventories of data and corresponding metadata for ... [1st] Ex1: Maintain a list of the ...
    ID.AM-08: Systems, hardware, software, and services are managed ... [1st; 3rd]

  Business Environment (ID.BE): Dropped (moved to GV.OC)
    ID.BE-01: Dropped (moved to GV.OC-05)
    ID.BE-02: Dropped (moved to GV.OC-01)
    ID.BE-03: Dropped (moved to GV.OC-01)
    ID.BE-04: Dropped (moved to GV.OC-04, GV.OC-05)
    ID.BE-05: Dropped (moved to GV.OC-04)

  Governance (ID.GV): Dropped (moved to GV)
    ID.GV-01: Dropped (moved to GV.PO)
    ID.GV-02: Dropped (moved to GV.RR-02)
    ID.GV-03: Dropped (moved to GV.OC-03)
    ID.GV-04: Dropped (moved to GV.RM-03)

  Risk Assessment (ID.RA): The organization understands the ...
    ID.RA-01: Vulnerabilities in assets are identified, validated, and ... [1st] Ex1: Use vulnerability ...
    ID.RA-02: Cyber threat intelligence is received from information sharing ... [1st] Ex1: Configure cybersecurity ...
    ID.RA-03: Internal and external threats to the organization are ... [1st]
    ID.RA-04: Potential impacts and likelihoods of threats exploiting ... [1st; 3rd] Ex1: Business leaders and ...
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to ... [1st] Ex1: Develop threat models to ...
    ID.RA-06: Risk responses are chosen from the available options, ... [1st] Ex1: Apply the vulnerability ...
    ID.RA-07: Changes and exceptions are managed, assessed for risk ... Ex1: Implement and follow procedures for the formal ...
    ID.RA-08: Processes for receiving, analyzing, and responding to ... [1st]
    ID.RA-09: The authenticity and integrity of hardware and software ... [3rd] Ex1: Assess the authenticity and cybersecurity of critical ...

  Risk Management Strategy (ID.RM): Dropped (moved to ...
    ID.RM-01: Dropped (moved to GV.RM-01)
    ID.RM-02: Dropped (moved to GV.RM-02)
    ID.RM-03: Dropped (moved to GV.RM-02)

  Supply Chain Risk Management (ID.SC): Dropped ...
    ID.SC-01: Dropped (moved to GV.SC-01)
    ID.SC-02: Dropped (moved to GV.SC-03, GV.SC-07)
    ID.SC-03: Dropped (moved to GV.SC-05)
    ID.SC-04: Dropped (moved to GV.SC-07)
    ID.SC-05: Dropped (moved to GV.SC-08, ID.IM-02)

  Improvement (ID.IM): Improvements to ...
    ID.IM-01: Continuous evaluation is applied to identify improvements [1st] Ex1: Perform self-assessments ...
    ID.IM-02: Security tests and exercises, including those done in ... [1st]
    ID.IM-03: Lessons learned during execution of operational processes, ... [1st; 3rd] Ex1: Conduct collaborative ...
    ID.IM-04: Cybersecurity plans that affect operations are ... [1st] Ex1: Establish contingency ...

PROTECT (PR): Use safeguards to prevent or ...

  Identity Management, Authentication, and Access ... (PR.AA): ...
    PR.AA-01: Identities and credentials for authorized users, services, and ... [1st] Ex1: Initiate requests for new ...
    PR.AA-02: Identities are proofed and bound to credentials based on ... [1st]
    PR.AA-03: Users, services, and hardware are authenticated [1st; 3rd] Ex1: Require multifactor ...
    PR.AA-04: Identity assertions are protected, conveyed, and verified [1st] Ex1: Protect identity assertions ...
    PR.AA-05: Access permissions, entitlements, and authorizations are ... [1st] Ex1: Review logical and ...
    PR.AA-06: Physical access to assets is managed, monitored, and ... [1st; 3rd]

  Identity Management, Authentication and Access ... (PR.AC): Dropped
    PR.AC-01: Dropped (moved to PR.AA-01, PR.AA-05)
    PR.AC-02: Dropped (moved to PR.AA-06)
    PR.AC-03: Dropped (moved to PR.AA-03, PR.AA-05, PR.IR-01)
    PR.AC-04: Dropped (moved to PR.AA-05)
    PR.AC-05: Dropped (moved to PR.IR-01)
    PR.AC-06: Dropped (moved to PR.AA-02)
    PR.AC-07: Dropped (moved to PR.AA-03)

  Awareness and Training (PR.AT): The organization's ...
    PR.AT-01: Users are provided awareness and training so they ... [1st] Ex1: Provide basic ...
    PR.AT-02: Individuals in specialized roles are provided awareness and ... [1st; 3rd]
    PR.AT-03: Dropped (moved to PR.AT-01, PR.AT-02)
    PR.AT-04: Dropped (moved to PR.AT-02)
    PR.AT-05: Dropped (moved to PR.AT-02)

  Data Security (PR.DS): Data is managed consistent with the ...
    PR.DS-01: The confidentiality, integrity, and availability of data-at-... [1st] Ex1: Use encryption, digital ...
    PR.DS-02: The confidentiality, integrity, and availability of data-in-... [1st] Ex1: Use encryption, digital ...
    PR.DS-03: Dropped (moved to ID.AM-08)
    PR.DS-04: Dropped (moved to PR.IR-04)
    PR.DS-05: Dropped (moved to PR.DS-01, PR.DS-02, PR.DS-10)
    PR.DS-06: Dropped (moved to PR.DS-01, DE.CM-09)
    PR.DS-07: Dropped (moved to PR.IR-01)
    PR.DS-08: Dropped (moved to ID.RA-09, DE.CM-09)
    PR.DS-09: Data is managed throughout its life cycle, including ... [1st]
    PR.DS-10: The confidentiality, integrity, and availability of data-in-... [1st; 3rd] Ex1: Remove data that must ...
    PR.DS-11: Backups of data are created, protected, maintained, and ... [1st] Ex1: Continuously back up ...

  Information Protection Processes and Procedures (PR.IP): ...
    PR.IP-01: Dropped (moved to PR.PS-01)
    PR.IP-02: Dropped (moved to ID.AM-08)
    PR.IP-03: Dropped (moved to PR.PS-01, ID.RA-07)
    PR.IP-04: Dropped (moved to PR.DS-11)
    PR.IP-05: Dropped (moved to PR.IR-02)
    PR.IP-06: Dropped (moved to PR.DS-09)
    PR.IP-07: Dropped (moved to ID.IM-03)
    PR.IP-08: Dropped (moved to ID.IM-03)
    PR.IP-09: Dropped (moved to ID.IM-04)
    PR.IP-10: Dropped (moved to ID.IM-02)
    PR.IP-11: Dropped (moved to GV.RR-04)
    PR.IP-12: Dropped (moved to ID.RA-01, PR.PS-02)

  Maintenance (PR.MA): Dropped (moved to ID.AM-08)
    PR.MA-01: Dropped (moved to ID.AM-08, PR.PS-03)
    PR.MA-02: Dropped (moved to ID.AM-08, PR.PS-02)

  Protective Technology (PR.PT): Dropped (moved to other ...
    PR.PT-01: Dropped (moved to PR.PS-04)
    PR.PT-02: Dropped (moved to PR.DS-01, PR.PS-01)
    PR.PT-03: Dropped (moved to PR.PS-01)
    PR.PT-04: Dropped (moved to PR.AA-07, PR.IR-01)
    PR.PT-05: Dropped (moved to PR.IR-04)

  Platform Security (PR.PS): The hardware, software (e.g., ...
    PR.PS-01: Configuration management practices are applied [1st] Ex1: Establish, test, deploy, and ...
    PR.PS-02: Software is maintained, replaced, and removed ... [1st] Ex1: Perform routine and ...
    PR.PS-03: Hardware is maintained, replaced, and removed ... [1st]
    PR.PS-04: Log records are generated and made available for continuous ... [1st; 3rd] Ex1: Configure all operating ...
    PR.PS-05: Installation and execution of unauthorized software are ... [1st] Ex1: When risk warrants it, ...
    PR.PS-06: Secure software development practices are ... [1st] Ex1: Protect all components of ...

  Technology Infrastructure Resilience (PR.IR): Security ...
    PR.IR-01: Networks and environments are protected from ... [1st]
    PR.IR-02: The organization's technology assets are protected ... [1st; 3rd]
    PR.IR-03: Mechanisms are implemented to achieve resilience ... [1st; 3rd] Ex1: Avoid single points of ...
    PR.IR-04: Adequate resource capacity to ensure availability is ... Ex1: Monitor usage of storage, power, compute, network ...

DETECT (DE): Find and analyze possible ...

  Continuous Monitoring (DE.CM): Assets are monitored ...
    DE.CM-01: Networks and network services are monitored to find ... Ex1: Monitor DNS, BGP, and other network services for ...
    DE.CM-02: The physical environment is monitored to find ... Ex1: Monitor logs from physical access control systems (e.g., ...
    DE.CM-03: Personnel activity and technology usage are monitored ... Ex1: Use behavior analytics software to detect anomalous ...
    DE.CM-04: Dropped (moved to DE.CM-01, DE.CM-09)
    DE.CM-05: Dropped (moved to DE.CM-01, DE.CM-09)
    DE.CM-06: External service provider activities and services are monitored ... Ex1: Monitor remote administration and ...
    DE.CM-07: Dropped (moved to DE.CM-01, DE.CM-03, DE.CM-06, ...)
    DE.CM-08: Dropped (moved to ID.RA-01)
    DE.CM-09: Computing hardware and software, runtime ... Ex1: Monitor email, web, file sharing, collaboration services, ...

  Adverse Event Analysis (DE.AE): Anomalies, indicators ...
    DE.AE-01: Dropped (moved to ID.AM-03)
    DE.AE-02: Potentially adverse events are analyzed to better ... Ex1: Use security information and event management (SIEM) ...
    DE.AE-03: Information is correlated from multiple sources Ex1: Constantly transfer log data generated by other ...
    DE.AE-04: The estimated impact and scope of adverse events are ... Ex1: Use SIEMs or other tools to estimate impact and scope, ...
    DE.AE-05: Dropped (moved to DE.AE-08)
    DE.AE-06: Information on adverse events is provided to authorized ... Ex1: Use cybersecurity software to generate alerts and ...
    DE.AE-07: Cyber threat intelligence and other contextual information ... Ex1: Securely provide cyber threat intelligence feeds to ...
    DE.AE-08: Incidents are declared when adverse events meet the ... Ex1: Apply incident criteria to known and assumed ...

  Detection Processes (DE.DP): Dropped (moved to other ...
    DE.DP-01: Dropped (moved to GV.RR-02)
    DE.DP-02: Dropped (moved to DE.AE)
    DE.DP-03: Dropped (moved to ID.IM-02)
    DE.DP-04: Dropped (moved to DE.AE-06)
    DE.DP-05: Dropped (moved to ID.IM-03)

RESPOND (RS): Take action regarding a ...

  Response Planning (RS.RP): Dropped (moved to RS.MA)
    RS.RP-01: Dropped (moved to RS.MA-01)

  Incident Management (RS.MA): Responses to ...
    RS.MA-01: The incident response plan is executed once an incident is confirmed Ex1: Detection technologies automatically report ...
    RS.MA-02: Incident reports are triaged and validated (formerly ... [1st] Ex1: Preliminarily review ...
    RS.MA-03: Incidents are categorized and prioritized (formerly RS.AN-04, ... [1st] Ex1: Further review and ...
    RS.MA-04: Incidents are escalated or elevated as needed (formerly ... [1st] Ex1: Track and validate the ...
    RS.MA-05: The criteria for initiating incident recovery are applied ... [1st] Ex1: Apply incident recovery ...

  Incident Analysis (RS.AN): Investigation is conducted to ...
    RS.AN-01: Dropped (moved to RS.MA-02)
    RS.AN-02: Dropped (moved to RS.MA-02, RS.MA-03, RS.MA-04)
    RS.AN-03: Analysis is performed to determine what has taken place ... [1st] Ex1: Determine the sequence ...
    RS.AN-04: Dropped (moved to RS.MA-03)
    RS.AN-05: Dropped (moved to ID.RA-08)
    RS.AN-06: Actions performed during an investigation are recorded and ... [1st] Ex1: Require each incident ...
    RS.AN-07: Incident data and metadata are collected, and their ... [1st] Ex1: Collect, preserve, and ...
    RS.AN-08: The incident's magnitude is estimated and validated [1st] Ex1: Review other potential ...

  Incident Response Reporting and Communication (RS.CO): ...
    RS.CO-01: Dropped (moved to PR.AT-01)
    RS.CO-02: Internal and external stakeholders are notified of ... [1st; 3rd]
    RS.CO-03: Information is shared with designated internal and ... [1st; 3rd]
    RS.CO-04: Dropped (moved to RS.MA-01, RS.MA-04)
    RS.CO-05: Dropped (moved to RS.CO-03)

  Incident Mitigation (RS.MI): Activities are performed to ...
    RS.MI-01: Incidents are contained [1st; 3rd]
    RS.MI-02: Incidents are eradicated [1st; 3rd]
    RS.MI-03: Dropped (moved to ID.RA-06)

  Improvements (RS.IM): Dropped (moved to ID.IM)
    RS.IM-01: Dropped (moved to ID.IM-03)
    RS.IM-02: Dropped (moved to ID.IM-03)

RECOVER (RC): Restore assets and operations that ...

  Incident Recovery Plan Execution (RC.RP): Restoration ...
    RC.RP-01: The recovery portion of the incident response plan is ... [1st] Ex1: Begin recovery procedures ...
    RC.RP-02: Recovery actions are determined, scoped, prioritized, and ... [1st] Ex1: Select recovery actions ...
    RC.RP-03: The integrity of backups and other restoration assets is ... [1st] Ex1: Check restoration assets ...
    RC.RP-04: Critical mission functions and cybersecurity risk management ... [1st] Ex1: Use business impact and ...
    RC.RP-05: The integrity of restored assets is verified, systems and ... [1st] Ex1: Check restored assets for ...
    RC.RP-06: The criteria for determining the end of incident ... [1st] Ex1: Prepare an after-action ...

  Incident Recovery Communication (RC.CO): ...
    RC.CO-01: Dropped (moved to RC.CO-04)
    RC.CO-02: Dropped (moved to RC.CO-04)
    RC.CO-03: Recovery activities and progress in restoring operational ... [1st]
    RC.CO-04: Public updates on incident recovery are properly ... [1st; 3rd] Ex1: Follow the organization's ...

  Improvements (RC.IM): Dropped (moved to ID.IM)
    RC.IM-01: Dropped (moved to ID.IM-03)
    RC.IM-02: Dropped (moved to ID.IM-03)