From: Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

Sent: Sunday, June 1, 2025 6:01 PM

To: privacyframework@nist.gov

Cc: Meghan Anderson; Nakia Grayson; Julie Chua; Katerina Megas; Mary Rasmussen; Kaeli Rasmussen; Hunter Rasmussen

Subject: Feedback: NIST Privacy Framework 1.1 Initial Public Draft

 

NIST Privacy Framework Team,

Thanks for the opportunity to provide commentary on v1.1. Here is my response to your request for feedback:

I. Tactical: NIST Privacy Framework (PFW) v1.1

1. Solidify the partnership between privacy and cybersecurity

Recommendation: Provide mapping to the NIST Cybersecurity Framework v2.0 when PFW v1.1 is published. Feel free to leverage the mapping table at the bottom of this e-mail.

Privacy and information security teams need to determine which PFW controls apply to their respective programs. That prevents duplication of effort and enables accountability.

• A subset of PFW requirements have been copied-and-pasted from NIST CSF. There is opportunity for the information security program to continue managing them, with the privacy team consulted or informed (reference to the RACI model: responsible, accountable, consulted, and informed).

• Some PFW requirements have scope within both privacy and information security programs. There are shared responsibilities to discuss.

• Remaining PFW requirements are pure-play privacy controls. They do not map to NIST CSF. The privacy team has point on them.

RACI designations enable a sub-set of PFW controls to be managed within the information security program, while the privacy team retains line-of-sight.

2. Add a visualization to PFW v1.1

There are 59 PFW requirements that map to the CSF. Given there are 104 PFW requirements, that leaves 45 pure-play privacy controls within NIST PFW v1.1.

3. Delete entries from PFW v1.1

• Delete 15 new/draft PFW entries that have been copied-and-pasted from the NIST Cybersecurity Framework v2.0.

- PR.AA-P1: Identities and credentials for authorized individuals, services, and hardware are managed by the organization. [NIST CSF v2.0: PR.AA-01]

- PR.AA-P2: Identities are proofed and bound to credentials based on the context of interactions. [NIST CSF v2.0: PR.AA-02]

- PR.AA-P3: Individuals, services, and hardware are authenticated commensurate with risk. [NIST CSF v2.0: PR.AA-03]

- PR.AA-P4: Identity assertions are protected, conveyed, and verified. [NIST CSF v2.0: PR.AA-04]

- PR.AA-P5: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties. [NIST CSF v2.0: PR.AA-05]

- PR.AA-P6: Physical access to data and devices is managed, monitored, and enforced commensurate with risk. [NIST CSF v2.0: PR.AA-06]

- PR.DS-P10: Backups of data are created, protected, maintained, and tested. [NIST CSF v2.0: PR.DS-11]

- PR.PS-P1: Configuration management practices are established and applied. [NIST CSF v2.0: PR.PS-01]

- PR.PS-P2: Software is maintained, replaced, and removed commensurate with risk. [NIST CSF v2.0: PR.PS-02]

- PR.PS-P3: Hardware is maintained, replaced, and removed commensurate with risk. [NIST CSF v2.0: PR.PS-03]

- PR.PS-P4: Installation and execution of unauthorized software are prevented. [NIST CSF v2.0: PR.PS-05]

- PR.IR-P1: Networks and environments are protected from unauthorized logical access and usage. [NIST CSF v2.0: PR.IR-01]

- PR.IR-P2: The organization's technology assets, including associated data, are protected from environmental threats. [NIST CSF v2.0: PR.IR-02]

- PR.IR-P3: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations. [NIST CSF v2.0: PR.IR-03]

- PR.IR-P4: Adequate resource capacity to ensure availability is maintained. [NIST CSF v2.0: PR.IR-04]

(Privacy practitioners need fewer NIST CSF entries within the PFW, not more.)

• PR.DS-P9: The confidentiality, integrity, and availability of data-in-use are protected.

(This newly added entry is more of a strategic goal or aspirational statement than it is a control objective.)

4. Add guidance from reputable sources.

a. Create control requirements from H.R.8818 - American Privacy Rights Act of 2024:

- Covered entities and service providers operating on their behalf shall not collect, process, retain, or transfer data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or provide a communication reasonably anticipated in the context of the relationship, or a permitted purpose.

- Covered entities and service providers must have publicly available privacy policies detailing their data privacy and security practices.

- The privacy policies must identify the entity; disclose the categories of data collected, processed, or retained; the purposes for the data processing; the categories of service providers and third parties to which data is transferred; the name of any data brokers to which data is transferred; the length of time data is retained; data security practices; and the effective date of the privacy policy.

- Privacy policies must prominently describe how consumers can exercise their individual controls and opt-out rights.

- Covered entities must comply with individual control rights within specified timeframes, and large data holders must report metrics related to the requests they process.

- Covered entities may deny an individual's request if the request would be demonstrably impossible; would require deleting data necessary to perform a contract; would require the release of trade secrets; or would prevent the maintenance of a confidential record of opt-out rights.

- A consumer has the right to opt out of the use of their personal information for targeted advertising.

b. Create a control requirement from Adopting AI Responsibly: Guidelines for Procurement - World Economic Forum:

- The AI explainability statement is a public document released by an AI organization that outlines how its AI algorithms work, its intended use, technology infrastructure, model accuracy, bias detection and mitigation, system maintenance, risk management, ethical principles, and data sources.

The above narrative provides inspiration for Third Party Risk Management programs and vendor contract addendums.

II. Strategic: PFW v1.2 and beyond

1. Provide PFW implementation examples.

NIST CSF v2.0 has 363 implementation examples. By the mapping below, that covers 59 PFW requirements, leaving only 45 'pure play' privacy controls that need implementation examples.

2. Reference supporting documents.

Two or three words in the PFW can cause significant challenges for privacy officers. Consider providing links to reputable guidance for privacy controls such as:

• Privacy notice

• Privacy impact assessment

• Data actions inventory

There is also opportunity to create Information Supplements, similar to those published by the PCI Security Standards Council.

3. Merge the privacy and cybersecurity frameworks.

There is opportunity for the PFW and the CSF to merge into one framework for ease of use. Some entries could be combined such as:

• NIST PFW v1.1: GV.PO-P7: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening).

• NIST CSF v2.0: GV.RR-04: Cybersecurity is included in human resources practices - Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)

There are 59 PFW requirements that map to the CSF. Merging the two frameworks would reduce compliance burden.

NIST PFW Team: Thanks so much for your efforts to protect consumer privacy! Many organizations have adopted the PFW. Your edits will provide clarity in a time where 19 fragmented state privacy laws make life difficult for businesses.

Feel free to reach out to me with questions or comments.

Gideon

Gideon T. Rasmussen | CISSP, CRISC, CISA, CISM, CIPP | Consultant
Virtual CSO, LLC | www.virtualcso.com | www.gideonras.com

The opinions expressed here are my own and not necessarily those of my current or past clients/employers.

Mapping table: each NIST PFW v1.1 IPD control and its description, followed by the NIST CSF v2.0 control(s) it maps to, each with its control description and implementation examples.

ID.IM-P1: Systems/products/services that process data are inventoried.
  - ID.AM-01: Inventories of hardware managed by the organization are maintained
    Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
    Ex2: Constantly monitor networks to detect new hardware and automatically update inventories
  - ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
    Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
    Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
    Ex3: Maintain an inventory of the organization's systems

ID.IM-P2: Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried.
  - ID.AM-04: Inventories of services provided by suppliers are maintained
    Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
    Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service

ID.IM-P3: Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried.
  - No NIST CSF v2.0 mapping

ID.IM-P4: Data actions of the systems/products/services are inventoried.
  - No NIST CSF v2.0 mapping

ID.IM-P5: The purposes for the data actions are inventoried.
  - No NIST CSF v2.0 mapping

ID.IM-P6: Data elements within the data actions are inventoried.
  - No NIST CSF v2.0 mapping

ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties).
  - ID.AM-01: Inventories of hardware managed by the organization are maintained
    Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
    Ex2: Constantly monitor networks to detect new hardware and automatically update inventories
  - ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
    Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
    Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
    Ex3: Maintain an inventory of the organization's systems
  - ID.AM-04: Inventories of services provided by suppliers are maintained
    Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
    Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service

ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services.
  - No NIST CSF v2.0 mapping

ID.BE-P1: The organization's role(s) in the data processing ecosystem are identified, communicated, and understood.
  - No NIST CSF v2.0 mapping

ID.BE-P2: The organizational mission is identified, communicated, and understood and informs privacy risk management.
  - GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
    Ex1: Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission

ID.BE-P3: Systems/products/services that support organizational priorities are identified and key requirements communicated and understood.
  - No NIST CSF v2.0 mapping

ID.BE-P4: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified and prioritized.
  - GV.SC-04: Suppliers are known and prioritized by criticality
    Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission
    Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria

ID.BE-P5: Objectives, capabilities, and services that stakeholders depend on or expect from the organization are identified, communicated, and understood.
  - GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
    Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
    Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
    Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)

ID.BE-P6: Outcomes, capabilities, and services that the organization depends on are identified, communicated, and understood.
  - GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
    Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
    Ex2: Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel

ID.RA-P1: Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals' demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to individuals and third parties).
  - No NIST CSF v2.0 mapping

ID.RA-P2: This Subcategory related to artificial intelligence systems is WITHDRAWN to keep PF 1.1 Core outcomes technology-neutral.
  - No NIST CSF v2.0 mapping

ID.RA-P3: Potential problematic data actions and associated problems are identified.
  - No NIST CSF v2.0 mapping

ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk.
  - ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
    Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers
    Ex2: Enumerate the potential business impacts of unauthorized access to the organization's communications, systems, and data processed in or by those systems
    Ex3: Account for the potential impacts of cascading failures for systems of systems
  - ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
    Ex1: Develop threat models to better understand risks to the data and identify appropriate risk responses
    Ex2: Prioritize cybersecurity resource allocations and investments based on estimated likelihoods and impacts

ID.RA-P5: Risk responses are identified, prioritized, and implemented.
  - ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk
    Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk
    Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)
    Ex4: Use risk assessment findings to inform risk response decisions and actions
    Ex5: Communicate planned risk responses to affected stakeholders in priority order

ID.RA-P6: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are assessed using a privacy risk assessment process.
  - GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
    Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
    Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
    Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
    Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use
  - GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
    Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
    Ex2: Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
    Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
    Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
    Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity
  - ID.RA-10: Critical suppliers are assessed prior to acquisition
    Ex1: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including the supply chain

GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals' prerogatives with respect to data processing) are established, communicated, and enforced.
  - No NIST CSF v2.0 mapping

GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place.
  - No NIST CSF v2.0 mapping

GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed.
  - GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity including privacy and civil liberties obligations are understood and managed
    Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
    Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
    Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements

GV.PO-P6: Governance and enterprise risk management policies, processes, and procedures address privacy risks.
  - GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
    Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
    Ex2: Include cybersecurity risk managers in enterprise risk management planning
    Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management

GV.PO-P7: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening).
  - GV.RR-04: Cybersecurity is included in human resources practices
    Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
    Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
    Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
    Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles

GV.RM-P1: Risk management objectives and processes are established, managed, and agreed to by organizational stakeholders.
  - GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
    Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
    Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
    Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance

GV.RM-P2: The organization's risk appetite and risk tolerance are determined and communicated and are informed by the organization's role(s) in the data processing ecosystem.
  - GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
    Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
    Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
    Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

GV.RM-P4: Strategic direction that describes appropriate risk response options is established and communicated.
  - GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
    Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
    Ex2: Determine whether to purchase cybersecurity insurance
    Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)

GV.RM-P5: Lines of communication across the organization are established for privacy risks, including risks from data processing ecosystem parties.
  - GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
    Ex1: Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals
    Ex2: Identify how all departments across the organization such as management, operations, internal auditors, legal, acquisition, physical security, and HR will communicate with each other about cybersecurity risks

GV.RM-P6: A standardized method for calculating, documenting, categorizing, and prioritizing privacy risks is established and communicated.
  - GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
    Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
    Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
    Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
    Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks

GV.RM-P7: Strategic opportunities (i.e., positive risks) are characterized and included in organizational privacy risk discussions.
  - GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
    Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
    Ex2: Identify stretch goals and document them
    Ex3: Calculate, document, and prioritize positive risks alongside negative risks

GV.OV-P1: Privacy risk management strategy outcomes are reviewed to inform and adjust strategy and direction.
  - GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
    Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives
    Ex2: Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted

GV.OV-P2: The privacy risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
  - GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
    Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements
    Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary
    Ex3: Review strategy in light of cybersecurity incidents

GV.OV-P3: Organizational privacy risk management performance is measured and reviewed to confirm and adjust strategic direction.
  - GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
    Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives
    Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
    Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership

GV.RR-P1: Organizational leadership is responsible and accountable for privacy risk and fosters a culture that is risk-aware, ethical, and continually improving.
  - GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
    Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy
    Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
    Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
    Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk

GV.RR-P2: Roles and responsibilities for the workforce are established with respect to privacy.
  - GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
    Ex1: Document risk management roles and responsibilities in policy
    Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
    Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
    Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
    Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

GV.RR-P3: Privacy roles and responsibilities are coordinated and aligned with external stakeholders (e.g., service providers, customers, partners).
  - GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
    Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
    Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
    Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
    Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
    Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
    Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
    Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
    Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

GV.RR-P4: Adequate resources are allocated commensurate with privacy risk strategy, roles and responsibilities, and policies.
  - GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
    Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
    Ex2: Identify resource allocation and investment in line with risk tolerance and response
    Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy

GV.DE-P1

Data processing ecosystem risk management strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.

GV.PO-01

Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced

Ex1:  Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
Ex2:  Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
Ex3:  Require approval from senior management on policy
Ex4:  Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
Ex5:  Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated

GV.DE-P2

Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program.

GV.SC-05

Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

Ex1:  Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
Ex2:  Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
Ex3:  Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
Ex4:  Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
Ex5:  Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
Ex6:  Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
Ex7:  Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
Ex8:  Contractually require suppliers to vet their employees and guard against insider threats
Ex9:  Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
Ex10:  Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks

GV.DE-P3

Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks.

(no NIST CSF v2.0 mapping; pure-play privacy control)

GV.DE-P4

Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual, interoperability framework, or other obligations.

GV.SC-07

The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

Ex1:  Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
Ex2:  Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
Ex3:  Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
Ex4:  Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
Ex5:  Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

GV.DE-P5

Data processing ecosystem risk management is integrated into privacy and enterprise risk management, risk assessment, and improvement processes.

GV.PO-01

Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced

Ex1:  Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
Ex2:  Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
Ex3:  Require approval from senior management on policy
Ex4:  Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
Ex5:  Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated

GV.AT-P1

Personnel are provided with awareness and training so that they possess the knowledge and skills to perform privacy-related tasks.

PR.AT-01

Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind

Ex1:  Provide basic cybersecurity awareness and training to employees, contractors, partners, suppliers, and all other users of the organization's non-public resources
Ex2:  Train personnel to recognize social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials)
Ex3:  Explain the consequences of cybersecurity policy violations, both to individual users and the organization as a whole
Ex4:  Periodically assess or test users on their understanding of basic cybersecurity practices
Ex5:  Require annual refreshers to reinforce existing practices and introduce new practices

GV.AT-P2

Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform privacy-related tasks.

PR.AT-02

Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind

Ex1:  Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
Ex2:  Provide role-based cybersecurity awareness and training to all those in specialized roles, including contractors, partners, suppliers, and other third parties
Ex3:  Periodically assess or test users on their understanding of cybersecurity practices for their specialized roles
Ex4:  Require annual refreshers to reinforce existing practices and introduce new practices

GV.MT-P1

Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization's business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change.

GV.PO-02

Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

Ex1:  Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
Ex4:  Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)

GV.MT-P2

Privacy values, policies, and training are reviewed and any updates are communicated.

GV.PO-02

Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

Ex2:  Provide a timeline for reviewing changes to the organization's risk environment (e.g., changes in risk or in the organization's mission objectives), and communicate recommended policy updates

GV.MT-P3

Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place.

GV.PO-02

Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

Ex3:  Update policy to reflect changes in legal and regulatory requirements

GV.MT-P4

Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

GV.MT-P5

Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events).

(no NIST CSF v2.0 mapping; pure-play privacy control)

GV.MT-P6

Policies, processes, and procedures incorporate lessons learned from problematic data actions.

(no NIST CSF v2.0 mapping; pure-play privacy control)

GV.MT-P7

Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.PO-P1

Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.PO-P2

Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention).

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.PO-P3

Policies, processes, and procedures for enabling individuals' data processing preferences and requests are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.PO-P4

A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems.

ID.AM-08

Systems, hardware, software, services, and data are managed throughout their life cycles

Ex1:  Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
Ex2:  Integrate cybersecurity considerations into product life cycles
Ex3:  Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
Ex4:  Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
Ex5:  Properly configure and secure systems, hardware, software, and services prior to their deployment in production
Ex6:  Update inventories when systems, hardware, software, and services are moved or transferred within the organization
Ex7:  Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
Ex8:  Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
Ex9:  Offer methods for destroying paper, storage media, and other physical forms of data storage

CT.DM-P1

Data elements can be accessed for review.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P2

Data elements can be accessed for transmission or disclosure.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P3

Data elements can be accessed for alteration.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P4

Data elements can be accessed for deletion.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P5

Data are destroyed according to policy.

ID.AM-08

Systems, hardware, software, services, and data are managed throughout their life cycles

Ex7:  Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
Ex8:  Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
Ex9:  Offer methods for destroying paper, storage media, and other physical forms of data storage

CT.DM-P6

Data are transmitted using standardized formats.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P7

Mechanisms for transmitting processing permissions are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P8

Mechanisms for transmitting data elements in accordance with processing permissions are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P9

Log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization.

PR.PS-04

Log records are generated and made available for continuous monitoring

Ex1:  Configure all operating systems, applications, and services (including cloud-based services) to generate log records
Ex2:  Configure log generators to securely share their logs with the organization's logging infrastructure systems and services
Ex3:  Configure log generators to record the data needed by zero-trust architectures

DE.AE-02

Potentially adverse events are analyzed to better understand associated activities

Ex1:  Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
Ex3:  Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation
Ex4:  Use log analysis tools to generate reports on their findings
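Added worked example (my own illustration, not part of this e-mail's table and not NIST text) of how CT.DM-P9 and its CSF counterparts fit together in practice: log records are built from an allow-list of fields, the user identifier is replaced with a keyed pseudonym so events still link for monitoring (PR.PS-04), and a simple detection rule runs over the minimized records (DE.AE-02 Ex1). The key, field names and sample events are constructed assumptions; in practice the key would live in a secret manager and be rotated per environment.

```python
import hashlib
import hmac
import json
from collections import Counter

# Assumption for the illustration: in practice this key comes from a secret
# manager and is rotated per environment.
PSEUDONYM_KEY = b"assumed-per-environment-pseudonym-key"

# Allow-list of what a log record may carry, decided per field (CT.DM-P9).
KEEP = {"ts", "event", "outcome", "src_ip"}   # needed by the monitoring use case
PSEUDONYMIZE = {"user"}                        # keep linkability, drop identity
# Everything else (e-mail address, date of birth, free-text query, ...) is never written.


def pseudonymize(value: str) -> str:
    """Keyed hash: the same user links across records, but the name cannot be
    recovered without the key. A plain SHA-256 of a username would fall to a
    dictionary attack, which is why an HMAC is used."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(event: dict) -> dict:
    """Build the record that is actually logged (allow-list, not deny-list)."""
    record = {}
    for key, value in event.items():
        if key in KEEP:
            record[key] = value
        elif key in PSEUDONYMIZE:
            record[key] = pseudonymize(value)
    return record


def write_records(events) -> list:
    """PR.PS-04: emit one JSON line per event for the logging pipeline."""
    return [json.dumps(minimize(e), sort_keys=True) for e in events]


def failed_login_burst(log_lines, threshold: int = 3) -> set:
    """DE.AE-02 Ex1-style rule over the minimized log: pseudonymous users with
    at least `threshold` failed logins. Returns pseudonyms, never names."""
    failures = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("event") == "login" and rec.get("outcome") == "fail":
            failures[rec["user"]] += 1
    return {user for user, n in failures.items() if n >= threshold}


# Constructed sample events (not real data): three failures for alice, one for bob.
RAW_EVENTS = [
    {"ts": "2025-06-01T18:00:01Z", "event": "login", "outcome": "fail",
     "user": "alice", "email": "alice@example.com", "dob": "1990-01-01",
     "src_ip": "203.0.113.5"},
    {"ts": "2025-06-01T18:00:04Z", "event": "login", "outcome": "fail",
     "user": "alice", "email": "alice@example.com", "dob": "1990-01-01",
     "src_ip": "203.0.113.5"},
    {"ts": "2025-06-01T18:00:09Z", "event": "login", "outcome": "fail",
     "user": "alice", "email": "alice@example.com", "dob": "1990-01-01",
     "src_ip": "203.0.113.5"},
    {"ts": "2025-06-01T18:01:00Z", "event": "login", "outcome": "fail",
     "user": "bob", "email": "bob@example.com", "dob": "1985-05-05",
     "src_ip": "198.51.100.7"},
    {"ts": "2025-06-01T18:01:30Z", "event": "login", "outcome": "success",
     "user": "bob", "email": "bob@example.com", "dob": "1985-05-05",
     "src_ip": "198.51.100.7", "query": "account balance"},
]

if __name__ == "__main__":
    lines = write_records(RAW_EVENTS)
    for line in lines:
        print(line)
    print("burst:", failed_login_burst(lines))
```

The point of the allow-list is that a new field added upstream (the "query" text, for instance) is dropped by default rather than logged by accident; the pseudonym keeps the SIEM rule working without the log ever carrying the username.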

CT.DM-P10

Technical measures implemented to manage data processing are tested and assessed.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DM-P11

Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DP-P1

Data are processed to limit observability, linkability, and singling out (e.g., data actions take place on local devices, privacy-preserving cryptography).

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DP-P2

Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization).

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DP-P3

Data are processed to limit the formulation of inferences about individuals' behavior or activities (e.g., data processing is decentralized, distributed architectures).

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DP-P4

System or device configurations permit selective collection or disclosure of data elements.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CT.DP-P5

Attribute values are substituted with derived attribute values (e.g., providing an "age older than" statement rather than the actual age).

(no NIST CSF v2.0 mapping; pure-play privacy control)
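Added worked example (my own illustration, not part of this e-mail's table and not NIST text) covering the disassociated-processing controls above: CT.DP-P2 tokenization with a server-side vault, CT.DP-P4 selective disclosure driven by a per-purpose allow-list, and CT.DP-P5 substitution of an "older than 18" statement for the actual age. The key, the vault, the purposes and the customer record are constructed assumptions; a real deployment would put the vault behind a separate token service. Unlike a keyed pseudonym, a vault token is reversible by the service that holds the vault and by nobody else.

```python
import hashlib
import hmac
from datetime import date

# Assumptions for the illustration: the key and the vault would be held by a
# separate token service, never by the systems that receive the tokens.
TOKEN_KEY = b"assumed-token-service-key"
_VAULT = {}  # token -> original value


def tokenize(value: str) -> str:
    """CT.DP-P2: replace an identifier with a token. Deterministic (same value,
    same token) so records still join, but the mapping lives only in the vault."""
    token = "tok_" + hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    _VAULT[token] = value
    return token


def detokenize(token: str) -> str:
    """Only the token service, which holds the vault, can reverse a token."""
    return _VAULT[token]


def age_on(dob: date, today: date) -> int:
    """Completed years, correct on the day before and the day of a birthday."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_older_than(dob: date, threshold: int, today: date) -> bool:
    """CT.DP-P5: the derived attribute; the actual age never leaves this function."""
    return age_on(dob, today) >= threshold


def generalize_postcode(postcode: str) -> str:
    """CT.DP-P1-style limit on linkability: keep only the postcode area."""
    return postcode[:3] + "**"


# CT.DP-P4: what each disclosure purpose may receive, as an allow-list
# (assumed purposes, for the illustration).
PURPOSES = {
    "age_gate": {"is_over_18"},
    "shipping_analytics": {"customer_token", "postcode_area"},
    "support": {"customer_token", "is_over_18", "postcode_area"},
}


def disclose(customer: dict, purpose: str, today: date) -> dict:
    """Build the view for one purpose from derived or tokenized values only;
    the raw e-mail, date of birth and full postcode are never in the output."""
    derived = {
        "customer_token": tokenize(customer["email"]),
        "is_over_18": is_older_than(customer["dob"], 18, today),
        "postcode_area": generalize_postcode(customer["postcode"]),
    }
    allowed = PURPOSES[purpose]
    return {k: v for k, v in derived.items() if k in allowed}


# Constructed sample record (not real data): the customer turns 18 tomorrow.
CUSTOMER = {"email": "alice@example.com", "dob": date(2007, 6, 2), "postcode": "20899"}
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    print(disclose(CUSTOMER, "age_gate", TODAY))
    print(disclose(CUSTOMER, "shipping_analytics", TODAY))
```

The birthday edge case is deliberate: a naive `today.year - dob.year` would report this customer as 18 a day early, which is exactly the kind of defect that testing of technical measures (CT.DM-P10) should catch.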

CM.PO-P1

Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.PO-P2

Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P1

Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals' data processing preferences and requests are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P2

Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P3

System/product/service design enables data processing visibility.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P4

Records of data disclosures and sharing are maintained and can be accessed for review or transmission/disclosure.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P5

Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P6

Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P7

Impacted individuals and organizations are notified about a privacy breach or event.

(no NIST CSF v2.0 mapping; pure-play privacy control)

CM.AW-P8

Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to address impacts of problematic data actions.

(no NIST CSF v2.0 mapping; pure-play privacy control)

PR.PO-P5

Improvements to data protection policies, processes, and procedures are identified (e.g., from evaluations, security tests and exercises, execution of policies, processes, and procedures), communicated, and implemented.

ID.IM-01

Improvements are identified from evaluations

Ex1:  Perform self-assessments of critical services that take current threats and TTPs into consideration
Ex2:  Invest in third-party assessments or independent audits of the effectiveness of the organization's cybersecurity program to identify areas that need improvement
Ex3:  Constantly evaluate compliance with selected cybersecurity requirements through automated means

ID.IM-03

Improvements are identified from execution of operational processes, procedures, and activities

Ex1:  Conduct collaborative lessons learned sessions with suppliers
Ex2:  Annually review cybersecurity policies, processes, and procedures to take lessons learned into account
Ex3:  Use metrics to assess operational cybersecurity performance over time

PR.PO-P7

Incident response and recovery plans are established, communicated, maintained, and improved.

ID.IM-04

Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

Ex1:  Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organization's mission and viability
Ex2:  Include contact and communication information, processes for handling common scenarios, and criteria for prioritization, escalation, and elevation in all contingency plans
Ex3:  Create a vulnerability management plan to identify and assess all types of vulnerabilities and to prioritize, test, and implement risk responses
Ex4:  Communicate cybersecurity plans (including updates) to those responsible for carrying them out and to affected parties
Ex5:  Review and update all cybersecurity plans annually or when a need for significant improvements is identified

ID.IM-02

Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

Ex1:  Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)
Ex2:  Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers
Ex3:  Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate
Ex4:  Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership
Ex5:  Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt
Ex6:  Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program

PR.AA-P1

Identities and credentials for authorized individuals, services, and hardware are managed by the organization.

PR.AA-01

Identities and credentials for authorized users, services, and hardware are managed by the organization

Ex1:  Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
Ex2:  Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
Ex3:  Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device
Ex4:  Physically label authorized hardware with an identifier for inventory and servicing purposes

PR.AA-P2

Identities are proofed and bound to credentials based on the context of interactions.

PR.AA-02

Identities are proofed and bound to credentials based on the context of interactions

Ex1:  Verify a person's claimed identity at enrollment time using government-issued identity credentials (e.g., passport, visa, driver's license)
Ex2:  Issue a different credential for each person (i.e., no credential sharing)

PR.AA-P3

Individuals, services, and hardware are authenticated commensurate with risk.

PR.AA-03

Users, services, and hardware are authenticated

Ex1:  Require multifactor authentication
Ex2:  Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
Ex3:  Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
Ex4:  Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions

PR.AA-P4

Identity assertions are protected, conveyed, and verified.

PR.AA-04

Identity assertions are protected, conveyed, and verified

Ex1:  Protect identity assertions that are used to convey authentication and user information through single sign-on systems
Ex2:  Protect identity assertions that are used to convey authentication and user information between federated systems
Ex3:  Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions

PR.AA-P5

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

PR.AA-05

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

Ex1:  Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
Ex2:  Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
Ex3:  Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
Ex4:  Periodically review the privileges associated with critical business functions to confirm proper separation of duties

PR.AA-P6

Physical access to data and devices is managed, monitored, and enforced commensurate with risk.

PR.AA-06

Physical access to assets is managed, monitored, and enforced commensurate with risk

Ex1:  Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access
Ex2:  Employ additional physical security controls for areas that contain high-risk assets
Ex3:  Escort guests, vendors, and other third parties within areas that contain business-critical assets

PR.DS-P1

The confidentiality, integrity, and availability of data-at-rest are protected.

PR.DS-01

The confidentiality, integrity, and availability of data-at-rest are protected

Ex1:  Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources
Ex2:  Use full disk encryption to protect data stored on user endpoints
Ex3:  Confirm the integrity of software by validating signatures
Ex4:  Restrict the use of removable media to prevent data exfiltration
Ex5:  Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets

PR.DS-P2

The confidentiality, integrity, and availability of data-in-transit are protected.

PR.DS-02

The confidentiality, integrity, and availability of data-in-transit are protected

Ex1:  Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications
Ex2:  Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification
Ex3:  Block access to personal email, file sharing, file storage services, and other personal communications applications and services from organizational systems and networks
Ex4:  Prevent reuse of sensitive data from production environments (e.g., customer records) in development, testing, and other non-production environments

PR.DS-P3

Systems/products/services and associated data are managed throughout their life cycle.

ID.AM-08

Systems, hardware, software, services, and data are managed throughout their life cycles

Ex1:  Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
Ex2:  Integrate cybersecurity considerations into product life cycles
Ex3:  Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
Ex4:  Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
Ex5:  Properly configure and secure systems, hardware, software, and services prior to their deployment in production
Ex6:  Update inventories when systems, hardware, software, and services are moved or transferred within the organization
Ex7:  Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
Ex8:  Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
Ex9:  Offer methods for destroying paper, storage media, and other physical forms of data storage

PR.DS-P8

The authenticity and integrity of hardware and software are assessed prior to acquisition and use.

ID.RA-09

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Ex1:  Assess the authenticity and cybersecurity of critical technology products and services prior to acquisition and use

PR.DS-P9

The confidentiality, integrity, and availability of data-in-use are protected.

(no NIST CSF v2.0 mapping; pure-play privacy control)

PR.DS-P10

Backups of data are created, protected, maintained, and tested.

PR.DS-11

Backups of data are created, protected, maintained, and tested

Ex1:  Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
Ex2:  Test backups and restores for all types of data sources at least annually
Ex3:  Securely store some backups offline and offsite so that an incident or disaster will not damage them
Ex4:  Enforce geographic separation and geolocation restrictions for data backup storage

PR.PS-P1

Configuration management practices are established and applied.

PR.PS-01

Configuration management practices are established and applied

Ex1:  Establish, test, deploy, and maintain hardened baselines that enforce the organization's cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
Ex2:  Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software
Ex3:  Monitor implemented software for deviations from approved baselines

PR.PS-P2

Software is maintained, replaced, and removed commensurate with risk.

PR.PS-02

Software is maintained, replaced, and removed commensurate with risk

Ex1:  Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
Ex2:  Update container images, and deploy new container instances to replace rather than update existing instances
Ex3:  Replace end-of-life software and service versions with supported, maintained versions
Ex4:  Uninstall and remove unauthorized software and services that pose undue risks
Ex5:  Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse
Ex6:  Define and implement plans for software and service end-of-life maintenance support and obsolescence

PR.PS-P3

Hardware is maintained, replaced, and removed commensurate with risk.

PR.PS-03

Hardware is maintained, replaced, and removed commensurate with risk

Ex1:  Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
Ex2:  Define and implement plans for hardware end-of-life maintenance support and obsolescence
Ex3:  Perform hardware disposal in a secure, responsible, and auditable manner

PR.PS-P4

Installation and execution of unauthorized software are prevented.

PR.PS-05

Installation and execution of unauthorized software are prevented

Ex1:  When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorized software
Ex2:  Verify the source of new software and the software's integrity before installing it
Ex3:  Configure platforms to use only approved DNS services that block access to known malicious domains
Ex4:  Configure platforms to allow the installation of organization-approved software only

PR.IR-P1

Networks and environments are protected from unauthorized logical access and usage.

PR.IR-01

Networks and environments are protected from unauthorized logical access and usage

Ex1:  Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
Ex2:  Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks
Ex3:  Implement zero trust architectures to restrict network access to each resource to the minimum necessary
Ex4:  Check the cyber health of endpoints before allowing them to access and use production resources

PR.IR-P2

The organization's technology assets, including associated data, are protected from environmental threats.

PR.IR-02

The organization's technology assets are protected from environmental threats

Ex1:  Protect organizational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity
Ex2:  Include protection from environmental threats and provisions for adequate operating infrastructure in requirements for service providers that operate systems on the organization's behalf

PR.IR-P3

Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.

PR.IR-03

Mechanisms are implemented to achieve resilience requirements in normal and adverse situations

Ex1:  Avoid single points of failure in systems and infrastructure
Ex2:  Use load balancing to increase capacity and improve reliability
Ex3:  Use high-availability components like redundant storage and power supplies to improve system reliability

PR.IR-P4

Adequate resource capacity to ensure availability is maintained.

PR.IR-04

Adequate resource capacity to ensure availability is maintained

Ex1:  Monitor usage of storage, power, compute, network bandwidth, and other resources
Ex2:  Forecast future needs, and scale resources accordingly