NIST Risk Priorities & Appetite - Internal/Exter

Functions metrics

Service Catalog Policy Alignme

Information Secu

Function Category

Asset Management

Business Environment

Identify Governance

Risk Assessment
Risk Management
Supply Chain Risk
Management

NIST Identity Management

and Access Control
Cybersecurity
Enterprise-
Aligned Awareness and Training

Framework: Data Security

Protect
- Risks Information Protection
- Service Processes and
Procedures
Catalog
- Priorities Maintenance
- Maturity
- Metrics
- 3-Year Protective Technology

Project,
Program &
Initiative
Roadmap
- Metrics
- 3-Year
Project,
Program & Anomalies and Events
Initiative
Roadmap Detect Security Continuous
Monitoring

IT Service Detection Processes

Management Response Planning

Life-Cycle Communications
Analysis
Respond
Process Mitigation
Improvement Improvements
Recovery Planning

Recover Improvements

Communications
- Internal/External

Policy Alignment
Information Security Risk-Aligned Framework Maturity Model

CSC Top NIST

InfoSec Service Catalog Risk FY-18 $ FY-19 $ FY-20 $ 0 1 2 3
20 Pol.

Ops. Sec. - Asset Management 4 $xxx DI

- Physical and Environmental 7 1,2 $xxx DM
Governance - Regulatory, Legal,
AP Metrics
Compliance All - $xxx
AU
Governance
PL
- Security Information Management
PM
5 - $xxx
Security and Risk Assessments 5a 4 $xxx $xxx AR
Governance - Risk Management 5b - AR

Vendor contract, Governance

All -

Identity and Access Management (IAM)

5, 9
- IAM
11, 12 AC
- SSO 2 $xxx
13, 14 IA
- NAC
- RBAC
3
6
15, 16
$xxx
$xxx Budgets:
9 $xxx $xxx $xxx Funded -
Awareness and Training
10 5,17 $xxx
Unfunded
AT
PS - Metrics

Security Architecture and Design (Life Proposed -

CA
Cycle) 13 1,2 $xxx
Governance - Proactive Protection -
- Policies, Standards, Guidelines 3, 4
7, 9 MP
- ITSM Process governance and
10, 11 PE
maturity SA Metrics (e-discovery)
- Acquisition, Development and 18, 19
SC
Maintenance 11
- Application development life cycle
3 ,4
Operations Security - Asset
Maintenance 5, 11 MA
12
14 $xxx
Operations Security 5, 6
- Change Management 7, 8
CM
- Information Management and 11, 13
Encryption 15 14, 16 $xxx $xxx $xxx

Key initiatives
nested and aligned
 Monitor, Alerts and Reports - SIEM-
6, 9
Vuln
PCI-PII-PHI
12, 19 Key initiatives
SI Metrics
1b $xxx $xxx $xxx
nested and aligned
Monitor, Alerts and Reports 4, 8
1a 16, 19 $xxx $xxx

Monitor, Alerts and Reports - DLP $xxx

1 19 $xxx $xxx $xxx
Gov. - Bus. Impact Analysis 5c 19
Incident Response - Alignment 8d 19
Incident Response - Risk 8a 6,19 $xxx
Incident Response 8c 4,19 IR
Incident Response - Maturity 8e 19,20 $xxx
Ops. Security - Bus. Continuity 8 10 $xxx $xxx CP

Ops. Security - Downtime Mgmt.

8b 20
Ops. Security - Svc. Alignment 12 - $xxx
 "Tiers" -
Maturity Map

Maturity Model Action Plan FY2016 Action Plan FY2017 Action Plan FY2018

FY18 FY18 FY18 FY18 FY19 FY19 FY19 FY19 FY20 FY20 FY20 FY20
4 5 6
-Q1 -Q2 -Q3 -Q4 -Q1 -Q2 -Q3 -Q4 -Q1 -Q2 -Q3 -Q4

Asset Strategy Review Project 7A

Metrics Risk Program

Policy Dev. Policy Review

Automate
Dashboard
Integration I1ntegration I2ntegration 3 Review

NAC SSO - Phase 0 IAM SSO - Phase 3

Metrics Alignment Review Review

Report IT Report Report

Servi
ce
Man
MD age Revi
Metrics (e-discovery) M ment ew
-
Auto Full
Asse Asse
mati
t
on t
Man
age
Man
age
CMM
ment Revi
Chan
ge
ment
ew -metrics
ITSM Chan
Man
Align ge
age
Mgm
ment
t.
 Exter Exter
nal nal
Metrics Pen-Test Pen-Test Pen-Test Pen-Test
Pen- Pen-
Test Test
Expand 3 Expand 4 Expand 5

DLP Phase 2 DLP Phase 3

BIA - Phase 1 BIA - Phase 3

Architecture Process Mapping
Risk Mapping Formal Review Formal Review
CIRT Test 1 CIRT Full Test CIRT Test 3
Extern
Remediate External Risk Assessment Remediate
DR Plan Test BC Plan Test BC Plan
Stan Test Test
dardi Dow Dow
Document ze ntim ntim
Train e e
ing Plan Plan
LMS Review Mid-year LMS Review Mid-year LMS Review Mid-year Challenges
identified

Current State

F
S

Maturity -
progress
identified
 Challenges
identified

NIST C
ent State Brian V
Paidhr
Revision
Future
State

Maturity -
progress
identified
Functions Sub-Category - Service CSC or NIST Core Policy Alignment Maturity specifics (process, policy, documentation and automation), used to "Tiers" or Maturity Three Year (or more) Action Plan (Implementation) based on "Profiles" -- Identified Risks,
Catalog Info. References calculate maturity map Map (see legend) Priorities, Maturity, and Capabilities. Quarter-by-quarter initiative or project time-lines and
Cat. IDs Risk Priorities & Appetite - Funded - Unfunded - Proposed measures of success
Internal/External metrics
Information Security Risk-Aligned Framework Maturity Roadmap FY2017
Category CSC Top NIST Policy Documentation Process
Function Unique Links Category Priority Organization Service Catalog FY2018 $ FY2019 $ FY2020 $ FY2021 $ FY2022 $ Process Level Policy Level Automation Level Policy Value Document Automate Maturity 1
In itial
2
R epeatable
3
Defined
4
Managed
5
Optimiz ing
Action Plan FY2018-2019 Action Plan FY2019-2020 Action Plan FY2020-2021
Identifier Twenty Family Level Value Value Value Score

CMDB system, Cis co Prime Vulnerabi li ty Manage ment Program Expansi on Networ k Access Co ntrol Eval uation M ap Data Flows
Vulnerabi li ty Scanner, CMDB s ys tem Vulnerabi li ty Manage ment Pass ive Scan Impl emen tati on CASB Evaluatio n
AM Infrastructure Asset Management Visi o
(CASB )
1, 2 35,000 35,000 10,000 60,000 10,000 DI, DM 26.7% Challenges across Software W hitel isi ng Evaluatio n
Review Asset Management Rol es and Res ponsi bil ities
services are
readily identified
Vulnerabi li ty Manage ment Program Expansi on
CMDB system, Cisco Prime 1 Standardized Informal Formal Partial 30% 5% 10% 5% 50% Vulnerabi li ty Manage ment Pass ive Scan Impl emen tati on Network Access Control Evaluation

Vulnerability Scanner, CMDB system 2 10,000 10,000 10,000 10,000 10,000 Measured None Formal Full 40% 0% 10% 10% 60% CASB Evaluatio n
Software W hitel isi ng Evaluatio n
Budget items roll up to
high level catagory
Visio 1 Inconsistent None Formal None 10% 0% 10% 0% 20% Map Data Flows

(CASB) 1 25,000 25,000 0 50,000 0 None None None None 0% 0% 0% 0% 0%

Inconsistent None Informal None 10% 0% 5% 0% 15%

Inconsistent Informal None None 10% 5% 0% 0% 15% Review Asset Management Roles and Responsibilities

Align with Organiz ational Mis sio n

BE Business Environment 0 0 0 0 0 AP 36.0%

Sample
Inconsistent None None None 10% 0% 0% 0% 10%
Projects
and
Initiatives
Inconsistent Defined Formal Partial 10% 10% 10% 5% 35%

Standardized None Improvement Partial 30% 0% 20% 5% 55% Align with Organizational Mission
Process

Inconsistent Audited Formal Partial 10% 15% 10% 5% 40%

Inconsistent Audited Metrics and None 10% 15% 15% 0% 40%

Reporting
Secu rity Pol icy Review Rol es an d Res pons ibi liti es Review Ro les an d Res pons ibi liti es R evi ew R oles and Respo nsib ili ties
Secu rity Pol icy, (Eramba GRC) Review Information Securi ty Poli ci es and Ar chi tecture Review Information Securi ty Poli ci es and Ar chi tecture R evi ew Information Secu rity Pol icies and Arch itectu re
GV Governance Governance Eramba GRC 250,000 100,000 100,000 100,000 100,000 AU, PL, 26.3% GRC Fr amew ork Eval uation and Project GRC Fr amew ork Project Phase 1 and Phase 2 GR C Framework Pro ject Phase 3 and Phase 4
PM HIPAA and P CI Ass essment HIPAA and P CI Ass essment HIPAA and PCI As sess ment

Calapse and Expand Security Policy Inconsistent Defined Formal None 10% 10% 10% 0% 30% Review Roles and Responsibilities Review Roles and Responsibilities Review Roles and Responsibilities
sub-sections and
columns above
Security Policy, (Eramba GRC) 250,000 100,000 100,000 100,000 100,000 Inconsistent Defined Formal None 10% 10% 10% 0% 30% Review Information Security Policies and Architecture Review Information Security Policies and Architecture Review Information Security Policies and Architecture

Eramba GRC Inconsistent Defined Formal None 10% 10% 10% 0% 30% GRC Framework Evaluation and Project GRC Framework Project Phase 1 and Phase 2 GRC Framework Project Phase 3 and Phase 4
IDENTIFY

Inconsistent Informal None None 10% 5% 0% 0% 15% HIPAA and PCI Assessment HIPAA and PCI Assessment HIPAA and PCI Assessment

Vulnerabi li ty Managemen t, P enetration Testin g, R isk Vulnerabi li ty Manage ment Expansi on P roject Evaluate M S-ISAC Th reat In telli gence C ardhol der Data Ri sk Asses sments
Asses sments Expand Th reat In telli gence Cardh older Data Ris k As sess men ts R isk Ass essment Improvements
RA Risk Assessments Risk Assessment MS-ISAC Threat Intel igence 3, 20 0 0 0 0 0 AR 35.0% Cardh older Data Ris k As sess men ts Ri sk Asses sment Improvements
Vulnerabi li ty Managemen t, P enetration Testin g, R isk Ri sk Asses sment Improvements
Asses sments
Ri sk Asses sments
Ri sk Asses sments CMM and
Ri skVulnerability
Asses sments Management, Penetration
Testing, Risk Assessments
3 Repeatable Informal Informal None 20% 5% 5% 0% 30% metrics Vulnerability Management Expansion Project

agnostic
MS-ISAC Threat Inteligence 3 Inconsistent Defined Informal None 10% 10% 5% 0% 25% Expand Threat Intelligence Evaluate MS-ISAC Threat Intelligence

Vulnerability Management, Penetration 3, 20 Inconsistent Defined Informal Partial 10% 10% 5% 5% 30%
Testing, Risk Assessments

Risk Assessments Inconsistent Audited Informal None 10% 15% 5% 0% 30% Cardholder Data Risk Assessments Cardholder Data Risk Assessments Cardholder Data Risk Assessments

Risk Assessments Repeatable Embedded Informal None 20% 20% 5% 0% 45%

Risk Assessments Inconsistent Defined Improvement Full 10% 10% 20% 10% 50% Risk Assessment Improvements Risk Assessment Improvements Risk Assessment Improvements
Process
Review Ri sk Pro cess Review Ri sk Pro cess R evi ew R isk P roces s
Review Tol erance Review Tol erance R evi ew To lerance
RM Risk Management Risk Management 0 0 0 0 0 AR 15.0%

Repeatable None Informal None 20% 0% 5% 0% 25% Review Risk Process Review Risk Process Review Risk Process

Inconsistent None None None 10% 0% 0% 0% 10% Review Tolerance Review Tolerance Review Tolerance

Inconsistent None None None 10% 0% 0% 0% 10%

Review Suppl y Chain Process Review Suppl y Chain Process R evi ew Sup ply Ch ai n Pr oces s
Review Ven dors Review Vendors R evi ew Vendor s
SC Supply Chain Risk
Supply Chain Risk Management 0 0 0 0 0 SA 26.0%
Manageme nt

Repeatable None Informal None 20% 0% 5% 0% 25% Review Supply Chain Process Review Supply Chain Process Review Supply Chain Process

Repeatable Embedded Metrics and None 20% 20% 15% 0% 55% Review Vendors Review Vendors Review Vendors
Reporting

Inconsistent None None None 10% 0% 0% 0% 10% Review Vendors Review Vendors Review Vendors

Inconsistent None None None 10% 0% 0% 0% 10% Review Vendors Review Vendors Review Vendors

Repeatable Informal Informal None 20% 5% 5% 0% 30%

Acti ve Di rector y, ADFS, (IAM) Identity Access Management Evaluati on Pri vl eged Access Managemen t Eval Identi ty Acces s Mgmt P roject
(VP N), (IAM), (M DM) Remote Acces s Expansi on Networ k Access Co ntrol Eval uation M DM Eval uation
Identity Management (PAM), (NAC) 5 , 11-14, Review Active Di rector y Review Active Di rector y R evi ew Acti ve Directory
AC Firew all, W eb Fil ter, (NAC) 520,000 10,000 0 20,000 0 AC, IA 18.0% Web Con tent Fil ter Project Fi rewall Refres h Project
and Acces s Control 16, 1 8

Active Directory, ADFS, (IAM) 18 10,000 10,000 Inconsistent Defined Informal None 10% 10% 5% 0% 25% Identity Access Management Evaluation Privleged Access Management Eval Identity Access Mgmt Project

Inconsistent Informal None None 10% 5% 0% 0% 15%

(VPN), (IAM), (MDM) 12 500,000 Inconsistent Informal None None 10% 5% 0% 0% 15% Remote Access Expansion MDM Evaluation

Networ k Access Co ntrol Eval uation

(PAM), (NAC) 5, 14, 16, 18 Inconsistent Informal None None 10% 5% 0% 0% 15% Review Active Directory
Review Active Di rector y
Review Active Directory

Firewall, Web Filter, (NAC) 11, 12, 13, 10,000 20,000 Inconsistent Defined None None 10% 10% 0% 0% 20% Web Content Filter Project Firewall Refresh Project
14

User Awareness, (Phish Training) 17 Repeatable Defined Informal None 20% 10% 5% 0% 35% PCI Edu catio n Review Education Program Review Education Program
General Education

Security Policy, (Eramba GRC) 5, 17 Inconsistent Informal None None 10% 5% 0% 0% 15%
Maturity and
Security Policy 17 Inconsistent Informal None None 10% 5% 0% 0% 15%
progress also
identified
Security Policy, (Eramba GRC) 17 Inconsistent Informal None None 10% 5% 0% 0% 15%

Security Policy, (Eramba GRC) 17 Inconsistent Informal None None 10% 5% 0% 0% 15%

Bi tlocker, Stor age Encrypti on, Certi ficate Services SAN Encrypti on at rest Data Cl as sifi catio n Pro ject En cour age compl iance wi th 100% encryption pol icy
TLS, Cer tificate Servi ces Wo rks tation Certifi cates Data Lo ss Prevention Eval uation Evalu ate FIM solu tion
Operati onal Monito ring, External M onitor ing 1, 2, 1 3, Pol icy to en crypt al l n etwork connections (3yr compli ance) Evaluate FIM s oluti on
DS Data Security Data Loss Prevention , Di gi tal R ights Managemen t 14 0 0 0 0 0 CA 8.6%
Tri pwir e

Bitlocker, Storage Encryption, Certificate 14 Inconsistent Defined None None 10% 10% 0% 0% 20% SAN Encrypti on at rest Data Classification Project
Services Wo rks tation Certifi cates

TLS, Certificate Services 13, 14 Inconsistent Defined None None 10% 10% 0% 0% 20% Policy to encrypt all network connections (3yr compliance) Encourage compliance with 100% encryption policy

1 Inconsistent None None None 10% 0% 0% 0% 10%

Operational Monitoring, External Monitoring None None None None 0% 0% 0% 0% 0%

Data Loss Prevention, Digital Rights 13 None None None None 0% 0% 0% 0% 0% Data Loss Prevention Evaluation
Management

Tripwire 2 Inconsistent None None None 10% 0% 0% 0% 10% Evaluate FIM solution Evaluate FIM solution

None None None None 0% 0% 0% 0% 0%

CIS Benchmarks, DISA STIGs Document Pl an R evi ew P lan

Information P rotection IT Change Control
IP Process es and Backup/Res tore s olu tion 5, 3 , 7, 0 0 0 0 0 MP, P E, 14.6%
PROTECT

Inci dent R espon se Pl an, Bus iness Con tinui ty Plan 11, 1 9 SA, SC
Procedures Inci dent R espon se Pl an, Bus iness Con tinui ty Plan
Vulnerabi li ty Managemen t, 3r d Party

CIS Benchmarks, DISA STIGs 5, 7, 11 Inconsistent None Informal None 10% 0% 5% 0% 15%

Inconsistent None None None 10% 0% 0% 0% 10%

IT Change Control Repeatable Informal Formal Partial 20% 5% 10% 5% 40%

Backup/Restore solution Repeatable None Informal None 20% 0% 5% 0% 25%

Inconsistent Informal None None 10% 5% 0% 0% 15%

Inconsistent None None None 10% 0% 0% 0% 10%

Inconsistent None None None 10% 0% 0% 0% 10% Document Plan Review Plan

Inconsistent None None None 10% 0% 0% 0% 10%

Incident Response Plan, Business Continuity None Informal Informal None 0% 5% 5% 0% 10%
Plan

Incident Response Plan, Business Continuity 19 None None None None 0% 0% 0% 0% 0%

Plan

Inconsistent None None None 10% 0% 0% 0% 10%

Vulnerability Management, 3rd Party 3 Inconsistent Informal None Partial 10% 5% 0% 5% 20%

MA Maintenance 4, 12 0 0 0 0 0 MA 22.5%

Repeatable Informal Informal None 20% 5% 5% 0% 30%

4, 12 Inconsistent Informal None None 10% 5% 0% 0% 15%

Log Management, SIEM SIEM man agement/ rul es SIEM Tuni ng

(IAM) 4, 6 , 8, SIEM Tunin g
PT Protective Technology 11, 1 3, 0 0 0 0 0 CM 10.0%
Some Sections Hidden to 14, 1 8
illustrate function cleanly
SIEM man agement/ rul es
Log Management, SIEM 6 Inconsistent None None None 10% 0% 0% 0% 10% SIEM Tunin g SIEM Tuning

8, 13, 14 None None None None 0% 0% 0% 0% 0%

(IAM) 4, 14, 18 Inconsistent Defined None None 10% 10% 0% 0% 20%

11 Inconsistent None None None 10% 0% 0% 0% 10%

(Vulnerability Management), (Network 12 None None None None 0% 0% 0% 0% 0% Network Analytics

Analytics)

19 Inconsistent None None None 10% 0% 0% 0% 10%

'Log Management, SIEM 6 Inconsistent None None None 10% 0% 0% 0% 10% SIEM Tuning

'Log Management, SIEM 19 Inconsistent None None None 10% 0% 0% 0% 10% SIEM Tuning

JSA, (GrayLog) 19 Inconsistent None None None 10% 0% 0% 0% 10% SIEM Tuning

'(Vulnerability Management), (Network 19 2,000 None None None None 0% 0% 0% 0% 0% Passive Scanner Pilot PVS
Analytics)

19 None None None None 0% 0% 0% 0% 0%

(Network Analytics) 19 None None None None 0% 0% 0% 0% 0%

Malware Protection 8, 19 Repeatable Defined Informal Partial 20% 10% 5% 5% 40%

DETECT

8, 19 None Defined None None 0% 10% 0% 0% 10%

(CASB) 19 None None None None 0% 0% 0% 0% 0%

19 Inconsistent Informal None None 10% 5% 0% 0% 15%

Vulnerability Management 3 Inconsistent Informal None None 10% 5% 0% 0% 15% Vulnerability Management Expansion

6 Inconsistent Informal None None 10% 5% 0% 0% 15% Networ k Passi ve scanner

IPS/IDS Revi ew

Networ k Passi ve scanner

6 Inconsistent None None None 10% 0% 0% 0% 10% IPS/IDS Revi ew

6 None None None None 0% 0% 0% 0% 0% Network Passive scanner

6 Inconsistent None None None 10% 0% 0% 0% 10%

6 None None None None 0% 0% 0% 0% 0%

19 Inconsistent Informal Informal None 10% 5% 5% 0% 20% Build IR Plan Review IR Plan Review IR Plan

19 Inconsistent Informal None None 10% 5% 0% 0% 15% Tabiletop IR Tabiletop IR

19 Inconsistent None Informal None 10% 0% 5% 0% 15%

19 Inconsistent None None None 10% 0% 0% 0% 10%

19 Inconsistent None None None 10% 0% 0% 0% 10%

19 Inconsistent None None None 10% 0% 0% 0% 10%

19 Inconsistent None None None 10% 0% 0% 0% 10%

RESPOND

19 Inconsistent None None None 10% 0% 0% 0% 10%

3rd party vendor, MS-ISAC 19 40,000 40,000 40,000 Inconsistent None Informal None 10% 0% 5% 0% 15% Perform forensic tests Perform forensic tests

19 Inconsistent None Informal None 10% 0% 5% 0% 15%

19 Inconsistent Defined Informal None 10% 10% 5% 0% 25%

19 Inconsistent Informal Informal None 10% 5% 5% 0% 20%

3 Inconsistent Informal None None 10% 5% 0% 0% 15% Exception Review Exception review Exception review

19 None None None None 0% 0% 0% 0% 0%

19 None None None None 0% 0% 0% 0% 0% Update IR procedures Update IR procedures Update IR procedures

19 None None None None 0% 0% 0% 0% 0% COOP Project

19 None None None None 0% 0% 0% 0% 0%

19 5,000 None None None None 0% 0% 0% 0% 0%

RECOVER

CO Communications 19 0 0 0 0 0 10.0%

4 19 Inconsistent None None None 10% 0% 0% 0% 10%

3 19 Inconsistent None None None 10% 0% 0% 0% 10%

2 19 Inconsistent None None None 10% 0% 0% 0% 10%

Proposed Funded Current State Progress Areas

Unfunded Future State Challenge Areas

NIST Cybersecurity Framework, Brian Maturity level of "Defined",

Ventura, Christopher Paidhrin, and Dean "Relational", or "Managed" (3,
Musson or mid-line), is 'realistic' near-
Revision 11.0 - 2013-2017 term goal
Maturity level of "Defined",
"Relational", or "Managed" (3,
or mid-line), is 'realistic' near-
term goal
 Information Security Risk-Aligned Framework Maturity Roadmap FY2021
Category CSC Top
Function Unique Links Category Cybersecurity Framework Control Priority Organization Service Catalog FY2020 $ FY2021 $ FY2022 $ FY2023 $ FY2024 $ NIST Policy Process Level Policy Level Documentation Automation Level Process Policy Value Document Automate Maturity 1
Initi al
2
Repeatabl e
3
Defi ned
4
Managed
5
Opti mi zi ng Action Plan FY2020-2021 Action Plan FY2021-2022 Action Plan FY2022-2023 Action Plan FY2023-2024 Action Plan FY2024-2025
Identifier Twenty Family Level Value Value Value Score

AM Infrastructure Asset Management Operational Security - Asset Management 1, 2 0 0 0 0 0 DI, DM 0.0%

ID.AM-1: Physical devices and systems within the organization are

inventoried 1 None None None None 0% 0% 0% 0% 0%

ID.AM-2: Software platforms and applications within the organization

are inventoried 2 None None None None 0% 0% 0% 0% 0%

ID.AM-3: Organizational communication and data flows are mapped 1 None None None None 0% 0% 0% 0% 0%

ID.AM-4: External information systems are catalogued 1 None None None None 0% 0% 0% 0% 0%

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and

software) are prioritized based on their classification, criticality, and None None None None 0% 0% 0% 0% 0%
business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire
workforce and third-party stakeholders (e.g., suppliers, customers, None None None None 0% 0% 0% 0% 0%
partners) are established

BE Governance Business Environment Strategic Security - Business Environment 0 0 0 0 0 AP 0.0%

ID.BE-1: The organization’s role in the supply chain is identified and None None None None 0% 0% 0% 0% 0%
communicated

ID.BE-2: The organization’s place in critical infrastructure and its None None None None 0% 0% 0% 0% 0%
industry sector is identified and communicated

ID.BE-3: Priorities for organizational mission, objectives, and activities None None None None 0% 0% 0% 0% 0%
are established and communicated

ID.BE-4: Dependencies and critical functions for delivery of critical None None None None 0% 0% 0% 0% 0%
services are established

ID.BE-5: Resilience requirements to support delivery of critical services

are established for all operating states (e.g. None None None None 0% 0% 0% 0% 0%
under duress/attack, during recovery, normal operations)

GV Governance Governance Strategic Security - Governance and Compliance 0 0 0 0 0 AU, P L, 0.0%

PM
IDENTIFY

ID.GV-1: Organizational cybersecurity policy is established None None None None 0% 0% 0% 0% 0%

and communicated

ID.GV-2: CyberSecurity roles and responsibilities are coordinated and None None None None 0% 0% 0% 0% 0%
aligned with internal roles and external partners

ID.GV-3: Legal and regulatory requirements regarding cybersecurity,

including privacy and civil liberties obligations, are understood and None None None None 0% 0% 0% 0% 0%
managed

ID.GV-4: Governance and risk management processes address None None None None 0% 0% 0% 0% 0%
cybersecurity risks
IDENTIFY

RA Risk Assessments Risk Assessment Strategic Security - Risk Assessments 3, 20 0 0 0 0 0 AR 0.0%

ID.RA-1: Asset vulnerabilities are identified and documented 3 None None None None 0% 0% 0% 0% 0%

ID.RA-2: Cyber Threat inteligence is received from information sharing 3 None None None None 0% 0% 0% 0% 0%
forums and sources

ID.RA-3: Threats, both internal and external, are identified and 3, 20 None None None None 0% 0% 0% 0% 0%
documented

ID.RA-4: Potential business impacts and likelihoods are identified None None None None 0% 0% 0% 0% 0%

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to None None None None 0% 0% 0% 0% 0%
determine risk

ID.RA-6: Risk responses are identified and prioritized None None None None 0% 0% 0% 0% 0%

RM Risk Management Risk Management Strategic Security - Risk Management 0 0 0 0 0 AR 0.0%

ID.RM-1: Risk management processes are established, managed, and None None None None 0% 0% 0% 0% 0%
agreed to by organizational stakeholders

ID.RM-2: Organizational risk tolerance is determined and clearly None None None None 0% 0% 0% 0% 0%
expressed

ID.RM-3: The organization’s determination of risk tolerance is informed None None None None 0% 0% 0% 0% 0%
by its role in critical infrastructure and sector specific risk analysis

SC Supply Chain Risk Supply Chain Ris k Strategic Security - Supply Chain Risk Management 0 0 0 0 0 AR 0.0%
Ma nagement Management
ID.SC-1: Cyber supply chain risk
management processes are identified,
established, assessed, managed, and agreed None None None None 0% 0% 0% 0% 0%
to by organizational stakeholders

ID.SC-2: Suppliers and third party

partners of information systems,
components, and services are identified, None None None None 0% 0% 0% 0% 0%
prioritized, and assessed using a cyber
supply chain risk assessment process

ID.SC-3: Contracts with suppliers and

third-party partners are used to implement
appropriate measures designed to meet the
objectives of an organization’s None None None None 0% 0% 0% 0% 0%
cybersecurity program and Cyber Supply
Chain Risk Management Plan.

ID.SC-4: Suppliers and third-party

partners are routinely assessed using
audits, test results, or other forms of None None None None 0% 0% 0% 0% 0%
evaluations to confirm they are meeting
their contractual obligations.

ID.SC-5: Response and recovery planning

and testing are conducted with suppliers None None None None 0% 0% 0% 0% 0%
and third-party providers

Identity M anagement and 4, 11 -14 ,

AC Access Control Operational Security - Access Control 16 , 18 0 0 0 0 0 AC, IA 0.0%

PR.AC-1: Identities and credentials are issued, managed , verified,

revoked, and audited for authorized devices, users 18 None None None None 0% 0% 0% 0% 0%
and processes

PR.AC-2: Physical access to assets is managed and protected None None None None 0% 0% 0% 0% 0%

PR.AC-3: Remote access is managed 12 None None None None 0% 0% 0% 0% 0%

PR.AC-4: Access permissions and authorizations are managed,

incorporating the principles of least privilege and separation of duties 4, 14, 16, 18 None None None None 0% 0% 0% 0% 0%

PR.AC-5: Network integrity is protected (e.g. network segregation, 11, 12, 13,
network segmentation) 14 None None None None 0% 0% 0% 0% 0%

PR.AC-6: Identities are proofed and bound to credentials and asserted in

interactions None None None None 0% 0% 0% 0% 0%

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-
factor, multi-factor) commensurate with the risk
of the transaction (e.g., individuals’ security and privacy risks and other None None None None 0% 0% 0% 0% 0%
organizational risks)

AT Awareness Awareness and Training Strategic Security - Awareness and Training 4, 17 0 0 0 0 0 AT, PS 0.0%

PR.AT-1: All users are informed and trained 17 None None None None 0% 0% 0% 0% 0%

PR.AT-2: Privileged users understand their roles and responsibilities 4, 17 None None None None 0% 0% 0% 0% 0%

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners)

understand their roles and responsibilities 17 None None None None 0% 0% 0% 0% 0%

PR.AT-4: Senior executives understand their roles and responsibilities 17 None None None None 0% 0% 0% 0% 0%

PR.AT-5: Physical and CyberSecurity personnel understand their roles

and responsibilities 17 None None None None 0% 0% 0% 0% 0%

1, 2 , 13,
DS Data Security Operational Security - Encryption and Data Integrity 0 0 0 0 0 CA 0.0%
14

PR.DS-1: Data-at-rest is protected 14 None None None None 0% 0% 0% 0% 0%

PR.DS-2: Data-in-transit is protected 13, 14 None None None None 0% 0% 0% 0% 0%

PR.DS-3: Assets are formally managed throughout removal, transfers, 1 None None None None 0% 0% 0% 0% 0%
and disposition

PR.DS-4: Adequate capacity to ensure availability is maintained None None None None 0% 0% 0% 0% 0%

PR.DS-5: Protections against data leaks are implemented 13 None None None None 0% 0% 0% 0% 0%

PR.DS-6: Integrity checking mechanisms are used to verify software, 2 None None None None 0% 0% 0% 0% 0%
firmware, and information integrity

PR.DS-7: The development and testing environment(s) are separate None None None None 0% 0% 0% 0% 0%
from the production environment
PROTECT

PR.DS-8: Integrity checking mechanisms are used to verify hardware None None None None 0% 0% 0% 0% 0%
integrity

Information Protection 5 , 3, 7, MP , PE,

IP Operational Security - Processes and Procedures 0 0 0 0 0 0.0%
Proce sses and P rocedures 11 , 19 SA, SC

PR.IP-1: A baseline configuration of information technology/industrial

control systems is created and maintained incorporating security 5, 7, 11 None None None None 0% 0% 0% 0% 0%
principles (e.g. concept of least functionality)

PR.IP-2: A System Development Life Cycle to manage systems is None None None None 0% 0% 0% 0% 0%
implemented

PR.IP-3: Configuration change control processes are in place None None None None 0% 0% 0% 0% 0%

PR.IP-4: Backups of information are conducted, maintained, and tested None None None None 0% 0% 0% 0% 0%

PR.IP-5: Policy and regulations regarding the physical operating None None None None 0% 0% 0% 0% 0%
environment for organizational assets are met

PR.IP-6: Data is destroyed according to policy None None None None 0% 0% 0% 0% 0%

PR.IP-7: Protection processes are improved None None None None 0% 0% 0% 0% 0%

PR.IP-8: Effectiveness of protection technologies is shared None None None None 0% 0% 0% 0% 0%

PR.IP-9: Response plans (Incident Response and Business Continuity)

and recovery plans (Incident Recovery and Disaster Recovery) are in None None None None 0% 0% 0% 0% 0%
place and managed

PR.IP-10: Response and recovery plans are tested 19 None None None None 0% 0% 0% 0% 0%

PR.IP-11: Cybersecurity is included in human resources practices (e.g., None None None None 0% 0% 0% 0% 0%
deprovisioning, personnel screening)

PR.IP-12: A vulnerability management plan is developed and 3 None None None None 0% 0% 0% 0% 0%
implemented

MA Maintenance Operational Security - Asset Maintenance 4, 12 0 0 0 0 0 MA 0.0%

PR.MA-1: Maintenance and repair of organizational assets are performed None None None None 0% 0% 0% 0% 0%
and logged, with approved and controlled tools

PR.MA-2: Remote maintenance of organizational assets is approved, 4, 12 None None None None 0% 0% 0% 0% 0%
logged, and performed in a manner that prevents unauthorized access

4 , 6, 8,
PT Protective Technology Operational Security - Protect Assets 11 , 13, 0 0 0 0 0 CM 0.0%
14 , 18

PR.PT-1: Audit/log records are determined, documented, implemented, 6 None None None None 0% 0% 0% 0% 0%
and reviewed in accordance with policy

PR.PT-2: Removable media is protected and its use restricted according 8, 13, 14 None None None None 0% 0% 0% 0% 0%
to policy

PR.PT-3: The principle of least functionality is incorporated by 4, 14, 18 None None None None 0% 0% 0% 0% 0%
configuring systems to provide only essential capabilities

PR.PT-4: Communications and control networks are protected 11 None None None None 0% 0% 0% 0% 0%

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are

implemented to achieve resilience requirements in normal and adverse 11 None None None None 0% 0% 0% 0% 0%
situations

AE Anomalies and Events Operational Security - Monitor, Analyze and Detect Events 6, 12, 19 0 0 0 0 0 SI 0.0%

DE.AE-1: A baseline of network operations and expected data flows for 12 None None None None 0% 0% 0% 0% 0%
users and systems is established and managed

DE.AE-2: Detected events are analyzed to understand attack targets and 19 None None None None 0% 0% 0% 0% 0%
methods

DE.AE-3: Event data are collected and correlated from multiple sources 6 None None None None 0% 0% 0% 0% 0%
and sensors

DE.AE-4: Impact of events is determined 19 None None None None 0% 0% 0% 0% 0%

DE.AE-5: Incident alert thresholds are established 19 None None None None 0% 0% 0% 0% 0%

Security Continuous
CM M onitoring Operational Security - Security Continuous Monitoring 5, 8, 19 0 0 0 0 0 0.0%

DE.CM-1: The network is monitored to detect potential cybersecurity 19 None None None None 0% 0% 0% 0% 0%
events

DE.CM-2: The physical environment is monitored to detect potential 19 None None None None 0% 0% 0% 0% 0%
cybersecurity events

DE.CM-3: Personnel activity is monitored to detect potential 19 None None None None 0% 0% 0% 0% 0%
cybersecurity events
DETECT

DE.CM-4: Malicious code is detected 8, 19 None None None None 0% 0% 0% 0% 0%

DE.CM-5: Unauthorized mobile code is detected 8, 19 None None None None 0% 0% 0% 0% 0%

DE.CM-6: External service provider activity is monitored to detect 19 None None None None 0% 0% 0% 0% 0%
potential cybersecurity events

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, 19 None None None None 0% 0% 0% 0% 0%
and software is performed

DE.CM-8: Vulnerability scans are performed 3 None None None None 0% 0% 0% 0% 0%

DP Detection Processes Operational Security - Detection Processes 6 0 0 0 0 0 0.0%

DE.DP-1: Roles and responsibilities for detection are well defined to 6 None None None None 0% 0% 0% 0% 0%
ensure accountability

DE.DP-2: Detection activities comply with all applicable requirements 6 None None None None 0% 0% 0% 0% 0%

DE.DP-3: Detection processes are tested 6 None None None None 0% 0% 0% 0% 0%

DE.DP-4: Event detection information is communicated 6 None None None None 0% 0% 0% 0% 0%

DE.DP-5: Detection processes are continuously improved 6 None None None None 0% 0% 0% 0% 0%

RP Response Planning Operational Security - Response Planning 19 0 0 0 0 0 0.0%

RS.RP-1: Response plan is executed during or after an incident 19 None None None None 0% 0% 0% 0% 0%

CO Communications Operational Security - Communications 19 0 0 0 0 0 0.0%

RS.CO-1: Personnel know their roles and order of operations when a 19 None None None None 0% 0% 0% 0% 0%
response is needed

RS.CO-2: Incidents are reported consistent with established criteria 19 None None None None 0% 0% 0% 0% 0%

RS.CO-3: Information is shared consistent with response plans 19 None None None None 0% 0% 0% 0% 0%

RS.CO-4: Coordination with stakeholders occurs consistent with 19 None None None None 0% 0% 0% 0% 0%
response plans

RS.CO-5: Voluntary information sharing occurs with external 19 None None None None 0% 0% 0% 0% 0%
stakeholders to achieve broader cybersecurity situational awareness

AN Analysis Operational Security - Analysis 19 0 0 0 0 0 0.0%

RS.AN-1: Notifications from detection systems are investigated  19 None None None None 0% 0% 0% 0% 0%
RESPOND

RS.AN-2: The impact of the incident is understood 19 None None None None 0% 0% 0% 0% 0%

RS.AN-3: Forensics are performed 19 None None None None 0% 0% 0% 0% 0%

RS.AN-4: Incidents are categorized consistent with response plans 19 None None None None 0% 0% 0% 0% 0%

RS.AN-5: Processes are established to receive, analyze and respond to

vulnerabilities disclosed to the organization from internal and external 19 None None None None 0% 0% 0% 0% 0%
sources (e.g. internal testing, security bulletins, or security researchers)
RESPOND
MI Mitigation Operational Security - Mitigation 3, 19 0 0 0 0 0 IR 0.0%

RS.MI-1: Incidents are contained 19 None None None None 0% 0% 0% 0% 0%

RS.MI-2: Incidents are mitigated 19 None None None None 0% 0% 0% 0% 0%

RS.MI-3: Newly identified vulnerabilities are mitigated or documented 3 None None None None 0% 0% 0% 0% 0%
as accepted risks

IM-D Improvements Operational Security - Improvements 19 0 0 0 0 0 0.0%

RS.IM-1: Response plans incorporate lessons learned 19 None None None None 0% 0% 0% 0% 0%

RS.IM-2: Response strategies are updated 19 None None None None 0% 0% 0% 0% 0%

RP Recovery Planning Operational Security - Recovery Planning 19 0 0 0 0 0 CP 0.0%

RC.RP-1: Recovery plan is executed during or after a cybersecurity 19 None None None None 0% 0% 0% 0% 0%
incident

IM-R Improvements Operational Security - Improvements 19 0 0 0 0 0 0.0%

RECOVER

RC.IM-1: Recovery plans incorporate lessons learned 19 None None None None 0% 0% 0% 0% 0%

RC.IM-2: Recovery strategies are updated 19 None None None None 0% 0% 0% 0% 0%

CO Communications Operational Security - Communications 19 0 0 0 0 0 0.0%

RC.CO-1: Public relations are managed 19 None None None None 0% 0% 0% 0% 0%

RC.CO-2: Reputation is repaired after an incident 19 None None None None 0% 0% 0% 0% 0%

RC.CO-3: Recovery activities are communicated to internal and external 19 None None None None 0% 0% 0% 0% 0%
stakeholders as well as executive and management teams

Rev. 11.0 Proposed Funded Current State Progress Areas

2/6/2017 Unfunded Future State Challenge Areas
 Process Value Policy Level Value

None 0% None 0%

Inconsistent 10% Informal 5%

Repeatable 20% Defined 10%

Standardized 30% Audited 15%

Measured 40% Embedded 20%

Optimized 50%
Documentation Level Value Automation Level Value

None 0% None 0%

Informal 5% Partial 5%

Formal 10% Full 10%

Metrics and Reporting 15% Unavailable 10%

Improvement Process 20%

 Likelihood

Adversary is almost certain to initiate attack.

9-10 Very High Accident or error is almost certain; occurs more than 100
times a year.
Almost certain to have adverse impacts.

Adversary is highly likely to initiate attack.

Accident or error is highly likely; occurs between 10-100 times
7-8 High
a year.
Highly likely to have adverse impacts.

Adversary is somewhat likely to initiate attack.

Accident or error is somewhat likely to occur; between 1-10
4-6 Moderate
times a year.
Somewhat likely to have adverse impacts.

Adversary is unlikely to initiate attack.

Accident or error is unlikely to occur; less than once a year,
2-3 Low
but more than once every 10.
Unlikely to have adverse impacts.

Adversary is highly unlikely to initiate attack.

Accident or error is highly unlikely to occur; less than once
0-1 Very Low
every 10 years.
Highly unlikely to have adverse impacts.

Priority

Critical control or foundational to a critical control; lack of this

9-10 Very High control would have multiple severe or catastrophic adverse
effects on the organization

Very important or foundational to a very important control;

7-8 High lack of this control would have severe or catastrophic adverse
effects on the organization

Control is important or foundational to an important control;

4-6 Moderate lack of this control would have serious adverse effects on the
organization

Control is of low importance or foundational to a low

2-3 Low importance control; lack of this control would have limited
adverse effects on the organization

Control is not a priority nor a foundational control; lack of this

0-1 Very Low control would have neglible adverse effects on the
organization
 Impact

Multiple severe or catastrophic adverse effects on the

organization.

Severe or catastrophic adverse effects on the organization.

Serious adverse effects on the organization.

Limited adverse effects on the organization.

Negligible adverse effects on the organization.

 Risk Level

Event could be expected to have multiple severe or

catastrophic adverse effects.

Event could be expected to have a severe or catastrophic

adverse effect.

Event could be expected to have a serious adverse effect.

Event could be expected to have a limited adverse effect.

Event could be expected to have a negligble adverse effect.