
NIST Cybersecurity Framework (CSF) 2.0 Reference Tool

Title: The NIST Cybersecurity Framework (CSF) 2.0
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user-generated version of the Core.
Change Log: Final
The NIST Cybersecurity Framework 2.0: www.nist.gov/cyberframework

Function / Category / Subcategory (each level is indented one step under the one above)


GOVERN (GV): The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

  Organizational Context (GV.OC): The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood

    GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
    GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
CSF 2.0 Page 2 of 91


    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
    GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated

  Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions

    GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
    GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
    GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
    GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions

  Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated

    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
    GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
    GV.RR-04: Cybersecurity is included in human resources practices

  Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced

    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

  Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy

    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

  Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
IDENTIFY (ID): The organization's current cybersecurity risks are understood

  Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy

    ID.AM-01: Inventories of hardware managed by the organization are maintained
    ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
    ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained
    ID.AM-04: Inventories of services provided by suppliers are maintained
    ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
    ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
    ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles

  Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization

    ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
    ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-03: Internal and external threats to the organization are identified and recorded
    ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
    ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
    ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established
    ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
    ID.RA-10: Critical suppliers are assessed prior to acquisition

  Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions

    ID.IM-01: Improvements are identified from evaluations
    ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
    ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
    ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
PROTECT (PR): Safeguards to manage the organization's cybersecurity risks are used

  Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access

    PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
    PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
    PR.AA-03: Users, services, and hardware are authenticated
    PR.AA-04: Identity assertions are protected, conveyed, and verified
    PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
    PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk

  Awareness and Training (PR.AT): The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks

    PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
    PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind

  Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information

    PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
    PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
    PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
    PR.DS-11: Backups of data are created, protected, maintained, and tested

  Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability

    PR.PS-01: Configuration management practices are established and applied
    PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
    PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
    PR.PS-04: Log records are generated and made available for continuous monitoring
    PR.PS-05: Installation and execution of unauthorized software are prevented
    PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

  Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

    PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
    PR.IR-02: The organization's technology assets are protected from environmental threats
    PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
    PR.IR-04: Adequate resource capacity to ensure availability is maintained
DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed

  Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

    DE.CM-01: Networks and network services are monitored to find potentially adverse events
    DE.CM-02: The physical environment is monitored to find potentially adverse events
    DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
    DE.CM-06: External service provider activities and services are monitored to find potentially adverse events
    DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

  Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

    DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
    DE.AE-03: Information is correlated from multiple sources
    DE.AE-04: The estimated impact and scope of adverse events are understood
    DE.AE-06: Information on adverse events is provided to authorized staff and tools
    DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis
    DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
RESPOND (RS): Actions regarding a detected cybersecurity incident are taken

  Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed

    RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared
    RS.MA-02: Incident reports are triaged and validated
    RS.MA-03: Incidents are categorized and prioritized
    RS.MA-04: Incidents are escalated or elevated as needed
    RS.MA-05: The criteria for initiating incident recovery are applied

  Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities

    RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
    RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
    RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
    RS.AN-08: An incident's magnitude is estimated and validated

  Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

    RS.CO-02: Internal and external stakeholders are notified of incidents
    RS.CO-03: Information is shared with designated internal and external stakeholders

  Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects

    RS.MI-01: Incidents are contained
    RS.MI-02: Incidents are eradicated
RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored

  Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents

    RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
    RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
    RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
    RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
    RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
    RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed

  Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties

    RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
    RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging


Implementation Examples and Informative References

Each row below is keyed by the CSF 2.0 identifier (Function, Category, or Subcategory) it belongs to. "Tags" gives the risk scope the Reference Tool assigns to the subcategory (1st Party Risk, 3rd Party Risk), "Ex1", "Ex2", ... are the implementation examples, and "Informative References" lists the mapped controls in the order exported.

GV
  Informative References: CRI Profile v2.0: GV; SP 800-221A: GV.PO; CSF v1.1: ID.GV

GV.OC
  Informative References: CRI Profile v2.0: GV.OC; SP 800-221A: GV.CT; SP 800-221A: GV.CT-5; CSF v1.1: ID.BE

GV.OC-01
  Tags: 1st Party Risk
  Ex1: Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission
  Informative References: CRI Profile v2.0: GV.OC-01; CRI Profile v2.0: GV.OC-01.01; SP 800-221A: GV.CT-5; SP 800-221A: GV.CT-3; CSF v1.1: ID.BE-2; CSF v1.1: ID.BE-3

GV.OC-02
  Tags: 1st Party Risk; 3rd Party Risk
  Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
  Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)
  Informative References: SP 800-218: PO.2.1; CRI Profile v2.0: GV.OC-02; CRI Profile v2.0: GV.OC-02.01; CRI Profile v2.0: GV.OC-02.02; CRI Profile v2.0: GV.OC-02.03; SP 800-221A: GV.OV-2; SP 800-221A: GV.CT-2; SP 800-221A: GV.CT-3; CSF v1.1: ID.SC-2; CSF v1.1: ID.GV-2
GV.OC-03
  Tags: 1st Party Risk; 3rd Party Risk
  Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
  Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
  Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements
  Informative References: SP 800-218: PO.1.1; SP 800-218: PO.1.2; CRI Profile v2.0: GV.OC-03; CRI Profile v2.0: GV.OC-03.01; CRI Profile v2.0: GV.OC-03.02; CSF v1.1: ID.GV-3

GV.OC-04
  Tags: 1st Party Risk; 3rd Party Risk
  Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
  Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
  Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)
  Informative References: CRI Profile v2.0: GV.OC-04; CRI Profile v2.0: GV.OC-04.01; CRI Profile v2.0: GV.OC-04.02; CRI Profile v2.0: GV.OC-04.03; CRI Profile v2.0: GV.OC-04.04; SP 800-221A: MA.RI-1; CSF v1.1: ID.BE-4; CSF v1.1: ID.BE-5
GV.OC-05
  Tags: 3rd Party Risk
  Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
  Ex2: Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel
  Informative References: CRI Profile v2.0: GV.OC-05; CRI Profile v2.0: GV.OC-05.01; CRI Profile v2.0: GV.OC-05.02; CRI Profile v2.0: GV.OC-05.03; CRI Profile v2.0: GV.OC-05.04; SP 800-221A: GV.CT-5; SP 800-221A: MA.RI-1; CSF v1.1: ID.BE-1; CSF v1.1: ID.BE-4

GV.RM
  Informative References: CRI Profile v2.0: GV.RM; SP 800-221A: GV.BE-3; CSF v1.1: ID.RM

GV.RM-01
  Tags: 1st Party Risk
  Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
  Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
  Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance
  Informative References: CRI Profile v2.0: GV.RM-01; CRI Profile v2.0: GV.RM-01.01; CRI Profile v2.0: GV.RM-01.02; CRI Profile v2.0: GV.RM-01.03; CRI Profile v2.0: GV.RM-01.04; CRI Profile v2.0: GV.RM-01.05; SP 800-221A: GV.RR-2; CSF v1.1: ID.RM-1

GV.RM-02
  Tags: 1st Party Risk; 3rd Party Risk
  Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
  Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
  Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk
  Informative References: CRI Profile v2.0: GV.RM-02; CRI Profile v2.0: GV.RM-02.01; CRI Profile v2.0: GV.RM-02.02; CRI Profile v2.0: GV.RM-02.03; SP 800-221A: GV.BE-1; SP 800-221A: GV.BE-3; CSF v1.1: ID.RM-2; CSF v1.1: ID.RM-3
GV.RM-03
  Tags: 1st Party Risk
  Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
  Ex2: Include cybersecurity risk managers in enterprise risk management planning
  Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management
  Informative References: CRI Profile v2.0: GV.RM-03; CRI Profile v2.0: GV.RM-03.01; CRI Profile v2.0: GV.RM-03.02; CRI Profile v2.0: GV.RM-03.03; CRI Profile v2.0: GV.RM-03.04; SP 800-221A: GV.PO-2; SP 800-221A: GV.PO-3; CSF v1.1: ID.GV-4

GV.RM-04
  Tags: 1st Party Risk
  Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
  Ex2: Determine whether to purchase cybersecurity insurance
  Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)
  Informative References: CRI Profile v2.0: GV.RM-04; CRI Profile v2.0: GV.RM-04.01; SP 800-221A: GV.BE-1; CSF v1.1: ID.RM-2

GV.RM-05
  Tags: 1st Party Risk; 3rd Party Risk
  Ex1: Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals
  Ex2: Identify how all departments across the organization - such as management, operations, internal auditors, legal, acquisition, physical security, and HR - will communicate with each other about cybersecurity risks
  Informative References: CRI Profile v2.0: GV.RM-05; CRI Profile v2.0: GV.RM-05.01; CRI Profile v2.0: GV.RM-05.02; SP 800-221A: GV.PO-1; CSF v1.1: ID.SC-1
GV.RM-06
  Tags: 1st Party Risk
  Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
  Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
  Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
  Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks
  Informative References: CRI Profile v2.0: GV.RM-06; CRI Profile v2.0: GV.RM-06.01; SP 800-221A: GV.RR-2; CSF v1.1: ID.RM-1

GV.RM-07
  Tags: 1st Party Risk
  Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
  Ex2: Identify stretch goals and document them
  Ex3: Calculate, document, and prioritize positive risks alongside negative risks
  Informative References: CRI Profile v2.0: GV.RM-07; CRI Profile v2.0: GV.RM-07.01
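The GV.RM-06 examples ask for an exposure formula, a register template, a prioritization criterion and one fixed category list, while GV.RM-02 asks for measurable tolerance statements and GV.RM-03 for escalation criteria. The block below is an added illustration of how those outcomes fit together in a single artifact; it is not part of the CSF 2.0 Core or of the Reference Tool export, and NIST prescribes none of its specifics. The exposure formula (annualized exposure = single-loss expectancy x annual rate of occurrence), the category list, the threshold values, every class and function name, and the three sample risks are assumptions made for this example.

```python
"""Illustrative risk register for GV.RM-02, GV.RM-03 and GV.RM-06 (added example).

Nothing here is prescribed by the CSF 2.0 Core: the exposure formula, the
category list, the tolerance thresholds and the sample risks are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class RiskCategory(Enum):
    """GV.RM-06 Ex4: one consistent category list so risks can be aggregated
    and compared. The members mirror the enterprise risk types listed in
    GV.RM-03 Ex1 (an assumption; substitute the organization's own taxonomy)."""
    COMPLIANCE = "compliance"
    FINANCIAL = "financial"
    OPERATIONAL = "operational"
    REGULATORY = "regulatory"
    REPUTATIONAL = "reputational"
    SAFETY = "safety"


@dataclass
class Risk:
    """GV.RM-06 Ex2: the fields one register row documents (description,
    exposure inputs, treatment, ownership) plus the 3rd-party tag the export uses."""
    risk_id: str
    description: str
    category: RiskCategory
    owner: str
    single_loss_expectancy: float     # expected loss per occurrence (assumed currency units)
    annual_rate_of_occurrence: float  # expected occurrences per year; the "probability" input
    treatment: str = "untreated"
    third_party: bool = False

    def exposure(self) -> float:
        """GV.RM-06 Ex1: the exposure formula. Annualized loss expectancy
        (SLE * ARO) is an assumed choice, not one the CSF specifies."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class RiskTolerance:
    """GV.RM-02 Ex2: appetite translated into measurable tolerance statements.
    Both thresholds are annualized exposure values (assumed)."""
    max_exposure_per_risk: float  # above this the risk must be treated, not accepted
    escalate_above: float         # GV.RM-03 Ex3: above this it goes to enterprise risk management


class RiskRegister:
    """Standardized method (GV.RM-06): every risk is scored the same way and
    ranked by the same criterion (highest exposure first)."""

    def __init__(self, tolerance: RiskTolerance) -> None:
        self.tolerance = tolerance
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        # Reject bad input early so a typo never becomes a silently wrong score.
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        if risk.single_loss_expectancy < 0 or risk.annual_rate_of_occurrence < 0:
            raise ValueError(f"negative exposure input for {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def prioritized(self) -> list[Risk]:
        """GV.RM-06 Ex3: prioritization criterion = exposure, descending;
        ties broken by id so the ordering is deterministic."""
        return sorted(self._risks.values(), key=lambda r: (-r.exposure(), r.risk_id))

    def over_tolerance(self) -> list[str]:
        """Ids of risks whose exposure exceeds the per-risk tolerance."""
        return [r.risk_id for r in self.prioritized()
                if r.exposure() > self.tolerance.max_exposure_per_risk]

    def escalations(self) -> list[str]:
        """GV.RM-03 Ex3: ids that meet the escalation criterion."""
        return [r.risk_id for r in self.prioritized()
                if r.exposure() > self.tolerance.escalate_above]

    def exposure_by_category(self) -> dict[RiskCategory, float]:
        """GV.RM-06 Ex4: aggregate exposure per category so cybersecurity risk
        can be compared with other enterprise risks (GV.RM-03 Ex1)."""
        totals: dict[RiskCategory, float] = {}
        for r in self._risks.values():
            totals[r.category] = totals.get(r.category, 0.0) + r.exposure()
        return totals

    def third_party_risk_ids(self) -> list[str]:
        """GV.RM-05: supplier and other third-party risks, reported on their own line."""
        return [r.risk_id for r in self.prioritized() if r.third_party]


def build_sample_register() -> RiskRegister:
    """Constructed sample data for this example; not taken from the page."""
    register = RiskRegister(RiskTolerance(max_exposure_per_risk=100_000, escalate_above=250_000))
    register.add(Risk("R-001", "Ransomware encrypts the primary file servers",
                      RiskCategory.OPERATIONAL, "Head of IT Operations",
                      single_loss_expectancy=2_000_000, annual_rate_of_occurrence=0.2,
                      treatment="offline backups, EDR"))                            # exposure 400,000
    register.add(Risk("R-002", "Cloud hosting provider outage exceeds the RTO",
                      RiskCategory.OPERATIONAL, "Platform Lead",
                      single_loss_expectancy=50_000, annual_rate_of_occurrence=1.5,
                      third_party=True))                                             # exposure 75,000
    register.add(Risk("R-003", "Breach notification deadline missed",
                      RiskCategory.REGULATORY, "Privacy Officer",
                      single_loss_expectancy=300_000, annual_rate_of_occurrence=0.5))  # exposure 150,000
    return register


if __name__ == "__main__":
    reg = build_sample_register()
    for risk in reg.prioritized():
        print(f"{risk.risk_id} {risk.category.value:12} {risk.exposure():>12,.0f} {risk.owner}")
    print("over tolerance:", reg.over_tolerance())
    print("escalate to ERM:", reg.escalations())
```

The point of keeping the formula, the category list and the thresholds in one place is that the register then produces the same ranking for every owner who fills it in, which is what "standardized" in GV.RM-06 is asking for; the tolerance values are the only knobs leadership needs to agree on under GV.RM-02.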

GV.RR
  Informative References: SP 800-218: PO.2.1; CRI Profile v2.0: GV.RR; SP 800-221A: GV.OV-2; CSF v1.1: ID.GV-2
GV.RR-01
  Tags: 1st Party Risk
  Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy
  Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
  Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
  Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk
  Informative References: SP 800-218: PO.2.3; CIS Controls v8.0: 14.1; CRI Profile v2.0: GV.RR-01; CRI Profile v2.0: GV.RR-01.01; CRI Profile v2.0: GV.RR-01.02; CRI Profile v2.0: GV.RR-01.03; CRI Profile v2.0: GV.RR-01.04; CRI Profile v2.0: GV.RR-01.05

GV.RR-02
  Tags: 1st Party Risk
  Ex1: Document risk management roles and responsibilities in policy
  Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
  Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
  Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
  Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions
  Informative References: SP 800-218: PO.2.1; CIS Controls v8.0: 14.9; CRI Profile v2.0: GV.RR-02; CRI Profile v2.0: GV.RR-02.01; CRI Profile v2.0: GV.RR-02.02; CRI Profile v2.0: GV.RR-02.03; CRI Profile v2.0: GV.RR-02.04; CRI Profile v2.0: GV.RR-02.05; CRI Profile v2.0: GV.RR-02.06; CRI Profile v2.0: GV.RR-02.07; SP 800-221A: GV.RR-1; SP 800-221A: GV.RR-2; SP 800-221A: GV.OV-2; CSF v1.1: ID.AM-6; CSF v1.1: ID.GV-2; CSF v1.1: DE.DP-1
GV.RR-03
  Tags: 1st Party Risk; 3rd Party Risk
  Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
  Ex2: Identify resource allocation and investment in line with risk tolerance and response
  Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy
  Informative References: CRI Profile v2.0: GV.RR-03; CRI Profile v2.0: GV.RR-03.01; CRI Profile v2.0: GV.RR-03.02; CRI Profile v2.0: GV.RR-03.03; SP 800-221A: GV.RR-2; CSF v1.1: ID.RM-1

GV.RR-04
  Tags: 1st Party Risk
  Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
  Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
  Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
  Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles
  Informative References: CIS Controls v8.0: 6.1; CIS Controls v8.0: 6.2; CRI Profile v2.0: GV.RR-04; CRI Profile v2.0: GV.RR-04.01; CRI Profile v2.0: GV.RR-04.02; CRI Profile v2.0: GV.RR-04.03; CSF v1.1: PR.IP-11

GV.PO
  Informative References: CRI Profile v2.0: GV.PO; SP 800-221A: GV.PO-1; CSF v1.1: ID.GV-1
1st: 1st Party Risk CRI Profile v2.0: GV.PO-01
Ex1: Create, disseminate, and maintain an CRI Profile v2.0: GV.PO-01.01
understandable, usable risk management CRI Profile v2.0: GV.PO-01.02
policy with statements of management CRI Profile v2.0: GV.PO-01.03
intent, expectations, and direction CRI Profile v2.0: GV.PO-01.04
Ex2: Periodically review policy and CRI Profile v2.0: GV.PO-01.05
supporting processes and procedures to CRI Profile v2.0: GV.PO-01.06
ensure that they align with risk CRI Profile v2.0: GV.PO-01.07
management strategy objectives and CRI Profile v2.0: GV.PO-01.08
priorities, as well as the high-level direction SP 800-221A: GV.PO-1
of the cybersecurity policy CSF v1.1: ID.GV-1
Ex3: Require approval from senior
management on policy
Ex4: Communicate cybersecurity risk
management policy and supporting
processes and procedures across the
organization
Ex5: Require personnel to acknowledge
receipt of policy when first hired, annually,
and whenever policy is updated
1st: 1st Party Risk
Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
Ex2: Provide a timeline for reviewing changes to the organization's risk environment (e.g., changes in risk or in the organization's mission objectives), and communicate recommended policy updates
Ex3: Update policy to reflect changes in legal and regulatory requirements
Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)
Informative References:
CRI Profile v2.0: GV.PO-02
CRI Profile v2.0: GV.PO-02.01
SP 800-221A: GV.PO-1
CSF v1.1: ID.GV-1

CRI Profile v2.0: GV.OV

1st: 1st Party Risk
Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives
Ex2: Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted
Informative References:
CRI Profile v2.0: GV.OV-01
CRI Profile v2.0: GV.OV-01.01
CRI Profile v2.0: GV.OV-01.02
CRI Profile v2.0: GV.OV-01.03
SP 800-221A: GV.AD-3

1st: 1st Party Risk
Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements
Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary
Ex3: Review strategy in light of cybersecurity incidents
Informative References:
CRI Profile v2.0: GV.OV-02
CRI Profile v2.0: GV.OV-02.01
CRI Profile v2.0: GV.OV-02.02
SP 800-221A: GV.AD-2
SP 800-221A: GV.AD-3
SP 800-221A: MA.RM-8

1st: 1st Party Risk
Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives
Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership
Informative References:
CRI Profile v2.0: GV.OV-03
CRI Profile v2.0: GV.OV-03.01
CRI Profile v2.0: GV.OV-03.02
SP 800-221A: GV.OV-2
SP 800-221A: MA.RM-2
CRI Profile v2.0: GV.SC
SP 800-221A: GV.OV-4
CSF v1.1: ID.SC

3rd: 3rd Party Risk
Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering
Informative References:
CIS Controls v8.0: 15.2
CRI Profile v2.0: GV.SC-01
CRI Profile v2.0: GV.SC-01.01
CRI Profile v2.0: GV.SC-01.02
SP 800-221A: GV.PO-1
CSF v1.1: ID.SC-1

3rd: 3rd Party Risk
Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers
Informative References:
SP 800-218: PO.2.1
CIS Controls v8.0: 15.4
CRI Profile v2.0: GV.SC-02
CRI Profile v2.0: GV.SC-02.01
SP 800-221A: GV.RR-1
SP 800-221A: GV.RR-2
CSF v1.1: ID.AM-6

3rd: 3rd Party Risk
Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
Ex3: Integrate cybersecurity supply chain risk management into improvement processes
Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level
Informative References:
SP 800-218: PW.4.1
CRI Profile v2.0: GV.SC-03
CRI Profile v2.0: GV.SC-03.01
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
CSF v1.1: ID.SC-2

3rd: 3rd Party Risk
Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission
Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria
Informative References:
CIS Controls v8.0: 15.1
CIS Controls v8.0: 15.3
CRI Profile v2.0: GV.SC-04
CRI Profile v2.0: GV.SC-04.01
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
CSF v1.1: ID.SC-2

3rd: 3rd Party Risk
Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
Ex8: Contractually require suppliers to vet their employees and guard against insider threats
Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
Ex10: Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks
Informative References:
SP 800-218: PO.1.3
CIS Controls v8.0: 15.4
CRI Profile v2.0: EX.CN
CRI Profile v2.0: EX.CN-01
CRI Profile v2.0: EX.CN-02
CRI Profile v2.0: EX.CN-01.01
CRI Profile v2.0: EX.CN-01.02
CRI Profile v2.0: EX.CN-01.03
CRI Profile v2.0: EX.CN-02.01
CRI Profile v2.0: EX.CN-02.02
CRI Profile v2.0: EX.CN-02.03
CRI Profile v2.0: EX.CN-02.04
CSF v1.1: ID.SC-3

3rd: 3rd Party Risk
Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use
Informative References:
CIS Controls v8.0: 15.5
CRI Profile v2.0: EX.DD
CRI Profile v2.0: EX.DD-01
CRI Profile v2.0: EX.DD-02
CRI Profile v2.0: EX.DD-01.01
CRI Profile v2.0: EX.DD-01.02
CRI Profile v2.0: EX.DD-01.03
CRI Profile v2.0: EX.DD-02.01
CRI Profile v2.0: EX.DD-02.02
CRI Profile v2.0: EX.DD-02.03
CRI Profile v2.0: EX.DD-02.04
SP 800-221A: GV.PO-1
CSF v1.1: ID.SC-1

3rd: 3rd Party Risk
Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
Ex2: Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity
Informative References:
SP 800-218: PW.4.1
SP 800-218: PW.4.4
CIS Controls v8.0: 15.6
CRI Profile v2.0: EX.MM
CRI Profile v2.0: EX.MM-01
CRI Profile v2.0: EX.MM-02
CRI Profile v2.0: EX.MM-01.01
CRI Profile v2.0: EX.MM-01.02
CRI Profile v2.0: EX.MM-01.03
CRI Profile v2.0: EX.MM-01.04
CRI Profile v2.0: EX.MM-01.05
CRI Profile v2.0: EX.MM-01.06
CRI Profile v2.0: EX.MM-02.01
CRI Profile v2.0: EX.MM-02.02
CRI Profile v2.0: EX.MM-02.03
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-221A: MA.RM-2
SP 800-221A: MA.RM-3
CSF v1.1: ID.SC-2
CSF v1.1: ID.SC-4

3rd: 3rd Party Risk
Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
Ex3: Include critical suppliers in incident response exercises and simulations
Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
Ex5: Conduct collaborative lessons learned sessions with critical suppliers
Informative References:
CIS Controls v8.0: 15.4
CRI Profile v2.0: GV.SC-08
CRI Profile v2.0: GV.SC-08.01
SP 800-221A: GV.CT-3
CSF v1.1: ID.SC-5

3rd: 3rd Party Risk
Ex1: Policies and procedures require provenance records for all acquired technology products and services
Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes
Informative References:
CIS Controls v8.0: 15.6
CRI Profile v2.0: GV.SC-09
CRI Profile v2.0: GV.SC-09.01
SP 800-221A: GV.PO-1
CSF v1.1: ID.SC-1

3rd: 3rd Party Risk
Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
Ex4: Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner
Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
Ex6: Mitigate risks to data and systems created by supplier termination
Ex7: Manage data leakage risks associated with supplier termination
Informative References:
CIS Controls v8.0: 15.7
CRI Profile v2.0: EX.TR
CRI Profile v2.0: EX.TR-01
CRI Profile v2.0: EX.TR-02
CRI Profile v2.0: EX.TR-01.01
CRI Profile v2.0: EX.TR-01.02
CRI Profile v2.0: EX.TR-01.03
CRI Profile v2.0: EX.TR-02.01
SP 800-221A: GV.PO-1
CSF v1.1: ID.SC-1

CRI Profile v2.0: ID
CSF v1.1: ID

CRI Profile v2.0: ID.AM
SP 800-221A: MA.RI-1
CSF v1.1: ID.AM

1st: 1st Party Risk
Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
Ex2: Constantly monitor networks to detect new hardware and automatically update inventories
Informative References:
CIS Controls v8.0: 1.1
CRI Profile v2.0: ID.AM-01
CRI Profile v2.0: ID.AM-01.01
SP 800-221A: MA.RI-1
CSF v1.1: ID.AM-1

1st: 1st Party Risk
Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
Ex3: Maintain an inventory of the organization's systems
Informative References:
CIS Controls v8.0: 2.1
CRI Profile v2.0: ID.AM-02
CRI Profile v2.0: ID.AM-02.01
SP 800-221A: MA.RI-1
CSF v1.1: ID.AM-2

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Maintain baselines of communication and data flows within the organization's wired and wireless networks
Ex2: Maintain baselines of communication and data flows between the organization and third parties
Ex3: Maintain baselines of communication and data flows for the organization's infrastructure-as-a-service (IaaS) usage
Ex4: Maintain documentation of expected network ports, protocols, and services that are typically used among authorized systems
Informative References:
CIS Controls v8.0: 3.8
CRI Profile v2.0: ID.AM-03
CRI Profile v2.0: ID.AM-03.01
CSF v1.1: ID.AM-3
CSF v1.1: DE.AE-1

3rd: 3rd Party Risk
Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service
Informative References:
CIS Controls v8.0: 15.1
CRI Profile v2.0: ID.AM-04
CRI Profile v2.0: ID.AM-04.01
CSF v1.1: ID.AM-4

1st: 1st Party Risk
Ex1: Define criteria for prioritizing each class of assets
Ex2: Apply the prioritization criteria to assets
Ex3: Track the asset priorities and update them periodically or when significant changes to the organization occur
Informative References:
CIS Controls v8.0: 3.7
CRI Profile v2.0: ID.AM-05
CRI Profile v2.0: ID.AM-05.01
CRI Profile v2.0: ID.AM-05.02
SP 800-221A: MA.RI-1
CSF v1.1: ID.AM-5

1st: 1st Party Risk
Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
Ex2: Continuously discover and analyze ad hoc data to identify new instances of designated data types
Ex3: Assign data classifications to designated data types through tags or labels
Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types
Informative References:
CIS Controls v8.0: 3.2
CRI Profile v2.0: ID.AM-07
CRI Profile v2.0: ID.AM-07.01
SP 800-221A: MA.RI-1

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life cycles
Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production
Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage
Informative References:
SP 800-218: PW.4.1
SP 800-218: PW.4.4
CIS Controls v8.0: 1.1
CIS Controls v8.0: 3.5
CRI Profile v2.0: ID.AM-08
CRI Profile v2.0: ID.AM-08.01
CRI Profile v2.0: ID.AM-08.02
CRI Profile v2.0: ID.AM-08.03
CRI Profile v2.0: ID.AM-08.04
CRI Profile v2.0: ID.AM-08.05
CRI Profile v2.0: ID.AM-08.06
SP 800-221A: MA.RI-1
CSF v1.1: PR.DS-3
CSF v1.1: PR.IP-2
CSF v1.1: PR.MA-1
CSF v1.1: PR.MA-2
CSF v1.1: PR.IP-6
CSF v1.1: PR.DS

CRI Profile v2.0: ID.RA
SP 800-221A: GV.BE-4
CSF v1.1: ID.RA

1st: 1st Party Risk
Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software
Ex2: Assess network and system architectures for design and implementation weaknesses that affect cybersecurity
Ex3: Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities
Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues
Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services
Ex6: Review processes and procedures for weaknesses that could be exploited to affect cybersecurity
Informative References:
SP 800-218: PO.5.2
CIS Controls v8.0: 7.1
CRI Profile v2.0: ID.RA-01
CRI Profile v2.0: ID.RA-01.01
CRI Profile v2.0: ID.RA-01.02
CRI Profile v2.0: ID.RA-01.03
SP 800-221A: MA.RI-3
CSF v1.1: ID.RA-1
CSF v1.1: PR.IP-12
CSF v1.1: DE.CM-8

1st: 1st Party Risk
Ex1: Configure cybersecurity tools and technologies with detection or response capabilities to securely ingest cyber threat intelligence feeds
Ex2: Receive and review advisories from reputable third parties on current threat actors and their tactics, techniques, and procedures (TTPs)
Ex3: Monitor sources of cyber threat intelligence for information on the types of vulnerabilities that emerging technologies may have
Informative References:
CRI Profile v2.0: ID.RA-02
CRI Profile v2.0: ID.RA-02.01
CRI Profile v2.0: ID.RA-02.02
SP 800-221A: GV.BE-4
CSF v1.1: ID.RA-2

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Use cyber threat intelligence to maintain awareness of the types of threat actors likely to target the organization and the TTPs they are likely to use
Ex2: Perform threat hunting to look for signs of threat actors within the environment
Ex3: Implement processes for identifying internal threat actors
Informative References:
CRI Profile v2.0: ID.RA-03
CRI Profile v2.0: ID.RA-03.01
CRI Profile v2.0: ID.RA-03.02
CRI Profile v2.0: ID.RA-03.03
CRI Profile v2.0: ID.RA-03.04
SP 800-221A: MA.RI-2
CSF v1.1: ID.RA-3
1st: 1st Party Risk
Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers
Ex2: Enumerate the potential business impacts of unauthorized access to the organization's communications, systems, and data processed in or by those systems
Ex3: Account for the potential impacts of cascading failures for systems of systems
Informative References:
CRI Profile v2.0: ID.RA-04
CRI Profile v2.0: ID.RA-04.01
SP 800-221A: MA.RI-4
CSF v1.1: ID.RA-4

1st: 1st Party Risk
Ex1: Develop threat models to better understand risks to the data and identify appropriate risk responses
Ex2: Prioritize cybersecurity resource allocations and investments based on estimated likelihoods and impacts
Informative References:
SP 800-218: PW.1.1
CRI Profile v2.0: ID.RA-05
CRI Profile v2.0: ID.RA-05.01
CRI Profile v2.0: ID.RA-05.02
CRI Profile v2.0: ID.RA-05.03
CRI Profile v2.0: ID.RA-05.04
SP 800-221A: MA.RA-2
CSF v1.1: ID.RA-5

1st: 1st Party Risk
Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk
Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)
Ex4: Use risk assessment findings to inform risk response decisions and actions
Ex5: Communicate planned risk responses to affected stakeholders in priority order
Informative References:
SP 800-218: PO.5.2
CRI Profile v2.0: ID.RA-06
CRI Profile v2.0: ID.RA-06.01
CRI Profile v2.0: ID.RA-06.02
CRI Profile v2.0: ID.RA-06.03
CRI Profile v2.0: ID.RA-06.04
CRI Profile v2.0: ID.RA-06.05
CRI Profile v2.0: ID.RA-06.06
SP 800-221A: MA.RP
CSF v1.1: ID.RA-6
CSF v1.1: RS.MI-3

Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions
Ex2: Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes
Ex3: Document the risks related to each requested exception and the plan for responding to those risks
Ex4: Periodically review risks that were accepted based upon planned future actions or milestones
Informative References:
SP 800-218: PO.5.2
CRI Profile v2.0: ID.RA-07
CRI Profile v2.0: ID.RA-07.01
CRI Profile v2.0: ID.RA-07.02
CRI Profile v2.0: ID.RA-07.03
CRI Profile v2.0: ID.RA-07.04
CRI Profile v2.0: ID.RA-07.05
SP 800-221A: MA.RI-3
CSF v1.1: PR.IP-3

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts
Ex2: Assign responsibilities and verify the execution of procedures for processing, analyzing the impact of, and responding to cybersecurity threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cybersecurity organizations
Informative References:
CIS Controls v8.0: 7.2
CRI Profile v2.0: ID.RA-08
CRI Profile v2.0: ID.RA-08.01
CRI Profile v2.0: ID.RA-08.02
SP 800-221A: MA.RI-3
CSF v1.1: RS.AN-5

3rd: 3rd Party Risk
Ex1: Assess the authenticity and cybersecurity of critical technology products and services prior to acquisition and use
Informative References:
SP 800-218: PO.5.2
CRI Profile v2.0: EX.DD-04
CRI Profile v2.0: EX.DD-04.01
CRI Profile v2.0: EX.DD-04.02
SP 800-221A: MA.RI-3
CSF v1.1: PR.DS-8

Ex1: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including the supply chain
Informative References:
CRI Profile v2.0: EX.DD-03
CRI Profile v2.0: EX.DD-03.01
CRI Profile v2.0: EX.DD-03.02
CRI Profile v2.0: EX.DD-03.03
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-221A: MA.RM-2
SP 800-221A: MA.RM-3
CSF v1.1: ID.SC-2
CSF v1.1: ID.SC-4

CRI Profile v2.0: ID.IM
SP 800-221A: MA.IM-1
SP 800-221A: MA.IM-1
CSF v1.1: RS.IM
CSF v1.1: RC.IM
CSF v1.1: PR.IP-7
CSF v1.1: DE.DP-5
1st: 1st Party Risk
Ex1: Perform self-assessments of critical services that take current threats and TTPs into consideration
Ex2: Invest in third-party assessments or independent audits of the effectiveness of the organization's cybersecurity program to identify areas that need improvement
Ex3: Constantly evaluate compliance with selected cybersecurity requirements through automated means
Informative References:
CRI Profile v2.0: ID.IM-01
CRI Profile v2.0: ID.IM-01.01
CRI Profile v2.0: ID.IM-01.02
CRI Profile v2.0: ID.IM-01.03
CRI Profile v2.0: ID.IM-01.04
CRI Profile v2.0: ID.IM-01.05

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)
Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers
Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate
Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership
Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt
Ex6: Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program
Informative References:
CIS Controls v8.0: 17.7
CRI Profile v2.0: ID.IM-02
CRI Profile v2.0: ID.IM-02.01
CRI Profile v2.0: ID.IM-02.02
CRI Profile v2.0: ID.IM-02.03
CRI Profile v2.0: ID.IM-02.04
CRI Profile v2.0: ID.IM-02.05
CRI Profile v2.0: ID.IM-02.06
CRI Profile v2.0: ID.IM-02.07
CRI Profile v2.0: ID.IM-02.08
CRI Profile v2.0: ID.IM-02.09
SP 800-221A: GV.CT-3
CSF v1.1: ID.SC-5
CSF v1.1: PR.IP-10
CSF v1.1: DE.DP-3

1st: 1st Party Risk
Ex1: Conduct collaborative lessons learned sessions with suppliers
Ex2: Annually review cybersecurity policies, processes, and procedures to take lessons learned into account
Ex3: Use metrics to assess operational cybersecurity performance over time
Informative References:
CRI Profile v2.0: ID.IM-03
CRI Profile v2.0: ID.IM-03.01
CRI Profile v2.0: ID.IM-03.02
SP 800-221A: GV.AD-1
SP 800-221A: MA.RM-6
SP 800-221A: MA.IM-1
CSF v1.1: PR.IP-7
CSF v1.1: PR.IP-8
CSF v1.1: DE.DP-5
CSF v1.1: RS.IM-1
CSF v1.1: RS.IM-2
CSF v1.1: RC.IM-1
CSF v1.1: RC.IM-2

1st: 1st Party Risk
Ex1: Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organization's mission and viability
Ex2: Include contact and communication information, processes for handling common scenarios, and criteria for prioritization, escalation, and elevation in all contingency plans
Ex3: Create a vulnerability management plan to identify and assess all types of vulnerabilities and to prioritize, test, and implement risk responses
Ex4: Communicate cybersecurity plans (including updates) to those responsible for carrying them out and to affected parties
Ex5: Review and update all cybersecurity plans annually or when a need for significant improvements is identified
Informative References:
CRI Profile v2.0: ID.IM-04
CRI Profile v2.0: ID.IM-04.01
CRI Profile v2.0: ID.IM-04.02
CRI Profile v2.0: ID.IM-04.03
CRI Profile v2.0: ID.IM-04.04
CRI Profile v2.0: ID.IM-04.05
CRI Profile v2.0: ID.IM-04.06
CRI Profile v2.0: ID.IM-04.07
CRI Profile v2.0: ID.IM-04.08
SP 800-221A: MA.RR-4
SP 800-221A: MA.IM-1
CSF v1.1: PR.IP-9
CSF v1.1: RS.IM-1
CSF v1.1: RC.IM-1
CSF v1.1: PR.IP-10

CRI Profile v2.0: PR
CSF v1.1: PR

CRI Profile v2.0: PR.AA
CSF v1.1: PR.AC

1st: 1st Party Risk
Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device
Ex4: Physically label authorized hardware with an identifier for inventory and servicing purposes
Informative References:
CIS Controls v8.0: 5.1
CIS Controls v8.0: 6.7
CRI Profile v2.0: PR.AA-01
CRI Profile v2.0: PR.AA-01.01
CRI Profile v2.0: PR.AA-01.02
CSF v1.1: PR.AC-1

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Verify a person's claimed identity at enrollment time using government-issued identity credentials (e.g., passport, visa, driver's license)
Ex2: Issue a different credential for each person (i.e., no credential sharing)
Informative References:
CRI Profile v2.0: PR.AA-02
CRI Profile v2.0: PR.AA-02.01
CSF v1.1: PR.AC-6

1st: 1st Party Risk
Ex1: Require multifactor authentication
Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
Ex3: Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
Ex4: Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions
Informative References:
SP 800-218: PO.5.2
CRI Profile v2.0: PR.AA-03
CRI Profile v2.0: PR.AA-03.01
CRI Profile v2.0: PR.AA-03.02
CRI Profile v2.0: PR.AA-03.03
CSF v1.1: PR.AC-3
CSF v1.1: PR.AC-7

1st: 1st Party Risk
Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems
Ex2: Protect identity assertions that are used to convey authentication and user information between federated systems
Ex3: Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions
Informative References:
CRI Profile v2.0: PR.AA-04
CRI Profile v2.0: PR.AA-04.01

1st: 1st Party Risk
Ex1: Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
Ex2: Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
Ex4: Periodically review the privileges associated with critical business functions to confirm proper separation of duties
Informative References:
SP 800-218: PO.5.2
SP 800-218: PS.1.1
CIS Controls v8.0: 3.3
CIS Controls v8.0: 6.8
CRI Profile v2.0: PR.AA-05
CRI Profile v2.0: PR.AA-05.01
CRI Profile v2.0: PR.AA-05.02
CRI Profile v2.0: PR.AA-05.03
CRI Profile v2.0: PR.AA-05.04
CSF v1.1: PR.AC-1
CSF v1.1: PR.AC-3
CSF v1.1: PR.AC-4

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access
Ex2: Employ additional physical security controls for areas that contain high-risk assets
Ex3: Escort guests, vendors, and other third parties within areas that contain business-critical assets
Informative References:
SP 800-218: PO.5.2
CRI Profile v2.0: PR.AA-06
CRI Profile v2.0: PR.AA-06.01
CRI Profile v2.0: PR.AA-06.02
CSF v1.1: PR.AC-2
CSF v1.1: PR.PT-4

SP 800-218: PO.2.2
CRI Profile v2.0: PR.AT
CSF v1.1: PR.AT

1st: 1st Party Risk
Ex1: Provide basic cybersecurity awareness and training to employees, contractors, partners, suppliers, and all other users of the organization's non-public resources
Ex2: Train personnel to recognize social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials)
Ex3: Explain the consequences of cybersecurity policy violations, both to individual users and the organization as a whole
Ex4: Periodically assess or test users on their understanding of basic cybersecurity practices
Ex5: Require annual refreshers to reinforce existing practices and introduce new practices
Informative References: SP 800-218: PO.2.2; CIS Controls v8.0: 14.1; CRI Profile v2.0: PR.AT-01; CRI Profile v2.0: PR.AT-01.01; CRI Profile v2.0: PR.AT-01.02; CRI Profile v2.0: PR.AT-01.03; CRI Profile v2.0: PR.AT-01.04; SP 800-221A: GV.CT-3; SP 800-221A: GV.RR-2; CSF v1.1: PR.AT-1; CSF v1.1: PR.AT-3; CSF v1.1: RS.CO-1

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
Ex2: Provide role-based cybersecurity awareness and training to all those in specialized roles, including contractors, partners, suppliers, and other third parties
Ex3: Periodically assess or test users on their understanding of cybersecurity practices for their specialized roles
Ex4: Require annual refreshers to reinforce existing practices and introduce new practices
Informative References: SP 800-218: PO.2.2; CIS Controls v8.0: 14.9; CRI Profile v2.0: PR.AT-02; CRI Profile v2.0: PR.AT-02.01; CRI Profile v2.0: PR.AT-02.02; CRI Profile v2.0: PR.AT-02.03; CRI Profile v2.0: PR.AT-02.04; CRI Profile v2.0: PR.AT-02.05; CRI Profile v2.0: PR.AT-02.06; CRI Profile v2.0: PR.AT-02.07; CRI Profile v2.0: PR.AT-02.08; SP 800-221A: GV.CT-3; SP 800-221A: GV.CT-4; SP 800-221A: GV.RR-2; CSF v1.1: PR.AT-2; CSF v1.1: PR.AT-3; CSF v1.1: PR.AT-4; CSF v1.1: PR.AT-5
CRI Profile v2.0: PR.DS
CSF v1.1: PR.DS

1st: 1st Party Risk
Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources
Ex2: Use full disk encryption to protect data stored on user endpoints
Ex3: Confirm the integrity of software by validating signatures
Ex4: Restrict the use of removable media to prevent data exfiltration
Ex5: Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets
Informative References: SP 800-218: PS.1.1; SP 800-218: PS.2.1; SP 800-218: PS.3.1; CIS Controls v8.0: 3.11; CRI Profile v2.0: PR.DS-01; CRI Profile v2.0: PR.DS-01.01; CRI Profile v2.0: PR.DS-01.02; CRI Profile v2.0: PR.DS-01.03; CSF v1.1: PR.DS-1; CSF v1.1: PR.DS-5; CSF v1.1: PR.DS-6; CSF v1.1: PR.PT-2

1st: 1st Party Risk
Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications
Ex2: Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification
Ex3: Block access to personal email, file sharing, file storage services, and other personal communications applications and services from organizational systems and networks
Ex4: Prevent reuse of sensitive data from production environments (e.g., customer records) in development, testing, and other non-production environments
Informative References: CIS Controls v8.0: 3.10; CRI Profile v2.0: PR.DS-02; CRI Profile v2.0: PR.DS-02.01; CSF v1.1: PR.DS-2; CSF v1.1: PR.DS-5
1st: 1st Party Risk
Ex1: Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
Ex2: Protect data in use from access by other users and processes of the same platform
Informative References: CRI Profile v2.0: PR.DS-10; CRI Profile v2.0: PR.DS-10.01; CSF v1.1: PR.DS-5
1st: 1st Party Risk
Ex1: Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
Ex2: Test backups and restores for all types of data sources at least annually
Ex3: Securely store some backups offline and offsite so that an incident or disaster will not damage them
Ex4: Enforce geographic separation and geolocation restrictions for data backup storage
Informative References: SP 800-218: PS.3.1; CIS Controls v8.0: 11.2; CIS Controls v8.0: 11.3; CIS Controls v8.0: 11.5; CRI Profile v2.0: PR.DS-11; CRI Profile v2.0: PR.DS-11.01; CSF v1.1: PR.IP-4
CRI Profile v2.0: PR.PS

1st: 1st Party Risk
Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organization's cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
Ex2: Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software
Ex3: Monitor implemented software for deviations from approved baselines
Informative References: SP 800-218: PO.5.2; SP 800-218: PS.1.1; CIS Controls v8.0: 4.1; CIS Controls v8.0: 4.2; CRI Profile v2.0: PR.PS-01; CRI Profile v2.0: PR.PS-01.01; CRI Profile v2.0: PR.PS-01.02; CRI Profile v2.0: PR.PS-01.03; CRI Profile v2.0: PR.PS-01.04; CRI Profile v2.0: PR.PS-01.05; CRI Profile v2.0: PR.PS-01.06; CRI Profile v2.0: PR.PS-01.07; CRI Profile v2.0: PR.PS-01.08; CRI Profile v2.0: PR.PS-01.09; CSF v1.1: PR.IP-1; CSF v1.1: PR.IP-3; CSF v1.1: PR.PT-2; CSF v1.1: PR.PT-3
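Added example (not part of the CSF 2.0 Core) for Ex1 to Ex3 above: checking an sshd_config against a hardened baseline. The baseline values are assumptions chosen for the demo; the sshd default values used for absent keywords are those documented in the sshd_config(5) manual. The point a generic key=value diff misses, and which Ex2 (review defaults) and Ex3 (detect deviations) both depend on, is that sshd keeps the first value of a repeated keyword, applies its own default when a keyword is absent, and applies settings under a Match line only to matching sessions, so the checker has to model all three to report the effective configuration rather than the file's text.

```python
"""Check an sshd_config against a hardened baseline, honoring sshd's own semantics.

Added example, not part of the CSF 2.0 Core. BASELINE is an assumption for the
demo; SSHD_DEFAULTS are the documented sshd_config(5) defaults for absent keywords.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SSHD_DEFAULTS: Dict[str, str] = {           # value sshd applies when the keyword is absent
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}
BASELINE: Dict[str, Callable[[str], bool]] = {   # keyword -> predicate the effective value must satisfy
    "permitrootlogin": lambda v: v.lower() == "no",
    "passwordauthentication": lambda v: v.lower() == "no",
    "kbdinteractiveauthentication": lambda v: v.lower() == "no",
    "permitemptypasswords": lambda v: v.lower() == "no",
    "x11forwarding": lambda v: v.lower() == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
    "loglevel": lambda v: v.upper() == "VERBOSE",
}


@dataclass
class Finding:
    key: str
    observed: str
    kind: str       # "drift": effective global value violates the baseline
                    # "conditional-override": a Match block weakens it for some sessions
    note: str


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return (global_settings, match_overrides).

    Three sshd rules a naive key=value diff gets wrong: keywords are
    case-insensitive; for each keyword the FIRST value wins and later duplicates
    are ignored; everything after a 'Match' line applies only to matching sessions.
    """
    settings: Dict[str, str] = {}
    overrides: List[Tuple[str, str, str]] = []
    current_match: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:            # Keyword=value
            parts = parts[0].split("=", 1)
        elif len(parts) == 2 and parts[1].startswith("="):  # Keyword = value
            parts = [parts[0], parts[1][1:]]
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current_match = value
        elif current_match is not None:
            overrides.append((current_match, key, value))
        else:
            settings.setdefault(key, value)                 # first value wins
    return settings, overrides


def check_baseline(text: str) -> List[Finding]:
    settings, overrides = parse_sshd_config(text)
    findings: List[Finding] = []
    for key, satisfied in BASELINE.items():
        if key in settings:
            observed, note = settings[key], "set explicitly"
        else:
            observed, note = SSHD_DEFAULTS[key], "not set; sshd default applies"
        if not satisfied(observed):
            findings.append(Finding(key, observed, "drift", note))
    for criteria, key, value in overrides:
        if key in BASELINE and not BASELINE[key](value):
            findings.append(Finding(key, value, "conditional-override",
                                    f"'Match {criteria}' weakens the baseline for matching sessions"))
    return findings


# Constructed sample (not from a real host). The second PasswordAuthentication
# line is dead: sshd keeps the first value, so the global setting stays "no".
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for f in check_baseline(SAMPLE_CONFIG):
        print(f"{f.kind:21s} {f.key:29s} observed={f.observed!r:18} {f.note}")
```

On the sample the checker reports four drifts (X11Forwarding and MaxAuthTries set weakly, LogLevel and KbdInteractiveAuthentication left at their permissive defaults) and one conditional override for the backup user, while correctly treating the duplicate PasswordAuthentication line as inert. The same structure, with a different parser and default table, applies to any daemon whose effective configuration differs from the literal file.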
1st: 1st Party Risk
Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
Ex2: Update container images, and deploy new container instances to replace rather than update existing instances
Ex3: Replace end-of-life software and service versions with supported, maintained versions
Ex4: Uninstall and remove unauthorized software and services that pose undue risks
Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse
Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence
Informative References: SP 800-218: PO.5.2; CIS Controls v8.0: 2.2; CIS Controls v8.0: 2.3; CRI Profile v2.0: PR.PS-02; CRI Profile v2.0: PR.PS-02.01; CRI Profile v2.0: PR.PS-02.02; CRI Profile v2.0: PR.PS-02.03; CSF v1.1: PR.IP-12; CSF v1.1: PR.MA-2

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
Ex2: Define and implement plans for hardware end-of-life maintenance support and obsolescence
Ex3: Perform hardware disposal in a secure, responsible, and auditable manner
Informative References: SP 800-218: PO.5.2; CIS Controls v8.0: 1.2; CRI Profile v2.0: PR.PS-03; CRI Profile v2.0: PR.PS-03.01; CSF v1.1: PR.MA-1; CSF v1.1: PR.DS-3
1st: 1st Party Risk
Ex1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records
Ex2: Configure log generators to securely share their logs with the organization's logging infrastructure systems and services
Ex3: Configure log generators to record the data needed by zero-trust architectures
Informative References: SP 800-218: PO.3.3; CIS Controls v8.0: 8.2; CRI Profile v2.0: PR.PS-04; CRI Profile v2.0: PR.PS-04.01; CRI Profile v2.0: PR.PS-04.02; CRI Profile v2.0: PR.PS-04.03; CSF v1.1: PR.PT-1

1st: 1st Party Risk
Ex1: When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorized software
Ex2: Verify the source of new software and the software's integrity before installing it
Ex3: Configure platforms to use only approved DNS services that block access to known malicious domains
Ex4: Configure platforms to allow the installation of organization-approved software only
Informative References: CIS Controls v8.0: 2.5; CRI Profile v2.0: PR.PS-05; CRI Profile v2.0: PR.PS-05.01; CRI Profile v2.0: PR.PS-05.02; CRI Profile v2.0: PR.PS-05.03

1st: 1st Party Risk
Ex1: Protect all components of organization-developed software from tampering and unauthorized access
Ex2: Secure all software produced by the organization, with minimal vulnerabilities in their releases
Ex3: Maintain the software used in production environments, and securely dispose of software once it is no longer needed
Informative References: CIS Controls v8.0: 16.1; CRI Profile v2.0: PR.PS-06; CRI Profile v2.0: PR.PS-06.01; CRI Profile v2.0: PR.PS-06.02; CRI Profile v2.0: PR.PS-06.03; CRI Profile v2.0: PR.PS-06.04; CRI Profile v2.0: PR.PS-06.05; CRI Profile v2.0: PR.PS-06.06; CRI Profile v2.0: PR.PS-06.07; CRI Profile v2.0: PR.PS-06.08; CRI Profile v2.0: PR.PS-06.09; CRI Profile v2.0: PR.PS-06.10; CSF v1.1: PR.IP-2
CRI Profile v2.0: PR.IR

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
Ex2: Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks
Ex3: Implement zero trust architectures to restrict network access to each resource to the minimum necessary
Ex4: Check the cyber health of endpoints before allowing them to access and use production resources
Informative References: SP 800-218: PO.5.1; CIS Controls v8.0: 3.12; CIS Controls v8.0: 12.2; CRI Profile v2.0: PR.IR-01; CRI Profile v2.0: PR.IR-01.01; CRI Profile v2.0: PR.IR-01.02; CRI Profile v2.0: PR.IR-01.03; CRI Profile v2.0: PR.IR-01.04; CRI Profile v2.0: PR.IR-01.05; CRI Profile v2.0: PR.IR-01.06; CRI Profile v2.0: PR.IR-01.07; CRI Profile v2.0: PR.IR-01.08; CSF v1.1: PR.AC-3; CSF v1.1: PR.AC-5; CSF v1.1: PR.DS-7; CSF v1.1: PR.PT-4

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Protect organizational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity
Ex2: Include protection from environmental threats and provisions for adequate operating infrastructure in requirements for service providers that operate systems on the organization's behalf
Informative References: CRI Profile v2.0: PR.IR-02; CRI Profile v2.0: PR.IR-02.01; CSF v1.1: PR.IP-5

1st: 1st Party Risk
Ex1: Avoid single points of failure in systems and infrastructure
Ex2: Use load balancing to increase capacity and improve reliability
Ex3: Use high-availability components like redundant storage and power supplies to improve system reliability
Informative References: CRI Profile v2.0: PR.IR-03; CRI Profile v2.0: PR.IR-03.01; CSF v1.1: PR.PT-5
Ex1: Monitor usage of storage, power, compute, network bandwidth, and other resources
Ex2: Forecast future needs, and scale resources accordingly
Informative References: CRI Profile v2.0: PR.IR-04; CRI Profile v2.0: PR.IR-04.01; CRI Profile v2.0: PR.IR-04.02; CSF v1.1: PR.DS-4

CRI Profile v2.0: DE
CSF v1.1: DE
CRI Profile v2.0: DE.CM
CSF v1.1: DE.CM
Ex1: Monitor DNS, BGP, and other network services for adverse events
Ex2: Monitor wired and wireless networks for connections from unauthorized endpoints
Ex3: Monitor facilities for unauthorized or rogue wireless networks
Ex4: Compare actual network flows against baselines to detect deviations
Ex5: Monitor network communications to identify changes in security postures for zero trust purposes
1st: 1st Party Risk
Informative References: CIS Controls v8.0: 13.1; CRI Profile v2.0: DE.CM-01; CRI Profile v2.0: DE.CM-01.01; CRI Profile v2.0: DE.CM-01.02; CRI Profile v2.0: DE.CM-01.03; CRI Profile v2.0: DE.CM-01.04; CRI Profile v2.0: DE.CM-01.05; CRI Profile v2.0: DE.CM-01.06; CSF v1.1: DE.CM-1; CSF v1.1: DE.CM-4; CSF v1.1: DE.CM-5; CSF v1.1: DE.CM-7
Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts
Ex2: Review and monitor physical access records (e.g., from visitor registration, sign-in sheets)
Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) for signs of tampering
Ex4: Monitor the physical environment using alarm systems, cameras, and security guards
1st: 1st Party Risk
Informative References: CRI Profile v2.0: DE.CM-02; CRI Profile v2.0: DE.CM-02.01; CSF v1.1: DE.CM-2

Ex1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats
Ex2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts
Ex3: Continuously monitor deception technology, including user accounts, for any usage
1st: 1st Party Risk
Informative References: CIS Controls v8.0: 10.7; CRI Profile v2.0: DE.CM-03; CRI Profile v2.0: DE.CM-03.01; CRI Profile v2.0: DE.CM-03.02; CRI Profile v2.0: DE.CM-03.03; CSF v1.1: DE.CM-3; CSF v1.1: DE.CM-7

Ex1: Monitor remote and onsite administration and maintenance activities that external providers perform on organizational systems
Ex2: Monitor activity from cloud-based services, internet service providers, and other service providers for deviations from expected behavior
3rd: 3rd Party Risk
Informative References: CIS Controls v8.0: 15.2; CIS Controls v8.0: 15.6; CRI Profile v2.0: DE.CM-06; CRI Profile v2.0: DE.CM-06.01; CRI Profile v2.0: DE.CM-06.02; CSF v1.1: DE.CM-6; CSF v1.1: DE.CM-7
Ex1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events
Ex2: Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse
Ex3: Monitor software configurations for deviations from security baselines
Ex4: Monitor hardware and software for signs of tampering
Ex5: Use technologies with a presence on endpoints to detect cyber health issues (e.g., missing patches, malware infections, unauthorized software), and redirect the endpoints to a remediation environment before access is authorized
1st: 1st Party Risk
Informative References: CIS Controls v8.0: 10.1; CRI Profile v2.0: DE.CM-09; CRI Profile v2.0: DE.CM-09.01; CRI Profile v2.0: DE.CM-09.02; CRI Profile v2.0: DE.CM-09.03; CSF v1.1: PR.DS-6; CSF v1.1: PR.DS-8; CSF v1.1: DE.CM-4; CSF v1.1: DE.CM-5; CSF v1.1: DE.CM-7
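Added example (not part of the CSF 2.0 Core) serving both Ex2 of the logical-access monitoring item above (unusual access patterns and failed access attempts from logical access control logs) and Ex2 here (authentication attempts that indicate attacks against credentials): detection logic run over constructed sshd log lines for three patterns, brute force against one account, password spraying from one source across many accounts, and a successful login preceded by a burst of failures from the same source. The log excerpt, thresholds and time windows are assumptions to be tuned to the environment; the addresses are RFC 5737 documentation ranges.

```python
"""Detect credential attacks in sshd authentication logs. Added example, not part
of the CSF 2.0 Core; log lines, thresholds and windows are constructed assumptions."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted (?:password|publickey)) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
BRUTE_FORCE_FAILURES, BRUTE_FORCE_WINDOW = 5, timedelta(minutes=5)    # one account, many failures
SPRAY_DISTINCT_USERS, SPRAY_WINDOW = 4, timedelta(minutes=10)         # one source, many accounts
SUCCESS_PRIOR_FAILURES, SUCCESS_LOOKBACK = 3, timedelta(minutes=10)   # success after a failure burst


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse(lines) -> List[Event]:
    """Keep only authentication outcomes; other sshd chatter is ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append(Event(ts, m["result"].startswith("Accepted"), m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Most timestamps (sorted) that fall inside any span of `window`."""
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def max_distinct_in_window(events: List[Event], window: timedelta) -> int:
    """Most distinct users among sorted events that fall inside any span of `window`."""
    counts: Counter = Counter()
    best = start = 0
    for e in events:
        counts[e.user] += 1
        while e.ts - events[start].ts > window:
            counts -= Counter([events[start].user])   # Counter drops users whose count reaches zero
            start += 1
        best = max(best, len(counts))
    return best


def detect(lines) -> List[Dict[str, object]]:
    events = parse(lines)
    failures = [e for e in events if not e.ok]
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in failures:
        by_user[e.user].append(e.ts)
        by_ip[e.ip].append(e)
    alerts: List[Dict[str, object]] = []
    for user, times in by_user.items():                       # brute force against one account
        n = max_in_window(times, BRUTE_FORCE_WINDOW)
        if n >= BRUTE_FORCE_FAILURES:
            alerts.append({"type": "brute_force", "key": user, "count": n})
    for ip, evs in by_ip.items():                             # password spraying from one source
        n = max_distinct_in_window(evs, SPRAY_WINDOW)
        if n >= SPRAY_DISTINCT_USERS:
            alerts.append({"type": "password_spray", "key": ip, "count": n})
    for e in events:                                          # success right after a failure burst
        if e.ok:
            prior = sum(1 for f in by_ip.get(e.ip, []) if e.ts - SUCCESS_LOOKBACK <= f.ts < e.ts)
            if prior >= SUCCESS_PRIOR_FAILURES:
                alerts.append({"type": "success_after_failures", "key": f"{e.user}@{e.ip}", "count": prior})
    return alerts


# Constructed log excerpt (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 10:00:03 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar  3 10:00:09 bastion sshd[2103]: Failed password for root from 203.0.113.9 port 41003 ssh2
Mar  3 10:00:15 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 41004 ssh2
Mar  3 10:00:22 bastion sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 41005 ssh2
Mar  3 10:05:00 bastion sshd[2110]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Mar  3 10:05:10 bastion sshd[2110]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Mar  3 10:05:20 bastion sshd[2110]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Mar  3 10:05:30 bastion sshd[2110]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Mar  3 10:05:45 bastion sshd[2111]: Accepted password for alice from 198.51.100.7 port 50113 ssh2
Mar  3 10:10:00 bastion sshd[2120]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Mar  3 10:10:10 bastion sshd[2121]: Failed password for bob from 192.0.2.44 port 33002 ssh2
Mar  3 10:10:20 bastion sshd[2122]: Failed password for bob from 192.0.2.44 port 33003 ssh2
Mar  3 10:10:30 bastion sshd[2123]: Failed password for bob from 192.0.2.44 port 33004 ssh2
Mar  3 10:10:40 bastion sshd[2124]: Failed password for bob from 192.0.2.44 port 33005 ssh2
Mar  3 10:11:02 bastion sshd[2124]: Disconnected from authenticating user bob 192.0.2.44 port 33005 [preauth]
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields one alert per pattern: the spray from 203.0.113.9 never trips the per-account threshold (one failure per account), bob's burst trips brute force but not spraying (one account), and alice's four failures alone stay below the brute-force threshold yet make the following successful password login the highest-priority alert, since it is the one that indicates a credential may actually have been guessed. Year-less syslog timestamps are parsed as-is, so a real deployment must handle the year rollover before applying the windows.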
CRI Profile v2.0: DE.AE
CSF v1.1: DE.AE
CSF v1.1: DE.DP-2

Ex1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise
Ex3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation
Ex4: Use log analysis tools to generate reports on their findings
1st: 1st Party Risk
Informative References: CIS Controls v8.0: 8.11; CRI Profile v2.0: DE.AE-02; CRI Profile v2.0: DE.AE-02.01; CRI Profile v2.0: DE.AE-02.02; CSF v1.1: DE.AE-2

Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers
Ex2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources
Ex3: Utilize cyber threat intelligence to help correlate events among log sources
1st: 1st Party Risk
Informative References: CRI Profile v2.0: DE.AE-03; CRI Profile v2.0: DE.AE-03.01; CRI Profile v2.0: DE.AE-03.02; CSF v1.1: DE.AE-3
Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates
Ex2: A person creates their own estimates of impact and scope
1st: 1st Party Risk
Informative References: CRI Profile v2.0: DE.AE-04; CRI Profile v2.0: DE.AE-04.01; CSF v1.1: DE.AE-4

Ex1: Use cybersecurity software to generate alerts and provide them to the security operations center (SOC), incident responders, and incident response tools
Ex2: Incident responders and other authorized personnel can access log analysis findings at all times
Ex3: Automatically create and assign tickets in the organization's ticketing system when certain types of alerts occur
Ex4: Manually create and assign tickets in the organization's ticketing system when technical staff discover indicators of compromise
1st: 1st Party Risk
Informative References: CRI Profile v2.0: DE.AE-06; CRI Profile v2.0: DE.AE-06.01; CSF v1.1: DE.DP-4
Ex1: Securely provide cyber threat intelligence feeds to detection technologies, processes, and personnel
Ex2: Securely provide information from asset inventories to detection technologies, processes, and personnel
Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization's technologies from suppliers, vendors, and third-party security advisories
1st: 1st Party Risk
Informative References: CRI Profile v2.0: DE.AE-07; CRI Profile v2.0: DE.AE-07.01; CRI Profile v2.0: DE.AE-07.02; CSF v1.1: DE.AE-3

Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
Ex2: Take known false positives into account when applying incident criteria
1st: 1st Party Risk
Informative References: CRI Profile v2.0: DE.AE-08; CRI Profile v2.0: DE.AE-08.01; CSF v1.1: DE.AE-5

CRI Profile v2.0: RS
CSF v1.1: RS
CRI Profile v2.0: RS.MA
CSF v1.1: RS.RP
Ex1: Detection technologies automatically report confirmed incidents
Ex2: Request incident response assistance from the organization's incident response outsourcer
Ex3: Designate an incident lead for each incident
Ex4: Initiate execution of additional cybersecurity plans as needed to support incident response (for example, business continuity and disaster recovery)
3rd: 3rd Party Risk
Informative References: CIS Controls v8.0: 17.4; CRI Profile v2.0: RS.MA-01; CRI Profile v2.0: RS.MA-01.01; CSF v1.1: RS.RP-1; CSF v1.1: RS.CO-4
1st: 1st Party Risk
Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related and necessitate incident response activities
Ex2: Apply criteria to estimate the severity of an incident
Informative References: CRI Profile v2.0: RS.MA-02; CRI Profile v2.0: RS.MA-02.01; CSF v1.1: RS.AN-1; CSF v1.1: RS.AN-2

1st: 1st Party Risk
Ex1: Further review and categorize incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise)
Ex2: Prioritize incidents based on their scope, likely impact, and time-critical nature
Ex3: Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation
Informative References: CRI Profile v2.0: RS.MA-03; CRI Profile v2.0: RS.MA-03.01; CSF v1.1: RS.AN-4; CSF v1.1: RS.AN-2
1st: 1st Party Risk
Ex1: Track and validate the status of all ongoing incidents
Ex2: Coordinate incident escalation or elevation with designated internal and external stakeholders
Informative References: CRI Profile v2.0: RS.MA-04; CRI Profile v2.0: RS.MA-04.01; CSF v1.1: RS.AN-2; CSF v1.1: RS.CO-4

1st: 1st Party Risk
Ex1: Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated
Ex2: Take the possible operational disruption of incident recovery activities into account
Informative References: CIS Controls v8.0: 17.9; CRI Profile v2.0: RS.MA-05; CRI Profile v2.0: RS.MA-05.01
CRI Profile v2.0: RS.AN
CSF v1.1: RS.AN

1st: 1st Party Risk
Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
Ex3: Analyze the incident to find the underlying, systemic root causes
Ex4: Check any cyber deception technology for additional information on attacker behavior
Informative References: CIS Controls v8.0: 17.8; CRI Profile v2.0: RS.AN-03; CRI Profile v2.0: RS.AN-03.01; CSF v1.1: RS.AN-3
1st: 1st Party Risk
Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable
Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported
Informative References: CRI Profile v2.0: RS.AN-06; CRI Profile v2.0: RS.AN-06.01; CSF v1.1: RS.AN-3
1st: 1st Party Risk
Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures
Informative References: CRI Profile v2.0: RS.AN-07; CRI Profile v2.0: RS.AN-07.01

1st: 1st Party Risk
Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
Ex2: Automatically run tools on targets to look for indicators of compromise and evidence of persistence
Informative References: CRI Profile v2.0: RS.AN-08; CRI Profile v2.0: RS.AN-08.01
CRI Profile v2.0: RS.CO
CSF v1.1: RS.CO

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Follow the organization's breach notification procedures after discovering a data breach incident, including notifying affected customers
Ex2: Notify business partners and customers of incidents in accordance with contractual requirements
Ex3: Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval
Informative References: CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-02; CRI Profile v2.0: RS.CO-02.01; CRI Profile v2.0: RS.CO-02.02; CRI Profile v2.0: RS.CO-02.03; CSF v1.1: RS.CO-2; CSF v1.1: RS.CO-3

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Securely share information consistent with response plans and information sharing agreements
Ex2: Voluntarily share information about an attacker's observed TTPs, with all sensitive data removed, with an Information Sharing and Analysis Center (ISAC)
Ex3: Notify HR when malicious insider activity occurs
Ex4: Regularly update senior leadership on the status of major incidents
Ex5: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex6: Coordinate crisis communication methods between the organization and its critical suppliers
Informative References: CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-03; CRI Profile v2.0: RS.CO-03.01; CRI Profile v2.0: RS.CO-03.02; CSF v1.1: RS.CO-3; CSF v1.1: RS.CO-5

CRI Profile v2.0: RS.MI
CSF v1.1: RS.MI
1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform containment actions
Ex2: Allow incident responders to manually select and perform containment actions
Ex3: Allow a third party (e.g., internet service provider, managed security service provider) to perform containment actions on behalf of the organization
Ex4: Automatically transfer compromised endpoints to a remediation virtual local area network (VLAN)
Informative References: CRI Profile v2.0: RS.MI-01; CRI Profile v2.0: RS.MI-01.01; CSF v1.1: RS.MI-1

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Cybersecurity technologies and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform eradication actions
Ex2: Allow incident responders to manually select and perform eradication actions
Ex3: Allow a third party (e.g., managed security service provider) to perform eradication actions on behalf of the organization
Informative References: CRI Profile v2.0: RS.MI-02; CRI Profile v2.0: RS.MI-02.01; CSF v1.1: RS.MI-2

CRI Profile v2.0: RC
CSF v1.1: RC
CRI Profile v2.0: RC.RP
CSF v1.1: RC.RP
1st: 1st Party Risk
Ex1: Begin recovery procedures during or after incident response processes
Ex2: Make all individuals with recovery responsibilities aware of the plans for recovery and the authorizations required to implement each aspect of the plans
Informative References: CRI Profile v2.0: RC.RP-01; CRI Profile v2.0: RC.RP-01.01; CSF v1.1: RC.RP-1
1st: 1st Party Risk
Ex1: Select recovery actions based on the criteria defined in the incident response plan and available resources
Ex2: Change planned recovery actions based on a reassessment of organizational needs and resources
Informative References: CRI Profile v2.0: RC.RP-02; CRI Profile v2.0: RC.RP-02.01; CRI Profile v2.0: RC.RP-02.02; CSF v1.1: RC.RP-1
1st: 1st Party Risk
Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use
Informative References: CIS Controls v8.0: 11.5; CRI Profile v2.0: RC.RP-03; CRI Profile v2.0: RC.RP-03.01

1st: 1st Party Risk
Ex1: Use business impact and system categorization records (including service delivery objectives) to validate that essential services are restored in the appropriate order
Ex2: Work with system owners to confirm the successful restoration of systems and the return to normal operations
Ex3: Monitor the performance of restored systems to verify the adequacy of the restoration
Informative References: CRI Profile v2.0: RC.RP-04; CRI Profile v2.0: RC.RP-04.01
1st: 1st Party Risk
Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
Ex2: Verify the correctness and adequacy of the restoration actions taken before putting a restored system online
Informative References: CRI Profile v2.0: RC.RP-05; CRI Profile v2.0: RC.RP-05.01; CRI Profile v2.0: RC.RP-05.02
1st: 1st Party Risk
Ex1: Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned
Ex2: Declare the end of incident recovery once the criteria are met
Informative References: CRI Profile v2.0: RC.RP-06; CRI Profile v2.0: RC.RP-06.01
CRI Profile v2.0: RC.CO
CSF v1.1: RC.CO

1st: 1st Party Risk
3rd: 3rd Party Risk
Ex1: Securely share recovery information, including restoration progress, consistent with response plans and information sharing agreements
Ex2: Regularly update senior leadership on recovery status and restoration progress for major incidents
Ex3: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex4: Coordinate crisis communication between the organization and its critical suppliers
Informative References: CRI Profile v2.0: RC.CO-03; CRI Profile v2.0: RC.CO-03.01; CRI Profile v2.0: RC.CO-03.02; SP 800-221A: GV.CO-1; CSF v1.1: RC.CO-3

1st: 1st Party Risk
Ex1: Follow the organization's breach notification procedures for recovering from a data breach incident
Ex2: Explain the steps being taken to recover from the incident and to prevent a recurrence
Informative References: CIS Controls v8.0: 17.2; CIS Controls v8.0: 17.6; CRI Profile v2.0: RC.CO-04; CRI Profile v2.0: RC.CO-04.01; SP 800-221A: GV.CO-1; CSF v1.1: RC.CO-1; CSF v1.1: RS.CO-2
