
NIST Cybersecurity Framework (CSF) 2.0

Title: The NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user generated version of the Core
Change Log: Final
The NIST Cybersecurity Framework 2.0 www.nist.gov/cyberframework

Function Category Subcategory


GOVERN (GV): The organization's cybersecurity risk management
  Organizational Context (GV.OC): The circumstances - mission, stakeholder
    GV.OC-01: The organizational mission is understood and informs
    GV.OC-02: Internal and external stakeholders are understood, and their needs and
    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including
    GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are
  Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk
    GV.RM-01: Risk management objectives are established and agreed to by organizational
    GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in
    GV.RM-04: Strategic direction that describes appropriate risk response options is established
    GV.RM-05: Lines of communication across the organization are established for cybersecurity
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in
  Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles,
    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are
    GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk
    GV.RR-04: Cybersecurity is included in human resources practices
  Policy (GV.PO): Organizational cybersecurity policy is established,
    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and
  Oversight (GV.OV): Results of organization-wide cybersecurity risk management
    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and
CSF 2.0 Page 2 of 17
  Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain
    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives,
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning,
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for

IDENTIFY (ID): The organization's current cybersecurity risks are
  Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems,
    ID.AM-01: Inventories of hardware managed by the organization are maintained
    ID.AM-02: Inventories of software, services, and systems managed by the organization are
    ID.AM-03: Representations of the organization's authorized network communication and internal
    ID.AM-04: Inventories of services provided by suppliers are maintained
    ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact
    ID.AM-06: [Withdrawn: Incorporated into GV.RR-02, GV.SC-02]
    ID.AM-07: Inventories of data and corresponding metadata for designated data
    ID.AM-08: Systems, hardware, software, services, and data are managed throughout their
  Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and
    ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
    ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-03: Internal and external threats to the organization are identified and recorded
    ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent
    ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
    ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are
    ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to
    ID.RA-10: Critical suppliers are assessed prior to acquisition
  Improvement (ID.IM): Improvements to organizational cybersecurity risk
    ID.IM-01: Improvements are identified from evaluations
    ID.IM-02: Improvements are identified from security tests and exercises, including those
    ID.IM-03: Improvements are identified from execution of operational processes, procedures,
    ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are
  Business Environment (ID.BE): [Withdrawn: Incorporated into GV.OC]
    ID.BE-01: [Withdrawn: Incorporated into GV.OC-05]
    ID.BE-02: [Withdrawn: Incorporated into GV.OC-01]
    ID.BE-03: [Withdrawn: Incorporated into GV.OC-01]
    ID.BE-04: [Withdrawn: Incorporated into GV.OC-04, GV.OC-05]
    ID.BE-05: [Withdrawn: Incorporated into GV.OC-04]
  Governance (ID.GV): [Withdrawn: Incorporated into GV]
    ID.GV-01: [Withdrawn: Incorporated into GV.PO, GV.PO-01, GV.PO-02]
    ID.GV-02: [Withdrawn: Incorporated into GV.OC-02, GV.RR, GV.RR-02]
    ID.GV-03: [Withdrawn: Moved to GV.OC-03]
    ID.GV-04: [Withdrawn: Moved to GV.RM-04]
  Risk Management Strategy (ID.RM): [Withdrawn: Incorporated into GV.RM]
    ID.RM-01: [Withdrawn: Incorporated into GV.RM-01, GV.RM-06, GV.RR-03]
    ID.RM-02: [Withdrawn: Incorporated into GV.RM-02, GV.RM-04]
    ID.RM-03: [Withdrawn: Moved into GV.RM-02]
  Supply Chain Risk Management (ID.SC): [Withdrawn: Incorporated into GV.SC]
    ID.SC-01: [Withdrawn: Incorporated into GV.RM-05, GV.SC-01, GV.SC-06, GV.SC-09, GV.SC-10]
    ID.SC-02: [Withdrawn: Incorporated into GV.OC-02, GV.SC-03, GV.SC-04, GV.SC-07, ID.RA-10]
    ID.SC-03: [Withdrawn: Moved to GV.SC-05]
    ID.SC-04: [Withdrawn: Incorporated into GV.SC-07, ID.RA-10]
    ID.SC-05: [Withdrawn: Incorporated into GV.SC-08, ID.IM-02]

PROTECT (PR): Safeguards to manage the organization's cybersecurity risks
  Identity Management, Authentication, and Access Control (PR.AA): Access to physical
    PR.AA-01: Identities and credentials for authorized users, services, and hardware are
    PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
    PR.AA-03: Users, services, and hardware are authenticated
    PR.AA-04: Identity assertions are protected, conveyed, and verified
    PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed,
    PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with
  Awareness and Training (PR.AT): The organization's personnel are provided with
    PR.AT-01: Personnel are provided with awareness and training so that they possess the
    PR.AT-02: Individuals in specialized roles are provided with awareness and training so that
    PR.AT-03: [Withdrawn: Incorporated into PR.AT-01, PR.AT-02]
    PR.AT-04: [Withdrawn: Incorporated into PR.AT-02]
    PR.AT-05: [Withdrawn: Incorporated into PR.AT-02]
  Data Security (PR.DS): Data are managed consistent with the organization's risk
    PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
    PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
    PR.DS-03: [Withdrawn: Incorporated into ID.AM-08, PR.PS-03]
    PR.DS-04: [Withdrawn: Moved to PR.IR-04]
    PR.DS-05: [Withdrawn: Incorporated into PR.DS-01, PR.DS-02, PR.DS-10]
    PR.DS-06: [Withdrawn: Incorporated into PR.DS-01, DE.CM-09]
    PR.DS-07: [Withdrawn: Incorporated into PR.IR-01]
    PR.DS-08: [Withdrawn: Incorporated into ID.RA-09, DE.CM-09]
    PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
    PR.DS-11: Backups of data are created, protected, maintained, and tested
  Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems,
    PR.PS-01: Configuration management practices are established and applied
    PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
    PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
    PR.PS-04: Log records are generated and made available for continuous monitoring
    PR.PS-05: Installation and execution of unauthorized software are prevented
    PR.PS-06: Secure software development practices are integrated, and their performance
  Technology Infrastructure Resilience (PR.IR): Security architectures are managed
    PR.IR-01: Networks and environments are protected from unauthorized logical access and
    PR.IR-02: The organization's technology assets are protected from environmental threats
    PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and
    PR.IR-04: Adequate resource capacity to ensure availability is maintained
  Identity Management, Authentication and Access Control (PR.AC): [Withdrawn: Moved
    PR.AC-01: [Withdrawn: Incorporated into PR.AA-01, PR.AA-05]
    PR.AC-02: [Withdrawn: Moved to PR.AA-06]
    PR.AC-03: [Withdrawn: Incorporated into PR.AA-03, PR.AA-05, PR.IR-01]
    PR.AC-04: [Withdrawn: Moved to PR.AA-05]
    PR.AC-05: [Withdrawn: Incorporated into PR.IR-01]
    PR.AC-06: [Withdrawn: Moved to PR.AA-02]
    PR.AC-07: [Withdrawn: Moved to PR.AA-03]
  Information Protection Processes and Procedures (PR.IP): [Withdrawn:
    PR.IP-01: [Withdrawn: Incorporated into PR.PS-01]
    PR.IP-02: [Withdrawn: Incorporated into ID.AM-08, PR.PS-06]
    PR.IP-03: [Withdrawn: Incorporated into PR.PS-01, ID.RA-07]
    PR.IP-04: [Withdrawn: Moved to PR.DS-11]
    PR.IP-05: [Withdrawn: Moved to PR.IR-02]
    PR.IP-06: [Withdrawn: Incorporated into ID.AM-08]
    PR.IP-07: [Withdrawn: Incorporated into ID.IM, ID.IM-03]
    PR.IP-08: [Withdrawn: Moved to ID.IM-03]
    PR.IP-09: [Withdrawn: Moved to ID.IM-04]
    PR.IP-10: [Withdrawn: Incorporated into ID.IM-02, ID.IM-04]
    PR.IP-11: [Withdrawn: Moved to GV.RR-04]
    PR.IP-12: [Withdrawn: Incorporated into ID.RA-01, PR.PS-02]
  Maintenance (PR.MA): [Withdrawn: Incorporated into ID.AM-08]
    PR.MA-01: [Withdrawn: Incorporated into ID.AM-08, PR.PS-03]
    PR.MA-02: [Withdrawn: Incorporated into ID.AM-08, PR.PS-02]
  Protective Technology (PR.PT): [Withdrawn: Incorporated into other Protect Categories]
    PR.PT-01: [Withdrawn: Incorporated into PR.PS-04]
    PR.PT-02: [Withdrawn: Incorporated into PR.DS-01, PR.PS-01]
    PR.PT-03: [Withdrawn: Incorporated into PR.PS-01]
    PR.PT-04: [Withdrawn: Incorporated into PR.AA-06, PR.IR-01]
    PR.PT-05: [Withdrawn: Moved to PR.IR-03]

DETECT (DE): Possible cybersecurity attacks and compromises are found
  Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of
    DE.CM-01: Networks and network services are monitored to find potentially adverse events
    DE.CM-02: The physical environment is monitored to find potentially adverse events
    DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse
    DE.CM-04: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09]
    DE.CM-05: [Withdrawn: Incorporated into DE.CM-01, DE.CM-09]
    DE.CM-06: External service provider activities and services are monitored to find potentially
    DE.CM-07: [Withdrawn: Incorporated into DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09]
    DE.CM-08: [Withdrawn: Incorporated into ID.RA-01]
    DE.CM-09: Computing hardware and software, runtime environments, and their data are
  Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other
    DE.AE-01: [Withdrawn: Incorporated into ID.AM-03]
    DE.AE-02: Potentially adverse events are analyzed to better understand associated
    DE.AE-03: Information is correlated from multiple sources
    DE.AE-04: The estimated impact and scope of adverse events are understood
    DE.AE-05: [Withdrawn: Moved to DE.AE-08]
    DE.AE-06: Information on adverse events is provided to authorized staff and tools
    DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the
    DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
  Detection Processes (DE.DP): [Withdrawn: Incorporated into other Categories and
    DE.DP-01: [Withdrawn: Incorporated into GV.RR-02]
    DE.DP-02: [Withdrawn: Incorporated into DE.AE]
    DE.DP-03: [Withdrawn: Incorporated into ID.IM-02]
    DE.DP-04: [Withdrawn: Incorporated into DE.AE-06]
    DE.DP-05: [Withdrawn: Incorporated into ID.IM, ID.IM-03]

RESPOND (RS): Actions regarding a detected cybersecurity incident are
  Incident Management (RS.MA): Responses to detected cybersecurity incidents are
    RS.MA-01: The incident response plan is executed in coordination with relevant third
    RS.MA-02: Incident reports are triaged and validated
    RS.MA-03: Incidents are categorized and prioritized
    RS.MA-04: Incidents are escalated or elevated as needed
    RS.MA-05: The criteria for initiating incident recovery are applied
  Incident Analysis (RS.AN): Investigations are conducted to ensure effective response
    RS.AN-01: [Withdrawn: Incorporated into RS.MA-02]
    RS.AN-02: [Withdrawn: Incorporated into RS.MA-02, RS.MA-03, RS.MA-04]
    RS.AN-03: Analysis is performed to establish what has taken place during an incident and the
    RS.AN-04: [Withdrawn: Moved to RS.MA-03]
    RS.AN-05: [Withdrawn: Moved to ID.RA-08]
    RS.AN-06: Actions performed during an investigation are recorded, and the records'
    RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are
    RS.AN-08: An incident's magnitude is estimated and validated
  Incident Response Reporting and Communication (RS.CO): Response
    RS.CO-01: [Withdrawn: Incorporated into PR.AT-01]
    RS.CO-02: Internal and external stakeholders are notified of incidents
    RS.CO-03: Information is shared with designated internal and external stakeholders
    RS.CO-04: [Withdrawn: Incorporated into RS.MA-01, RS.MA-04]
    RS.CO-05: [Withdrawn: Incorporated into RS.CO-03]
  Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an
    RS.MI-01: Incidents are contained
    RS.MI-02: Incidents are eradicated
    RS.MI-03: [Withdrawn: Incorporated into ID.RA-06]
  Response Planning (RS.RP): [Withdrawn: Incorporated into RS.MA]
    RS.RP-01: [Withdrawn: Incorporated into RS.MA-01]
  Improvements (RS.IM): [Withdrawn: Incorporated into ID.IM]
    RS.IM-01: [Withdrawn: Incorporated into ID.IM-03, ID.IM-04]
    RS.IM-02: [Withdrawn: Incorporated into ID.IM-03]

RECOVER (RC): Assets and operations affected by a cybersecurity incident
  Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to
    RC.RP-01: The recovery portion of the incident response plan is executed once initiated from
    RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
    RC.RP-03: The integrity of backups and other restoration assets is verified before using them
    RC.RP-04: Critical mission functions and cybersecurity risk management are considered
    RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and
    RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related
  Incident Recovery Communication (RC.CO): Restoration activities are coordinated with
    RC.CO-01: [Withdrawn: Incorporated into RC.CO-04]
    RC.CO-02: [Withdrawn: Incorporated into RC.CO-04]
    RC.CO-03: Recovery activities and progress in restoring operational capabilities are
    RC.CO-04: Public updates on incident recovery are shared using approved methods and
  Improvements (RC.IM): [Withdrawn: Incorporated into ID.IM]
    RC.IM-01: [Withdrawn: Incorporated into ID.IM-03, ID.IM-04]
    RC.IM-02: [Withdrawn: Incorporated into ID.IM-03]


Implementation Examples | Informative References

GV (function) | CRI Profile v2.0: GV; CSF v1.1: ID.GV
GV.OC (category) | CRI Profile v2.0: GV.OC; CSF v1.1: ID.BE
GV.OC-01 - Ex1: Share the organization's mission (e.g., through vision and mission statements, | CRI Profile v2.0: GV.OC-01; CRI Profile v2.0: GV.OC-01.01
GV.OC-02 - Ex1: Identify relevant internal stakeholders and their cybersecurity-related | CRI Profile v2.0: GV.OC-02; CRI Profile v2.0: GV.OC-02.01
GV.OC-03 - Ex1: Determine a process to track and manage legal and regulatory requirements | CRI Profile v2.0: GV.OC-03; CRI Profile v2.0: GV.OC-03.01
GV.OC-04 - Ex1: Establish criteria for determining the criticality of capabilities and services as | CRI Profile v2.0: GV.OC-04; CRI Profile v2.0: GV.OC-04.01
GV.OC-05 - Ex1: Create an inventory of the organization's dependencies on external | CRI Profile v2.0: GV.OC-05; CRI Profile v2.0: GV.OC-05.01
GV.RM (category) | CRI Profile v2.0: GV.RM; CSF v1.1: ID.RM
GV.RM-01 - Ex1: Update near-term and long-term cybersecurity risk management objectives | CRI Profile v2.0: GV.RM-01; CRI Profile v2.0: GV.RM-01.01
GV.RM-02 - Ex1: Determine and communicate risk appetite statements that convey | CRI Profile v2.0: GV.RM-02; CRI Profile v2.0: GV.RM-02.01
GV.RM-03 - Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., | CRI Profile v2.0: GV.RM-03; CRI Profile v2.0: GV.RM-03.01
GV.RM-04 - Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various | CRI Profile v2.0: GV.RM-04; CRI Profile v2.0: GV.RM-04.01
GV.RM-05 - Ex1: Determine how to update senior executives, directors, and management on | CRI Profile v2.0: GV.RM-05; CRI Profile v2.0: GV.RM-05.01
GV.RM-06 - Ex1: Establish criteria for using a quantitative approach to cybersecurity risk | CRI Profile v2.0: GV.RM-06; CRI Profile v2.0: GV.RM-06.01
GV.RM-07 - Ex1: Define and communicate guidance and methods for identifying opportunities and | CRI Profile v2.0: GV.RM-07; CRI Profile v2.0: GV.RM-07.01
GV.RR (category) | CRI Profile v2.0: GV.RR; CSF v1.1: ID.GV-2
GV.RR-01 - Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, | CIS Controls v8.0: 14.1; CRI Profile v2.0: GV.RR-01
GV.RR-02 - Ex1: Document risk management roles and responsibilities in policy | CIS Controls v8.0: 14.9; CRI Profile v2.0: GV.RR-02
GV.RR-03 - Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk | CRI Profile v2.0: GV.RR-03; CRI Profile v2.0: GV.RR-03.01
GV.RR-04 - Ex1: Integrate cybersecurity risk management considerations into human | CIS Controls v8.0: 6.1; CIS Controls v8.0: 6.2
GV.PO (category) | CRI Profile v2.0: GV.PO; CSF v1.1: ID.GV-1
GV.PO-01 - Ex1: Create, disseminate, and maintain an understandable, usable risk management | CRI Profile v2.0: GV.PO-01; CRI Profile v2.0: GV.PO-01.01
GV.PO-02 - Ex1: Update policy based on periodic reviews of cybersecurity risk management | CRI Profile v2.0: GV.PO-02; CRI Profile v2.0: GV.PO-02.01
GV.OV (category) | CRI Profile v2.0: GV.OV
GV.OV-01 - Ex1: Measure how well the risk management strategy and risk results have | CRI Profile v2.0: GV.OV-01; CRI Profile v2.0: GV.OV-01.01
GV.OV-02 - Ex1: Review audit findings to confirm whether the existing cybersecurity strategy | CRI Profile v2.0: GV.OV-02; CRI Profile v2.0: GV.OV-02.01
GV.OV-03 - Ex1: Review key performance indicators (KPIs) to ensure that organization-wide | CRI Profile v2.0: GV.OV-03; CRI Profile v2.0: GV.OV-03.01
GV.SC (category) | CRI Profile v2.0: GV.SC; CSF v1.1: ID.SC
GV.SC-01 - Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain | CIS Controls v8.0: 15.2; CRI Profile v2.0: GV.SC-01
GV.SC-02 - Ex1: Identify one or more specific roles or positions that will be responsible and | CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-02
GV.SC-03 - Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk | CRI Profile v2.0: GV.SC-03; CRI Profile v2.0: GV.SC-03.01
GV.SC-04 - Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of | CIS Controls v8.0: 15.1
GV.SC-05 - Ex1: Establish security requirements for suppliers, products, and services | CIS Controls v8.0: 15.3; CIS Controls v8.0: 15.4; CRI Profile v2.0: EX.CN
GV.SC-06 - Ex1: Perform thorough due diligence on prospective suppliers that is consistent with | CIS Controls v8.0: 15.5; CRI Profile v2.0: EX.DD
GV.SC-07 - Ex1: Adjust assessment formats and frequencies based on the third party's | CIS Controls v8.0: 15.6; CRI Profile v2.0: EX.MM
GV.SC-08 - Ex1: Define and use rules and protocols for reporting incident response and recovery | CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-08
GV.SC-09 - Ex1: Policies and procedures require provenance records for all acquired | CIS Controls v8.0: 15.6; CRI Profile v2.0: GV.SC-09
GV.SC-10 - Ex1: Establish processes for terminating critical relationships under both normal and | CIS Controls v8.0: 15.7; CRI Profile v2.0: EX.TR

ID (function) | CRI Profile v2.0: ID; CSF v1.1: ID
ID.AM (category) | CRI Profile v2.0: ID.AM; CSF v1.1: ID.AM
ID.AM-01 - Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile | CIS Controls v8.0: 1.1; CRI Profile v2.0: ID.AM-01
ID.AM-02 - Ex1: Maintain inventories for all types of software and services, including | CIS Controls v8.0: 2.1; CRI Profile v2.0: ID.AM-02
ID.AM-03 - Ex1: Maintain baselines of communication and data flows within the organization's | CIS Controls v8.0: 3.8; CRI Profile v2.0: ID.AM-03
ID.AM-04 - Ex1: Inventory all external services used by the organization, including third-party | CIS Controls v8.0: 15.1; CRI Profile v2.0: ID.AM-04
ID.AM-05 - Ex1: Define criteria for prioritizing each class of assets | CIS Controls v8.0: 3.7; CRI Profile v2.0: ID.AM-05
ID.AM-07 - Ex1: Maintain a list of the designated data types of interest (e.g., personally | CIS Controls v8.0: 3.2; CRI Profile v2.0: ID.AM-07
ID.AM-08 - Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, | CIS Controls v8.0: 1.1; CIS Controls v8.0: 3.5
ID.RA (category) | CRI Profile v2.0: ID.RA; CSF v1.1: ID.RA
ID.RA-01 - Ex1: Use vulnerability management technologies to identify unpatched and | CIS Controls v8.0: 7.1; CRI Profile v2.0: ID.RA-01
ID.RA-02 - Ex1: Configure cybersecurity tools and technologies with detection or response | CRI Profile v2.0: ID.RA-02; CRI Profile v2.0: ID.RA-02.01
ID.RA-03 - Ex1: Use cyber threat intelligence to maintain awareness of the types of threat | CRI Profile v2.0: ID.RA-03; CRI Profile v2.0: ID.RA-03.01
ID.RA-04 - Ex1: Business leaders and cybersecurity risk management practitioners work together to | CRI Profile v2.0: ID.RA-04; CRI Profile v2.0: ID.RA-04.01
ID.RA-05 - Ex1: Develop threat models to better understand risks to the data and identify | CRI Profile v2.0: ID.RA-05; CRI Profile v2.0: ID.RA-05.01
ID.RA-06 - Ex1: Apply the vulnerability management plan's criteria for deciding whether to | CRI Profile v2.0: ID.RA-06; CRI Profile v2.0: ID.RA-06.01
ID.RA-07 - Ex1: Implement and follow procedures for the formal documentation, review, testing, | CRI Profile v2.0: ID.RA-07; CRI Profile v2.0: ID.RA-07.01
ID.RA-08 - Ex1: Conduct vulnerability information sharing between the organization and its | CIS Controls v8.0: 7.2; CRI Profile v2.0: ID.RA-08
ID.RA-09 - Ex1: Assess the authenticity and cybersecurity of critical technology | CRI Profile v2.0: EX.DD-04; CRI Profile v2.0: EX.DD-04.01
ID.RA-10 - Ex1: Conduct supplier risk assessments against business and applicable | CRI Profile v2.0: EX.DD-03; CRI Profile v2.0: EX.DD-03.01
ID.IM (category) | CRI Profile v2.0: ID.IM; CSF v1.1: RS.IM
ID.IM-01 - Ex1: Perform self-assessments of critical services that take current threats and TTPs | CRI Profile v2.0: ID.IM-01; CRI Profile v2.0: ID.IM-01.01
ID.IM-02 - Ex1: Identify improvements for future incident response activities based on | CIS Controls v8.0: 17.7; CRI Profile v2.0: ID.IM-02
ID.IM-03 - Ex1: Conduct collaborative lessons learned sessions with suppliers | CRI Profile v2.0: ID.IM-03; CRI Profile v2.0: ID.IM-03.01
ID.IM-04 - Ex1: Establish contingency plans (e.g., incident response, business continuity, | CRI Profile v2.0: ID.IM-04; CRI Profile v2.0: ID.IM-04.01

PR (function) | CRI Profile v2.0: PR; CSF v1.1: PR
PR.AA (category) | CRI Profile v2.0: PR.AA; CSF v1.1: PR.AC
PR.AA-01 - Ex1: Initiate requests for new access or additional access for employees, | CIS Controls v8.0: 5.1
PR.AA-02 - Ex1: Verify a person's claimed identity at enrollment time using government-issued | CIS Controls v8.0: 6.7; CRI Profile v2.0: PR.AA-02; CRI Profile v2.0: PR.AA-02.01
PR.AA-03 - Ex1: Require multifactor authentication; Ex2: Enforce policies for the minimum | CRI Profile v2.0: PR.AA-03; CRI Profile v2.0: PR.AA-03.01
PR.AA-04 - Ex1: Protect identity assertions that are used to convey authentication and user | CRI Profile v2.0: PR.AA-04; CRI Profile v2.0: PR.AA-04.01
PR.AA-05 - Ex1: Review logical and physical access privileges periodically and whenever | CIS Controls v8.0: 3.3
PR.AA-06 - Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other | CIS Controls v8.0: 6.8; CRI Profile v2.0: PR.AA-06; CRI Profile v2.0: PR.AA-06.01
PR.AT (category) | CRI Profile v2.0: PR.AT; CSF v1.1: PR.AT
PR.AT-01 - Ex1: Provide basic cybersecurity awareness and training to employees, contractors, | CIS Controls v8.0: 14.1; CRI Profile v2.0: PR.AT-01
PR.AT-02 - Ex1: Identify the specialized roles within the organization that require additional | CIS Controls v8.0: 14.9; CRI Profile v2.0: PR.AT-02
PR.DS (category) | CRI Profile v2.0: PR.DS; CSF v1.1: PR.DS
PR.DS-01 - Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the | CIS Controls v8.0: 3.11; CRI Profile v2.0: PR.DS-01
PR.DS-02 - Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the | CIS Controls v8.0: 3.10; CRI Profile v2.0: PR.DS-02
PR.DS-10 - Ex1: Remove data that must remain confidential (e.g., from processors and | CRI Profile v2.0: PR.DS-10; CRI Profile v2.0: PR.DS-10.01
PR.DS-11 - Ex1: Continuously back up critical data in near-real-time, and back up other data | CIS Controls v8.0: 11.2; CIS Controls v8.0: 11.3
PR.PS (category) | CRI Profile v2.0: PR.PS
PR.PS-01 - Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the | CIS Controls v8.0: 4.1; CIS Controls v8.0: 4.2
PR.PS-02 - Ex1: Perform routine and emergency patching within the timeframes specified in | CIS Controls v8.0: 2.2; CIS Controls v8.0: 2.3
PR.PS-03 - Ex1: Replace hardware when it lacks needed security capabilities or when it | CIS Controls v8.0: 1.2; CRI Profile v2.0: PR.PS-03
PR.PS-04 - Ex1: Configure all operating systems, applications, and services (including cloud- | CIS Controls v8.0: 8.2; CRI Profile v2.0: PR.PS-04
PR.PS-05 - Ex1: When risk warrants it, restrict software execution to permitted products only or | CIS Controls v8.0: 2.5; CRI Profile v2.0: PR.PS-05
PR.PS-06 - Ex1: Protect all components of organization-developed software from | CIS Controls v8.0: 16.1; CRI Profile v2.0: PR.PS-06
PR.IR (category) | CRI Profile v2.0: PR.IR
PR.IR-01 - Ex1: Logically segment organization networks and cloud-based platforms | CIS Controls v8.0: 3.12
PR.IR-02 - Ex1: Protect organizational equipment from known environmental threats, such as | CIS Controls v8.0: 12.2; CRI Profile v2.0: PR.IR-02; CRI Profile v2.0: PR.IR-02.01
PR.IR-03 - Ex1: Avoid single points of failure in systems and infrastructure | CRI Profile v2.0: PR.IR-03; CRI Profile v2.0: PR.IR-03.01
PR.IR-04 - Ex1: Monitor usage of storage, power, compute, network bandwidth, and other | CRI Profile v2.0: PR.IR-04; CRI Profile v2.0: PR.IR-04.01


DE (function) | CRI Profile v2.0: DE; CSF v1.1: DE
DE.CM (category) | CRI Profile v2.0: DE.CM; CSF v1.1: DE.CM
DE.CM-01 - Ex1: Monitor DNS, BGP, and other network services for adverse events | CIS Controls v8.0: 13.1; CRI Profile v2.0: DE.CM-01
DE.CM-02 - Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find | CRI Profile v2.0: DE.CM-02; CRI Profile v2.0: DE.CM-02.01
DE.CM-03 - Ex1: Use behavior analytics software to detect anomalous user activity to mitigate | CIS Controls v8.0: 10.7; CRI Profile v2.0: DE.CM-03
DE.CM-06 - Ex1: Monitor remote and onsite administration and maintenance activities | CIS Controls v8.0: 15.2; CIS Controls v8.0: 15.6
DE.CM-09 - Ex1: Monitor email, web, file sharing, collaboration services, and other common | CIS Controls v8.0: 10.1; CRI Profile v2.0: DE.CM-09
DE.AE (category) | CRI Profile v2.0: DE.AE; CSF v1.1: DE.AE
DE.AE-02 - Ex1: Use security information and event management (SIEM) or other tools to | CIS Controls v8.0: 8.11; CRI Profile v2.0: DE.AE-02
DE.AE-03 - Ex1: Constantly transfer log data generated by other sources to a relatively small | CRI Profile v2.0: DE.AE-03; CRI Profile v2.0: DE.AE-03.01
DE.AE-04 - Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine | CRI Profile v2.0: DE.AE-04; CRI Profile v2.0: DE.AE-04.01
DE.AE-06 - Ex1: Use cybersecurity software to generate alerts and provide them to the security | CRI Profile v2.0: DE.AE-06; CRI Profile v2.0: DE.AE-06.01
DE.AE-07 - Ex1: Securely provide cyber threat intelligence feeds to detection | CRI Profile v2.0: DE.AE-07; CRI Profile v2.0: DE.AE-07.01
DE.AE-08 - Ex1: Apply incident criteria to known and assumed characteristics of activity in order | CRI Profile v2.0: DE.AE-08; CRI Profile v2.0: DE.AE-08.01

RS (function) | CRI Profile v2.0: RS; CSF v1.1: RS
RS.MA (category) | CRI Profile v2.0: RS.MA; CSF v1.1: RS.RP
RS.MA-01 - Ex1: Detection technologies automatically report confirmed incidents | CIS Controls v8.0: 17.4; CRI Profile v2.0: RS.MA-01
RS.MA-02 - Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related | CRI Profile v2.0: RS.MA-02; CRI Profile v2.0: RS.MA-02.01
RS.MA-03 - Ex1: Further review and categorize incidents based on the type of incident | CRI Profile v2.0: RS.MA-03; CRI Profile v2.0: RS.MA-03.01
RS.MA-04 - Ex1: Track and validate the status of all ongoing incidents | CRI Profile v2.0: RS.MA-04; CRI Profile v2.0: RS.MA-04.01
RS.MA-05 - Ex1: Apply incident recovery criteria to known and assumed characteristics of the | CIS Controls v8.0: 17.9; CRI Profile v2.0: RS.MA-05
RS.AN (category) | CRI Profile v2.0: RS.AN; CSF v1.1: RS.AN


RS.AN-03 - Ex1: Determine the sequence of events that occurred during the incident and which | CIS Controls v8.0: 17.8; CRI Profile v2.0: RS.AN-03
RS.AN-06 - Ex1: Require each incident responder and others (e.g., system administrators, | CRI Profile v2.0: RS.AN-06; CRI Profile v2.0: RS.AN-06.01
RS.AN-07 - Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and | CRI Profile v2.0: RS.AN-07; CRI Profile v2.0: RS.AN-07.01
RS.AN-08 - Ex1: Review other potential targets of the incident to search for indicators of | CRI Profile v2.0: RS.AN-08; CRI Profile v2.0: RS.AN-08.01
RS.CO (category) | CRI Profile v2.0: RS.CO; CSF v1.1: RS.CO
RS.CO-02 - Ex1: Follow the organization's breach notification procedures after discovering a | CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-02
RS.CO-03 - Ex1: Securely share information consistent with response plans and information | CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-03
RS.MI (category) | CRI Profile v2.0: RS.MI; CSF v1.1: RS.MI
RS.MI-01 - Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity | CRI Profile v2.0: RS.MI-01; CRI Profile v2.0: RS.MI-01.01
RS.MI-02 - Ex1: Cybersecurity technologies and cybersecurity features of other | CRI Profile v2.0: RS.MI-02; CRI Profile v2.0: RS.MI-02.01

RC (function) | CRI Profile v2.0: RC; CSF v1.1: RC
RC.RP (category) | CRI Profile v2.0: RC.RP; CSF v1.1: RC.RP
RC.RP-01 - Ex1: Begin recovery procedures during or after incident response processes | CRI Profile v2.0: RC.RP-01; CRI Profile v2.0: RC.RP-01.01
RC.RP-02 - Ex1: Select recovery actions based on the criteria defined in the incident response | CRI Profile v2.0: RC.RP-02; CRI Profile v2.0: RC.RP-02.01
RC.RP-03 - Ex1: Check restoration assets for indicators of compromise, file corruption, and other | CIS Controls v8.0: 11.5; CRI Profile v2.0: RC.RP-03
RC.RP-04 - Ex1: Use business impact and system categorization records (including service | CRI Profile v2.0: RC.RP-04; CRI Profile v2.0: RC.RP-04.01
RC.RP-05 - Ex1: Check restored assets for indicators of compromise and remediation of root | CRI Profile v2.0: RC.RP-05; CRI Profile v2.0: RC.RP-05.01
RC.RP-06 - Ex1: Prepare an after-action report that documents the incident itself, the response | CRI Profile v2.0: RC.RP-06; CRI Profile v2.0: RC.RP-06.01
RC.CO (category) | CRI Profile v2.0: RC.CO; CSF v1.1: RC.CO


RC.CO-03 - Ex1: Securely share recovery information, including restoration progress, consistent | CRI Profile v2.0: RC.CO-03; CRI Profile v2.0: RC.CO-03.01
RC.CO-04 - Ex1: Follow the organization's breach notification procedures for recovering from | CIS Controls v8.0: 17.2; CIS Controls v8.0: 17.6