| 💼 Analysis (RS.AN) | 5 | | | |
| 💼 RS.AN-1: Notifications from detection systems are investigated | | 19 | 22 | |
| 💼 RS.AN-2: The impact of the incident is understood | | | | |
| 💼 RS.AN-3: Forensics are performed | | | | |
| 💼 RS.AN-4: Incidents are categorized consistent with response plans | | | | |
| 💼 RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | | | | |
| 💼 Anomalies and Events (DE.AE) | 5 | | | |
| 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | | 10 | 11 | |
| 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods | | 19 | 22 | |
| 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors | | 19 | 22 | |
| 💼 DE.AE-4: Impact of events is determined | | 14 | 14 | |
| 💼 DE.AE-5: Incident alert thresholds are established | | | | |
| 💼 Asset Management (ID.AM) | 6 | | | |
| 💼 ID.AM-1: Physical devices and systems within the organization are inventoried | | | 2 | |
| 💼 ID.AM-2: Software platforms and applications within the organization are inventoried | | 4 | 6 | |
| 💼 ID.AM-3: Organizational communication and data flows are mapped | | 3 | 3 | |
| 💼 ID.AM-4: External information systems are catalogued | | | | |
| 💼 ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | | | | |
| 💼 ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | | | | |
| 💼 Awareness and Training (PR.AT) | 5 | | | |
| 💼 PR.AT-1: All users are informed and trained | | 7 | 7 | |
| 💼 PR.AT-2: Privileged users understand their roles and responsibilities | | | | |
| 💼 PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | | | | |
| 💼 PR.AT-4: Senior executives understand their roles and responsibilities | | | | |
| 💼 PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | | | | |
| 💼 Business Environment (ID.BE) | 5 | | | |
| 💼 ID.BE-1: The organization's role in the supply chain is identified and communicated | | | | |
| 💼 ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | | | | |
| 💼 ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | | | | |
| 💼 ID.BE-4: Dependencies and critical functions for delivery of critical services are established | | | 4 | |
| 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | | 4 | 4 | |
| 💼 Communications (RC.CO) | 3 | | | |
| 💼 RC.CO-1: Public relations are managed | | | | |
| 💼 RC.CO-2: Reputation is repaired after an incident | | | | |
| 💼 RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | | | | |
| 💼 Communications (RS.CO) | 5 | | | |
| 💼 RS.CO-1: Personnel know their roles and order of operations when a response is needed | | | | |
| 💼 RS.CO-2: Incidents are reported consistent with established criteria | | 20 | 23 | |
| 💼 RS.CO-3: Information is shared consistent with response plans | | 16 | 17 | |
| 💼 RS.CO-4: Coordination with stakeholders occurs consistent with response plans | | | | |
| 💼 RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | | | | |
| 💼 Data Security (PR.DS) | 8 | | | |
| 💼 PR.DS-1: Data-at-rest is protected | | 15 | 19 | |
| 💼 PR.DS-2: Data-in-transit is protected | | 14 | 21 | |
| 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | | | 2 | |
| 💼 PR.DS-4: Adequate capacity to ensure availability is maintained | | 1 | 1 | |
| 💼 PR.DS-5: Protections against data leaks are implemented | | 43 | 51 | |
| 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | | 18 | 19 | |
| 💼 PR.DS-7: The development and testing environment(s) are separate from the production environment | | | 1 | |
| 💼 PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | | | | |
| 💼 Detection Processes (DE.DP) | 5 | | | |
| 💼 DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | | | | |
| 💼 DE.DP-2: Detection activities comply with all applicable requirements | | 7 | 7 | |
| 💼 DE.DP-3: Detection processes are tested | | 14 | 14 | |
| 💼 DE.DP-4: Event detection information is communicated | | 30 | 33 | |
| 💼 DE.DP-5: Detection processes are continuously improved | | 14 | 16 | |
| 💼 Governance (ID.GV) | 4 | | | |
| 💼 ID.GV-1: Organizational cybersecurity policy is established and communicated | | | | |
| 💼 ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | | | | |
| 💼 ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | | 2 | 2 | |
| 💼 ID.GV-4: Governance and risk management processes address cybersecurity risks | | | | |
| 💼 Identity Management, Authentication and Access Control (PR.AC) | 7 | | | |
| 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | | 19 | 22 | |
| 💼 PR.AC-2: Physical access to assets is managed and protected | | | | |
| 💼 PR.AC-3: Remote access is managed | | | | |
| 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | | 17 | 35 | |
| 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | | 7 | 13 | |
| 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | | 4 | 8 | |
| 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | | 19 | 22 | |
| 💼 Improvements (RC.IM) | 2 | | | |
| 💼 RC.IM-1: Recovery plans incorporate lessons learned | | | | |
| 💼 RC.IM-2: Recovery strategies are updated | | | | |
| 💼 Improvements (RS.IM) | 2 | | | |
| 💼 RS.IM-1: Response plans incorporate lessons learned | | | | |
| 💼 RS.IM-2: Response strategies are updated | | | | |
| 💼 Information Protection Processes and Procedures (PR.IP) | 12 | | | |
| 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | | 4 | 14 | |
| 💼 PR.IP-2: A System Development Life Cycle to manage systems is implemented | | 6 | 6 | |
| 💼 PR.IP-3: Configuration change control processes are in place | | 4 | 4 | |
| 💼 PR.IP-4: Backups of information are conducted, maintained, and tested | | 5 | 5 | |
| 💼 PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | | | | |
| 💼 PR.IP-6: Data is destroyed according to policy | | | | |
| 💼 PR.IP-7: Protection processes are improved | | | 2 | |
| 💼 PR.IP-8: Effectiveness of protection technologies is shared | | 7 | 7 | |
| 💼 PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | | 3 | 3 | |
| 💼 PR.IP-10: Response and recovery plans are tested | | 1 | 1 | |
| 💼 PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | | | | |
| 💼 PR.IP-12: A vulnerability management plan is developed and implemented | | 7 | 8 | |
| 💼 Maintenance (PR.MA) | 2 | | | |
| 💼 PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | | | | |
| 💼 PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | | 1 | 1 | |
| 💼 Mitigation (RS.MI) | 3 | | | |
| 💼 RS.MI-1: Incidents are contained | | 7 | 7 | |
| 💼 RS.MI-2: Incidents are mitigated | | 7 | 7 | |
| 💼 RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | | 7 | 7 | |
| 💼 Protective Technology (PR.PT) | 5 | | | |
| 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | | 17 | 20 | |
| 💼 PR.PT-2: Removable media is protected and its use restricted according to policy | | | | |
| 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | | 21 | 25 | |
| 💼 PR.PT-4: Communications and control networks are protected | | 7 | 13 | |
| 💼 PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | | 4 | 4 | |
| 💼 Recovery Planning (RC.RP) | 1 | | | |
| 💼 RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | | | | |
| 💼 Response Planning (RS.RP) | 1 | | | |
| 💼 RS.RP-1: Response plan is executed during or after an incident | | | | |
| 💼 Risk Assessment (ID.RA) | 6 | | | |
| 💼 ID.RA-1: Asset vulnerabilities are identified and documented | | 14 | 15 | |
| 💼 ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | | | | |
| 💼 ID.RA-3: Threats, both internal and external, are identified and documented | | 7 | 7 | |
| 💼 ID.RA-4: Potential business impacts and likelihoods are identified | | 7 | 7 | |
| 💼 ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | | 7 | 7 | |
| 💼 ID.RA-6: Risk responses are identified and prioritized | | | | |
| 💼 Risk Management Strategy (ID.RM) | 3 | | | |
| 💼 ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | | | | |
| 💼 ID.RM-2: Organizational risk tolerance is determined and clearly expressed | | | | |
| 💼 ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | | | | |
| 💼 Security Continuous Monitoring (DE.CM) | 8 | | | |
| 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events | | 19 | 28 | |
| 💼 DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | | | | |
| 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | | 21 | 24 | |
| 💼 DE.CM-4: Malicious code is detected | | 7 | 7 | |
| 💼 DE.CM-5: Unauthorized mobile code is detected | | 11 | 11 | |
| 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | | 7 | 7 | |
| 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | | 19 | 23 | |
| 💼 DE.CM-8: Vulnerability scans are performed | | 7 | 7 | |
| 💼 Supply Chain Risk Management (ID.SC) | 5 | | | |
| 💼 ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | | | | |
| 💼 ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | | 7 | 7 | |
| 💼 ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan | | | | |
| 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | | 16 | 19 | |
| 💼 ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | | 1 | 1 | |