| 💼 Adverse Event Analysis (DE.AE) | 6 | | | |
| 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | | | 26 | |
| 💼 DE.AE-03: Information is correlated from multiple sources | | | 26 | |
| 💼 DE.AE-04: The estimated impact and scope of adverse events are understood | | | 14 | |
| 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools | | | 33 | |
| 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis | | | 22 | |
| 💼 DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria | | | | |
| 💼 Asset Management (ID.AM) | 7 | | | |
| 💼 ID.AM-01: Inventories of hardware managed by the organization are maintained | | | 3 | |
| 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained | | | 7 | |
| 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | | | 31 | |
| 💼 ID.AM-04: Inventories of services provided by suppliers are maintained | | | | |
| � 💼 ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission | | | | |
| 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained | | | | |
| 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | | | 3 | |
| 💼 Awareness and Training (PR.AT) | 2 | | | |
| 💼 PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | | | 7 | |
| 💼 PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | | | | |
| 💼 Continuous Monitoring (DE.CM) | 5 | | | |
| 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | | | 83 | |
| 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events | | | 8 | |
| 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | | | 59 | |
| 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | | | 27 | |
| 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | | | 89 | |
| 💼 Cybersecurity Supply Chain Risk Management (GV.SC) | 10 | | | |
| 💼 GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | | | | |
| 💼 GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | | | | |
| 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | | | 7 | |
| 💼 GV.SC-04: Suppliers are known and prioritized by criticality | | | 7 | |
| 💼 GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | | | | |
| 💼 GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | | | | |
| 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | | | 26 | |
| 💼 GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | | | 1 | |
| 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | | | |
| 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | | | | |
| 💼 Data Security (PR.DS) | 4 | | | |
| 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | | | 82 | |
| 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | | | 69 | |
| 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | | | 67 | |
| 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested | | | 6 | |
| 💼 Identity Management, Authentication, and Access Control (PR.AA) | 6 | | | |
| 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | | | 23 | |
| 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | | | 8 | |
| 💼 PR.AA-03: Users, services, and hardware are authenticated | | | 22 | |
| 💼 PR.AA-04: Identity assertions are protected, conveyed, and verified | | | | |
| 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | | | 58 | |
| 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk | | | 13 | |
| ���💼 Improvement (ID.IM) | 4 | | | |
| 💼 ID.IM-01: Improvements are identified from evaluations | | | 10 | |
| 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | | | 23 | |
| 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | | | 24 | |
| 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | | | 3 | |
| 💼 Incident Analysis (RS.AN) | 4 | | | |
| 💼 RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident | | | | |
| 💼 RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved | | | | |
| 💼 RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved | | | | |
| 💼 RS.AN-08: An incident's magnitude is estimated and validated | | | | |
| 💼 Incident Management (RS.MA) | 5 | | | |
| 💼 RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared | | | | |
| 💼 RS.MA-02: Incident reports are triaged and validated | | | 22 | |
| 💼 RS.MA-03: Incidents are categorized and prioritized | | | | |
| 💼 RS.MA-04: Incidents are escalated or elevated as needed | | | | |
| 💼 RS.MA-05: The criteria for initiating incident recovery are applied | | | | |
| 💼 Incident Mitigation (RS.MI) | 2 | | | |
| 💼 RS.MI-01: Incidents are contained | | | 7 | |
| 💼 RS.MI-02: Incidents are eradicated | | | 7 | |
| 💼 Incident Recovery Communication (RC.CO) | 2 | | | |
| 💼 RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | | | | |
| 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging | | | 23 | |
| 💼 Incident Recovery Plan Execution (RC.RP) | 6 | | | |
| 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | | | 2 | |
| 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | | | 2 | |
| 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration | | | 1 | |
| 💼 RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms | | | | |
| 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | | | 2 | |
| 💼 RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed | | | | |
| 💼 Incident Response Reporting and Communication (RS.CO) | 2 | | | |
| 💼 RS.CO-02: Internal and external stakeholders are notified of incidents | | | 30 | |
| 💼 RS.CO-03: Information is shared with designated internal and external stakeholders | | | 17 | |
| 💼 Organizational Context (GV.OC) | 5 | | | |
| 💼 GV.OC-01: The organizational mission is understood and informs cybersecurity risk management | | | | |
| 💼 GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | | | 7 | |
| 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | | | 2 | |
| 💼 GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated | | | 4 | |
| 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | | | 4 | |
| 💼 Oversight (GV.OV) | 3 | | | |
| 💼 GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | | | | |
| 💼 GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | | | | |
| 💼 GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | | | | |
| 💼 Policy (GV.PO) | 2 | | | |
| 💼 GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | | | | |
| 💼 GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | | | | |
| 💼 Risk Assessment (ID.RA) | 10 | | | |
| 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded | | | 22 | |
| 💼 ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources | | | | |
| 💼 ID.RA-03: Internal and external threats to the organization are identified and recorded | | | 7 | |
| 💼 ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | | | 7 | |
| 💼 ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | | | 7 | |
| 💼 ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated | | | 7 | |
| 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | | | 24 | |
| 💼 ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established | | | | |
| 💼 ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | | | | |
| 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition | | | 26 | |
| 💼 Risk Management Strategy (GV.RM) | 7 | | | |
| 💼 GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders | | | | |
| 💼 GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained | | | | |
| 💼 GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | | | | |
| 💼 GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated | | | | |
| 💼 GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | | | | |
| 💼 GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | | | | |
| 💼 GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | | | | |
| 💼 Roles, Responsibilities, and Authorities (GV.RR) | 4 | | | |
| 💼 GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | | | | |
| 💼 GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | | | | |
| 💼 GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | | | | |
| 💼 GV.RR-04: Cybersecurity is included in human resources practices | | | | |
| 💼 Technology Infrastructure Resilience (PR.IR) | 4 | | | |
| 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | | | 40 | |
| 💼 PR.IR-02: The organization's technology assets are protected from environmental threats | | | | |
| 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | | | 5 | |
| 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained | | | 1 | |