NIST CSF

Summary

The NIST Cybersecurity Framework is a guidance based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector. The version used in this section NIST CSF v2.0.

Definitions

Definition	Requirements
NIST-ID_AM-03. Representations of the organization’s authorized network communication and internal and external network data flows are maintained	337. Make critical logic flows thread safe
NIST-ID_AM-04. Inventories of services provided by suppliers are maintained	330. Verify Subresource Integrity
NIST-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization	122. Validate credential ownership 142. Change system default credentials 143. Unique access credentials 380. Define a password management tool 025. Manage concurrent sessions 035. Manage privilege modifications
NIST-PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions	033. Restrict administrative access
NIST-PR_AA-03. Users, services, and hardware are authenticated	225. Proper authentication responses 229. Request access credentials 264. Request authentication 362. Assign MFA mechanisms to a single account
NIST-PR_AA-04. Identity assertions are protected, conveyed, and verified	096. Set user's required privileges
NIST-PR_AA-05. Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties	186. Use the principle of least privilege
NIST-PR_AA-06. Physical access to assets is managed, monitored, and enforced commensurate with risk	257. Access based on user credentials 266. Disable insecure functionalities 273. Define a fixed security suite
NIST-PR_DS-01. The confidentiality, integrity, and availability of data-at-rest are protected	176. Restrict system objects
NIST-PR_DS-02. The confidentiality, integrity, and availability of data-in-transit are protected	181. Transmit data using secure protocols
NIST-PR_DS-10. The confidentiality, integrity, and availability of data-in-use are protected	062. Define standard configurations
NIST-PR_DS-11. Backups of data are created, protected, maintained, and tested	185. Encrypt sensitive information
NIST-PR_PS-02. Software is maintained, replaced, and removed commensurate with risk	262. Verify third-party components
NIST-PR_PS-04. Log records are generated and made available for continuous monitoring	377. Store logs based on valid regulation 378. Use of log management system
NIST-PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle	158. Use a secure programming language 161. Define secure default options 062. Define standard configurations
NIST-PR_IR-01. Networks and environments are protected from unauthorized logical access and usage	259. Segment the organization network 341. Use the principle of deny by default
NIST-DE_CM-01. Networks and network services are monitored to find potentially adverse events	376. Register severity level
NIST-DE_CM-03. Personnel activity and technology usage are monitored to find potentially adverse events	376. Register severity level 377. Store logs based on valid regulation 378. Use of log management system 075. Record exceptional events in logs 079. Record exact occurrence time of events
NIST-DE_CM-06. External service provider activities and services are monitored to find potentially adverse events	262. Verify third-party components
NIST-DE_AE-02. Potentially adverse events are analyzed to better understand associated activities	376. Register severity level 079. Record exact occurrence time of events 080. Prevent log modification
NIST-RS_MA-01. The incident response plan is executed in coordination with relevant third parties once an incident is declared	225. Proper authentication responses
NIST-RS_AN-07. Incident data and metadata are collected, and their integrity and provenance are preserved	377. Store logs based on valid regulation 046. Manage the integrity of critical files 080. Prevent log modification
NIST-RC_RP-01. The recovery portion of the incident response plan is executed once initiated from the incident response process	238. Establish safe recovery

Last updated

2024/03/05