NIST CSF

Last updated: 2024/03/05

The NIST Cybersecurity Framework is guidance, built on existing standards, guidelines and practices, that helps organizations better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector. The version used in this section is NIST CSF v2.0.

Control-Requirement Mapping

Definition | Requirements
ID_AM-03. Representations of the organization’s authorized network communication and internal and external network data flows are maintained
ID_AM-04. Inventories of services provided by suppliers are maintained
PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions
PR_AA-03. Users, services, and hardware are authenticated
PR_AA-04. Identity assertions are protected, conveyed, and verified
PR_AA-05. Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
PR_AA-06. Physical access to assets is managed, monitored, and enforced commensurate with risk
PR_DS-01. The confidentiality, integrity, and availability of data-at-rest are protected
PR_DS-02. The confidentiality, integrity, and availability of data-in-transit are protected
PR_DS-10. The confidentiality, integrity, and availability of data-in-use are protected
PR_DS-11. Backups of data are created, protected, maintained, and tested
PR_PS-02. Software is maintained, replaced, and removed commensurate with risk
PR_PS-04. Log records are generated and made available for continuous monitoring
PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
PR_IR-01. Networks and environments are protected from unauthorized logical access and usage
DE_CM-01. Networks and network services are monitored to find potentially adverse events
DE_CM-03. Personnel activity and technology usage are monitored to find potentially adverse events
DE_CM-06. External service provider activities and services are monitored to find potentially adverse events
DE_AE-02. Potentially adverse events are analyzed to better understand associated activities
RS_MA-01. The incident response plan is executed in coordination with relevant third parties once an incident is declared
RS_AN-07. Incident data and metadata are collected, and their integrity and provenance are preserved
RC_RP-01. The recovery portion of the incident response plan is executed once initiated from the incident response process