NIST Cybersecurity Framework

Use NIST's Framework to manage and control your cybersecurity threats and attacks.
Use it to protect your organization's critical infrastructure and to safeguard the health,
safety, security, and privacy of its customers, employees, and other interested parties.
This web page presents an extensive overview of NIST's Cybersecurity Framework.
It also provides a link to a PDF sample of our Plain English Cybersecurity Framework.

ID. Identify your context

ID.AM Identify all relevant assets.

• Identify the assets that enable you to achieve your business purposes.

• Manage your assets in a way that is consistent with their relative importance.

ID.AM-1 Identify your physical devices and systems.

• Inventory the devices that enable you to achieve your business purposes.

• Inventory the systems that enable you to achieve your business purposes.

ID.AM-2 Identify your software platforms and apps.

• Identify the software platforms that enable you to achieve your business purposes.

• Identify the software applications that enable you to achieve your business purposes.

ID.AM-3 Identify your communication and data flows.

• Identify the communications that enable you to achieve your business purposes.

• Identify the data flows that enable you to achieve your business purposes.

ID.AM-4 Identify your external information systems.

• Identify the external systems that enable you to achieve business purposes.

ID.AM-5 Identify your high priority security resources.

• Identify high priority security facilities that support your organization’s purpose.

• Identify high priority security hardware that supports your organization’s purpose.

• Identify high priority security software that supports your organization’s purpose.

• Identify high priority security devices that support your organization’s purpose.

• Identify high priority security data that support your organization’s purpose.

• Identify high priority security personnel that support your organization’s purpose.

ID.AM-6 Identify your security roles and responsibilities.

• Identify the cybersecurity jobs that enable you to achieve your business purposes.

• Establish the cybersecurity jobs that enable you to achieve business purposes.

• Manage the cybersecurity jobs that enable you to achieve business purposes.

ID.BE Identify business environment.

• Identify and understand your mission, objectives, activities, and stakeholders.

• Use your cybersecurity priorities to help define your approach to cybersecurity.

ID.BE-1 Clarify your organization’s role in the overall supply chain.

• Identify your organization’s role in the supply chain.

• Understand your organization’s role in the supply chain.

ID.BE-2 Clarify how you fit into your infrastructure environment.

• Identify how your organization’s infrastructure fits into your area’s infrastructure.

• Understand the role that your infrastructure plays in your area’s infrastructure.

ID.BE-3 Clarify your organization’s general cybersecurity priorities.

• Communicate your organization’s infrastructure cybersecurity priorities.

ID.BE-4 Clarify your critical functions, services, and dependencies.

• Identify your organization’s critical functions, services, and dependencies.

• Communicate your organization’s critical functions, services, and dependencies.

ID.BE-5 Clarify your organization’s general resilience requirements.

• Identify your organization’s critical service delivery resilience requirements.

• Prioritize your organization’s critical service delivery resilience requirements.

• Communicate your organization’s critical service delivery resilience requirements.

ID.GV Identify governance framework.

• Identify and understand your organization’s approach to governance.

• Use your approach to governance to guide cybersecurity risk management.

ID.GV-1 Formulate your organization’s cybersecurity policy.

• Establish a cybersecurity policy for your organization.

• Communicate your organization’s cybersecurity policy.

ID.GV-2 Align your cybersecurity roles and responsibilities.

• Align internal cybersecurity roles and responsibilities with other functions.

• Coordinate internal cybersecurity roles and responsibilities with other functions.

ID.GV-3 Understand your legal and regulatory requirements.

• Understand your organization’s legal and regulatory cybersecurity requirements.

• Manage your organization’s legal and regulatory cybersecurity requirements.

ID.GV-4 Define processes to address your cybersecurity risks.

• Define a governance process to address your organization’s cybersecurity risks.

• Define a management process to address your organization’s cybersecurity risks.

ID.RA Identify threats and vulnerabilities.

• Identify and understand your organization’s cybersecurity risks.

ID.RA-1 Identify and document your asset vulnerabilities.

• Establish a corporate asset vulnerability assessment process.

• Assign asset vulnerability assessment roles and responsibilities.

• Evaluate how vulnerable your organization’s assets actually are.

• Identify and document your organization’s asset vulnerabilities.

ID.RA-2 Gather threat intelligence from external sources.

• Join information sharing forums that discuss cybersecurity risks and threats.

• Gather cyber threat intelligence from information sharing forums and sources.

• Generate and disseminate internal security alerts, advisories, and directives.

ID.RA-3 Define and document your cybersecurity threats.

• Identify and document your organization’s cybersecurity threats.

• Consider establishing an insider cybersecurity threat program.

ID.RA-4 Clarify potential business impacts and likelihoods.

• Consider potential security threats and identify potential business impacts.

• Assess the likelihood that infrastructure security incidents will actually occur.

ID.RA-5 Use threats and vulnerabilities to determine risk.

• Consider your organization’s security threats and vulnerabilities.

• Consider information about likelihoods and potential impacts.

ID.RA-6 Specify and prioritize treatments and responses.

• Specify your organization’s risk treatment options and responses.

• Prioritize your organization’s risk treatment options and responses.

ID.RM Identify risk management strategy.

• Establish your organization’s risk management strategy.

• Implement your organization’s risk management strategy.

ID.RM-1 Establish your risk management processes.

• Develop your organization’s risk management processes.

• Establish your organization’s risk management processes.

• Manage your organization’s risk management processes.

ID.RM-2 Determine your organization’s risk tolerances.

• Determine how much risk your organization is willing to take.

• Document your organization’s risk tolerance for each type of risk.

• Implement and apply risk tolerance levels for each type of risk.

ID.RM-3 Use your infrastructure’s role to guide decisions.

• Consider how your infrastructure fits into your region’s critical infrastructure.

• Consider how your infrastructure fits into your organization’s industrial sector.

ID.SC Identify strategy for supply chains.

• Use your risk management strategy to help manage your supply chains.

ID.SC-1 Develop supply chain risk management processes.

• Develop your organization’s cyber supply chain risk management processes.

• Establish your organization’s cyber supply chain risk management processes.

• Manage your organization’s cyber supply chain risk management processes.

ID.SC-2 Identify suppliers and assess your supply chain risks.

• Identify providers of information systems, services, and components.

• Prioritize providers of information systems, services, and components.

• Assess providers of information systems, services, and components.

ID.SC-3 Use security contracts to control supply chain risks.

• Establish cybersecurity contracts with suppliers and third-party partners.

• Use contracts to implement measures to control your cybersecurity risks.

ID.SC-4 Evaluate the performance of suppliers and partners.

• Confirm that your suppliers are meeting their contractual obligations.

• Confirm that third-party partners are meeting their contractual obligations.

ID.SC-5 Conduct response and recovery planning and testing.

• Carry out suitable incident response and recovery planning activities.

• Carry out suitable incident response and recovery testing activities.

PR. Protect your assets

PR.AC Protect assets by managing access.

• Limit access to your assets and facilities.

• Manage access to your assets and facilities.

PR.AC-1 Control identity of users, devices, and processes.

• Control identities and credentials for authorized users.

• Control identities and credentials for authorized devices.

• Control identities and credentials for authorized processes.

PR.AC-2 Control physical access to your organization’s assets.

• Control physical access to your organization’s assets and associated facilities.

• Protect physical assets that contain either sensitive or critical information.

PR.AC-3 Control remote access to your organization’s assets.

• Control remote access to your organization’s assets and associated facilities.

• Establish remote access control policies and procedures for your organization.

PR.AC-4 Control access permissions and authorizations.

• Control how access permissions and authorizations are managed.

• Incorporate "separation of duties" and "least privilege" principles.

PR.AC-5 Control access to networks by separating them.

• Protect and control the integrity of your organization's networks.

• Consider using network segregation to control network access and integrity.

• Consider using network segmentation to control network access and integrity.

PR.AC-6 Control how identities are proofed and asserted.

• Control the unique identities of your users, devices, and processes.

PR.AC-7 Control authentication commensurate with risk.

• Control authentication of users that have access to physical and logical assets.

• Control authentication of devices that have access to physical and logical assets.

• Control authentication of processes that have access to physical and logical assets.

PR.AT Protect assets by managing awareness.

• Provide cybersecurity awareness services to personnel and partners.

• Provide cybersecurity training services to personnel and partners.

PR.AT-1 Make users aware of their security duties.

• Provide cybersecurity awareness services to your organization’s users.

• Provide cybersecurity training services to your organization’s users.

PR.AT-2 Make privileged users aware of their duties.

• Provide cybersecurity awareness services to all privileged users.

• Provide cybersecurity training services to all privileged users.

PR.AT-3 Make your stakeholders aware of their duties.

• Make sure that third-party stakeholders understand their cybersecurity obligations.

PR.AT-4 Make senior executives aware of their duties.

• Make sure that your senior executives understand their cybersecurity functions.

PR.AT-5 Make security people aware of their duties.

• Make sure that physical security personnel understand their roles and responsibilities.

• Make sure that cybersecurity personnel understand their roles and responsibilities.

PR.DS Protect assets by managing data security.

• Protect the confidentiality, integrity, and availability of your organization’s data.

PR.DS-1 Protect and preserve data-at-rest.

• Protect the confidentiality, integrity, and availability of your data-at-rest.

PR.DS-2 Secure and preserve data-in-transit.

• Protect the confidentiality, integrity, and availability of your data-in-transit.

PR.DS-3 Manage asset transfers and disposals.

• Manage assets throughout transfer, removal, and disposition.

PR.DS-4 Ensure data is available when needed.

• Protect the availability of your data by maintaining adequate capacity.

PR.DS-5 Prevent data leaks, spills, and breaches.

• Protect the availability of data by preventing data leaks.

PR.DS-6 Verify the integrity of data and software.

• Use integrity checking mechanisms to verify the integrity of software.

• Use integrity checking mechanisms to verify the integrity of firmware.

• Use integrity checking mechanisms to verify the integrity of information.

PR.DS-7 Compartmentalize development activities.

• Keep development environments separate from production environments.

• Control access to development, testing, and production environments.

PR.DS-8 Check the integrity of all hardware systems.

• Establish hardware maintenance and repair policies and guidelines.

• Control and restrict access to hardware and integrity verification tools.

PR.IP Protect assets by managing information.

• Establish security policies to protect information systems and assets.

• Implement information security policies, processes, and procedures.

PR.IP-1 Adopt security principles and create baselines.

• Incorporate generally accepted security principles into your systems.

• Establish baseline configurations of industrial control systems and technologies.

PR.IP-2 Use life cycle models to manage your systems.

• Use System Development Life Cycle Models to manage your systems.

PR.IP-3 Create configuration change control processes.

• Establish configuration change control processes and procedures.

• Use these processes and procedures to control systemic change.

PR.IP-4 Conduct regular backups of your information.

• Establish a policy to control how backups are handled.

• Make regular backup copies in accordance with your policy.

• Maintain your organization’s backups in a secure location.

PR.IP-5 Control your physical operating environment.

• Comply with policies that affect your physical operating environment.

• Comply with regulations that affect your physical operating environment.

PR.IP-6 Develop an appropriate data destruction policy.

• Establish a policy to manage and control data destruction.

• Comply with your organization’s data destruction policy.

• Verify that all data has been destroyed before you reuse media.

PR.IP-7 Improve your information protection processes.

• Improve your organization's information protection processes.

PR.IP-8 Share information about protection technologies.

• Share information about the effectiveness of your protection technologies.

PR.IP-9 Establish incident response and recovery plans.

• Establish incident response and business continuity plans.

• Establish incident recovery and business restoration plans.

PR.IP-10 Evaluate incident response and recovery plans.

• Test your incident response and business continuity plans.

• Test your incident recovery and business restoration plans.

PR.IP-11 Build security into human resource practices.

• Build cybersecurity duties into personnel recruitment practices.

• Build cybersecurity duties into personnel management practices.

• Build cybersecurity duties into personnel termination practices.

PR.IP-12 Formulate a vulnerability management plan.

• Develop a cybersecurity vulnerability management plan.

• Implement your cybersecurity vulnerability management plan.

PR.MA Protect assets by managing maintenance.

• Maintain and repair your organization’s industrial control systems.

• Maintain and repair your organization’s information system components.

PR.MA-1 Control repair and maintenance of your assets.

• Control the maintenance and repair of your organizational assets.

• Control your repair and maintenance tools and technologies.

PR.MA-2 Control remote repair and maintenance activities.

• Establish remote maintenance and repair policies, plans, and procedures.

PR.PT Protect assets by managing technologies.

• Use technologies to protect the security and resilience of your systems and assets.

PR.PT-1 Establish audit logs to record user events and faults.

• Formulate a policy to control the use of audit logs and records.

• Establish controls to protect audit log information and facilities.

• Review your organization’s system of audit logs and records.

PR.PT-2 Protect removable media and restrict how it is used.

• Prevent the unauthorized and uncontrolled use of removable media.

PR.PT-3 Configure systems to provide only essential capabilities.

• Configure your systems so that only essential capabilities are provided.

PR.PT-4 Safeguard your communications and control networks.

• Protect your organization’s communications and control networks.

PR.PT-5 Implement measures to meet resilience requirements.

• Implement measures to meet resilience requirements in normal situations.

• Implement measures to meet resilience requirements in adverse situations.

DE. Detect your anomalies

DE.AE Detect anomalies by analyzing events.

• Use detection technologies to identify anomalies and events.

• Understand the impact that anomalies and events could have.

DE.AE-1 Establish baselines for network users and systems.

• Establish baselines of network operations and expected data flows.

• Manage baselines of network operations and expected data flows.

DE.AE-2 Analyze events to understand targets and methods.

• Allocate responsibility for analyzing malicious cybersecurity events.

DE.AE-3 Collect and correlate event data from many sources.

• Allocate responsibility for collecting and correlating event data.

DE.AE-4 Determine the impact malicious events could have.

• Allocate responsibility for determining the impact malicious events could have.

DE.AE-5 Configure cybersecurity incident alert thresholds.

• Establish incident alert thresholds for all relevant sources and sensors.

DE.CM Detect anomalies by monitoring systems.

• Establish ways of monitoring your assets and information systems.

• Continuously monitor your organization’s assets and information systems.

DE.CM-1 Detect events and anomalies by monitoring networks.

• Establish your organization’s network monitoring strategy and program.

• Implement your organization’s network monitoring strategy and program.

DE.CM-2 Detect events and anomalies by monitoring environment.

• Detect cybersecurity events and anomalies by monitoring your physical environment.

DE.CM-3 Detect events and anomalies by monitoring all personnel.

• Detect internal cybersecurity events by monitoring personnel activity.

• Detect external cybersecurity events by monitoring personnel activity.

DE.CM-4 Detect and contain malicious code by monitoring systems.

• Detect malicious code by continuously monitoring your information systems and assets.

• Update malicious code protection software when new releases and updates are available.

DE.CM-5 Detect unauthorized mobile code by monitoring activities.

• Define acceptable and unacceptable mobile code and related technologies.

• Detect unauthorized mobile code by continuously monitoring your systems.

DE.CM-6 Detect cybersecurity events by monitoring your suppliers.

• Develop a continuous monitoring strategy and program for external service providers.

• Establish cybersecurity responsibilities and requirements for external service providers.

• Detect potential cybersecurity events by monitoring external service provider activity.

DE.CM-7 Detect unauthorized devices, software, and connections.

• Develop a continuous monitoring strategy and program to detect unauthorized activity.

• Detect potential cybersecurity events and anomalies by monitoring internal activity.

DE.CM-8 Detect weaknesses by performing vulnerability scans.

• Develop a continuous monitoring strategy and programs to detect vulnerabilities.

• Detect cybersecurity vulnerabilities and weaknesses by monitoring your systems.

DE.DP Detect anomalies by maintaining processes.

• Establish anomalous event detection and awareness processes.

• Maintain anomalous event detection and awareness processes.

DE.DP-1 Define clear detection roles and responsibilities.

• Establish accountability for detecting anomalous cybersecurity events.

DE.DP-2 Establish detection activities that meet requirements.

• Establish anomalous event detection activities that comply with requirements.

DE.DP-3 Test your anomaly detection processes and procedures.

• Establish and maintain processes to detect anomalies and events.

• Establish and maintain procedures to detect anomalous events.

DE.DP-4 Communicate anomalous event detection information.

• Communicate information about your anomaly detection activities and events.

DE.DP-5 Improve your detection processes and procedures.

• Evaluate your organization’s anomaly detection processes and procedures.

• Use what you learn to improve anomaly detection methods and activities.

RS. Respond to incidents

RS.RP Respond to incidents by controlling steps.

• Establish your organization’s incident response processes and procedures.

• Establish your organization’s business continuity processes and procedures.

RS.RP-1 Execute your organization’s incident response plans.

• Execute your organization’s response plans while incidents are happening.

• Execute your organization’s continuity plans after incidents have occurred.

RS.CO Respond to incidents by coordinating action.

• Respond to incidents by communicating with your stakeholders.

RS.CO-1 Confirm that incident responders know their roles.

• Confirm that responders know what to do when a timely response is needed.

RS.CO-2 Report incidents in accordance with reporting criteria.

• Establish criteria to control how cybersecurity incidents are reported.

• Follow established criteria when you report cybersecurity incidents.

RS.CO-3 Comply with response plans when sharing information.

• Follow established incident response plans when sharing information internally.

• Follow established incident response plans when sharing information externally.

RS.CO-4 Coordinate all response activities with your stakeholders.

• Follow incident response plans when coordinating response with internal stakeholders.

• Follow incident response plans when coordinating response with external stakeholders.

RS.CO-5 Raise awareness by sharing information with stakeholders.

• Raise cybersecurity awareness by voluntarily sharing information about incidents.

RS.AN Respond to incidents by analyzing the situation.

• Assign responsibility for analyzing cybersecurity events and incidents.

• Analyze the cybersecurity events and incidents that are being detected.

• Use your analytical results to facilitate incident management activities.

RS.AN-1 Investigate notifications received from detection systems.

• Assign responsibility for investigating notifications received from all detection systems.

• Investigate and analyze incidents and events that have an impact on your organization.

RS.AN-2 Review and understand the impact of cybersecurity incidents.

• Assign responsibility for reviewing the impact that cybersecurity incidents could have.

• Review and understand the potential impact that cybersecurity incidents could have.

RS.AN-3 Examine cybersecurity incidents and gather forensic evidence.

• Assign responsibility for examining incidents and gathering related forensic evidence.

• Examine cybersecurity incidents and events and carry out forensic investigations.

RS.AN-4 Classify cybersecurity incidents consistent with response plan.

• Assign responsibility for using incident response plans to categorize incidents.

• Create a scheme for recognizing, differentiating, and categorizing your incidents.

• Use your categorization scheme and incident response plans to classify your incidents.

RS.AN-5 Set up processes to handle information about vulnerabilities.

• Assign responsibility for managing information about cybersecurity vulnerabilities.

• Establish processes to manage information about cybersecurity vulnerabilities.

RS.MI Respond to incidents by mitigating the damage.

• Assign responsibility for containing, mitigating, and resolving cybersecurity incidents.

• Prevent the expansion of cybersecurity events and contain cybersecurity incidents.

• Mitigate the harm cybersecurity events cause and resolve cybersecurity incidents.

RS.MI-1 Carry out activities to contain your cybersecurity incidents.

• Assign responsibility for containing the harm that cybersecurity incidents can cause.

• Carry out activities to contain cybersecurity incidents and limit the harm they cause.

RS.MI-2 Mitigate the damage that cybersecurity incidents can cause.

• Assign responsibility for mitigating the damage that incidents can cause.

• Carry out activities to mitigate incidents and limit the damage they cause.

RS.MI-3 Assess new vulnerabilities and decide how to handle them.

• Assign responsibility for investigating and mitigating new vulnerabilities.

• Take steps to investigate new vulnerabilities and mitigate your security risk.

RS.IM Respond to incidents by making improvements.

• Respond to cybersecurity incidents by improving response activities.

• Respond to cybersecurity incidents by improving business continuity activities.

RS.IM-1 Use lessons to improve response and continuity plans.

• Use lessons learned to improve your organization’s incident response plans.

• Use lessons learned to improve your organization’s business continuity plans.

RS.IM-2 Use lessons to update response and continuity strategies.

• Use lessons learned to improve your organization’s incident response strategies.

• Use lessons learned to improve your organization’s business continuity strategies.

RC. Recover from incidents

RC.RP Recover from incidents by controlling steps.

• Establish your organization’s incident recovery processes and procedures.

• Establish your organization’s business restoration processes and procedures.

RC.RP-1 Execute recovery plans whenever incidents occur.

• Execute your organization’s recovery plan while incidents are happening.

• Execute your organization’s restoration plan after incidents have occurred.

RC.IM Recover from incidents by making improvements.

• Recover from cybersecurity incidents by improving recovery activities.

• Recover from cybersecurity incidents by improving restoration activities.

RC.IM-1 Use lessons to improve recovery and restoration plans.

• Use lessons learned to improve your organization’s incident recovery plans.

• Use lessons learned to improve your organization’s business restoration plans.

RC.IM-2 Use lessons to update recovery and restoration strategies.

• Use lessons learned to improve your organization’s incident recovery strategies.

• Use lessons learned to improve your organization’s business restoration strategies.

RC.CO Recover from incidents by coordinating activities.

• Coordinate your organization’s recovery activities with interested parties.

• Coordinate your organization’s restoration activities with interested parties.

RC.CO-1 Manage public relations and communicate externally.

• Assign responsibility for managing your organization’s cybersecurity public relations.

• Manage and control your organization’s cybersecurity public relations program.

RC.CO-2 Repair your organization’s reputation after incidents.

• Repair your organization’s reputation after incidents have occurred.

RC.CO-3 Share information about your recovery activities.

• Share information about recovery activities with your stakeholders.


This page summarizes NIST's Cybersecurity Framework. It highlights the main points.
It does not present detail.
If you like our approach, please consider purchasing
our Title 60: NIST Cybersecurity Framework Translated into Plain English.

Title 60 is detailed, accurate, and complete. It uses language that is clear,
precise, and easy to understand. We guarantee it. Title 60 is 112 pages
long and is provided in both pdf and Microsoft docx file formats.

pdf sample: Plain English Cybersecurity Framework (Title 60)




Updated on March 31, 2020. First published on January 23, 2020.


Praxiom Research Group Limited              help@praxiom.com             780-461-4514



Copyright © 2020 by Praxiom Research Group Ltd. All Rights Reserved.
