CSF 2



NIST Cybersecurity Framework

Title: The NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user generated version of the Core.
Change Log: Final
The NIST Cybersecurity Framework 2.0 www.nist.gov/cyberframework

Function / Category / Subcategory
(Where an entry below ends mid-sentence, the cell text is cut off in this export.)

GOVERN (GV): The organization's cybersecurity risk management
  Organizational Context (GV.OC): The circumstances - mission, stakeholder
    GV.OC-01: The organizational mission is understood and informs
    GV.OC-02: Internal and external stakeholders are understood, and their needs and
    GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including
    GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect
    GV.OC-05: Outcomes, capabilities, and services that the organization depends on are
  Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk
    GV.RM-01: Risk management objectives are established and agreed to by organizational
    GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and
    GV.RM-03: Cybersecurity risk management activities and outcomes are included in
    GV.RM-04: Strategic direction that describes appropriate risk response options is established
    GV.RM-05: Lines of communication across the organization are established for cybersecurity
    GV.RM-06: A standardized method for calculating, documenting, categorizing, and
    GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in
  Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles,
    GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity
    GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are
    GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk
    GV.RR-04: Cybersecurity is included in human resources practices
  Policy (GV.PO): Organizational cybersecurity policy is established,
    GV.PO-01: Policy for managing cybersecurity risks is established based on organizational
    GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and
  Oversight (GV.OV): Results of organization-wide cybersecurity risk management
    GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and
    GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure
    GV.OV-03: Organizational cybersecurity risk management performance is evaluated and
CSF 2.0 Page 2 of 11
  Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain
    GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives,
    GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and
    GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and
    GV.SC-04: Suppliers are known and prioritized by criticality
    GV.SC-05: Requirements to address cybersecurity risks in supply chains are
    GV.SC-06: Planning and due diligence are performed to reduce risks before entering into
    GV.SC-07: The risks posed by a supplier, their products and services, and other third parties
    GV.SC-08: Relevant suppliers and other third parties are included in incident planning,
    GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk
    GV.SC-10: Cybersecurity supply chain risk management plans include provisions for

IDENTIFY (ID): The organization's current cybersecurity risks are
  Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems,
    ID.AM-01: Inventories of hardware managed by the organization are maintained
    ID.AM-02: Inventories of software, services, and systems managed by the organization are
    ID.AM-03: Representations of the organization's authorized network communication and internal
    ID.AM-04: Inventories of services provided by suppliers are maintained
    ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact
    ID.AM-07: Inventories of data and corresponding metadata for designated data
    ID.AM-08: Systems, hardware, software, services, and data are managed throughout their
  Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and
    ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
    ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
    ID.RA-03: Internal and external threats to the organization are identified and recorded
    ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified
    ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent
    ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
    ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
    ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are
    ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to
    ID.RA-10: Critical suppliers are assessed prior to acquisition
  Improvement (ID.IM): Improvements to organizational cybersecurity risk
    ID.IM-01: Improvements are identified from evaluations
    ID.IM-02: Improvements are identified from security tests and exercises, including those
    ID.IM-03: Improvements are identified from execution of operational processes, procedures,
    ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are

PROTECT (PR): Safeguards to manage the organization's cybersecurity risks
  Identity Management, Authentication, and Access Control (PR.AA): Access to physical
    PR.AA-01: Identities and credentials for authorized users, services, and hardware are
    PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
    PR.AA-03: Users, services, and hardware are authenticated
    PR.AA-04: Identity assertions are protected, conveyed, and verified
    PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed,
    PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with
  Awareness and Training (PR.AT): The organization's personnel are provided with
    PR.AT-01: Personnel are provided with awareness and training so that they possess the
    PR.AT-02: Individuals in specialized roles are provided with awareness and training so that
  Data Security (PR.DS): Data are managed consistent with the organization's risk
    PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
    PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
    PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
    PR.DS-11: Backups of data are created, protected, maintained, and tested
  Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems,
    PR.PS-01: Configuration management practices are established and applied
    PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
    PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
    PR.PS-04: Log records are generated and made available for continuous monitoring
    PR.PS-05: Installation and execution of unauthorized software are prevented
    PR.PS-06: Secure software development practices are integrated, and their performance
  Technology Infrastructure Resilience (PR.IR): Security architectures are managed
    PR.IR-01: Networks and environments are protected from unauthorized logical access and
    PR.IR-02: The organization's technology assets are protected from environmental threats
    PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and
    PR.IR-04: Adequate resource capacity to ensure availability is maintained
DETECT (DE): Possible cybersecurity attacks and compromises are found
  Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of
    DE.CM-01: Networks and network services are monitored to find potentially adverse events
    DE.CM-02: The physical environment is monitored to find potentially adverse events
    DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse
    DE.CM-06: External service provider activities and services are monitored to find potentially
    DE.CM-09: Computing hardware and software, runtime environments, and their data are
  Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other
    DE.AE-02: Potentially adverse events are analyzed to better understand associated
    DE.AE-03: Information is correlated from multiple sources
    DE.AE-04: The estimated impact and scope of adverse events are understood
    DE.AE-06: Information on adverse events is provided to authorized staff and tools
    DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the
    DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

RESPOND (RS): Actions regarding a detected cybersecurity incident are
  Incident Management (RS.MA): Responses to detected cybersecurity incidents are
    RS.MA-01: The incident response plan is executed in coordination with relevant third
    RS.MA-02: Incident reports are triaged and validated
    RS.MA-03: Incidents are categorized and prioritized
    RS.MA-04: Incidents are escalated or elevated as needed
    RS.MA-05: The criteria for initiating incident recovery are applied
  Incident Analysis (RS.AN): Investigations are conducted to ensure effective response
    RS.AN-03: Analysis is performed to establish what has taken place during an incident and the
    RS.AN-06: Actions performed during an investigation are recorded, and the records'
    RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are
    RS.AN-08: An incident's magnitude is estimated and validated
  Incident Response Reporting and Communication (RS.CO): Response
    RS.CO-02: Internal and external stakeholders are notified of incidents
    RS.CO-03: Information is shared with designated internal and external stakeholders
  Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an
    RS.MI-01: Incidents are contained

    RS.MI-02: Incidents are eradicated

RECOVER (RC): Assets and operations affected by a cybersecurity incident
  Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to
    RC.RP-01: The recovery portion of the incident response plan is executed once initiated from
    RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
    RC.RP-03: The integrity of backups and other restoration assets is verified before using them
    RC.RP-04: Critical mission functions and cybersecurity risk management are considered
    RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and
    RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related
  Incident Recovery Communication (RC.CO): Restoration activities are coordinated with
    RC.CO-03: Recovery activities and progress in restoring operational capabilities are
    RC.CO-04: Public updates on incident recovery are shared using approved methods and



Implementation Examples / Informative References

Row | Implementation Examples | 1st/3rd Party Risk | Informative References
GV | - | - | CRI Profile v2.0: GV; SP 800-221A: GV.PO
GV.OC | - | 1st: 1st Party Risk | CRI Profile v2.0: GV.OC; SP 800-221A: GV.CT
GV.OC-01 | Ex1: Share the organization's mission (e.g., | 1st: 1st Party Risk | CRI Profile v2.0: GV.OC-01; CRI Profile v2.0: GV.OC-01.01; SP 800-218: PO.2.1
GV.OC-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: GV.OC-02; SP 800-218: PO.1.1
GV.OC-03 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | SP 800-218: PO.1.2
GV.OC-04 | Ex1: Create an inventory of the organization's dependencies on external | 3rd: 3rd Party Risk | CRI Profile v2.0: GV.OC-04; CRI Profile v2.0: GV.OC-04.01
GV.OC-05 | - | - | CRI Profile v2.0: GV.OC-05; CRI Profile v2.0: GV.OC-05.01
GV.RM | - | 1st: 1st Party Risk | CRI Profile v2.0: GV.RM; SP 800-221A: GV.BE-3
GV.RM-01 | Ex1: Update near-term and long-term | 1st: 1st Party Risk | CRI Profile v2.0: GV.RM-01; CRI Profile v2.0: GV.RM-01.01
GV.RM-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: GV.RM-02; CRI Profile v2.0: GV.RM-02.01
GV.RM-03 | Ex1: Aggregate and manage cybersecurity | 1st: 1st Party Risk | CRI Profile v2.0: GV.RM-03; CRI Profile v2.0: GV.RM-03.01
GV.RM-04 | Ex1: Specify criteria for accepting and | 1st: 1st Party Risk | CRI Profile v2.0: GV.RM-04; CRI Profile v2.0: GV.RM-04.01
GV.RM-05 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: GV.RM-05; CRI Profile v2.0: GV.RM-05.01
GV.RM-06 | Ex1: Establish criteria for using a | 1st: 1st Party Risk | CRI Profile v2.0: GV.RM-06; CRI Profile v2.0: GV.RM-06.01
GV.RM-07 | Ex1: Define and communicate guidance and | - | CRI Profile v2.0: GV.RM-07; CRI Profile v2.0: GV.RM-07.01; SP 800-218: PO.2.1
GV.RR | - | 1st: 1st Party Risk | CRI Profile v2.0: GV.RR; SP 800-218: PO.2.3
GV.RR-01 | Ex1: Leaders (e.g., directors) agree on their | 1st: 1st Party Risk | CIS Controls v8.0: 14.1; SP 800-218: PO.2.1
GV.RR-02 | Ex1: Document risk management roles and | 1st: 1st Party Risk | CIS Controls v8.0: 14.9
GV.RR-03 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: GV.RR-03; CRI Profile v2.0: GV.RR-03.01
GV.RR-04 | Ex1: Integrate cybersecurity risk | - | CIS Controls v8.0: 6.1; CIS Controls v8.0: 6.2
GV.PO | - | 1st: 1st Party Risk | CRI Profile v2.0: GV.PO; SP 800-221A: GV.PO-1
GV.PO-01 | Ex1: Create, disseminate, and maintain an | 1st: 1st Party Risk | CRI Profile v2.0: GV.PO-01; CRI Profile v2.0: GV.PO-01.01
GV.PO-02 | Ex1: Update policy based on periodic | - | CRI Profile v2.0: GV.PO-02; CRI Profile v2.0: GV.PO-02.01
GV.OV | - | 1st: 1st Party Risk | CRI Profile v2.0: GV.OV
GV.OV-01 | Ex1: Measure how well the risk | 1st: 1st Party Risk | CRI Profile v2.0: GV.OV-01; CRI Profile v2.0: GV.OV-01.01
GV.OV-02 | Ex1: Review audit findings to confirm | 1st: 1st Party Risk | CRI Profile v2.0: GV.OV-02; CRI Profile v2.0: GV.OV-02.01
GV.OV-03 | Ex1: Review key performance indicators | - | CRI Profile v2.0: GV.OV-03; CRI Profile v2.0: GV.OV-03.01
GV.SC | - | - | CRI Profile v2.0: GV.SC; SP 800-221A: GV.OV-4
GV.SC-01 | Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain | - | CIS Controls v8.0: 15.2; CRI Profile v2.0: GV.SC-01
GV.SC-02 | Ex1: Identify one or more specific roles or positions that will be responsible | - | SP 800-218: PO.2.1
GV.SC-03 | Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk | - | CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-03; SP 800-218: PW.4.1
GV.SC-04 | Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of | - | CIS Controls v8.0: 15.1
GV.SC-05 | Ex1: Establish security requirements for suppliers, products, and services | - | CIS Controls v8.0: 15.3; SP 800-218: PO.1.3
GV.SC-06 | Ex1: Perform thorough due diligence on prospective suppliers that is consistent with | - | CIS Controls v8.0: 15.4; CIS Controls v8.0: 15.5
GV.SC-07 | Ex1: Adjust assessment formats and frequencies based on the third party's | - | CRI Profile v2.0: EX.DD; SP 800-218: PW.4.1
GV.SC-08 | Ex1: Define and use rules and protocols for reporting incident response and recovery | - | CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-08; SP 800-218: PW.4.4
GV.SC-09 | Ex1: Policies and procedures require provenance records for all acquired | - | CIS Controls v8.0: 15.6; CRI Profile v2.0: GV.SC-09
GV.SC-10 | Ex1: Establish processes for terminating critical relationships under both normal and | - | CIS Controls v8.0: 15.7; CRI Profile v2.0: EX.TR
ID | - | - | CRI Profile v2.0: ID; CSF v1.1: ID
ID.AM | - | 1st: 1st Party Risk | CRI Profile v2.0: ID.AM; SP 800-221A: MA.RI-1
ID.AM-01 | Ex1: Maintain inventories for all types of | 1st: 1st Party Risk | CIS Controls v8.0: 1.1; CRI Profile v2.0: ID.AM-01
ID.AM-02 | Ex1: Maintain inventories for all types of | 1st: 1st Party Risk | CIS Controls v8.0: 2.1; CRI Profile v2.0: ID.AM-02
ID.AM-03 | - | - | CIS Controls v8.0: 3.8; CRI Profile v2.0: ID.AM-03
ID.AM-04 | Ex1: Inventory all external services used by the organization, including third-party | 3rd: 3rd Party Risk | CIS Controls v8.0: 15.1; CRI Profile v2.0: ID.AM-04
ID.AM-05 | Ex1: Define criteria for prioritizing each | 1st: 1st Party Risk | CIS Controls v8.0: 3.7; CRI Profile v2.0: ID.AM-05
ID.AM-07 | Ex1: Maintain a list of the designated data | 1st: 1st Party Risk | CIS Controls v8.0: 3.2; CRI Profile v2.0: ID.AM-07; SP 800-218: PW.4.1
ID.AM-08 | - | 3rd: 3rd Party Risk | SP 800-218: PW.4.4
ID.RA | - | 1st: 1st Party Risk | CRI Profile v2.0: ID.RA; SP 800-221A: GV.BE-4
ID.RA-01 | Ex1: Use vulnerability management | 1st: 1st Party Risk | CIS Controls v8.0: 7.1; SP 800-218: PO.5.2
ID.RA-02 | Ex1: Configure cybersecurity tools and | 1st: 1st Party Risk | CRI Profile v2.0: ID.RA-02; CRI Profile v2.0: ID.RA-02.01
ID.RA-03 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: ID.RA-03; CRI Profile v2.0: ID.RA-03.01
ID.RA-04 | Ex1: Business leaders and cybersecurity risk | 1st: 1st Party Risk | CRI Profile v2.0: ID.RA-04; CRI Profile v2.0: ID.RA-04.01; SP 800-218: PW.1.1
ID.RA-05 | Ex1: Develop threat models to better | 1st: 1st Party Risk | CRI Profile v2.0: ID.RA-05; SP 800-218: PO.5.2
ID.RA-06 | Ex1: Apply the vulnerability management | - | CRI Profile v2.0: ID.RA-06; SP 800-218: PO.5.2
ID.RA-07 | Ex1: Implement and follow procedures for the formal documentation, review, testing, | 1st: 1st Party Risk | CIS Controls v8.0: 7.2; CRI Profile v2.0: ID.RA-07
ID.RA-08 | - | 3rd: 3rd Party Risk | CRI Profile v2.0: ID.RA-08; SP 800-218: PO.5.2
ID.RA-09 | Ex1: Assess the authenticity and cybersecurity of critical technology | - | CRI Profile v2.0: EX.DD-04
ID.RA-10 | Ex1: Conduct supplier risk assessments against business and applicable | - | CRI Profile v2.0: EX.DD-03; CRI Profile v2.0: EX.DD-03.01
ID.IM | - | 1st: 1st Party Risk | CRI Profile v2.0: ID.IM; SP 800-221A: MA.IM-1
ID.IM-01 | Ex1: Perform self-assessments of critical | 1st: 1st Party Risk | CRI Profile v2.0: ID.IM-01; CRI Profile v2.0: ID.IM-01.01
ID.IM-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CIS Controls v8.0: 17.7; CRI Profile v2.0: ID.IM-02
ID.IM-03 | Ex1: Conduct collaborative lessons learned | 1st: 1st Party Risk | CRI Profile v2.0: ID.IM-03; CRI Profile v2.0: ID.IM-03.01
ID.IM-04 | Ex1: Establish contingency plans (e.g., | - | CRI Profile v2.0: ID.IM-04; CRI Profile v2.0: ID.IM-04.01
PR | - | - | CRI Profile v2.0: PR; CSF v1.1: PR
PR.AA | - | 1st: 1st Party Risk | CRI Profile v2.0: PR.AA; CSF v1.1: PR.AC
PR.AA-01 | Ex1: Initiate requests for new access or | 1st: 1st Party Risk | CIS Controls v8.0: 5.1
PR.AA-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CIS Controls v8.0: 6.7; CRI Profile v2.0: PR.AA-02; CRI Profile v2.0: PR.AA-02.01; SP 800-218: PO.5.2
PR.AA-03 | Ex1: Require multifactor authentication | 1st: 1st Party Risk | CRI Profile v2.0: PR.AA-03
PR.AA-04 | Ex1: Protect identity assertions that are | 1st: 1st Party Risk | CRI Profile v2.0: PR.AA-04; CRI Profile v2.0: PR.AA-04.01; SP 800-218: PO.5.2
PR.AA-05 | Ex1: Review logical and physical access | 1st: 1st Party Risk | SP 800-218: PS.1.1; SP 800-218: PO.5.2
PR.AA-06 | - | 3rd: 3rd Party Risk | CRI Profile v2.0: PR.AA-06; SP 800-218: PO.2.2
PR.AT | - | 1st: 1st Party Risk | CRI Profile v2.0: PR.AT; SP 800-218: PO.2.2
PR.AT-01 | Ex1: Provide basic cybersecurity awareness | 1st: 1st Party Risk | CIS Controls v8.0: 14.1; SP 800-218: PO.2.2
PR.AT-02 | - | 3rd: 3rd Party Risk | CIS Controls v8.0: 14.9
PR.DS | - | 1st: 1st Party Risk | CRI Profile v2.0: PR.DS; CSF v1.1: PR.DS; SP 800-218: PS.1.1
PR.DS-01 | Ex1: Use encryption, digital signatures, and | 1st: 1st Party Risk | CIS Controls v8.0: 3.10; SP 800-218: PS.2.1
PR.DS-02 | Ex1: Use encryption, digital signatures, and | 1st: 1st Party Risk | CRI Profile v2.0: PR.DS-02
PR.DS-10 | Ex1: Remove data that must remain | 1st: 1st Party Risk | CRI Profile v2.0: PR.DS-10; CRI Profile v2.0: PR.DS-10.01; SP 800-218: PS.3.1
PR.DS-11 | Ex1: Continuously back up critical data in | - | CIS Controls v8.0: 11.2
PR.PS | - | 1st: 1st Party Risk | CRI Profile v2.0: PR.PS; SP 800-218: PO.5.2
PR.PS-01 | Ex1: Establish, test, deploy, and maintain | 1st: 1st Party Risk | SP 800-218: PS.1.1; SP 800-218: PO.5.2
PR.PS-02 | Ex1: Perform routine and emergency | 1st: 1st Party Risk | CIS Controls v8.0: 2.2; SP 800-218: PO.5.2
PR.PS-03 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CIS Controls v8.0: 1.2; SP 800-218: PO.3.3
PR.PS-04 | Ex1: Configure all operating systems, | 1st: 1st Party Risk | CIS Controls v8.0: 8.2
PR.PS-05 | Ex1: When risk warrants it, restrict software | 1st: 1st Party Risk | CIS Controls v8.0: 2.5; CRI Profile v2.0: PR.PS-05
PR.PS-06 | Ex1: Protect all components of | - | CIS Controls v8.0: 16.1; CRI Profile v2.0: PR.PS-06
PR.IR | - | 1st: 1st Party Risk | CRI Profile v2.0: PR.IR; SP 800-218: PO.5.1
PR.IR-01 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CIS Controls v8.0: 3.12
PR.IR-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: PR.IR-02; CRI Profile v2.0: PR.IR-02.01
PR.IR-03 | Ex1: Avoid single points of failure in | - | CRI Profile v2.0: PR.IR-03; CRI Profile v2.0: PR.IR-03.01
PR.IR-04 | Ex1: Monitor usage of storage, power, compute, network bandwidth, and other | - | CRI Profile v2.0: PR.IR-04; CRI Profile v2.0: PR.IR-04.01

DE | - | - | CRI Profile v2.0: DE; CSF v1.1: DE
DE.CM | - | - | CRI Profile v2.0: DE.CM; CSF v1.1: DE.CM
DE.CM-01 | Ex1: Monitor DNS, BGP, and other network services for adverse events | - | CIS Controls v8.0: 13.1; CRI Profile v2.0: DE.CM-01
DE.CM-02 | Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find | - | CRI Profile v2.0: DE.CM-02; CRI Profile v2.0: DE.CM-02.01
DE.CM-03 | Ex1: Use behavior analytics software to detect anomalous user activity to mitigate | - | CIS Controls v8.0: 10.7; CRI Profile v2.0: DE.CM-03
DE.CM-06 | Ex1: Monitor remote and onsite administration and maintenance activities | - | CIS Controls v8.0: 15.2; CIS Controls v8.0: 15.6
DE.CM-09 | Ex1: Monitor email, web, file sharing, collaboration services, and other common | - | CIS Controls v8.0: 10.1; CRI Profile v2.0: DE.CM-09
DE.AE | - | - | CRI Profile v2.0: DE.AE; CSF v1.1: DE.AE
DE.AE-02 | Ex1: Use security information and event management (SIEM) or other tools to | - | CIS Controls v8.0: 8.11; CRI Profile v2.0: DE.AE-02
DE.AE-03 | Ex1: Constantly transfer log data generated by other sources to a relatively small | - | CRI Profile v2.0: DE.AE-03; CRI Profile v2.0: DE.AE-03.01
DE.AE-04 | Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine | - | CRI Profile v2.0: DE.AE-04; CRI Profile v2.0: DE.AE-04.01
DE.AE-06 | Ex1: Use cybersecurity software to generate alerts and provide them to the | - | CRI Profile v2.0: DE.AE-06; CRI Profile v2.0: DE.AE-06.01
DE.AE-07 | Ex1: Securely provide cyber threat intelligence feeds to detection | - | CRI Profile v2.0: DE.AE-07; CRI Profile v2.0: DE.AE-07.01
DE.AE-08 | Ex1: Apply incident criteria to known and assumed characteristics of activity in order | - | CRI Profile v2.0: DE.AE-08; CRI Profile v2.0: DE.AE-08.01
RS | - | - | CRI Profile v2.0: RS; CSF v1.1: RS
RS.MA | - | - | CRI Profile v2.0: RS.MA; CSF v1.1: RS.RP
RS.MA-01 | Ex1: Detection technologies automatically report confirmed incidents | 1st: 1st Party Risk | CIS Controls v8.0: 17.4; CRI Profile v2.0: RS.MA-01
RS.MA-02 | Ex1: Preliminarily review incident reports to | 1st: 1st Party Risk | CRI Profile v2.0: RS.MA-02; CRI Profile v2.0: RS.MA-02.01
RS.MA-03 | Ex1: Further review and categorize | 1st: 1st Party Risk | CRI Profile v2.0: RS.MA-03; CRI Profile v2.0: RS.MA-03.01
RS.MA-04 | Ex1: Track and validate the status of all | 1st: 1st Party Risk | CRI Profile v2.0: RS.MA-04; CRI Profile v2.0: RS.MA-04.01
RS.MA-05 | Ex1: Apply incident recovery criteria to | - | CIS Controls v8.0: 17.9; CRI Profile v2.0: RS.MA-05
RS.AN | - | 1st: 1st Party Risk | CRI Profile v2.0: RS.AN; CSF v1.1: RS.AN
RS.AN-03 | Ex1: Determine the sequence of events that | 1st: 1st Party Risk | CIS Controls v8.0: 17.8; CRI Profile v2.0: RS.AN-03
RS.AN-06 | Ex1: Require each incident responder and | 1st: 1st Party Risk | CRI Profile v2.0: RS.AN-06; CRI Profile v2.0: RS.AN-06.01
RS.AN-07 | Ex1: Collect, preserve, and safeguard the | 1st: 1st Party Risk | CRI Profile v2.0: RS.AN-07; CRI Profile v2.0: RS.AN-07.01
RS.AN-08 | Ex1: Review other potential targets of the | - | CRI Profile v2.0: RS.AN-08; CRI Profile v2.0: RS.AN-08.01
RS.CO | - | 1st: 1st Party Risk | CRI Profile v2.0: RS.CO; CSF v1.1: RS.CO
RS.CO-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-02
RS.CO-03 | - | 3rd: 3rd Party Risk | CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-03
RS.MI | - | 1st: 1st Party Risk | CRI Profile v2.0: RS.MI; CSF v1.1: RS.MI
RS.MI-01 | - | 3rd: 3rd Party Risk | CRI Profile v2.0: RS.MI-01; CRI Profile v2.0: RS.MI-01.01
RS.MI-02 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: RS.MI-02; CRI Profile v2.0: RS.MI-02.01
RC | - | - | CRI Profile v2.0: RC; CSF v1.1: RC
RC.RP | - | 1st: 1st Party Risk | CRI Profile v2.0: RC.RP; CSF v1.1: RC.RP
RC.RP-01 | Ex1: Begin recovery procedures during or | 1st: 1st Party Risk | CRI Profile v2.0: RC.RP-01; CRI Profile v2.0: RC.RP-01.01
RC.RP-02 | Ex1: Select recovery actions based on the | 1st: 1st Party Risk | CRI Profile v2.0: RC.RP-02; CRI Profile v2.0: RC.RP-02.01
RC.RP-03 | Ex1: Check restoration assets for indicators | 1st: 1st Party Risk | CIS Controls v8.0: 11.5; CRI Profile v2.0: RC.RP-03
RC.RP-04 | Ex1: Use business impact and system | 1st: 1st Party Risk | CRI Profile v2.0: RC.RP-04; CRI Profile v2.0: RC.RP-04.01
RC.RP-05 | Ex1: Check restored assets for indicators of | 1st: 1st Party Risk | CRI Profile v2.0: RC.RP-05; CRI Profile v2.0: RC.RP-05.01
RC.RP-06 | Ex1: Prepare an after-action report that | - | CRI Profile v2.0: RC.RP-06; CRI Profile v2.0: RC.RP-06.01
RC.CO | - | 1st: 1st Party Risk | CRI Profile v2.0: RC.CO; CSF v1.1: RC.CO
RC.CO-03 | - | 1st: 1st Party Risk; 3rd: 3rd Party Risk | CRI Profile v2.0: RC.CO-03; CRI Profile v2.0: RC.CO-03.01
RC.CO-04 | Ex1: Follow the organization's breach | - | CIS Controls v8.0: 17.2; CIS Controls v8.0: 17.6

