csf2 References
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user generated version of the Core ver
GOVERN (GV)
IDENTIFY (ID): The organization's current cybersecurity risks are understood
PROTECT (PR): Safeguards to manage the organization's cybersecurity risks are used
DETECT (DE)
RESPOND (RS): Actions regarding a detected cybersecurity incident are taken
RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored
Ex1: Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission
Informative References: CRI Profile v2.0: GV.OC-01; CRI Profile v2.0: GV.OC-01.01; CSF v1.1: ID.BE-2; CSF v1.1: ID.BE-3; SP 800-221A: GV.CT-5; SP 800-221A: GV.CT-3; SP 800-53 Rev 5.1.1: PM-11
Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
Ex2: Determine whether to purchase cybersecurity insurance
Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)
Informative References: CRI Profile v2.0: GV.RM-04; CRI Profile v2.0: GV.RM-04.01; CSF v1.1: ID.RM-2; SP 800-221A: GV.BE-1; SP 800-53 Rev 5.1.1: PM-09; SP 800-53 Rev 5.1.1: PM-28; SP 800-53 Rev 5.1.1: PM-30; SP 800-53 Rev 5.1.1: SR-02
Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
Ex2: Constantly monitor networks to detect new hardware and automatically update inventories
Informative References: CIS Controls v8.0: 1.1; CRI Profile v2.0: ID.AM-01; CRI Profile v2.0: ID.AM-01.01; CSF v1.1: ID.AM-1; SP 800-221A: MA.RI-1; SP 800-53 Rev 5.1.1: CM-08; SP 800-53 Rev 5.1.1: PM-05
Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
Ex3: Maintain an inventory of the organization's systems
Informative References: CIS Controls v8.0: 2.1; CRI Profile v2.0: ID.AM-02; CRI Profile v2.0: ID.AM-02.01; CSF v1.1: ID.AM-2; SP 800-221A: MA.RI-1; SP 800-53 Rev 5.1.1: AC-20; SP 800-53 Rev 5.1.1: CM-08; SP 800-53 Rev 5.1.1: PM-05; SP 800-53 Rev 5.1.1: SA-05; SP 800-53 Rev 5.1.1: SA-09
Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service
Informative References: CIS Controls v8.0: 15.1; CRI Profile v2.0: ID.AM-04; CRI Profile v2.0: ID.AM-04.01; CSF v1.1: ID.AM-4; SP 800-53 Rev 5.1.1: AC-20; SP 800-53 Rev 5.1.1: SA-09; SP 800-53 Rev 5.1.1: SR-02
Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
Ex2: Continuously discover and analyze ad hoc data to identify new instances of designated data types
Ex3: Assign data classifications to designated data types through tags or labels
Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types
Informative References: CIS Controls v8.0: 3.2; CRI Profile v2.0: ID.AM-07; CRI Profile v2.0: ID.AM-07.01; SP 800-221A: MA.RI-1; SP 800-53 Rev 5.1.1: CM-12; SP 800-53 Rev 5.1.1: CM-13; SP 800-53 Rev 5.1.1: SI-12
Ex1: Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers
Ex2: Enumerate the potential business impacts of unauthorized access to the organization's communications, systems, and data processed in or by those systems
Ex3: Account for the potential impacts of cascading failures for systems of systems
Informative References: CRI Profile v2.0: ID.RA-04; CRI Profile v2.0: ID.RA-04.01; CSF v1.1: ID.RA-4; SP 800-221A: MA.RI-4; SP 800-53 Rev 5.1.1: PM-09; SP 800-53 Rev 5.1.1: PM-11; SP 800-53 Rev 5.1.1: RA-02; SP 800-53 Rev 5.1.1: RA-03; SP 800-53 Rev 5.1.1: RA-08; SP 800-53 Rev 5.1.1: RA-09
Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device
Ex4: Physically label authorized hardware with an identifier for inventory and servicing purposes
Informative References: CIS Controls v8.0: 5.1; CIS Controls v8.0: 6.7; CRI Profile v2.0: PR.AA-01; CRI Profile v2.0: PR.AA-01.01; CRI Profile v2.0: PR.AA-01.02; CSF v1.1: PR.AC-1; SP 800-53 Rev 5.1.1: AC-01; SP 800-53 Rev 5.1.1: AC-02; SP 800-53 Rev 5.1.1: AC-14; SP 800-53 Rev 5.1.1: IA-01; SP 800-53 Rev 5.1.1: IA-02; SP 800-53 Rev 5.1.1: IA-03; SP 800-53 Rev 5.1.1: IA-04; SP 800-53 Rev 5.1.1: IA-05; SP 800-53 Rev 5.1.1: IA-06; SP 800-53 Rev 5.1.1: IA-07; SP 800-53 Rev 5.1.1: IA-08; SP 800-53 Rev 5.1.1: IA-09; SP 800-53 Rev 5.1.1: IA-10; SP 800-53 Rev 5.1.1: IA-11
Ex1: Monitor DNS, BGP, and other network services for adverse events
Ex2: Monitor wired and wireless networks for connections from unauthorized endpoints
Ex3: Monitor facilities for unauthorized or rogue wireless networks
Ex4: Compare actual network flows against baselines to detect deviations
Ex5: Monitor network communications to identify changes in security postures for zero trust purposes
Informative References: CIS Controls v8.0: 13.1; CRI Profile v2.0: DE.CM-01; CRI Profile v2.0: DE.CM-01.01; CRI Profile v2.0: DE.CM-01.02; CRI Profile v2.0: DE.CM-01.03; CRI Profile v2.0: DE.CM-01.04; CRI Profile v2.0: DE.CM-01.05; CRI Profile v2.0: DE.CM-01.06; CSF v1.1: DE.CM-1; CSF v1.1: DE.CM-4; CSF v1.1: DE.CM-5; CSF v1.1: DE.CM-7; SP 800-53 Rev 5.1.1: AC-02; SP 800-53 Rev 5.1.1: AU-12; SP 800-53 Rev 5.1.1: CA-07; SP 800-53 Rev 5.1.1: CM-03; SP 800-53 Rev 5.1.1: SC-05; SP 800-53 Rev 5.1.1: SC-07; SP 800-53 Rev 5.1.1: SI-04
Ex1: Constantly transfer log data generated by other sources to a relatively small number of log servers
Ex2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources
Ex3: Utilize cyber threat intelligence to help correlate events among log sources
Informative References: CRI Profile v2.0: DE.AE-03; CRI Profile v2.0: DE.AE-03.01; CRI Profile v2.0: DE.AE-03.02; CSF v1.1: DE.AE-3; SP 800-53 Rev 5.1.1: AU-06; SP 800-53 Rev 5.1.1: CA-07; SP 800-53 Rev 5.1.1: PM-16; SP 800-53 Rev 5.1.1: IR-04; SP 800-53 Rev 5.1.1: IR-05; SP 800-53 Rev 5.1.1: IR-08; SP 800-53 Rev 5.1.1: SI-04
Ex1: Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
Ex2: Take known false positives into account when applying incident criteria
Informative References: CRI Profile v2.0: DE.AE-08; CRI Profile v2.0: DE.AE-08.01; CSF v1.1: DE.AE-5; SP 800-53 Rev 5.1.1: IR-04; SP 800-53 Rev 5.1.1: IR-08
Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
Ex3: Analyze the incident to find the underlying, systemic root causes
Ex4: Check any cyber deception technology for additional information on attacker behavior
Informative References: CIS Controls v8.0: 17.8; CRI Profile v2.0: RS.AN-03; CRI Profile v2.0: RS.AN-03.01; CSF v1.1: RS.AN-3; SP 800-53 Rev 5.1.1: AU-07; SP 800-53 Rev 5.1.1: IR-04
Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures
Informative References: CRI Profile v2.0: RS.AN-07; CRI Profile v2.0: RS.AN-07.01; SP 800-53 Rev 5.1.1: AU-07; SP 800-53 Rev 5.1.1: IR-04; SP 800-53 Rev 5.1.1: IR-06
Ex1: Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
Ex2: Automatically run tools on targets to look for indicators of compromise and evidence of persistence
Informative References: CRI Profile v2.0: RS.AN-08; CRI Profile v2.0: RS.AN-08.01; SP 800-53 Rev 5.1.1: IR-04; SP 800-53 Rev 5.1.1: IR-08; SP 800-53 Rev 5.1.1: RA-03; SP 800-53 Rev 5.1.1: RA-07
Ex1: Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use
Informative References: CIS Controls v8.0: 11.5; CRI Profile v2.0: RC.RP-03; CRI Profile v2.0: RC.RP-03.01; SP 800-53 Rev 5.1.1: CP-02; SP 800-53 Rev 5.1.1: CP-04; SP 800-53 Rev 5.1.1: CP-09
Ex1: Use business impact and system categorization records (including service delivery objectives) to validate that essential services are restored in the appropriate order
Ex2: Work with system owners to confirm the successful restoration of systems and the return to normal operations
Ex3: Monitor the performance of restored systems to verify the adequacy of the restoration
Informative References: CRI Profile v2.0: RC.RP-04; CRI Profile v2.0: RC.RP-04.01; SP 800-53 Rev 5.1.1: PM-08; SP 800-53 Rev 5.1.1: PM-09; SP 800-53 Rev 5.1.1: PM-11; SP 800-53 Rev 5.1.1: IR-01; SP 800-53 Rev 5.1.1: IR-08
Ex1: Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
Ex2: Verify the correctness and adequacy of the restoration actions taken before putting a restored system online
Informative References: CRI Profile v2.0: RC.RP-05; CRI Profile v2.0: RC.RP-05.01; CRI Profile v2.0: RC.RP-05.02; SP 800-53 Rev 5.1.1: CP-10