0003959
The CRI Profile, v2.0
Cyber Risk Institute
Best Practice Guideline
Free
CRI Profile, v2.0
The CRI Profile
2024-02-29
The document as a whole was last reviewed and released on 2024-09-26T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within The CRI Profile, v2.0 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for The CRI Profile, v2.0 are based upon terms found within the Authority Document’s defined-terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized versions of the terms.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (CC ID) and mapped CRI Profile citations | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Business Processes | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection. PR.IR-04.01] | Technical Security | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Business Processes | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Business Processes | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Communicate | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Business Processes | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Business Processes | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Business Processes | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Establish/Maintain Documentation | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Business Processes | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Configuration | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 [The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters. PR.AA-03.03] | Business Processes | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Data and Information Management | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Business Processes | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Communicate | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 [Planning is performed for procurements and agreements that involve elevated risk to the organization EX.DD-01 Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain acquisition notices. CC ID 16682 | Acquisition/Sale of Assets or Services | Preventive | |
Include the geographic locations of the organization in the acquisition notice. CC ID 16723 | Acquisition/Sale of Assets or Services | Preventive | |
Include certification that the organizations meet applicable requirements in the acquisition notice. CC ID 16714 | Acquisition/Sale of Assets or Services | Preventive | |
Include the capital ratios in the acquisition notice. CC ID 16712 | Acquisition/Sale of Assets or Services | Preventive | |
Include the relevant authorities in the acquisition notice. CC ID 16711 | Acquisition/Sale of Assets or Services | Preventive | |
Include a description of the subsidiary's activities in the acquisition notice. CC ID 16707 | Acquisition/Sale of Assets or Services | Preventive | |
Include the subsidiary's contact information in the acquisition notice. CC ID 16704 | Acquisition/Sale of Assets or Services | Preventive | |
Include in scope transactions in the acquisition notice. CC ID 16700 | Acquisition/Sale of Assets or Services | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition/Sale of Assets or Services | Preventive | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 | Communicate | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Establish/Maintain Documentation | Preventive | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Establish/Maintain Documentation | Preventive | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Communicate | Preventive | |
Document attempts to obtain system documentation. CC ID 14284 | Process or Activity | Corrective | |
Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition/Sale of Assets or Services | Preventive | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Establish/Maintain Documentation | Preventive | |
Include security functions in the user documentation. CC ID 14313 | Establish/Maintain Documentation | Preventive | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Establish/Maintain Documentation | Preventive | |
Include a description of user interactions in the user documentation. CC ID 14311 | Establish/Maintain Documentation | Preventive | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in system acquisition contracts. CC ID 14765 | Establish/Maintain Documentation | Preventive | |
Include the acceptance criteria in system acquisition contracts. CC ID 14288 | Acquisition/Sale of Assets or Services | Preventive | |
Include audit record generation capabilities in system acquisition contracts. CC ID 16427 | Acquisition/Sale of Assets or Services | Preventive | |
Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 | Acquisition/Sale of Assets or Services | Preventive | |
Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 | Acquisition/Sale of Assets or Services | Preventive | |
Include environmental considerations in the acquisition feasibility study. CC ID 16224 | Acquisition/Sale of Assets or Services | Preventive | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Testing | Detective | |
Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 | Technical Security | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 | Establish/Maintain Documentation | Preventive | |
Obtain authorization for marketing new products. CC ID 16805 | Business Processes | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Establish/Maintain Documentation | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Communicate | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Communicate | Preventive | |
Establish, implement, and maintain the requirements for competitive bid documents. CC ID 16936 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain the requirements for off-contract purchases. CC ID 16929 | Acquisition/Sale of Assets or Services | Preventive | |
Require prior approval from the appropriate authority for any off-contract purchases. CC ID 16928 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Communicate | Preventive | |
Review and update the acquisition contracts, as necessary. CC ID 14279 | Acquisition/Sale of Assets or Services | Corrective | |
Establish, implement, and maintain a software product acquisition methodology. CC ID 01138 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Establish/Maintain Documentation | Preventive | |
Align the service management program with the Code of Conduct. CC ID 14211 | Establish/Maintain Documentation | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Technical Security | Preventive | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Establish/Maintain Documentation | Preventive | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Testing | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 [The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Testing | Detective | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Process or Activity | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (CC ID) and mapped CRI Profile citations | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The organization has an independent audit function to support oversight of the technology and cybersecurity programs GV.AU The organization has an independent audit function (i.e., internal audit group or external auditor) that follows generally accepted audit practices and approved audit policies and procedures. GV.AU-01.01] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Process or Activity | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [A formal process is in place for the independent audit function to review and update its procedures and audit plans regularly or in response to changes in relevant standards, the technology environment, or the business environment. GV.AU-02.01 A formal process is in place for the independent audit function to update its procedures and audit plans based on changes to the organization's risk appetite, risk tolerance, threat environment, and evolving risk profile. GV.AU-02.02] | Establish/Maintain Documentation | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 [The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. GV.AU-03.01] | Establish/Maintain Documentation | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [An independent audit function assesses compliance with applicable laws and regulations. GV.AU-01.05 The independent audit function assesses compliance with internal controls and applicable laws and regulations GV.AU-01] | Audits and Risk Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. GV.AU-03.01] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 [The governing authority (e.g., the Board or one of its committees) regularly reviews and evaluates the organization's ability to manage its technology, cybersecurity, third-party, and resilience risks. GV.OV-01.01 {risk tolerance} The independent risk management function provides assurance that the technology and cybersecurity risk management frameworks have been implemented according to policy and are consistent with the organization's risk appetite and tolerance GV.IR-01 {be consistent} The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. GV.IR-01.01] | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 {business continuity} {design effectiveness} Technology, cybersecurity, and resilience controls are regularly assessed and/or tested for design and operating effectiveness. ID.IM-01.01 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Testing | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02] | Monitor and Evaluate Occurrences | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [The independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. GV.AU-03.02 The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03 The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04] | Establish/Maintain Documentation | Corrective | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Actionable Reports or Measurements | Corrective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02 The independent audit function updates its procedures and audit plans to adjust to the evolving technology and cybersecurity environment GV.AU-02] | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [Risk management objectives are established and agreed to by organizational stakeholders GV.RM-01 The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's technology and cybersecurity risk management decisions are understood GV.OC Technology and cybersecurity risk management activities and outcomes are included in enterprise risk management processes GV.RM-03 Technology and cybersecurity risk management strategies and frameworks are informed by applicable international, national, and financial services industry standards and guidelines. GV.RM-01.02 Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 {risk management framework} The organization's obligation to its customers, employees, and stakeholders to maintain safety and soundness, while balancing size and complexity, is reflected in the organization's risk management strategy and framework, its risk appetite and risk tolerance statements, and in a risk-aware culture. GV.OC-02.01 The organization's technology, cybersecurity, resilience, and third-party risk management programs, policies, resources, and priorities are aligned and mutually supporting. GV.RM-01.05 Technology and cybersecurity risk management frameworks are applied to, and are adapted as needed by, the organization's innovations in technology use and adoption of emerging technologies. GV.RM-08.01 {be consistent} The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. GV.IR-01.01 Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.RM-06.01 The independent risk management function evaluates the appropriateness of the risk management program for the organization's risk appetite and proposes program improvements as warranted GV.IR-02] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 [The independent risk management function has sufficient independence, stature, authority, resources, and access to the governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's risk management frameworks. GV.IR-01.02] | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. GV.RM-02.02] | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [{risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). GV.RM-03.04] | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 [{mobile device} The organization implements policies, procedures, end-user agreements, and technical controls to address the risks of end-user mobile or personal computing devices accessing the organization's network and resources. PR.IR-01.08] | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [Results of organization-wide technology and cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy GV.OV Technology and cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction GV.OV-01 The technology and cybersecurity risk management strategies are reviewed and adjusted to ensure coverage of organizational requirements and risks GV.OV-02 Organizational technology and cybersecurity risk management performance is evaluated and reviewed for adjustments needed GV.OV-03 Technology and cybersecurity risk management strategies and frameworks are approved by the governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. GV.RM-01.01 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01] | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02] | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [Technology and cybersecurity risk management strategies identify and communicate the organization's role as it relates to other critical infrastructure sectors outside of the financial services sector and the interdependency risks. GV.OC-02.03] | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). GV.RM-03.04 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01 The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Establish/Maintain Documentation | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Technology and cybersecurity risk management strategies identify and communicate the organization's role within the financial services sector as a component of critical infrastructure. GV.OC-02.02 The organization's budgeting and resourcing processes identify, prioritize, and address resource needs to manage identified technology and cybersecurity risks (e.g., skill shortages, headcount, new tools, incident-related expenses, and unsupported systems). GV.RR-03.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 [The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. ID.RA-03.03 The technology and cybersecurity risks to the organization, assets, and individuals are understood by the organization ID.RA The organization's current technology and cybersecurity risks are understood ID {technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.RM-06.01] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Document cybersecurity risks. CC ID 12281 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01] | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction. ID.IM-01.04] | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Internal and external threats to the organization are identified and recorded ID.RA-03 The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Technical Security | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its validity; ID.RA-08.02 (1) A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06] | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02] | Audits and Risk Management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded ID.RA-04 The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized. ID.RA-04.01] | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [A supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders GV.SC-01] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 [The organization regularly reviews and updates its threat analysis methodology, threat information sources, and supporting tools. ID.RA-03.04] | Establish/Maintain Documentation | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01 The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. GV.OV-02.01] | Establish/Maintain Documentation | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk. ID.RA-01.02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Lines of communication across the organization are established for technology and cybersecurity risks, including risks from suppliers and other third parties GV.RM-05 A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 {recovery procedure} The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders. RC.CO-03.01] | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized. ID.RA-04.01] | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes. ID.RA-05.04 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM] | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 [Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization ID.RA-05 The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02] | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 [The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01] | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The organization identifies, assesses, and documents the key dependencies, interdependencies, and potential points of failure to support the delivery of critical services (e.g., systems, business processes, workforce, third parties, facilities, etc.) GV.OC-05.01 The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. GV.OV-02.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03 The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning. GV.OC-04.02] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04 The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01] | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02 Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded ID.RA-04] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 [Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Actionable Reports or Measurements | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01 The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. GV.RM-02.02 {risk tolerance} The independent risk management function provides assurance that the technology and cybersecurity risk management frameworks have been implemented according to policy and are consistent with the organization's risk appetite and tolerance GV.IR-01 The independent risk management function regularly evaluates the appropriateness of the technology and cybersecurity risk management programs to the organization's risk appetite and inherent risk environment GV.IR-02.01 The organization determines and articulates how it intends to maintain an acceptable level of residual technology and cybersecurity risk as set by the governing authority (e.g., the Board or one of its committees). GV.OV-02.02 The independent risk management function evaluates the appropriateness of the risk management program for the organization's risk appetite and proposes program improvements as warranted GV.IR-02 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 [The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01] | Investigate | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Process or Activity | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM] | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02 The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04] | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization ID.RA-05 Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06 The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02 {cybersecurity control} Technology and cybersecurity risk management programs and risk assessment processes produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify cybersecurity and technology controls. ID.RA-06.01 Technology and cybersecurity programs identify and implement controls to manage applicable risks within the risk appetite set by the governing authority (e.g., the Board or one of its committees). ID.RA-06.03 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01 The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and Risk Management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Establish/Maintain Documentation | Corrective | |
Include risk responses in the risk management program. CC ID 13195 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV {critical function} {post incident activity} Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms RC.RP-04 The organization has established, and maintains, technology and cybersecurity programs designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite and business needs. GV.RM-01.03] | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 [Improvements are identified from evaluations ID.IM-01 Improvements are identified from execution of operational processes, procedures, and activities ID.IM-03 {risk management program} Improvements to organizational technology and cybersecurity risk management processes, procedures and activities are identified across all Profile Functions ID.IM The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02] | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and are communicated and enforced GV.PO-01] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and are communicated and enforced GV.PO-01] | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV] | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [{external partner} The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. ID.IM-04.06 Strategic direction that describes appropriate risk response options is established and communicated GV.RM-04 Technology and cybersecurity processes, procedures, and controls are established in alignment with cybersecurity policy. GV.PO-01.05 Safeguards to manage the organization's technology and cybersecurity risks are used PR] | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01] | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 [Strategic direction that describes appropriate risk response options is established and communicated GV.RM-04] | Communicate | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 [A supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders GV.SC-01 The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 [Supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders GV.SC {cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09] | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 [Supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders GV.SC The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 [The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties. GV.RR-01.02 The organization maintains documented third-party risk management program policies and procedures approved by the governing authority (e.g., the Board or one of its committees). GV.PO-01.08] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [{cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09] | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 [Risk management objectives are established and agreed to by organizational stakeholders GV.RM-01] | Communicate | Preventive | |
Establish, implement, and maintain a disclosure report. CC ID 15521 | Establish/Maintain Documentation | Preventive | |
Include metrics in the disclosure report. CC ID 15916 | Establish/Maintain Documentation | Preventive | |
Include risk management metrics in the disclosure report. CC ID 16345 [The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. GV.OV-03.01 The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Establish Roles | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources Management | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01 The governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization's technology and cybersecurity risk management strategies and frameworks. GV.RR-01.01 The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy. GV.RR-01.05 The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties. GV.RR-01.02] | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources Management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Establish/Maintain Documentation | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources Management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources Management | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 [The organization has designated a qualified Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing a cybersecurity strategy, overseeing and implementing its cybersecurity program, and enforcing its cybersecurity policy. GV.RR-01.04 The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy. GV.RR-01.05] | Establish Roles | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
Define and assign the Public Information Officer's roles and responsibilities. CC ID 17059 | Establish Roles | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [{cybersecurity program} The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. GV.OC-03.01] | Human Resources Management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 [Technology and cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated GV.RR Roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-02 {business continuity program} The roles, responsibilities, qualifications, and skill requirements for personnel (employees and third parties) that implement, manage, and oversee the technology, cybersecurity, and resilience programs are defined, aligned, coordinated, and holistically managed. GV.RR-02.01 The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions. GV.RR-02.02] | Human Resources Management | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02 The organization has an independent risk management function GV.IR {cybersecurity program} The independent risk management function has an understanding of the organization's structure, technology and cybersecurity strategies and programs, and relevant risks and threats. GV.IR-01.03] | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Establish Roles | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Establish/Maintain Documentation | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
Analyze workforce management. CC ID 12844 [The organization regularly assesses its skill and resource level requirements against its current personnel complement to determine gaps in resource need. GV.RR-03.02 The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Human Resources Management | Detective | |
Identify root causes of staffing shortages, if any exist. CC ID 13276 | Human Resources Management | Detective | |
Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 | Human Resources Management | Detective | |
Establish, implement, and maintain a personnel management program. CC ID 14018 [Cybersecurity is included in human resources practices GV.RR-04] | Establish/Maintain Documentation | Preventive | |
Categorize the gender of all employees. CC ID 15609 | Human Resources Management | Preventive | |
Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources Management | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources Management | Preventive | |
Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources Management | Preventive | |
Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources Management | Preventive | |
Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources Management | Preventive | |
Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources Management | Preventive | |
Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources Management | Preventive | |
Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources Management | Preventive | |
Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources Management | Preventive | |
Include background check results in each employee's personnel file. CC ID 12439 | Human Resources Management | Preventive | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 [{security policy} All personnel (employees and third party) consent to policies addressing acceptable technology use, social media use, personal device use (e.g., BYOD), confidentiality, and/or other security-related policies and agreements as warranted by their position. GV.PO-01.04] | Human Resources Management | Preventive | |
Require all new hires to sign the Code of Conduct. CC ID 06665 | Establish/Maintain Documentation | Preventive | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Establish/Maintain Documentation | Preventive | |
Require new hires to sign nondisclosure agreements. CC ID 06668 | Establish/Maintain Documentation | Preventive | |
Train all new hires, as necessary. CC ID 06673 | Behavior | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the personnel security policy. CC ID 14154 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the personnel security policy. CC ID 14113 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 | Establish/Maintain Documentation | Preventive | |
Include the scope in the personnel security policy. CC ID 14111 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the personnel security policy. CC ID 14110 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Communicate | Preventive | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources Management | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 [{background check} The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems. GV.RR-04.01] | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 [{background check} The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems. GV.RR-04.01] | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets. GV.RR-04.02] | Establish/Maintain Documentation | Preventive | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Technical Security | Corrective | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Technical Security | Corrective | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources Management | Preventive | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Data and Information Management | Corrective | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources Management | Preventive | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Behavior | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Communicate | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources Management | Preventive | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources Management | Corrective | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Behavior | Preventive | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources Management | Preventive | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Establish/Maintain Documentation | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources Management | Detective | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [Technology and cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated GV.RR Roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-02 Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02] | Establish Roles | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Technology and cybersecurity risk management frameworks provide for segregation of duties between policy development, implementation, and oversight. GV.RR-02.07] | Testing | Detective | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. GV.PO-01.03] | Human Resources Management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Establish/Maintain Documentation | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Communicate | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Establish/Maintain Documentation | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Establish/Maintain Documentation | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [As new technology is deployed or undergoes change that also requires changes in practices, all impacted personnel (e.g., end-users, developers, operators, etc.) are trained on the new system and any accompanying technology and cybersecurity risks. PR.AT-01.04 All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security. PR.AT-02.05] | Behavior | Preventive | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Training | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [Mechanisms are in place to ensure that the personnel working with cybersecurity and technology (e.g., developers, DBAs, network admins, etc.) maintain current knowledge and skills related to changing threats, countermeasures, new tools, best practices, and their job responsibilities. PR.AT-02.01] | Behavior | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind PR.AT-01 Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind PR.AT-02 The organization maintains and enhances the skills and knowledge of the in-house staff performing incident management and forensic investigation activities. PR.AT-02.04] | Behavior | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Establish/Maintain Documentation | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Training | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 [The organization integrates insider threat considerations into its human resource, risk management, and control programs to address the potential for malicious or unintentional harm by trusted employees or third parties. GV.RR-04.03] | Training | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 [Personnel (employees and third parties) who fulfill the organization's physical security and cybersecurity objectives understand their roles and responsibilities. GV.RR-02.05] | Training | Preventive | |
Conduct personal data processing training. CC ID 13757 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Establish/Maintain Documentation | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 [Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity and independent sources of expertise to discuss cybersecurity related matters. PR.AT-02.08] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include data management in the security awareness program. CC ID 17010 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Training | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [Cybersecurity awareness training is updated on a regular basis to reflect risks and threats identified by the organization, the organization's security policies and standards, applicable laws and regulations, and changes in individual responsibilities. PR.AT-01.03 {inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Evaluate and manage cyber risks; PR.AT-02.07 (1) The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks PR.AT The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. GV.PO-01.03 Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Lead by example. PR.AT-02.07 (3) High-risk groups, such as those with elevated privileges or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities. PR.AT-02.02 All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security. PR.AT-02.05] | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [All personnel receive cybersecurity awareness training upon hire and on a regular basis. PR.AT-01.01] | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 [{security baseline configuration} The organization establishes and maintains standard system security configuration baselines, informed by industry standards and hardening guidelines, to facilitate the consistent application of security settings, configurations, and versions. PR.PS-01.01] | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02 Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced GV.PO-01] | Behavior | Corrective | |
Establish, implement, and maintain an ethical culture. CC ID 12781 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01] | Behavior | Preventive | |
Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 [{incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03] | Process or Activity | Detective | |
Establish, implement, and maintain warning procedures. CC ID 12407 [The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders. DE.AE-06.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 [The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. DE.CM-06.02 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 {network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02 The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders. DE.AE-06.01] | Establish/Maintain Documentation | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03 The independent audit function reports to the governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when risk tolerance has been exceeded in any part of the organization. GV.AU-03.03] | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Process or Activity | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 [Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) EX.MM-01.03] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. ID.IM-01.03] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 [Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction. ID.IM-01.04 The organization's technology operations and service and support functions are designed and managed to address business operational needs and stakeholder requirements. PR.PS-07] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [Outcomes, capabilities, and services that the organization depends on are understood and communicated GV.OC-05] | Communicate | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [Internal and external threats to the organization are identified and recorded ID.RA-03 The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03] | Business Processes | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 [The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01] | Business Processes | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [Internal and external stakeholders are understood, and their needs and expectations regarding technology and cybersecurity risk management are understood and considered GV.OC-02] | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The confidentiality, integrity, and availability of data-in-use are protected PR.DS-10 The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. ID.AM-08.03] | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data governance and management practices. CC ID 17211 | Data and Information Management | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 [{IT architecture} The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs. GV.RM-08.05 Technology and security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience PR.IR] | Establish/Maintain Documentation | Preventive | |
Involve all stakeholders in the architecture review process. CC ID 16935 | Process or Activity | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands. PR.IR-04.02] | Establish/Maintain Documentation | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Cyber threat intelligence is received from information sharing forums and sources ID.RA-02] | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [The organization ensures that cyber threat intelligence is made available, in a secure manner, to authorized staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization. RS.CO-03.01] | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy ID.AM] | Business Processes | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [{third party requirement} {third party contract} Consideration is specifically given to the implications of organizational third-party dependence, requirements, contracts, and interactions in the design, operation, monitoring, and improvement of policies, procedures, and controls to ensure the fulfillment of business requirements within risk appetite. GV.SC-09.01] | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 [{technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Establish/Maintain Documentation | Detective | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Establish/Maintain Documentation | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 [The organizational mission is understood and informs technology and cybersecurity risk management GV.OC-01 {strategic option} Strategic opportunities (i.e., positive risks) are characterized and are included in organizational technology and cybersecurity risk discussions GV.RM-07 The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions. GV.RR-02.02] | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [{technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03] | Establish/Maintain Documentation | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 [{IT architecture} The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs. GV.RM-08.05] | Business Processes | Corrective | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [The designated Technology Officer (e.g., CIO or CTO) regularly reports to the governing authority (e.g., the Board or one of its committees) on the status of technology use and risks within the organization. GV.OV-01.03] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Business Processes | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and PR.AT-02.07 (2)] | Behavior | Preventive | |
Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Personnel activity and technology usage are monitored to find potentially adverse events DE.CM-03 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for errors and faults. CC ID 04544 [Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Communicate | Corrective | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned. ID.IM-03.02 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Log Management | Detective | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Establish/Maintain Documentation | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Communicate | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Communicate | Preventive | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. DE.CM-06.02 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09 Account access, authentication, and authorization activities are logged and monitored, for both users and devices, to enforce authorized access. DE.CM-03.01] | Log Management | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [Possible cybersecurity attacks and compromises, and other operationally adverse events, are found and analyzed DE] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Establish/Maintain Documentation | Preventive | |
Install and maintain an Intrusion Detection and Prevention System. CC ID 00581 [The organization deploys intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. DE.CM-01.01 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified. PR.PS-01.03] | Configuration | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03 The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events DE.CM The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03 {unauthorized hardware} The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes. DE.CM-09.03] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 [The organization implements mechanisms, such as alerting and filtering of sudden high volumes and suspicious incoming traffic, to detect and mitigate Denial of Service, "bot", and credential stuffing attacks. DE.CM-01.02] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 [The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03] | Monitor and Evaluate Occurrences | Preventive | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
Monitor systems for unauthorized mobile code. CC ID 10034 [The organization implements safeguards against unauthorized mobile code (e.g., JavaScript, ActiveX, VBScript, PowerShell, etc.) on mobile, end point, and server systems. PR.PS-05.02] | Monitor and Evaluate Occurrences | Preventive | |
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 [The organization employs deception techniques and technologies (e.g., honeypots) to detect and prevent a potential intrusion in its early stages to support timely containment and recovery. DE.CM-01.06] | Technical Security | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 [Log records are generated and made available for continuous monitoring PR.PS-04] | Log Management | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03 {refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02 Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection. PR.IR-04.01] | Log Management | Detective | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Information is correlated from multiple sources DE.AE-03 The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned. ID.IM-03.02 Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. DE.AE-07.02 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Log Management | Preventive | |
Protect the event logs from failure. CC ID 06290 [{refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02] | Log Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [{network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain log analysis tools. CC ID 17056 [{timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01] | Technical Security | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03 The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01 {timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01] | Log Management | Detective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
Document the event information to be logged in the event information log specification. CC ID 00639 [{refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Configuration | Preventive | |
Enable logging for all systems that meet the traceability criteria. CC ID 00640 [Log records are generated and made available for continuous monitoring PR.PS-04] | Log Management | Detective | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Configuration | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. PR.PS-01.04] | Configuration | Preventive | |
Monitor and evaluate system performance. CC ID 00651 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02] | Communicate | Preventive | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01 {timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01 {privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Monitor and Evaluate Occurrences | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Technical Security | Corrective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 [Networks and network services are monitored to find potentially adverse events DE.CM-01 The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems). DE.CM-01.04] | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Investigate | Detective | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitor and Evaluate Occurrences | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Investigate | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Investigate | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
Implement file integrity monitoring. CC ID 01205 [The organization uses integrity checking mechanisms to verify software, firmware and information integrity and provenance (e.g., checksums, Software Bill of Materials, etc.) DE.CM-09.01 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitor and Evaluate Occurrences | Detective | |
Monitor and evaluate user account activity. CC ID 07066 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 {privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Monitor and Evaluate Occurrences | Detective | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01 The risks posed by a third-party are monitored and managed over the course of the relationship EX.MM {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 [{high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01] | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 [The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters. PR.AA-03.03] | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Testing | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 [The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive), that could affect the organization's ability to service internal and external stakeholders. ID.IM-02.05 {third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06 The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Behavior | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 [The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses. ID.IM-02.01] | Technical Security | Detective | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Testing | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 [Improvements are identified from tests and exercises, including those done in coordination with suppliers and relevant third parties ID.IM-02] | Establish/Maintain Documentation | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Testing | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Testing | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Data and Information Management | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Testing | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Behavior | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Testing | Preventive | |
Define the test requirements for each testing program. CC ID 13177 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Establish/Maintain Documentation | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Testing | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Communicate | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Process or Activity | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Process or Activity | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 [The thoroughness and results of independent penetration testing are regularly reviewed to help determine the need to rotate testing vendors to obtain fresh independent perspectives. ID.IM-02.02] | Behavior | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 [The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses. ID.IM-02.01] | Testing | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Technical Security | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets. ID.RA-01.03] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets. ID.RA-01.03 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Technical Security | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Testing | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its severity and impact; ID.RA-08.02 (3) Vulnerabilities in assets are identified, validated, and recorded ID.RA-01 The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes. ID.RA-05.04] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its severity and impact; ID.RA-08.02 (2) Vulnerabilities in assets are identified, validated, and recorded ID.RA-01] | Investigate | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: ID.RA-08.02] | Technical Security | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
Document and maintain test results. CC ID 17028 | Testing | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Establish/Maintain Documentation | Preventive | |
Include time information in the test results. CC ID 17105 | Establish/Maintain Documentation | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Communicate | Preventive | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Analyzing options to respond. ID.RA-08.02 (5)] | Technical Security | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities. ID.RA-06.05 The organization follows documented procedures, consistent with established risk response processes, for mitigating or accepting the risk of vulnerabilities or weaknesses identified in exercises and testing or when responding to incidents. ID.RA-06.06 The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01 The system development lifecycle remediates known critical vulnerabilities, and critical vulnerabilities discovered during testing, prior to production deployment. PR.PS-06.06 {secure state} Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. RS.MI-02.01] | Technical Security | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 [The organization establishes and maintains an exception management process for identified vulnerabilities that cannot be mitigated within target timeframes. ID.RA-07.05] | Technical Security | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. GV.OV-03.01] | Establish/Maintain Documentation | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Personnel activity and technology usage are monitored to find potentially adverse events DE.CM-03] | Monitor and Evaluate Occurrences | Detective | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [The independent risk management function reports on the implementation of the technology and cybersecurity risk management frameworks to the governing authority (e.g., the Board or one of its committees) GV.IR-03 The independent risk management function reports to the governing authority (e.g., the Board or one of its committees) and to the designated risk management officer within the organization on the implementation of the technology and cybersecurity risk management frameworks throughout the organization and its independent assessment of risk posture. GV.IR-03.01] | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [{business continuity program} Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees). GV.OV-03.02] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 [{business continuity program} Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees). GV.OV-03.02] | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [The organization implements a regular process to collect, store, report, benchmark, and assess trends in actionable performance indicators and risk metrics (e.g., threat KRIs, security incident metrics, vulnerability metrics, and operational measures). ID.IM-01.02] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 [The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. ID.IM-01.03] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Report timely risk metrics. DE.AE-02.01 (3)] | Business Processes | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Establish/Maintain Documentation | Preventive | |
Include transfer procedures in the log management program. CC ID 17077 | Establish/Maintain Documentation | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03] | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities. ID.RA-06.05 The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Actionable Reports or Measurements | Preventive | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 [The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified. PR.PS-01.03] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Communicate | Preventive | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. GV.OV-01.02 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Actionable Reports or Measurements | Corrective | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Business Processes | Preventive | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Technical Security | Preventive | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 [{network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02] | Technical Security | Preventive | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [{cyberattack} The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Predict and block a similar future attack; and DE.AE-02.01 (2)] | Technical Security | Preventive | |
Determine the time frame to take action based on cyber threat intelligence. CC ID 12748 | Process or Activity | Preventive | |
Evaluate cyber threat intelligence. CC ID 12747 [{adverse events} Cyber threat intelligence and other contextual information are integrated into the analysis DE.AE-07 The organization solicits and considers threat intelligence received from the organization's stakeholders, service and utility providers, and other industry and security organizations. ID.RA-03.02] | Process or Activity | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [{business continuity program} The organization maintains documented business continuity and resilience program policies and procedures approved by the governing authority (e.g., the Board or one of its committees). GV.PO-01.07 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations. RC.RP-01.01] | Establish/Maintain Documentation | Preventive | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Testing | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Investigate | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Investigate | Detective | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 | Establish/Maintain Documentation | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Communicate | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Establish/Maintain Documentation | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Establish/Maintain Documentation | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Establish/Maintain Documentation | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Establish/Maintain Documentation | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Establish/Maintain Documentation | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Establish/Maintain Documentation | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Establish/Maintain Documentation | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Establish/Maintain Documentation | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Establish/Maintain Documentation | Preventive | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Testing | Detective | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Establish/Maintain Documentation | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Resilience requirements to support the delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, and normal operations). GV.OC-04.03 The organization's business continuity and resilience requirement risks are managed GV.RM-09 {business continuity strategy} The organization has an enterprise-wide resilience strategy and program, including architecture, cyber resilience, business continuity, disaster recovery, and incident response, which support its mission, stakeholder obligations, critical infrastructure role, and risk appetite. GV.RM-09.01 The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04] | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [The organization defines objectives (e.g., Recovery Time Objective, Maximum Tolerable Downtime, Impact Tolerance) for the resumption of critical operations in alignment with business imperatives, stakeholder obligations, and critical infrastructure dependencies. GV.OC-05.03] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 [{business continuity strategy} The organization's resilience strategy, plans, tests, and exercises incorporate its external dependencies and critical business partners. GV.SC-08.01] | Systems Continuity | Detective | |
Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole. EX.TR-01.01] | Establish/Maintain Documentation | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{business continuity program} Resilience program roles and responsibilities are assigned to management across the organization to ensure risk assessment, planning, testing, and execution coverage for all critical business functions. GV.RR-02.03 {incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02] | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Restoration activities are coordinated with internal and external parties RC.CO] | Systems Continuity | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{business continuity strategy} The organization's business continuity and resilience strategy and program align with and support the overall enterprise risk management framework. GV.RM-03.02] | Systems Continuity | Detective | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{business continuity strategy} The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's resilience strategy and program and for managing the organization's ongoing resilience risks. GV.RR-01.03] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [The organization's business continuity and resilience requirement risks are managed GV.RM-09 {business continuity strategy} The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's resilience strategy and program and for managing the organization's ongoing resilience risks. GV.RR-01.03] | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05 Assets and operations affected by an adverse incident are restored RC Restoration activities are performed to ensure operational availability of systems and services affected by adverse incidents RC.RP Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. RC.RP-05.02 {secure state} Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. RS.MI-02.01] | Systems Continuity | Corrective | |
Include tolerance levels in the continuity plan. CC ID 17305 | Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Joint maintenance of contingency plans; GV.RM-05.02 (1)] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [Recovery actions are selected, scoped, prioritized, and performed RC.RP-02 Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, etc.) are established, communicated, maintained, and improved ID.IM-04 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations. RC.RP-01.01] | Establish/Maintain Documentation | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 [Recovery plans include service resumption steps for all operating environments, including traditional, alternate recovery, and highly available (e.g., cloud) infrastructures. ID.IM-04.03] | Establish/Maintain Documentation | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05] | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [The criteria for initiating incident recovery are applied RS.MA-05 Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05 The organization's incident response plans define severity levels and associated criteria for initiating response plans and escalating event response to appropriate stakeholders and management levels. RS.MA-05.01] | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. ID.IM-04.04] | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04] | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 [The integrity of backups and other restoration assets is verified before using them for restoration RC.RP-03 Restoration steps include the verification of backups, data replications, system images, and other restoration assets prior to continued use. RC.RP-03.01 Restoration steps include the verification of data integrity, transaction positions, system functionality, and the operation of security controls by appropriate organizational stakeholders and system owners. RC.RP-04.01 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders RC.CO-03 {recovery procedure} The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders. RC.CO-03.01] | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [{business continuity program} The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages). GV.RM-09.02 Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05 Restoration activities are performed to ensure operational availability of systems and services affected by adverse incidents RC.RP] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Recovery actions are selected, scoped, prioritized, and performed RC.RP-02 Recovery plans are executed by first resuming critical services and core business functions, while minimizing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. RC.RP-02.02] | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [{business continuity program} The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages). GV.RM-09.02] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 [Public updates on incident recovery are shared using approved methods and messaging RC.CO-04 The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as required or appropriate. RC.CO-03.02 The end of incident recovery is declared based on criteria, and incident-related documentation is completed RC.RP-06] | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Communicate | Preventive | |
Identify and document critical facilities. CC ID 17304 | Systems Continuity | Preventive | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Systems Continuity | Detective | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04] | Establish/Maintain Documentation | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Establish/Maintain Documentation | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Establish/Maintain Documentation | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Establish/Maintain Documentation | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 | Establish/Maintain Documentation | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated GV.OC-04 {critical function} {post incident activity} Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms RC.RP-04 The organization prioritizes the resilience design, planning, testing, and monitoring of systems and other key internal and external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. GV.OC-04.04] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [Recovery point objectives to support data integrity are consistent with the organization's recovery time objectives, information flow dependencies between systems, and business obligations. GV.OC-05.04] | Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [The organization has prioritized its external dependencies according to their criticality to the supported enterprise mission, business functions, and to the financial services sector. GV.OC-05.02] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [The organization's hardware, software, and data assets are prioritized for protection based on their sensitivity, criticality, vulnerability, business value, and dependency role in the delivery of critical services. ID.AM-05.02] | Establish/Maintain Documentation | Detective | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Establish/Maintain Documentation | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Establish/Maintain Documentation | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backups of data are created, protected, maintained, and tested PR.DS-11 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Communicate | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 [The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. ID.IM-04.04] | Establish/Maintain Documentation | Preventive | |
Encrypt backup data. CC ID 00958 [Backups of data are created, protected, maintained, and tested PR.DS-11] | Configuration | Preventive | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backups of data are created, protected, maintained, and tested PR.DS-11 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Testing | Detective | |
Test each restored system for media integrity and information integrity. CC ID 01920 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05] | Testing | Detective | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
Validate information security continuity controls regularly. CC ID 12008 [Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Systems Continuity | Preventive | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Communicate | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [All personnel (employee and third party) are made aware of and are trained for their role and operational steps in response and recovery plans. PR.AT-02.03] | Behavior | Preventive | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Training | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Establish/Maintain Documentation | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 [The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. ID.IM-02.08] | Establish/Maintain Documentation | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 [The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. ID.IM-02.08] | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Testing | Detective | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 [Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. EX.CN-02.04] | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02] | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 [The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results. ID.IM-02.07] | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Testing | Detective | |
Review all third party's continuity plan test results. CC ID 01365 [A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02] | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results. ID.IM-02.07] | Actionable Reports or Measurements | Preventive | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Testing | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Communicate | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [Adequate resource capacity to ensure availability is maintained PR.IR-04 Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands. PR.IR-04.02] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Systems Design, Build, and Implementation | Preventive | |
Follow the resource workload schedule. CC ID 00941 | Business Processes | Detective | |
Manage cloud services. CC ID 13144 | Business Processes | Preventive | |
Establish, implement, and maintain cloud management procedures. CC ID 13149 | Technical Security | Preventive | |
Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Process or Activity | Preventive | |
Document the organization's business processes. CC ID 13035 [The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning. GV.OC-04.02] | Establish/Maintain Documentation | Detective | |
Correlate business processes and applications. CC ID 16300 [The organization's technology operations and service and support functions are designed and managed to address business operational needs and stakeholder requirements. PR.PS-07] | Business Processes | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Technology and cybersecurity strategies, architectures, and programs are formally governed to align with and support the organization's mission, objectives, priorities, tactical initiatives, and risk profile. GV.OC-01.01 Technology and cybersecurity risk management frameworks and programs are integrated into the enterprise risk management framework. GV.RM-03.01 Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making. GV.RM-08.06 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Establish/Maintain Documentation | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 [{IT architecture} The organization integrates the use of technology architecture in its governance processes to support consistent approaches to security and technology design, integration of third party services, consideration and adoption of new technologies, and investment and procurement decisioning. GV.RM-08.04] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [Adequate resources are allocated commensurate with technology and cybersecurity risk strategy, roles, responsibilities, and policies GV.RR-03] | Acquisition/Sale of Assets or Services | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [The organization has mechanisms in place to ensure that strategies, initiatives, opportunities, and emerging technologies (e.g., artificial intelligence, quantum computing, etc.) are evaluated both in terms of risks and uncertainties that are potentially detrimental to the organization, as well as potentially advantageous to the organization (i.e., positive risks). GV.RM-07.01] | Process or Activity | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [{emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Process or Activity | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 [The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization. EX.MM-01.01] | Business Processes | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [{protection process} A formal process is in place to improve protection controls and processes by integrating recommendations, findings, and lessons learned from exercises, testing, audits, assessments, and incidents. ID.IM-03.01] | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01 Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03 {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | Establish/Maintain Documentation | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Establish/Maintain Documentation | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Configuration | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 [{incident alert threshold} The organization establishes, documents, and regularly reviews event alert parameters and thresholds, as well as rule-based triggers to support automated responses, when known attack patterns, signatures or behaviors are detected. DE.AE-02.02] | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 [{information sharing forum} The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Vulnerability sharing forums (e.g., FS-ISAC); and ID.RA-08.01 (2) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Third-parties (e.g., cloud vendors); ID.RA-08.01 (3) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Internal sources (e.g., development teams). ID.RA-08.01 (4) The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from: Public sources (e.g., customers and security researchers); ID.RA-08.01 (1)] | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 [{cybersecurity} The organization participates actively (in alignment with its business operations, inherent risk, and complexity) in information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats, and early warning indicators relating to cyber threats. ID.RA-02.01 The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party's approach to securing systems. ID.RA-02.02] | Communicate | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 [{escalation procedure} The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon. RS.CO-02.01] | Establish/Maintain Documentation | Preventive | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Process or Activity | Preventive | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 [The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party's approach to securing systems. ID.RA-02.02] | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Establish/Maintain Documentation | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Establish/Maintain Documentation | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Establish/Maintain Documentation | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 [Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01] | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 [Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. GV.PO-01.01 The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01 The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated. GV.PO-01.02] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [{security architecture}{security process}{security practice} The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. GV.RM-08.03] | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 [{physical security policy} Physical and environmental security policies are implemented and managed. GV.PO-01.06] | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 [The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) EX.MM-01.03] | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Communicate | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Communicate | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 [The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). GV.RR-03.03] | Process or Activity | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Establish/Maintain Documentation | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. GV.PO-01.01] | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Communicate | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Communicate | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Establish/Maintain Documentation | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Establish/Maintain Documentation | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Establish/Maintain Documentation | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Communicate | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Communicate | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Establish/Maintain Documentation | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Establish/Maintain Documentation | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Process or Activity | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Process or Activity | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Establish/Maintain Documentation | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Communicate | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Communicate | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Establish/Maintain Documentation | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Communicate | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Establish/Maintain Documentation | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Business Processes | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Behavior | Detective | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Process or Activity | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Process or Activity | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Process or Activity | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Process or Activity | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Process or Activity | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Establish/Maintain Documentation | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Process or Activity | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Business Processes | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Communicate | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Communicate | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Establish/Maintain Documentation | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Establish/Maintain Documentation | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Establish/Maintain Documentation | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Communicate | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Business Processes | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Data and Information Management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Establish/Maintain Documentation | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Establish/Maintain Documentation | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Establish/Maintain Documentation | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Communicate | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01] | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated. GV.PO-01.02] | Process or Activity | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{cybersecurity program} The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. GV.OC-03.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Business Processes | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS] | Establish/Maintain Documentation | Preventive | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 | Communicate | Preventive | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 | Communicate | Preventive | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 | Communicate | Preventive | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 | Communicate | Preventive | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 | Communicate | Preventive | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 | Communicate | Preventive | |
Include a service management plan in the service management program. CC ID 13902 | Establish/Maintain Documentation | Preventive | |
Include the information security policy in the service management program. CC ID 13925 | Establish/Maintain Documentation | Preventive | |
Include the change management policy in the service management program. CC ID 13923 | Establish/Maintain Documentation | Preventive | |
Include known limitations in the service management program. CC ID 11391 [Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Establish/Maintain Documentation | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 | Communicate | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The organization's asset management processes ensure the protection of sensitive data throughout removal, transfers, maintenance, end-of-life, and secure disposal or re-use. ID.AM-08.04 The organization establishes and maintains asset lifecycle management policies and procedures to ensure that assets are acquired, tracked, implemented, used, decommissioned, and protected commensurate with their sensitivity, criticality, and business value. ID.AM-08.01 The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 [The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 [The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy ID.AM] | Establish/Maintain Documentation | Preventive | |
Define the requirements for where assets can be located. CC ID 17051 | Business Processes | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 [Assets are prioritized based on classification, criticality, resources, and impact on the mission ID.AM-05] | Business Processes | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02] | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA] | Systems Design, Build, and Implementation | Preventive | |
Define confidentiality controls. CC ID 01908 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. RC.RP-05.02] | Establish/Maintain Documentation | Preventive | |
Define integrity controls. CC ID 01909 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The organization uses integrity checking mechanisms to verify hardware integrity. DE.CM-09.02] | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS The organization implements mechanisms (e.g., failsafe, load balancing, hot swaps, redundant equipment, alternate services, backup facilities, etc.) to achieve resilience requirements in normal and adverse situations. PR.IR-03.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 [{be risk-based} The organization establishes and maintains risk-based policies and procedures for the classification of hardware, software, and data assets based on sensitivity and criticality. ID.AM-05.01] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. ID.AM-01.01 The organization maintains an inventory of key internal assets, business functions, and external dependencies that includes mappings to other assets, business functions, and information flows. GV.OC-04.01] | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02 The organization maintains a current inventory of the data being created, stored, or processed by its information assets and data flow diagrams depicting key internal and external data flows. ID.AM-07.01] | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 [Inventories of hardware managed by the organization are maintained ID.AM-01 Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Establish/Maintain Documentation | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02 The organization maintains a current and complete inventory of software platforms, business applications, and other software assets (e.g., virtual machines and virtual network devices). ID.AM-02.01 Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [Inventories of data and corresponding metadata for designated data types are maintained ID.AM-07] | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 [Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Establish/Maintain Documentation | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02] | Establish/Maintain Documentation | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Data and Information Management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Data and Information Management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Establish/Maintain Documentation | Preventive | |
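The inventory controls above (CC ID 06631 through CC ID 12190) enumerate the fields an asset record should carry and two behaviours the record must support: tagging assets once vendor support has ended and keeping a history of every change. The following is an added example, not code from the CRI Profile or the UCF mapping, showing one way to model such a record with field validation, an automatic "unsupported" tag driven by the recorded vendor support end date, a check for dependencies that point at assets missing from the inventory, and an append-only change log. Field names, the sample assets, and the `audit_sample` helper are assumptions made for illustration.

```python
"""Added example (not from the CRI Profile or the UCF mapping): a minimal
asset-inventory record carrying the fields the controls above call for,
with field validation, automatic tagging of assets whose vendor support
has ended, a dependency-gap check, and an append-only change log.
Field names, sample assets and helper names are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def valid_mac(value: str) -> bool:
    """True for a colon-separated 48-bit MAC address (CC ID 13721)."""
    return MAC_RE.match(value) is not None


@dataclass
class AssetRecord:
    name: str                                   # unique name (CC ID 16305)
    host_name: str                              # CC ID 13722
    mac: str                                    # CC ID 13721
    status: str = "in-service"                  # CC ID 16304
    publisher: str = ""                         # CC ID 13725
    software_version: str = ""                  # CC ID 12196
    firmware_version: str = ""                  # CC ID 12195
    ports: list[int] = field(default_factory=list)          # CC ID 13730
    protocols: list[str] = field(default_factory=list)      # CC ID 13734
    services: list[str] = field(default_factory=list)       # CC ID 13733
    dependencies: list[str] = field(default_factory=list)   # CC ID 17196
    install_date: Optional[date] = None         # CC ID 13720
    vendor_support_end: Optional[date] = None   # CC ID 17194
    decommission_date: Optional[date] = None    # CC ID 14920
    tags: set[str] = field(default_factory=set)             # "unsupported" (CC ID 13723)
    changes: list[tuple[date, str, str, str]] = field(default_factory=list)  # CC ID 12190

    def __post_init__(self) -> None:
        # Reject malformed records at entry so the inventory stays trustworthy.
        if not valid_mac(self.mac):
            raise ValueError(f"{self.name}: malformed MAC address {self.mac!r}")
        bad = [p for p in self.ports if not 0 < p < 65536]
        if bad:
            raise ValueError(f"{self.name}: invalid ports {bad}")

    def update(self, when: date, field_name: str, new_value) -> None:
        """Change a field and record (date, field, old, new) so the
        inventory keeps a history rather than only the current state."""
        old = getattr(self, field_name)
        setattr(self, field_name, new_value)
        self.changes.append((when, field_name, repr(old), repr(new_value)))


class Inventory:
    def __init__(self) -> None:
        self._by_name: dict[str, AssetRecord] = {}

    def add(self, rec: AssetRecord) -> None:
        if rec.name in self._by_name:          # names must be unique
            raise ValueError(f"duplicate asset name {rec.name!r}")
        self._by_name[rec.name] = rec

    def get(self, name: str) -> AssetRecord:
        return self._by_name[name]

    def tag_unsupported(self, today: date) -> list[str]:
        """Tag every in-service asset whose vendor support end date has
        passed; the tag is itself logged as a change. Returns the names."""
        tagged = []
        for rec in self._by_name.values():
            if rec.status != "in-service" or rec.vendor_support_end is None:
                continue
            if rec.vendor_support_end < today:
                if "unsupported" not in rec.tags:
                    rec.tags.add("unsupported")
                    rec.changes.append((today, "tags", "", "+unsupported"))
                tagged.append(rec.name)
        return sorted(tagged)

    def missing_dependencies(self) -> dict[str, list[str]]:
        """Dependencies naming assets absent from the inventory: gaps in
        the interconnection record (CC ID 17196)."""
        gaps = {}
        for name, rec in self._by_name.items():
            missing = [d for d in rec.dependencies if d not in self._by_name]
            if missing:
                gaps[name] = missing
        return gaps


def build_sample_inventory() -> Inventory:
    """Constructed sample data for illustration, not real assets."""
    inv = Inventory()
    inv.add(AssetRecord("core-sw-01", "core-sw-01.example.internal", "00:11:22:33:44:55",
                        publisher="ExampleNet", firmware_version="8.2.1",
                        ports=[22, 443], protocols=["ssh", "https"],
                        install_date=date(2018, 3, 1), vendor_support_end=date(2023, 12, 31)))
    inv.add(AssetRecord("app-web-02", "app-web-02.example.internal", "aa:bb:cc:dd:ee:01",
                        publisher="ExampleSoft", software_version="4.7",
                        ports=[443], protocols=["https"], services=["payments-api"],
                        dependencies=["core-sw-01", "db-main-01"],
                        vendor_support_end=date(2027, 6, 30)))
    return inv


def audit_sample(today_iso: str) -> dict:
    """Run the support-end and dependency checks over the sample data and
    apply one logged change; returns a summary a reviewer could act on."""
    inv = build_sample_inventory()
    today = date.fromisoformat(today_iso)
    unsupported = inv.tag_unsupported(today)
    inv.get("app-web-02").update(today, "software_version", "4.8")
    return {
        "unsupported": unsupported,
        "missing_dependencies": inv.missing_dependencies(),
        "core_sw_tags": sorted(inv.get("core-sw-01").tags),
        "web_changes": [c[1] for c in inv.get("app-web-02").changes],
    }


if __name__ == "__main__":
    print(audit_sample("2025-01-15"))
```

Run as a script it prints the audit summary for the constructed assets: the switch whose support ended in 2023 is tagged unsupported, and the web server's dependency on a database that was never inventoried is reported as a gap. In a real deployment the records would be loaded from the CMDB or discovery tool rather than constructed in code, and the change log would be written to durable storage.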
Establish, implement, and maintain software asset management procedures. CC ID 00895 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS Software is maintained, replaced, and removed commensurate with risk PR.PS-02] | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Configuration | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 | Business Processes | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The organization defines and implements controls for the on-site and remote maintenance and repair of the organization's technology assets (e.g., work must be performed by authorized personnel, use of approved procedures and tools, use of original or vendor-approved spare parts). PR.PS-03.01] | Establish/Maintain Documentation | Preventive | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Maintenance | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Maintenance | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Maintenance | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Maintenance | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Establish/Maintain Documentation | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Communicate | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Process or Activity | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Business Processes | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 [Technology obsolescence, unsupported systems, and end-of-life decommissioning/replacements are addressed in a risk-based manner and actively planned for, funded, managed, and securely executed. PR.PS-02.03] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Communicate | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
Review each system's operational readiness. CC ID 06275 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08 Possible cybersecurity attacks and compromises, and other operationally adverse events, are found and analyzed DE {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Business Processes | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [Incidents are declared when adverse events meet the defined incident criteria DE.AE-08] | Establish/Maintain Documentation | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents DE.AE {incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03] | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 [The estimated impact and scope of adverse events are understood DE.AE-04 Incidents are categorized and prioritized RS.MA-03 Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. DE.AE-07.02] | Technical Security | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [The estimated impact and scope of adverse events are understood DE.AE-04 An incident's magnitude is estimated and validated RS.AN-08 Defined criteria and severity levels are in place to facilitate the declaration, escalation, organization, and alignment of response activities to response plans within the organization and across relevant third parties. DE.AE-08.01] | Establish/Maintain Documentation | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Process or Activity | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [An incident's magnitude is estimated and validated RS.AN-08 The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Assess and understand the nature, scope and method of the attack; DE.AE-02.01 (1)] | Monitor and Evaluate Occurrences | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 [Analysis is performed to establish what has taken place during an incident and the root cause of the incident RS.AN-03] | Investigate | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 [Incident reports are triaged and validated RS.MA-02 The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems and services to the enterprise. RS.MA-03.01 Actions regarding a detected adverse incident are taken RS The organization has a documented process to analyze and triage incidents to assess root cause, technical impact, mitigation priority, and business impact on the organization, as well as across the financial sector and other third party stakeholders. DE.AE-04.01] | Monitor and Evaluate Occurrences | Detective | |
Escalate incidents, as necessary. CC ID 14861 [Incidents are categorized and prioritized RS.MA-03 Incidents are escalated or elevated as needed RS.MA-04] | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [Relevant suppliers and other third parties are included in incident planning, response, and recovery activities GV.SC-08 The incident response plan is executed in coordination with relevant third parties once an incident is declared RS.MA-01 Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies RS.CO The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01 {incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01 The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. RC.RP-02.01] | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 [Activities are performed to prevent expansion of an event and mitigate its effects RS.MI Incidents are contained RS.MI-01 The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01] | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06] | Establish/Maintain Documentation | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Available incident information is assessed to determine the extent of impact to the organization and its stakeholders, the potential near- and long-term financial implications, and whether or not the incident constitutes a material event. RS.AN-08.01 Analysis is performed to establish what has taken place during an incident and the root cause of the incident RS.AN-03] | Testing | Corrective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Information on adverse events is provided to authorized staff and tools DE.AE-06 Internal and external stakeholders are notified of incidents RS.CO-02 {incident information} Information is shared with designated internal and external stakeholders RS.CO-03 In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants. RS.CO-03.02] | Data and Information Management | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [Pre-established communication plans and message templates, and authorized protocols, contacts, media, and communications, are used to notify and inform the public and key external stakeholders about an incident. RC.CO-04.01] | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include the incident reference code in incident response notifications. CC ID 17292 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Establish/Maintain Documentation | Preventive | |
Include costs associated with the incident in incident response notifications. CC ID 17300 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05 The organization maintains documented procedures for sanitizing, testing, authorizing, and returning systems to service following an incident or investigation. RC.RP-05.01] | Establish/Maintain Documentation | Corrective | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01 {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
Conduct incident investigations, as necessary. CC ID 13826 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01 The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01] | Process or Activity | Detective | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01] | Records Management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01] | Establish/Maintain Documentation | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 [{incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [{incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03 {incident communication protocol} The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident. RS.CO-02.03] | Establish/Maintain Documentation | Preventive | |
Provide customer security advice, as necessary. CC ID 13674 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Communicate | Preventive | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Communicate | Preventive | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Communicate | Preventive | |
Display customer security advice prominently. CC ID 13667 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 [The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 Responses to detected adverse incidents are managed RS.MA] | Establish/Maintain Documentation | Preventive | |
Create an incident response report. CC ID 12700 [Incident reports are triaged and validated RS.MA-02] | Establish/Maintain Documentation | Preventive | |
Include entities notified of the incident in the incident response report. CC ID 17294 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in the incident response report. CC ID 17298 | Establish/Maintain Documentation | Preventive | |
Include the incident reference code in the incident response report. CC ID 17297 | Establish/Maintain Documentation | Preventive | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Establish/Maintain Documentation | Preventive | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Assessing its scope (e.g., affected assets); ID.RA-08.02 (2)] | Establish/Maintain Documentation | Preventive | |
Include recovery measures in the incident response report. CC ID 17299 | Establish/Maintain Documentation | Preventive | |
Include the date and time of recovery from the incident in the incident response report. CC ID 17296 | Establish/Maintain Documentation | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01] | Establish/Maintain Documentation | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Acquisition/Sale of Assets or Services | Preventive | |
Analyze and respond to security alerts. CC ID 12504 [Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents DE.AE Potentially adverse events are analyzed to better understand associated activities DE.AE-02] | Business Processes | Detective | |
Mitigate reported incidents. CC ID 12973 [Activities are performed to prevent expansion of an event and mitigate its effects RS.MI Incidents are eradicated RS.MI-02] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08] | Establish/Maintain Documentation | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Establish/Maintain Documentation | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Establish/Maintain Documentation | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Establish/Maintain Documentation | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 [{escalation procedure} The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon. RS.CO-02.01] | Establish/Maintain Documentation | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Establish/Maintain Documentation | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Establish/Maintain Documentation | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Establish/Maintain Documentation | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Establish/Maintain Documentation | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Establish/Maintain Documentation | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 [Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, etc.) are established, communicated, maintained, and improved ID.IM-04] | Communicate | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. RC.RP-02.01] | Establish Roles | Preventive | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 [The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01] | Testing | Corrective | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [In the event of an incident, the organization notifies impacted stakeholders including, as required, government bodies, self-regulatory agencies and/or other supervisory bodies, within required timeframes. RS.CO-02.02] | Communicate | Corrective | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Establish/Maintain Documentation | Preventive | |
Include log management procedures in the incident response program. CC ID 17081 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the incident response policy. CC ID 14108 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the incident response policy. CC ID 14107 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the incident response policy. CC ID 14106 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the incident response policy. CC ID 14105 | Establish/Maintain Documentation | Preventive | |
Include the scope in the incident response policy. CC ID 14104 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the incident response policy. CC ID 14101 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Communicate | Preventive | |
Include business recovery procedures in the Incident Response program. CC ID 11774 [The recovery portion of the incident response plan is executed once initiated from the incident response process RC.RP-01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Establish/Maintain Documentation | Preventive | |
Retain collected evidence for potential future legal actions. CC ID 01235 | Records Management | Preventive | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06 Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Investigate | Detective | |
Include time information in the chain of custody. CC ID 17068 | Log Management | Preventive | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Log Management | Preventive | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Log Management | Preventive | |
Conduct forensic investigations in the event of a security compromise. CC ID 11951 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Investigate | Corrective | |
Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 [The organization pre-identifies, pre-qualifies, and retains third party incident management support and forensic service firms, as required, that can be called upon to quickly assist with incident response, investigation, and recovery. ID.IM-04.07] | Communicate | Detective | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01 Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. RS.AN-07.01] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01 Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. RS.AN-07.01] | Records Management | Preventive | |
Prepare digital forensic equipment. CC ID 08688 | Investigate | Detective | |
Collect evidence from the incident scene. CC ID 02236 [Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Business Processes | Corrective | |
Secure devices containing digital forensic evidence. CC ID 08681 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01] | Investigate | Detective | |
Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06 Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Investigate | Detective | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [The end of incident recovery is declared based on criteria, and incident-related documentation is completed RC.RP-06] | Actionable Reports or Measurements | Preventive | |
Test the incident response procedures. CC ID 01216 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 {incident communication protocol} The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident. RS.CO-02.03] | Testing | Detective | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rate limits for connection attempts. CC ID 16986 | Technical Security | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [{business continuity plan} Technology projects and system change processes ensure that requisite changes in security posture, data classification and flows, architecture, support documentation, business processes, and business resilience plans are addressed. ID.RA-07.03 {change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Manage change requests. CC ID 00887 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 {change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02] | Business Processes | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 [{emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [{change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Provide audit trails for all approved changes. CC ID 13120 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Establish/Maintain Documentation | Preventive | |
Include resources in the transition strategy. CC ID 17289 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Business Processes | Preventive | |
Test software patches for any potential compromise of the system's security. CC ID 13175 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Testing | Detective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Document the organization's local environments. CC ID 06726 [The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: DE.AE-02.01] | Establish/Maintain Documentation | Preventive | |
Include security requirements in the local environment security profile. CC ID 15717 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | | | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Communicate | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 [{physical security policy} Physical and environmental security policies are implemented and managed. GV.PO-01.06] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Establish/Maintain Documentation | Preventive | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Establish/Maintain Documentation | Preventive | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Establish/Maintain Documentation | Preventive | |
Conduct external audits of the physical security plan. CC ID 13314 | Audits and Risk Management | Detective | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Communicate | Corrective | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Configuration | Preventive | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Configuration | Preventive | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Communicate | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Establish/Maintain Documentation | Preventive | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Log Management | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Log Management | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Log Management | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Log Management | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Log Management | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Log Management | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Business Processes | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Process or Activity | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Testing | Detective | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The physical environment is monitored to find potentially adverse events DE.CM-02 {high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01] | Monitor and Evaluate Occurrences | Detective | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Log Management | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Log Management | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Establish, implement, and maintain a physical access log. CC ID 12080 [The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01] | Establish/Maintain Documentation | Preventive | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Include the requestor's name in the physical access log. CC ID 16922 | Log Management | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01 The organization manages and protects physical and visual access to sensitive information assets and physical records (e.g., session lockout, clean desk policies, printer/facsimile output trays, file cabinet/room security, document labelling, etc.) PR.AA-06.02 {environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and Environmental Protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
Restrict physical access to distributed assets. CC ID 11865 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 [The organization defines and implements controls for the protection and use of removable media (e.g., access/use restrictions, encryption, malware scanning, data loss prevention, etc.) PR.DS-01.03] | Data and Information Management | Preventive | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Records Management | Preventive | |
Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Business Processes | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02] | Establish/Maintain Documentation | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Communicate | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Communicate | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [{mobile device} End-user mobile or personal computing devices accessing the organization's network employ mechanisms to protect network, application, and data integrity, such as "Mobile Device Management (MDM)" and "Mobile Application Management (MAM)" technologies, device fingerprinting, storage containerization and encryption, integrity scanning, automated patch application, remote wipe, and data leakage protections. PR.PS-01.08] | Establish/Maintain Documentation | Preventive | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Process or Activity | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Establish/Maintain Documentation | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
Establish, implement, and maintain asset return procedures. CC ID 04537 [{personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03 Relationship terminations and the return or destruction of assets are performed in a controlled and safe manner EX.TR-02] | Establish/Maintain Documentation | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets. GV.RR-04.02] | Behavior | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Establish/Maintain Documentation | Preventive | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Business Processes | Preventive | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Establish Roles | Preventive | |
Inventory payment cards, as necessary. CC ID 13547 | Records Management | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Establish/Maintain Documentation | Preventive | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and Environmental Protection | Preventive | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and Environmental Protection | Preventive | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and Environmental Protection | Preventive | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and Environmental Protection | Preventive | |
Install and maintain network patch panels. CC ID 08636 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain an environmental control program. CC ID 00724 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain clean energy standards. CC ID 16285 | Establish/Maintain Documentation | Preventive | |
Install and maintain power distribution boards. CC ID 16486 | Systems Design, Build, and Implementation | Preventive | |
Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and Environmental Protection | Preventive | |
Design the Information Technology facility with a low profile. CC ID 16140 | Physical and Environmental Protection | Preventive | |
Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and Environmental Protection | Preventive | |
Build critical facilities according to applicable building codes. CC ID 06366 | Physical and Environmental Protection | Preventive | |
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and Environmental Protection | Preventive | |
Remotely control operational conditions at unmanned facilities. CC ID 11680 | Technical Security | Preventive | |
Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Establish/Maintain Documentation | Preventive | |
Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and Environmental Protection | Preventive | |
Install and maintain smoke control systems. CC ID 17291 | Physical and Environmental Protection | Preventive | |
Install and maintain fire alarm systems. CC ID 17267 | Physical and Environmental Protection | Preventive | |
Install and maintain smoke detectors. CC ID 15264 | Physical and Environmental Protection | Preventive | |
Conduct fire drills, as necessary. CC ID 13985 | Process or Activity | Preventive | |
Employ environmental protections. CC ID 12570 [The organization's technology assets are protected from environmental threats PR.IR-02] | Process or Activity | Preventive | |
Establish, implement, and maintain geomagnetic disturbance operating procedures. CC ID 17158 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the geomagnetic disturbance operating plan. CC ID 17157 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a geomagnetic disturbance operating plan. CC ID 17156 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate space weather information to interested personnel and affected parties. CC ID 17155 | Communicate | Preventive | |
Include roles and responsibilities in the geomagnetic disturbance operating procedures. CC ID 17154 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cold weather preparedness plan. CC ID 17131 | Establish/Maintain Documentation | Preventive | |
Include design specifications for applicable assets in the cold weather preparedness plan. CC ID 17144 | Establish/Maintain Documentation | Preventive | |
Include limitations in the cold weather preparedness plan. CC ID 17143 | Establish/Maintain Documentation | Preventive | |
Include performance data in the cold weather preparedness plan. CC ID 17142 | Establish/Maintain Documentation | Preventive | |
Include maintenance requirements in the cold weather preparedness plan. CC ID 17141 | Establish/Maintain Documentation | Preventive | |
Include freeze protection measures in the cold weather preparedness plan. CC ID 17140 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and Environmental Protection | Preventive | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 | Communicate | Preventive | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Communicate | Preventive | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a privacy policy. CC ID 06281 [The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). GV.OC-03.02] | Establish/Maintain Documentation | Preventive | |
Include the data subject's rights in the privacy policy. CC ID 16355 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Establish/Maintain Documentation | Preventive | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
Write privacy notices in the official languages required by law. CC ID 16529 | Establish/Maintain Documentation | Preventive | |
Define what is included in the privacy policy. CC ID 00404 | Establish/Maintain Documentation | Preventive | |
Define the information being collected in the privacy policy. CC ID 13115 | Establish/Maintain Documentation | Preventive | |
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Establish/Maintain Documentation | Preventive | |
Include the means by which information is collected in the privacy policy. CC ID 13114 | Establish/Maintain Documentation | Preventive | |
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Establish/Maintain Documentation | Corrective | |
Include roles and responsibilities in the privacy policy. CC ID 14669 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the privacy policy. CC ID 14668 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the privacy policy. CC ID 14667 | Establish/Maintain Documentation | Preventive | |
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the privacy policy. CC ID 14666 | Establish/Maintain Documentation | Preventive | |
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Establish/Maintain Documentation | Preventive | |
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Establish/Maintain Documentation | Corrective | |
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Establish/Maintain Documentation | Preventive | |
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Establish/Maintain Documentation | Preventive | |
Include a complaint form in the privacy policy. CC ID 12364 | Establish/Maintain Documentation | Preventive | |
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Establish/Maintain Documentation | Preventive | |
Include the processing purpose in the privacy policy. CC ID 00406 | Establish/Maintain Documentation | Preventive | |
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Establish/Maintain Documentation | Preventive | |
Include the data subject categories being processed in the privacy policy. CC ID 00407 | Establish/Maintain Documentation | Preventive | |
Define the retention period for collected information in the privacy policy. CC ID 13116 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Establish/Maintain Documentation | Preventive | |
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Establish/Maintain Documentation | Preventive | |
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Establish/Maintain Documentation | Preventive | |
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Establish/Maintain Documentation | Preventive | |
Include opt-out instructions in the privacy policy. CC ID 00411 | Establish/Maintain Documentation | Preventive | |
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Establish/Maintain Documentation | Preventive | |
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Establish/Maintain Documentation | Preventive | |
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Establish/Maintain Documentation | Preventive | |
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Establish/Maintain Documentation | Preventive | |
Post the privacy policy in an easily seen location. CC ID 00401 | Establish/Maintain Documentation | Preventive | |
Define who will receive the privacy policy. CC ID 00402 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Communicate | Preventive | |
Establish, implement, and maintain privacy procedures. CC ID 14665 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Communicate | Preventive | |
Establish, implement, and maintain a privacy plan. CC ID 14672 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the privacy plan. CC ID 14705 | Process or Activity | Preventive | |
Approve the privacy plan. CC ID 14700 [The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). GV.OC-03.02] | Business Processes | Preventive | |
Include privacy requirements in the privacy plan. CC ID 14699 | Establish/Maintain Documentation | Preventive | |
Include the information types in the privacy plan. CC ID 14695 | Establish/Maintain Documentation | Preventive | |
Include threats in the privacy plan. CC ID 14694 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the privacy plan. CC ID 14702 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the privacy plan. CC ID 14692 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the privacy plan. CC ID 14701 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Establish/Maintain Documentation | Preventive | |
Include security controls in the privacy plan. CC ID 14681 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Communicate | Preventive | |
Include a description of the operational environment in the privacy plan. CC ID 14679 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the privacy plan. CC ID 14678 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Behavior | Preventive | |
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Data and Information Management | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [{data classification policy} {data protection policy} Data-in-use is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, visual shielding, memory integrity monitoring, etc.) PR.DS-10.01] | Technical Security | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 [The organization implements measures for monitoring external sources (e.g., social media, the dark web, etc.) to integrate with other intelligence information to better detect and evaluate potential threats and compromises. DE.AE-07.01] | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a data retention program. CC ID 00906 [The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. ID.AM-08.03] | Establish/Maintain Documentation | Detective | |
Store records and data in accordance with organizational standards. CC ID 16439 | Data and Information Management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 | Process or Activity | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Data and Information Management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03] | Records Management | Preventive | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed. ID.AM-08.05] | Establish/Maintain Documentation | Preventive | |
Perform destruction at authorized facilities. CC ID 17074 | Business Processes | Preventive | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Business Processes | Preventive | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Data and Information Management | Preventive | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Process or Activity | Preventive | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Business Processes | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed. ID.AM-08.05] | Establish/Maintain Documentation | Preventive | |
Require authorized individuals be present to witness records disposition. CC ID 12313 | Data and Information Management | Preventive | |
Include the sanitization method in the disposal record. CC ID 17073 | Log Management | Preventive | |
Include time information in the disposal record. CC ID 17072 | Log Management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Communicate | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Records Management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [{data classification policy} {data protection policy} Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, segregation, masking, tokenization, and file integrity monitoring). PR.DS-01.01] | Records Management | Preventive | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 [The confidentiality, integrity, and availability of data-at-rest are protected PR.DS-01] | Technical Security | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain configuration management procedures. CC ID 14074 [Configuration management practices are established and applied PR.PS-01] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | Communicate | Preventive | |
Document external connections for all systems. CC ID 06415 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Configuration | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | Establish/Maintain Documentation | Preventive | |
Terminate all dependent sessions upon session termination. CC ID 16984 | Technical Security | Preventive | |
Configure "Docker" to organizational standards. CC ID 14457 | Configuration | Preventive | |
Configure the "autolock" argument to organizational standards. CC ID 14547 | Configuration | Preventive | |
Configure the "COPY" instruction to organizational standards. CC ID 14515 | Configuration | Preventive | |
Configure the "memory" argument to organizational standards. CC ID 14497 | Configuration | Preventive | |
Configure the "docker0" bridge to organizational standards. CC ID 14504 | Configuration | Preventive | |
Configure the "docker exec commands" to organizational standards. CC ID 14502 | Configuration | Preventive | |
Configure the "health-cmd" argument to organizational standards. CC ID 14527 | Configuration | Preventive | |
Configure the "HEALTHCHECK" to organizational standards. CC ID 14511 | Configuration | Detective | |
Configure the maximum number of images to organizational standards. CC ID 14545 | Configuration | Preventive | |
Configure the minimum number of manager nodes to organizational standards. CC ID 14543 | Configuration | Preventive | |
Configure the "on-failure" restart policy to organizational standards. CC ID 14542 | Configuration | Preventive | |
Configure the maximum number of containers to organizational standards. CC ID 14540 | Configuration | Preventive | |
Configure the "lifetime_minutes" to organizational standards. CC ID 14539 | Configuration | Preventive | |
Configure the "Linux kernel capabilities" to organizational standards. CC ID 14531 | Configuration | Preventive | |
Configure the "Docker socket" to organizational standards. CC ID 14506 | Configuration | Preventive | |
Configure the "read-only" argument to organizational standards. CC ID 14498 | Configuration | Preventive | |
Configure the signed image enforcement to organizational standards. CC ID 14517 | Configuration | Preventive | |
Configure the "storage-opt" argument to organizational standards. CC ID 14658 | Configuration | Preventive | |
Configure the "swarm services" to organizational standards. CC ID 14516 | Configuration | Preventive | |
Configure the "experimental" argument to organizational standards. CC ID 14494 | Configuration | Preventive | |
Configure the cluster role-based access control policies to organizational standards. CC ID 14514 | Configuration | Preventive | |
Configure the "secret management commands" to organizational standards. CC ID 14512 | Configuration | Preventive | |
Configure the "renewal_threshold_minutes" to organizational standards. CC ID 14538 | Configuration | Preventive | |
Configure the "docker swarm unlock-key" command to organizational standards. CC ID 14490 | Configuration | Preventive | |
Configure the "per_user_limit" to organizational standards. CC ID 14523 | Configuration | Preventive | |
Configure the "privileged" argument to organizational standards. CC ID 14510 | Configuration | Preventive | |
Configure the "update instructions" to organizational standards. CC ID 14525 | Configuration | Preventive | |
Configure the "swarm mode" to organizational standards. CC ID 14508 | Configuration | Preventive | |
Configure the "USER" directive to organizational standards. CC ID 14507 | Configuration | Preventive | |
Configure the "DOCKER_CONTENT_TRUST" to organizational standards. CC ID 14488 | Configuration | Preventive | |
Configure the "no-new-privileges" argument to organizational standards. CC ID 14474 | Configuration | Preventive | |
Configure the "seccomp-profile" argument to organizational standards. CC ID 14503 | Configuration | Preventive | |
Configure the "cpu-shares" argument to organizational standards. CC ID 14489 | Configuration | Preventive | |
Configure the "volume" argument to organizational standards. CC ID 14533 | Configuration | Preventive | |
Configure the "cgroup-parent" to organizational standards. CC ID 14466 | Configuration | Preventive | |
Configure the "live-restore" argument to organizational standards. CC ID 14465 | Configuration | Preventive | |
Configure the "userland-proxy" argument to organizational standards. CC ID 14464 | Configuration | Preventive | |
Configure the "user namespace support" to organizational standards. CC ID 14462 | Configuration | Preventive | |
Configure "etcd" to organizational standards. CC ID 14535 | Configuration | Preventive | |
Configure the "auto-tls" argument to organizational standards. CC ID 14621 | Configuration | Preventive | |
Configure the "peer-auto-tls" argument to organizational standards. CC ID 14636 | Configuration | Preventive | |
Configure the "peer-client-cert-auth" argument to organizational standards. CC ID 14614 | Configuration | Preventive | |
Configure the "peer-cert-file" argument to organizational standards. CC ID 14606 | Configuration | Preventive | |
Configure the "key-file" argument to organizational standards. CC ID 14604 | Configuration | Preventive | |
Configure the "cert-file" argument to organizational standards. CC ID 14602 | Configuration | Preventive | |
Configure the "client-cert-auth" argument to organizational standards. CC ID 14596 | Configuration | Preventive | |
Configure the "peer-key-file" argument to organizational standards. CC ID 14595 | Configuration | Preventive | |
Establish, implement, and maintain container orchestration. CC ID 16350 | Technical Security | Preventive | |
Configure "Kubernetes" to organizational standards. CC ID 14528 | Configuration | Preventive | |
Configure the "ImagePolicyWebhook" admission controller to organizational standards. CC ID 14657 | Configuration | Preventive | |
Configure the "allowedCapabilities" to organizational standards. CC ID 14653 | Configuration | Preventive | |
Configure the "allowPrivilegeEscalation" flag to organizational standards. CC ID 14645 | Configuration | Preventive | |
Configure the "Security Context" to organizational standards. CC ID 14656 | Configuration | Preventive | |
Configure the "cluster-admin" role to organizational standards. CC ID 14642 | Configuration | Preventive | |
Configure the "automountServiceAccountToken" to organizational standards. CC ID 14639 | Configuration | Preventive | |
Configure the "audit-log-maxsize" argument to organizational standards. CC ID 14624 | Configuration | Detective | |
Configure the "seccomp" profile to organizational standards. CC ID 14652 | Configuration | Preventive | |
Configure the "securityContext.privileged" flag to organizational standards. CC ID 14641 | Configuration | Preventive | |
Configure the "audit-log-path" argument to organizational standards. CC ID 14622 | Configuration | Detective | |
Configure the "audit-log-maxbackup" argument to organizational standards. CC ID 14613 | Configuration | Detective | |
Configure the "audit-policy-file" to organizational standards. CC ID 14610 | Configuration | Preventive | |
Configure the "audit-log-maxage" argument to organizational standards. CC ID 14605 | Configuration | Detective | |
Configure the "bind-address" argument to organizational standards. CC ID 14601 | Configuration | Preventive | |
Configure the "request-timeout" argument to organizational standards. CC ID 14583 | Configuration | Preventive | |
Configure the "secure-port" argument to organizational standards. CC ID 14582 | Configuration | Preventive | |
Configure the "service-account-key-file" argument to organizational standards. CC ID 14581 | Configuration | Preventive | |
Configure the "insecure-bind-address" argument to organizational standards. CC ID 14580 | Configuration | Preventive | |
Configure the "service-account-lookup" argument to organizational standards. CC ID 14579 | Configuration | Preventive | |
Configure the "admission control plugin PodSecurityPolicy" to organizational standards. CC ID 14578 | Configuration | Preventive | |
Configure the "profiling" argument to organizational standards. CC ID 14577 | Configuration | Preventive | |
Configure the "hostNetwork" flag to organizational standards. CC ID 14649 | Configuration | Preventive | |
Configure the "hostPID" flag to organizational standards. CC ID 14648 | Configuration | Preventive | |
Configure the "etcd-certfile" argument to organizational standards. CC ID 14584 | Configuration | Preventive | |
Configure the "runAsUser.rule" to organizational standards. CC ID 14651 | Configuration | Preventive | |
Configure the "requiredDropCapabilities" to organizational standards. CC ID 14650 | Configuration | Preventive | |
Configure the "hostIPC" flag to organizational standards. CC ID 14643 | Configuration | Preventive | |
Configure the "admission control plugin ServiceAccount" to organizational standards. CC ID 14576 | Configuration | Preventive | |
Configure the "insecure-port" argument to organizational standards. CC ID 14575 | Configuration | Preventive | |
Configure the "admission control plugin AlwaysPullImages" to organizational standards. CC ID 14574 | Configuration | Preventive | |
Configure the "pod" to organizational standards. CC ID 14644 | Configuration | Preventive | |
Configure the "ClusterRoles" to organizational standards. CC ID 14637 | Configuration | Preventive | |
Configure the "event-qps" argument to organizational standards. CC ID 14633 | Configuration | Preventive | |
Configure the "Kubelet" to organizational standards. CC ID 14635 | Configuration | Preventive | |
Configure the "NET_RAW" to organizational standards. CC ID 14647 | Configuration | Preventive | |
Configure the "make-iptables-util-chains" argument to organizational standards. CC ID 14638 | Configuration | Preventive | |
Configure the "hostname-override" argument to organizational standards. CC ID 14631 | Configuration | Preventive | |
Configure the "admission control plugin NodeRestriction" to organizational standards. CC ID 14573 | Configuration | Preventive | |
Configure the "admission control plugin AlwaysAdmit" to organizational standards. CC ID 14572 | Configuration | Preventive | |
Configure the "etcd-cafile" argument to organizational standards. CC ID 14592 | Configuration | Preventive | |
Configure the "encryption-provider-config" argument to organizational standards. CC ID 14587 | Configuration | Preventive | |
Configure the "rotate-certificates" argument to organizational standards. CC ID 14640 | Configuration | Preventive | |
Configure the "etcd-keyfile" argument to organizational standards. CC ID 14586 | Configuration | Preventive | |
Configure the "client-ca-file" argument to organizational standards. CC ID 14585 | Configuration | Preventive | |
Configure the "kube-apiserver" to organizational standards. CC ID 14589 | Configuration | Preventive | |
Configure the "tls-private-key-file" argument to organizational standards. CC ID 14590 | Configuration | Preventive | |
Configure the "streaming-connection-idle-timeout" argument to organizational standards. CC ID 14634 | Configuration | Preventive | |
Configure the "RotateKubeletServerCertificate" argument to organizational standards. CC ID 14626 | Configuration | Preventive | |
Configure the "protect-kernel-defaults" argument to organizational standards. CC ID 14629 | Configuration | Preventive | |
Configure the "read-only-port" argument to organizational standards. CC ID 14627 | Configuration | Preventive | |
Configure the "admission control plugin NamespaceLifecycle" to organizational standards. CC ID 14571 | Configuration | Preventive | |
Configure the "terminated-pod-gc-threshold" argument to organizational standards. CC ID 14593 | Configuration | Preventive | |
Configure the "tls-cert-file" argument to organizational standards. CC ID 14588 | Configuration | Preventive | |
Configure the "kubelet-certificate-authority" argument to organizational standards. CC ID 14570 | Configuration | Preventive | |
Configure the "service-account-private-key-file" argument to organizational standards. CC ID 14607 | Configuration | Preventive | |
Configure the "admission control plugin SecurityContextDeny" to organizational standards. CC ID 14569 | Configuration | Preventive | |
Configure the "kubelet-client-certificate" argument to organizational standards. CC ID 14568 | Configuration | Preventive | |
Configure the "root-ca-file" argument to organizational standards. CC ID 14599 | Configuration | Preventive | |
Configure the "admission control plugin EventRateLimit" to organizational standards. CC ID 14567 | Configuration | Preventive | |
Configure the "use-service-account-credentials" argument to organizational standards. CC ID 14594 | Configuration | Preventive | |
Configure the "token-auth-file" argument to organizational standards. CC ID 14566 | Configuration | Preventive | |
Configure the "authorization-mode" argument to organizational standards. CC ID 14565 | Configuration | Preventive | |
Configure the "anonymous-auth" argument to organizational standards. CC ID 14564 | Configuration | Preventive | |
Configure the "kubelet-client-key" argument to organizational standards. CC ID 14563 | Configuration | Preventive | |
Configure the "kubelet-https" argument to organizational standards. CC ID 14561 | Configuration | Preventive | |
Configure the "basic-auth-file" argument to organizational standards. CC ID 14559 | Configuration | Preventive | |
Configure the Remote Deposit Capture system to organizational standards. CC ID 13569 | Configuration | Preventive | |
Prohibit files from containing wild cards, as necessary. CC ID 16318 | Process or Activity | Preventive | |
Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [Software is maintained, replaced, and removed commensurate with risk PR.PS-02 Installation and execution of unauthorized software are prevented PR.PS-05] | Configuration | Preventive | |
Use the latest approved version of all assets. CC ID 00897 [Software is maintained, replaced, and removed commensurate with risk PR.PS-02] | Technical Security | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | Communicate | Preventive | |
Configure the system's booting configuration. CC ID 10656 | Configuration | Preventive | |
Configure Least Functionality and Least Privilege settings to organizational standards. CC ID 07599 [The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. PR.PS-01.02] | Configuration | Preventive | |
Prohibit directories from having read/write capability, as appropriate. CC ID 16313 | Configuration | Preventive | |
Configure "Block public access (bucket settings)" to organizational standards. CC ID 15444 | Configuration | Preventive | |
Configure S3 Bucket Policies to organizational standards. CC ID 15431 | Configuration | Preventive | |
Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards. CC ID 15417 | Configuration | Preventive | |
Configure "Allow Cloud Search" to organizational standards. CC ID 15416 | Configuration | Preventive | |
Configure "Configure Watson events" to organizational standards. CC ID 15414 | Configuration | Preventive | |
Configure "Allow Clipboard synchronization across devices" to organizational standards. CC ID 15412 | Configuration | Preventive | |
Configure "Prevent users from modifying settings" to organizational standards. CC ID 15411 | Configuration | Preventive | |
Configure "Prevent users from sharing files within their profile" to organizational standards. CC ID 15408 | Configuration | Preventive | |
Configure "Manage preview builds" to organizational standards. CC ID 15405 | Configuration | Preventive | |
Configure "Turn off Help Experience Improvement Program" to organizational standards. CC ID 15403 | Configuration | Preventive | |
Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards. CC ID 15402 | Configuration | Preventive | |
Configure "Hardened UNC Paths" to organizational standards. CC ID 15400 | Configuration | Preventive | |
Configure "Turn off all Windows spotlight features" to organizational standards. CC ID 15397 | Configuration | Preventive | |
Configure "Allow Message Service Cloud Sync" to organizational standards. CC ID 15396 | Configuration | Preventive | |
Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards. CC ID 15394 | Configuration | Preventive | |
Configure "Configure Windows spotlight on lock screen" to organizational standards. CC ID 15391 | Configuration | Preventive | |
Configure "Do not suggest third-party content in Windows spotlight" to organizational standards. CC ID 15389 | Configuration | Preventive | |
Configure "Enable Font Providers" to organizational standards. CC ID 15388 | Configuration | Preventive | |
Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards. CC ID 15386 | Configuration | Preventive | |
Configure "Do not display network selection UI" to organizational standards. CC ID 15381 | Configuration | Preventive | |
Configure "Turn off KMS Client Online AVS Validation" to organizational standards. CC ID 15380 | Configuration | Preventive | |
Configure "Allow Telemetry" to organizational standards. CC ID 15378 | Configuration | Preventive | |
Configure "Allow users to enable online speech recognition services" to organizational standards. CC ID 15377 | Configuration | Preventive | |
Configure "Prevent enabling lock screen camera" to organizational standards. CC ID 15373 | Configuration | Preventive | |
Configure "Continue experiences on this device" to organizational standards. CC ID 15372 | Configuration | Preventive | |
Configure "Prevent the usage of OneDrive for file storage" to organizational standards. CC ID 15369 | Configuration | Preventive | |
Configure "Do not use diagnostic data for tailored experiences" to organizational standards. CC ID 15367 | Configuration | Preventive | |
Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards. CC ID 15365 | Configuration | Preventive | |
Configure "Turn off Microsoft consumer experiences" to organizational standards. CC ID 15363 | Configuration | Preventive | |
Configure "Allow Use of Camera" to organizational standards. CC ID 15362 | Configuration | Preventive | |
Configure "Allow Online Tips" to organizational standards. CC ID 15360 | Configuration | Preventive | |
Configure "Turn off cloud optimized content" to organizational standards. CC ID 15357 | Configuration | Preventive | |
Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards. CC ID 15356 | Configuration | Preventive | |
Configure "Toggle user control over Insider builds" to organizational standards. CC ID 15354 | Configuration | Preventive | |
Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards. CC ID 15353 | Configuration | Preventive | |
Configure "Do not show feedback notifications" to organizational standards. CC ID 15350 | Configuration | Preventive | |
Configure "Prevent enabling lock screen slide show" to organizational standards. CC ID 15349 | Configuration | Preventive | |
Configure "Turn off the advertising ID" to organizational standards. CC ID 15348 | Configuration | Preventive | |
Configure "Allow Windows Ink Workspace" to organizational standards. CC ID 15346 | Configuration | Preventive | |
Configure "Allow a Windows app to share application data between users" to organizational standards. CC ID 15345 | Configuration | Preventive | |
Configure "Turn off handwriting personalization data sharing" to organizational standards. CC ID 15339 | Configuration | Preventive | |
Refrain from using assertion lifetimes to limit each session. CC ID 13871 | Technical Security | Preventive | |
Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | Configuration | Preventive | |
Invalidate unexpected session identifiers. CC ID 15307 | Configuration | Preventive | |
Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | Configuration | Preventive | |
Reject session identifiers that are not valid. CC ID 15306 | Configuration | Preventive | |
Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | Configuration | Preventive | |
Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | Configuration | Preventive | |
Install custom applications, only if they are trusted. CC ID 04822 | Configuration | Preventive | |
Configure Simple Network Management Protocol (SNMP) to organizational standards. CC ID 12423 | Configuration | Preventive | |
Establish access requirements for SNMP community strings. CC ID 16357 | Technical Security | Preventive | |
Use different SNMP community strings across devices to support least privilege. CC ID 17053 | Data and Information Management | Preventive | |
Configure the system's storage media. CC ID 10618 | Configuration | Preventive | |
Configure the "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting. CC ID 04910 | Configuration | Preventive | |
Configure NFS with appropriate authentication methods. CC ID 05982 | Configuration | Preventive | |
Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | Configuration | Preventive | |
Prohibit R-command files from existing for root or administrator. CC ID 16322 | Configuration | Preventive | |
Establish, implement, and maintain service accounts. CC ID 13861 | Technical Security | Preventive | |
Review the ownership of service accounts, as necessary. CC ID 13863 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | Technical Security | Detective | |
Manage access credentials for service accounts. CC ID 13862 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | Technical Security | Preventive | |
Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | Configuration | Preventive | |
Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | Configuration | Preventive | |
Enable the Smart Card Helper service as necessary. CC ID 05014 | Configuration | Preventive | |
Enable the Application Management service as necessary. CC ID 05015 | Configuration | Preventive | |
Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | Configuration | Preventive | |
Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | Configuration | Preventive | |
Enable the Certificate Services service as necessary. CC ID 05023 | Configuration | Preventive | |
Configure the ATI hotkey poller service properly. CC ID 05024 | Configuration | Preventive | |
Configure the Interix Subsystem Startup service properly. CC ID 05025 | Configuration | Preventive | |
Configure the Cluster Service service properly. CC ID 05026 | Configuration | Preventive | |
Configure the IAS Jet Database Access service properly. CC ID 05027 | Configuration | Preventive | |
Configure the IAS service properly. CC ID 05028 | Configuration | Preventive | |
Configure the IP Version 6 Helper service properly. CC ID 05029 | Configuration | Preventive | |
Configure "Message Queuing service" to organizational standards. CC ID 05030 | Configuration | Preventive | |
Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | Configuration | Preventive | |
Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | Configuration | Preventive | |
Configure the Utility Manager service properly. CC ID 05035 | Configuration | Preventive | |
Configure the secondary logon service properly. CC ID 05036 | Configuration | Preventive | |
Configure the Windows Management Instrumentation service properly. CC ID 05037 | Configuration | Preventive | |
Configure the Workstation service properly. CC ID 05038 | Configuration | Preventive | |
Configure the Windows Installer service properly. CC ID 05039 | Configuration | Preventive | |
Configure the Windows System Resource Manager service properly. CC ID 05040 | Configuration | Preventive | |
Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | Configuration | Preventive | |
Configure the Services for Unix Client for NFS service properly. CC ID 05042 | Configuration | Preventive | |
Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | Configuration | Preventive | |
Configure the Services for Unix Perl Socket service properly. CC ID 05044 | Configuration | Preventive | |
Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | Configuration | Preventive | |
Configure the Services for Unix Windows Cron service properly. CC ID 05046 | Configuration | Preventive | |
Configure the Windows Media Services service properly. CC ID 05047 | Configuration | Preventive | |
Configure the Web Element Manager service properly. CC ID 05049 | Configuration | Preventive | |
Configure the Terminal Services Licensing service properly. CC ID 05051 | Configuration | Preventive | |
Configure the COM+ Event System service properly. CC ID 05052 | Configuration | Preventive | |
Configure the Event Log service properly. CC ID 05053 | Configuration | Preventive | |
Configure the Infrared Monitor service properly. CC ID 05054 | Configuration | Preventive | |
Configure the Services for Unix Server for NFS service properly. CC ID 05055 | Configuration | Preventive | |
Configure the System Event Notification Service properly. CC ID 05056 | Configuration | Preventive | |
Configure the NTLM Security Support Provider service properly. CC ID 05057 | Configuration | Preventive | |
Configure the Performance Logs and Alerts service properly. CC ID 05058 | Configuration | Preventive | |
Configure the Protected Storage service properly. CC ID 05059 | Configuration | Preventive | |
Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | Configuration | Preventive | |
Configure the Remote Procedure Call service properly. CC ID 05061 | Configuration | Preventive | |
Configure the Removable Storage service properly. CC ID 05062 | Configuration | Preventive | |
Configure the Server service properly. CC ID 05063 | Configuration | Preventive | |
Configure the Security Accounts Manager service properly. CC ID 05064 | Configuration | Preventive | |
Configure the Logical Disk Manager service properly. CC ID 05066 | Configuration | Preventive | |
Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | Configuration | Preventive | |
Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | Configuration | Preventive | |
Configure the Intersite Messaging service properly. CC ID 05070 | Configuration | Preventive | |
Configure the Distributed File System service properly. CC ID 05072 | Configuration | Preventive | |
Configure the Windows Internet Name Service service properly. CC ID 05073 | Configuration | Preventive | |
Configure the Windows Search service properly. CC ID 05075 | Configuration | Preventive | |
Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | Configuration | Preventive | |
Configure Simple TCP/IP services to organizational standards. CC ID 05078 | Configuration | Preventive | |
Configure the Print Services for Unix service properly. CC ID 05079 | Configuration | Preventive | |
Configure the File Shares service to organizational standards. CC ID 05080 | Configuration | Preventive | |
Configure the NetMeeting service properly. CC ID 05081 | Configuration | Preventive | |
Configure the Application Layer Gateway service properly. CC ID 05082 | Configuration | Preventive | |
Configure the Cryptographic Services service properly. CC ID 05083 | Configuration | Preventive | |
Configure the Human Interface Device Access service properly. CC ID 05085 | Configuration | Preventive | |
Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | Configuration | Preventive | |
Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | Configuration | Preventive | |
Configure the Network Location Awareness service properly. CC ID 05088 | Configuration | Preventive | |
Configure the Portable Media Serial Number Service service properly. CC ID 05089 | Configuration | Preventive | |
Configure the System Restore Service service properly. CC ID 05090 | Configuration | Preventive | |
Configure the Themes service properly. CC ID 05091 | Configuration | Preventive | |
Configure the Uninterruptible Power Supply service properly. CC ID 05092 | Configuration | Preventive | |
Configure the Upload Manager service properly. CC ID 05093 | Configuration | Preventive | |
Configure the Volume Shadow Copy Service properly. CC ID 05094 | Configuration | Preventive | |
Configure the WebClient service properly. CC ID 05095 | Configuration | Preventive | |
Configure the Windows Audio service properly. CC ID 05096 | Configuration | Preventive | |
Configure the Windows Image Acquisition service properly. CC ID 05097 | Configuration | Preventive | |
Configure the WMI Performance Adapter service properly. CC ID 05098 | Configuration | Preventive | |
Configure the system to refrain from completing authentication methods when a security breach is detected. CC ID 13790 | Configuration | Preventive | |
Configure the "/etc/shadow" settings to organizational standards. CC ID 15332 | Configuration | Preventive | |
Configure the "Interactive logon: Require removal card" setting. CC ID 06053 | Configuration | Preventive | |
Configure the TCP/IP Dead Gateway Detection as appropriate. CC ID 06025 | Configuration | Preventive | |
Verify the environment variable "Os2LibPath" exists, as appropriate. CC ID 05142 | Configuration | Preventive | |
Define the path to the Microsoft OS/2 version 1.x library properly. CC ID 05143 | Configuration | Preventive | |
Set the "Specify intranet Microsoft update service location" properly. CC ID 05144 | Configuration | Preventive | |
Set the path to the debugger used for Just-In-Time debugging properly. CC ID 05145 | Configuration | Preventive | |
Set the OS/2 Subsystem location properly. CC ID 05146 | Configuration | Preventive | |
Set the registry permission for HKEY_CLASSES_ROOT properly. CC ID 05154 | Configuration | Preventive | |
Set the registry key HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2 properly. CC ID 05155 | Configuration | Preventive | |
Set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger properly. CC ID 05156 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command properly. CC ID 05157 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography properly. CC ID 05158 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hlp properly. CC ID 05159 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\helpfile properly. CC ID 05160 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing properly. CC ID 05161 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais properly. CC ID 05162 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell properly. CC ID 05163 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony properly. CC ID 05164 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability properly. CC ID 05165 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell properly. CC ID 05166 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion properly. CC ID 05167 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech properly. CC ID 05168 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC properly. CC ID 05169 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem properly. CC ID 05170 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates properly. CC ID 05171 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports properly. CC ID 05172 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing properly. CC ID 05173 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Policies properly. CC ID 05174 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor properly. CC ID 05175 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ads\Providers\WinNT properly. CC ID 05176 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT properly. CC ID 05177 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS properly. CC ID 05178 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions properly. CC ID 05179 | Configuration | Preventive | |
Set the registry permission for HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots properly. CC ID 05180 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager properly. CC ID 05181 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help properly. CC ID 05182 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip properly. CC ID 05183 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing properly. CC ID 05184 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceManager properly. CC ID 05185 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security properly. CC ID 05186 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP properly. CC ID 05187 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent properly. CC ID 05188 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security properly. CC ID 05189 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security properly. CC ID 05190 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security properly. CC ID 05191 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security properly. CC ID 05192 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security properly. CC ID 05193 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security properly. CC ID 05194 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security properly. CC ID 05195 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security properly. CC ID 05196 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility properly. CC ID 05197 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security properly. CC ID 05198 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security properly. CC ID 05199 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services properly. CC ID 05200 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers properly. CC ID 05201 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network properly. CC ID 05202 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\LSA\Data properly. CC ID 05203 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG properly. CC ID 05204 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1 properly. CC ID 05205 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD properly. CC ID 05206 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control properly. CC ID 05207 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wbem properly. CC ID 05208 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security properly. CC ID 05209 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font properly. CC ID 05210 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog properly. CC ID 05211 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares properly. CC ID 05212 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status properly. CC ID 05213 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Secure properly. CC ID 05214 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups properly. CC ID 05215 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon properly. CC ID 05216 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones properly. CC ID 05217 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping properly. CC ID 05218 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS properly. CC ID 05219 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper properly. CC ID 05220 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility properly. CC ID 05221 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug properly. CC ID 05222 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx properly. CC ID 05223 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce properly. CC ID 05224 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run properly. CC ID 05225 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows properly. CC ID 05226 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Secure properly. CC ID 05227 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC properly. CC ID 05228 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options properly. CC ID 05229 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole properly. CC ID 05230 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions properly. CC ID 05231 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout properly. CC ID 05232 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex properly. CC ID 05233 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName properly. CC ID 05234 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy properly. CC ID 05235 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule properly. CC ID 05236 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost properly. CC ID 05237 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit properly. CC ID 05238 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList properly. CC ID 05239 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS properly. CC ID 05240 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 properly. CC ID 05241 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes properly. CC ID 05242 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion properly. CC ID 05243 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates properly. CC ID 05244 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows properly. CC ID 05245 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole properly. CC ID 05246 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers properly. CC ID 05247 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies properly. CC ID 05248 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey properly. CC ID 05249 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host properly. CC ID 05250 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings properly. CC ID 05251 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class properly. CC ID 05252 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security properly. CC ID 05253 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache properly. CC ID 05254 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security properly. CC ID 05255 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security properly. CC ID 05256 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt properly. CC ID 05257 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess properly. CC ID 05259 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security properly. CC ID 05260 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security properly. CC ID 05261 | Configuration | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries properly. CC ID 05262 | Configuration | Preventive | |
Configure the "%SystemRoot%\$NtServicePackUninstall$" directory permissions to organizational standards. CC ID 10126 | Configuration | Preventive | |
Configure the "HKEY_CLASSES_ROOT" registry key permissions to organizational standards. CC ID 10200 | Configuration | Preventive | |
Configure the "%SystemRoot%\System32\reg.exe" file permissions to organizational standards. CC ID 10312 | Configuration | Preventive | |
Configure the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" registry key permissions to organizational standards. CC ID 10404 | Configuration | Preventive | |
Include the date and time that access was granted in the system record. CC ID 15174 | Establish/Maintain Documentation | Preventive | |
Include the access level granted in the system record. CC ID 15173 | Establish/Maintain Documentation | Preventive | |
Include when access is withdrawn in the system record. CC ID 15172 | Establish/Maintain Documentation | Preventive | |
Restrict logons by specified source addresses. CC ID 16394 | Technical Security | Preventive | |
Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
Disallow personal data in authenticators. CC ID 13864 | Technical Security | Preventive | |
Establish, implement, and maintain an authenticator management system. CC ID 12031 [Identities and credentials for authorized users, services, and hardware are managed by the organization PR.AA-01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a repository of authenticators. CC ID 16372 | Data and Information Management | Preventive | |
Configure authenticator activation codes in accordance with organizational standards. CC ID 17032 | Configuration | Preventive | |
Configure authenticators to comply with organizational standards. CC ID 06412 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Configuration | Preventive | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | Business Processes | Corrective | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | Configuration | Preventive | |
Configure the Syskey Encryption Key and associated password. CC ID 05978 | Configuration | Preventive | |
Configure the authenticator policy to ban or allow authenticators as proper names, as necessary. CC ID 17030 | Configuration | Preventive | |
Set the maximum number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | Configuration | Preventive | |
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | Configuration | Preventive | |
Ensure the root account is the first entry in password files. CC ID 16323 | Data and Information Management | Detective | |
Configure the authenticator display screen to organizational standards. CC ID 13794 | Configuration | Preventive | |
Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 | Configuration | Preventive | |
Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 | Configuration | Preventive | |
Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 | Communicate | Preventive | |
Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 | Configuration | Corrective | |
Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 | Configuration | Preventive | |
Configure the system to allow paste functionality for the authenticator field. CC ID 13819 | Configuration | Preventive | |
Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 | Configuration | Preventive | |
Protect authenticators or authentication factors from unauthorized modification and disclosure. CC ID 15317 | Technical Security | Preventive | |
Obscure authentication information during the login process. CC ID 15316 | Configuration | Preventive | |
Issue temporary authenticators, as necessary. CC ID 17062 | Process or Activity | Preventive | |
Renew temporary authenticators, as necessary. CC ID 17061 | Process or Activity | Preventive | |
Disable authenticators, as necessary. CC ID 17060 | Process or Activity | Preventive | |
Change authenticators, as necessary. CC ID 15315 | Configuration | Preventive | |
Implement safeguards to protect authenticators from unauthorized access. CC ID 15310 | Technical Security | Preventive | |
Change all default authenticators. CC ID 15309 | Configuration | Preventive | |
Configure each system's security alerts to organizational standards. CC ID 12113 | Technical Security | Preventive | |
Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | Configuration | Preventive | |
Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | Configuration | Preventive | |
Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | Configuration | Preventive | |
Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | Configuration | Preventive | |
Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | Configuration | Preventive | |
Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | Configuration | Preventive | |
Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | Configuration | Preventive | |
Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | Configuration | Preventive | |
Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | Configuration | Preventive | |
Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | Configuration | Preventive | |
Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | Configuration | Preventive | |
Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | Configuration | Preventive | |
Store state information from applications and software separately. CC ID 14767 | Configuration | Preventive | |
Configure the "aufs storage" to organizational standards. CC ID 14461 | Configuration | Preventive | |
Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | Configuration | Preventive | |
Configure the "device" argument to organizational standards. CC ID 14536 | Configuration | Preventive | |
Configure the "Docker" group ownership to organizational standards. CC ID 14495 | Configuration | Preventive | |
Configure the "Docker" user ownership to organizational standards. CC ID 14505 | Configuration | Preventive | |
Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | Configuration | Preventive | |
Configure the "ulimit" to organizational standards. CC ID 14499 | Configuration | Preventive | |
Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | Configuration | Preventive | |
Configure the "Turn off Help Ratings" setting. CC ID 05285 | Configuration | Preventive | |
Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | Configuration | Preventive | |
Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | Configuration | Preventive | |
Configure the File System Checker and Popups setting. CC ID 05289 | Configuration | Preventive | |
Configure the System File Checker setting. CC ID 05290 | Configuration | Preventive | |
Configure the System File Checker Progress Meter setting. CC ID 05291 | Configuration | Preventive | |
Configure the Protect Kernel object attributes properly. CC ID 05292 | Configuration | Preventive | |
Verify crontab files are owned by an appropriate user or group. CC ID 05305 | Configuration | Preventive | |
Restrict the exporting of files and directories, as necessary. CC ID 16315 | Technical Security | Preventive | |
Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | Configuration | Preventive | |
Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | Configuration | Preventive | |
Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | Configuration | Preventive | |
Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | Configuration | Preventive | |
Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | Configuration | Preventive | |
Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | Configuration | Preventive | |
Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | Configuration | Preventive | |
Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | Configuration | Preventive | |
Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | Configuration | Preventive | |
Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | Configuration | Preventive | |
Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | Configuration | Preventive | |
Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | Configuration | Preventive | |
Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | Configuration | Preventive | |
Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | Configuration | Preventive | |
Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | Configuration | Preventive | |
Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | Configuration | Preventive | |
Configure the "Prevent IIS Installation" setting. CC ID 05398 | Configuration | Preventive | |
Configure the "Turn off Active Help" setting. CC ID 05399 | Configuration | Preventive | |
Configure the "Turn off Untrusted Content" setting. CC ID 05400 | Configuration | Preventive | |
Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | Configuration | Preventive | |
Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | Configuration | Preventive | |
Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | Configuration | Preventive | |
Configure the "Turn off Windows Calendar" setting. CC ID 05404 | Configuration | Preventive | |
Configure the "Turn off Windows Defender" setting. CC ID 05405 | Configuration | Preventive | |
Configure the "Turn off the communication features" setting. CC ID 05410 | Configuration | Preventive | |
Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | Configuration | Preventive | |
Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | Configuration | Preventive | |
Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | Configuration | Preventive | |
Configure the "Override the More Gadgets Link" setting. CC ID 05416 | Configuration | Preventive | |
Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | Configuration | Preventive | |
Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | Configuration | Preventive | |
Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | Configuration | Preventive | |
Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | Configuration | Preventive | |
Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | Configuration | Preventive | |
Enable or disable the standby states, as appropriate. CC ID 06060 | Configuration | Preventive | |
Configure the Trusted Platform Module startup options properly. CC ID 06061 | Configuration | Preventive | |
Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | Configuration | Preventive | |
Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | Configuration | Preventive | |
Configure knowledge-based authentication tools in accordance with organizational standards. CC ID 13740 | Configuration | Preventive | |
Configure the session timeout for the knowledge-based authentication tool used for the identity proofing process according to organizational standards. CC ID 13754 | Configuration | Preventive | |
Configure the knowledge-based authentication tool to restart after a session timeout. CC ID 13753 | Configuration | Preventive | |
Configure the number of attempts allowed to complete the knowledge-based authentication in the knowledge-based authentication tool. CC ID 13751 | Configuration | Preventive | |
Configure Windows User Account Control in accordance with organizational standards. CC ID 16437 | Configuration | Preventive | |
Remove unnecessary accounts. CC ID 16476 | Technical Security | Corrective | |
Configure user accounts. CC ID 07036 | Configuration | Preventive | |
Change default usernames, as necessary. CC ID 14661 | Configuration | Corrective | |
Remove unnecessary user credentials. CC ID 16409 | Configuration | Preventive | |
Change default accounts. CC ID 16468 | Process or Activity | Preventive | |
Configure "SYSVOL" to organizational standards. CC ID 15398 | Configuration | Preventive | |
Configure the "docker.service" file ownership to organizational standards. CC ID 14477 | Configuration | Preventive | |
Set the /usr/bin/at file permissions properly. CC ID 05456 | Configuration | Preventive | |
Configure the "/etc/default/docker" file permissions to organizational standards. CC ID 14487 | Configuration | Preventive | |
Configure the "/etc/default/docker" file ownership to organizational standards. CC ID 14484 | Configuration | Preventive | |
Configure the "/etc/docker" directory permissions to organizational standards. CC ID 14470 | Configuration | Preventive | |
Configure the "/etc/docker" directory ownership to organizational standards. CC ID 14469 | Configuration | Preventive | |
Configure the "/etc/kubernetes/pki/*.crt" file permissions to organizational standards. CC ID 14562 | Configuration | Preventive | |
Configure the "/etc/kubernetes/pki/*.key" file permissions to organizational standards. CC ID 14557 | Configuration | Preventive | |
Configure the "/etc/kubernetes/pki" file ownership to organizational standards. CC ID 14555 | Configuration | Preventive | |
Configure the "/etc/sysconfig/docker" file ownership to organizational standards. CC ID 14491 | Configuration | Preventive | |
Configure the "/etc/sysconfig/docker" file permissions to organizational standards. CC ID 14486 | Configuration | Preventive | |
Configure the "docker.socket" file ownership to organizational standards. CC ID 14472 | Configuration | Preventive | |
Configure the "docker.socket" file permissions to organizational standards. CC ID 14468 | Configuration | Preventive | |
Set the /etc/security/audit/events file permissions properly. CC ID 05520 | Configuration | Preventive | |
Set the /etc/hosts.lpd file permissions properly. CC ID 05526 | Configuration | Preventive | |
Configure the "docker.service" file permissions to organizational standards. CC ID 14479 | Configuration | Preventive | |
Set the Cron log file permissions properly. CC ID 05553 | Configuration | Preventive | |
Set the /etc/fs file permissions properly. CC ID 05556 | Configuration | Preventive | |
Configure the "Docker socket" file ownership to organizational standards. CC ID 14493 | Configuration | Preventive | |
Configure the "daemon.json" file permissions to organizational standards. CC ID 14492 | Configuration | Preventive | |
Configure the "Docker server certificate" file ownership to organizational standards. CC ID 14471 | Configuration | Preventive | |
Configure the "Docker server certificate key" file permissions to organizational standards. CC ID 14485 | Configuration | Preventive | |
Configure the "daemon.json" file ownership to organizational standards. CC ID 14482 | Configuration | Preventive | |
Configure the "Docker socket" file permissions to organizational standards. CC ID 14480 | Configuration | Preventive | |
Configure the "Docker server certificate key" file ownership to organizational standards. CC ID 14478 | Configuration | Preventive | |
Configure the "admin.conf" file ownership to organizational standards. CC ID 14556 | Configuration | Preventive | |
Configure the "admin.conf" file permissions to organizational standards. CC ID 14554 | Configuration | Preventive | |
Configure the "Certificate Authority" file ownership to organizational standards. CC ID 14630 | Configuration | Preventive | |
Configure the "Docker server certificate" file permissions to organizational standards. CC ID 14476 | Configuration | Preventive | |
Configure the "etcd" data directory ownership to organizational standards. CC ID 14620 | Configuration | Preventive | |
Configure the "etcd" data directory permissions to organizational standards. CC ID 14618 | Configuration | Preventive | |
Configure the "etcd.yaml" file ownership to organizational standards. CC ID 14615 | Configuration | Preventive | |
Configure the "etcd.yaml" file permissions to organizational standards. CC ID 14609 | Configuration | Preventive | |
Configure the "Certificate Authority" file permissions to organizational standards. CC ID 14623 | Configuration | Preventive | |
Configure the "kubelet --config" file ownership to organizational standards. CC ID 14632 | Configuration | Preventive | |
Configure the "kubelet.conf" file ownership to organizational standards. CC ID 14628 | Configuration | Preventive | |
Configure the "kubelet --config" file permissions to organizational standards. CC ID 14625 | Configuration | Preventive | |
Configure the "kubelet service" file permissions to organizational standards. CC ID 14660 | Configuration | Preventive | |
Configure the "kubelet.conf" file permissions to organizational standards. CC ID 14619 | Configuration | Preventive | |
Configure the "controller-manager.conf" file ownership to organizational standards. CC ID 14560 | Configuration | Preventive | |
Configure the "kubeconfig" file ownership to organizational standards. CC ID 14617 | Configuration | Preventive | |
Configure the "kubeconfig" file permissions to organizational standards. CC ID 14616 | Configuration | Preventive | |
Configure the "kubelet service" file ownership to organizational standards. CC ID 14612 | Configuration | Preventive | |
Configure the "kube-scheduler.yaml" file ownership to organizational standards. CC ID 14611 | Configuration | Preventive | |
Configure the "kube-scheduler.yaml" file permissions to organizational standards. CC ID 14603 | Configuration | Preventive | |
Configure the "kube-controller-manager.yaml" file ownership to organizational standards. CC ID 14600 | Configuration | Preventive | |
Configure the "kube-controller-manager.yaml" file permissions to organizational standards. CC ID 14598 | Configuration | Preventive | |
Configure the "kube-apiserver.yaml" file ownership to organizational standards. CC ID 14597 | Configuration | Preventive | |
Configure the "scheduler.conf" file ownership to organizational standards. CC ID 14558 | Configuration | Preventive | |
Configure the "controller-manager.conf" file permissions to organizational standards. CC ID 14553 | Configuration | Preventive | |
Configure the "Container Network Interface" file ownership to organizational standards. CC ID 14552 | Configuration | Preventive | |
Configure the "Container Network Interface" file permissions to organizational standards. CC ID 14550 | Configuration | Preventive | |
Configure the "scheduler.conf" file permissions to organizational standards. CC ID 14551 | Configuration | Preventive | |
Configure the "kube-apiserver.yaml" file permissions to organizational standards. CC ID 14549 | Configuration | Preventive | |
Configure the "registry certificate" file permissions to organizational standards. CC ID 14483 | Configuration | Preventive | |
Configure the "registry certificate" file ownership to organizational standards. CC ID 14481 | Configuration | Preventive | |
Configure the "setgid" permissions to organizational standards. CC ID 14513 | Configuration | Preventive | |
Configure the "TLS CA certificate" file permissions to organizational standards. CC ID 14475 | Configuration | Preventive | |
Configure the "TLS CA certificate" file ownership to organizational standards. CC ID 14473 | Configuration | Preventive | |
Configure the "setuid" permissions to organizational standards. CC ID 14509 | Configuration | Preventive | |
Configure the "User Account Control: Allow UIAccess applications to prompt for elevation" setting. CC ID 05586 | Configuration | Preventive | |
Configure the "Do Not Allow New Client Connections" policy for Terminal Services properly. CC ID 05587 | Configuration | Preventive | |
Configure the service permissions for NetMeeting, as appropriate. CC ID 06045 | Configuration | Preventive | |
Configure the "sudo" to organizational standards. CC ID 15325 | Configuration | Preventive | |
Configure the file permissions for %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwts32.log properly. CC ID 05627 | Configuration | Preventive | |
Configure the directory permissions for %SystemDrive%\My Download Files properly. CC ID 05628 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Driver Cache\I386\Driver.cab properly. CC ID 05629 | Configuration | Preventive | |
Configure the permissions for the %SystemRoot%\$NtUninstall* directories properly. CC ID 05630 | Configuration | Preventive | |
Configure the directory permissions for %SystemDrive%\NTDS properly. CC ID 05631 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\SYSVOL properly. CC ID 05632 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\SYSVOL\domain\Policies properly. CC ID 05633 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\repl properly. CC ID 05634 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\repl\export properly. CC ID 05635 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\repl\import properly. CC ID 05636 | Configuration | Preventive | |
Configure the directory permissions for %ALL% properly. CC ID 05637 | Configuration | Preventive | |
Configure the directory permissions for %ALL%\Program Files\MQSeries properly. CC ID 05638 | Configuration | Preventive | |
Configure the directory permissions for %ALL%\Program Files\MQSeries\qmggr properly. CC ID 05639 | Configuration | Preventive | |
Configure the directory permissions for %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL properly. CC ID 05640 | Configuration | Preventive | |
Configure the directory permissions for %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL properly. CC ID 05641 | Configuration | Preventive | |
Configure the directory permissions for %SystemDrive%\perflogs properly. CC ID 05642 | Configuration | Preventive | |
Configure the directory permissions for %SystemDrive%\i386 properly. CC ID 05643 | Configuration | Preventive | |
Configure the directory permissions for %ProgramFiles%\Common Files\SpeechEngines\TTS properly. CC ID 05644 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\_default.plf properly. CC ID 05645 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\addins properly. CC ID 05646 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\appPatch properly. CC ID 05647 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\clock.avi properly. CC ID 05648 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Connection Wizard properly. CC ID 05649 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\Driver Cache properly. CC ID 05650 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\explorer.scf properly. CC ID 05651 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\explorer.exe properly. CC ID 05652 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Help properly. CC ID 05653 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\inf\unregmp2.exe properly. CC ID 05654 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Java properly. CC ID 05655 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\mib.bin properly. CC ID 05656 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\msagent properly. CC ID 05657 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\msdfmap.ini properly. CC ID 05658 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\mui properly. CC ID 05659 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\security\templates properly. CC ID 05660 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\speech properly. CC ID 05661 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\system.ini properly. CC ID 05662 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\system\setup.inf properly. CC ID 05663 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\system\stdole.tlb properly. CC ID 05664 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\twain_32 properly. CC ID 05665 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\CatRoot properly. CC ID 05666 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\configf\systemprofile properly. CC ID 05667 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\dhcp properly. CC ID 05668 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\drivers properly. CC ID 05669 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\Export properly. CC ID 05670 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ipconfig.exe properly. CC ID 05671 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\LogFiles properly. CC ID 05672 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\mshta.exe properly. CC ID 05673 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\mui properly. CC ID 05674 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\ShellExt properly. CC ID 05675 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem properly. CC ID 05676 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem\mof properly. CC ID 05677 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem\repository properly. CC ID 05678 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem\logs properly. CC ID 05679 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile% properly. CC ID 05680 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data properly. CC ID 05681 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft properly. CC ID 05682 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys properly. CC ID 05683 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys properly. CC ID 05684 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson properly. CC ID 05685 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log properly. CC ID 05686 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\HTML Help properly. CC ID 05687 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\MediaIndex properly. CC ID 05688 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Documents\desktop.ini properly. CC ID 05689 | Configuration | Preventive | |
Configure the directory permissions for %AllUsersProfile%\DRM properly. CC ID 05690 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Debug\UserMode\userenv.log properly. CC ID 05691 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\Installer properly. CC ID 05692 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\Prefetch properly. CC ID 05693 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Registration\CRMLog properly. CC ID 05694 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ciadv.msc properly. CC ID 05695 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\Com\comexp.msc properly. CC ID 05696 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\compmgmt.msc properly. CC ID 05697 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\Config properly. CC ID 05698 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\Config\*.evt properly. CC ID 05699 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\devmgmt.msc properly. CC ID 05700 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\dfrg.msc properly. CC ID 05701 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\diskmgmt.msc properly. CC ID 05702 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\system32\eventvwr.msc properly. CC ID 05703 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\fsmgmt.msc properly. CC ID 05704 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\gpedit.msc properly. CC ID 05705 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\lusrmgr.msg properly. CC ID 05706 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\MSDTC properly. CC ID 05707 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ntmsoprq.msc properly. CC ID 05708 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ntmsmgr.msc properly. CC ID 05709 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\perfmon.msc properly. CC ID 05710 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\RSoP.msc properly. CC ID 05711 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\secpol.msc properly. CC ID 05712 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\services.msc properly. CC ID 05713 | Configuration | Preventive | |
Configure the file permissions for %SystemRoot%\System32\wmimgmt.msc properly. CC ID 05714 | Configuration | Preventive | |
Configure the directory permissions for %SystemRoot%\Web properly. CC ID 05715 | Configuration | Preventive | |
Configure the BitLocker setting appropriately for fixed disk drives and removable disk drives. CC ID 06064 | Configuration | Preventive | |
Configure the BitLocker identifiers. CC ID 06066 | Configuration | Preventive | |
Enable the OS/2 subsystem, as appropriate. CC ID 05717 | Configuration | Preventive | |
Configure the IPsec security association lifetime to organizational standards. CC ID 16508 | Configuration | Preventive | |
Configure route filtering to organizational standards. CC ID 16359 | Configuration | Preventive | |
Refrain from accepting routes from unauthorized parties. CC ID 16397 | Technical Security | Preventive | |
Configure security gateways to organizational standards. CC ID 16352 | Configuration | Preventive | |
Configure network elements to organizational standards. CC ID 16361 | Configuration | Preventive | |
Configure network elements to ignore hop-by-hop options headers in transit packets. CC ID 16992 | Configuration | Preventive | |
Configure devices having access to network elements to organizational standards. CC ID 16408 | Configuration | Preventive | |
Configure routing tables to organizational standards. CC ID 15438 | Configuration | Preventive | |
Configure "NetBT NodeType configuration" to organizational standards. CC ID 15383 | Configuration | Preventive | |
Configure "Allow remote server management through WinRM" to organizational standards. CC ID 15364 | Configuration | Preventive | |
Configure "Allow network connectivity during connected-standby (on battery)" to organizational standards. CC ID 15342 | Configuration | Preventive | |
Support source port randomization in the transport protocol implementation. CC ID 16942 | Technical Security | Preventive | |
Establish, implement, and maintain a network addressing plan. CC ID 16399 | Establish/Maintain Documentation | Preventive | |
Define the location requirements for network elements and network devices. CC ID 16379 | Process or Activity | Preventive | |
Configure Network Address Translation to organizational standards. CC ID 16395 | Configuration | Preventive | |
Enable or disable tunneling, as necessary. CC ID 15235 | Configuration | Preventive | |
Disable Pre-boot eXecution Environment unless it is absolutely necessary. CC ID 04819 | Configuration | Preventive | |
Establish, implement, and maintain firewall rules in accordance with organizational standards. CC ID 16353 | Establish/Maintain Documentation | Preventive | |
Create an access control list on Network Access and Control Points to restrict access. CC ID 04810 [The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03 {unauthorized hardware} The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes. DE.CM-09.03 The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems). DE.CM-01.04] | Configuration | Preventive | |
Configure permissions for SSH private host key files to organizational standards. CC ID 15331 | Configuration | Preventive | |
Configure permissions for SSH public host key files to organizational standards. CC ID 15333 | Configuration | Preventive | |
Configure the "Prohibit use of Internet Connection Firewall on your DNS domain network" setting properly. CC ID 05743 | Configuration | Preventive | |
Configure the "Restrict NTLM" settings properly. CC ID 06069 | Configuration | Preventive | |
Configure the "Configure encryption types allowed for Kerberos" setting properly. CC ID 06071 | Configuration | Preventive | |
Configure Automated Teller Machines in accordance with organizational standards. CC ID 12542 | Configuration | Preventive | |
Keep current the time synchronization technology. CC ID 12548 | Technical Security | Preventive | |
Enable or disable the Uninterruptible Power Supply service, as appropriate. CC ID 06037 | Configuration | Preventive | |
Configure Service Set Identifiers in accordance with organizational standards. CC ID 16447 | Configuration | Preventive | |
Reset wireless access points, as necessary. CC ID 14317 | Process or Activity | Corrective | |
Configure Apple iOS to organizational standards. CC ID 09986 | Establish/Maintain Documentation | Preventive | |
Configure the "Fraudulent Website Warning" setting to organizational standards. CC ID 10001 | Configuration | Preventive | |
Configure the "With Authentication" setting to organizational standards. CC ID 10005 | Configuration | Preventive | |
Configure mobile devices to separate organizational data from personal data. CC ID 16463 | Configuration | Preventive | |
Disable the capability to automatically execute code on mobile devices absent user direction. CC ID 08705 | Configuration | Preventive | |
Configure environmental sensors on mobile devices. CC ID 10667 | Configuration | Preventive | |
Configure Cisco-specific applications and services in accordance with organizational standards. CC ID 06557 | Configuration | Preventive | |
Configure custom Oracle-specific applications and services in accordance with organizational standards. CC ID 06565 | Configuration | Preventive | |
Configure the Global Positioning System settings as appropriate. CC ID 06888 | Configuration | Preventive | |
Configure endpoint security tools in accordance with organizational standards. CC ID 07049 [Endpoint systems implemented using virtualization technologies employ mechanisms to protect network, application, and data integrity, such as restricting access to local network and peripheral devices, multi-factor authentication, locking-down device source network locations, and data leakage protections. PR.PS-01.09] | Configuration | Preventive | |
Configure web server security settings in accordance with organizational standards. CC ID 07059 | Configuration | Preventive | |
Implement the security features of hypervisor to protect virtual machines. CC ID 12176 | Configuration | Preventive | |
Configure Microsoft Office to organizational standards. CC ID 07147 | Configuration | Preventive | |
Set custom Microsoft Office security options in accordance with organizational standards. CC ID 05757 | Configuration | Preventive | |
Configure Universal settings for Microsoft Office in accordance with organizational standards. CC ID 07211 | Configuration | Preventive | |
Configure Microsoft InfoPath settings for Microsoft Office in accordance with organizational standards. CC ID 07219 | Configuration | Preventive | |
Configure Microsoft Access settings for Microsoft Office in accordance with organizational standards. CC ID 07222 | Configuration | Preventive | |
Configure Microsoft Excel settings for Microsoft Office in accordance with organizational standards. CC ID 07232 | Configuration | Preventive | |
Configure Microsoft Outlook settings for Microsoft Office in accordance with organizational standards. CC ID 07341 | Configuration | Preventive | |
Configure Microsoft PowerPoint settings for Microsoft Office in accordance with organizational standards. CC ID 07433 | Configuration | Preventive | |
Configure Microsoft Word settings for Microsoft Office in accordance with organizational standards. CC ID 07438 | Configuration | Preventive | |
Configure Microsoft OneNote settings for Microsoft Office in accordance with organizational standards. CC ID 07908 | Configuration | Preventive | |
Configure User Interface settings for Microsoft Office in accordance with organizational standards. CC ID 07923 | Configuration | Preventive | |
Configure Signing settings for Microsoft Office in accordance with organizational standards. CC ID 07929 | Configuration | Preventive | |
Configure Email Form settings for Microsoft Office in accordance with organizational standards. CC ID 07930 | Configuration | Preventive | |
Configure Security settings for Microsoft Office in accordance with organizational standards. CC ID 07932 | Configuration | Preventive | |
Configure Restricted Permissions settings for Microsoft Office in accordance with organizational standards. CC ID 07937 | Configuration | Preventive | |
Configure Account settings for Microsoft Office in accordance with organizational standards. CC ID 07951 | Configuration | Preventive | |
Configure Add-In settings for Microsoft Office in accordance with organizational standards. CC ID 07962 | Configuration | Preventive | |
Configure File Format Converter settings for Microsoft Office in accordance with organizational standards. CC ID 07983 | Configuration | Preventive | |
Configure Microsoft Project settings for Microsoft Office in accordance with organizational standards. CC ID 08036 | Configuration | Preventive | |
Configure Meeting Workspace settings for Microsoft Office in accordance with organizational standards. CC ID 08050 | Configuration | Preventive | |
Configure Miscellaneous settings for Microsoft Office in accordance with organizational standards. CC ID 08054 | Configuration | Preventive | |
Configure Data Backup and Recovery settings for Microsoft Office in accordance with organizational standards. CC ID 08098 | Configuration | Preventive | |
Configure Privacy settings for Microsoft Office in accordance with organizational standards. CC ID 08101 | Configuration | Preventive | |
Configure Server Settings settings for Microsoft Office in accordance with organizational standards. CC ID 08154 | Configuration | Preventive | |
Configure Smart Documents settings for Microsoft Office in accordance with organizational standards. CC ID 08158 | Configuration | Preventive | |
Configure Fax settings for Microsoft Office in accordance with organizational standards. CC ID 08310 | Configuration | Preventive | |
Configure Services settings to organizational standards. CC ID 07434 | Configuration | Preventive | |
Configure Active Directory in accordance with organizational standards. CC ID 16434 | Configuration | Preventive | |
Configure SID filtering in accordance with organizational standards. CC ID 16435 | Configuration | Preventive | |
Configure AWS Config to organizational standards. CC ID 15440 | Configuration | Preventive | |
Configure "Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service" to organizational standards. CC ID 15343 | Configuration | Preventive | |
Configure the "namespace" to organizational standards. CC ID 14654 | Configuration | Preventive | |
Configure the "ipc" argument to organizational standards. CC ID 14524 | Configuration | Preventive | |
Configure the "networkpolicy" to organizational standards. CC ID 14655 | Configuration | Preventive | |
Configure the "pid" argument to organizational standards. CC ID 14532 | Configuration | Preventive | |
Configure the "uts" argument to organizational standards. CC ID 14526 | Configuration | Preventive | |
Configure the "pids-limit" argument to organizational standards. CC ID 14537 | Configuration | Preventive | |
Configure the "userns" argument to organizational standards. CC ID 14530 | Configuration | Preventive | |
Configure Transmission Control Protocol/Internet Protocol (TCP/IP) to organizational standards. CC ID 16358 | Configuration | Preventive | |
Configure network protection settings to organizational standards. CC ID 07601 | Configuration | Preventive | |
Configure the "CNI" plugin to organizational standards. CC ID 14659 | Configuration | Preventive | |
Configure the "data-path-addr" argument to organizational standards. CC ID 14546 | Configuration | Preventive | |
Configure the "advertise-addr" argument to organizational standards. CC ID 14544 | Configuration | Preventive | |
Configure the "nftables" to organizational standards. CC ID 15320 | Configuration | Preventive | |
Configure the "iptables" to organizational standards. CC ID 14463 | Configuration | Preventive | |
Configure the "ip6tables" settings to organizational standards. CC ID 15322 | Configuration | Preventive | |
Configure the "insecure registries" to organizational standards. CC ID 14455 | Configuration | Preventive | |
Configure the "net-host" argument to organizational standards. CC ID 14529 | Configuration | Preventive | |
Configure the "firewalld" to organizational standards. CC ID 15321 | Configuration | Preventive | |
Configure the "network bridge" to organizational standards. CC ID 14501 | Configuration | Preventive | |
Configure the "publish" argument to organizational standards. CC ID 14500 | Configuration | Preventive | |
Configure Account settings in accordance with organizational standards. CC ID 07603 | Configuration | Preventive | |
Configure system integrity settings to organizational standards. CC ID 07605 | Configuration | Preventive | |
Configure Protocol Configuration settings to organizational standards. CC ID 07607 | Configuration | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
Configure "CloudTrail" to organizational standards. CC ID 15443 | Configuration | Preventive | |
Configure "CloudTrail log file validation" to organizational standards. CC ID 15437 | Configuration | Preventive | |
Configure "VPC flow logging" to organizational standards. CC ID 15436 | Configuration | Preventive | |
Configure "object-level logging" to organizational standards. CC ID 15433 | Configuration | Preventive | |
Configure "Turn on PowerShell Transcription" to organizational standards. CC ID 15415 | Configuration | Preventive | |
Configure "Turn on PowerShell Script Block Logging" to organizational standards. CC ID 15413 | Configuration | Preventive | |
Configure "Audit PNP Activity" to organizational standards. CC ID 15393 | Configuration | Preventive | |
Configure "Include command line in process creation events" to organizational standards. CC ID 15358 | Configuration | Preventive | |
Configure "Audit Group Membership" to organizational standards. CC ID 15341 | Configuration | Preventive | |
Configure the "audit_backlog_limit" setting to organizational standards. CC ID 15324 | Configuration | Preventive | |
Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards. CC ID 14467 | Configuration | Detective | |
Configure the "systemd-journald" to organizational standards. CC ID 15326 | Configuration | Preventive | |
Configure the "/etc/docker" files and directories auditing to organizational standards. CC ID 14459 | Configuration | Detective | |
Configure the "docker.socket" files and directories auditing to organizational standards. CC ID 14458 | Configuration | Detective | |
Configure the "docker.service" files and directories auditing to organizational standards. CC ID 14454 | Configuration | Detective | |
Configure the "/var/lib/docker" files and directories auditing to organizational standards. CC ID 14453 | Configuration | Detective | |
Configure the "/usr/sbin/runc" files and directories auditing to organizational standards. CC ID 14452 | Configuration | Detective | |
Configure the "/usr/bin/containerd" files and directories auditing to organizational standards. CC ID 14451 | Configuration | Detective | |
Configure the "/etc/default/docker" files and directories auditing to organizational standards. CC ID 14450 | Configuration | Detective | |
Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards. CC ID 14449 | Configuration | Detective | |
Provide the reference database used to verify input data in the logging capability. CC ID 15018 | Log Management | Preventive | |
Configure the security parameters for all logs. CC ID 01712 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Configuration | Preventive | |
Configure the log to capture the user's identification. CC ID 01334 [The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Configuration | Preventive | |
Configure the log to capture the details of electronic signature transactions. CC ID 16910 | Log Management | Preventive | |
Configure the log to uniquely identify each accessed record. CC ID 16909 | Log Management | Preventive | |
Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | Log Management | Preventive | |
Configure the log to capture startups and shutdowns. CC ID 16491 | Log Management | Preventive | |
Configure the log to capture user queries and searches. CC ID 16479 | Log Management | Preventive | |
Configure the log to capture Internet Protocol addresses. CC ID 16495 | Log Management | Preventive | |
Configure the log to capture error messages. CC ID 16477 | Log Management | Preventive | |
Configure the log to capture system failures. CC ID 16475 | Log Management | Preventive | |
Configure the log to capture account lockouts. CC ID 16470 | Configuration | Preventive | |
Configure the log to capture execution events. CC ID 16469 | Configuration | Preventive | |
Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | Log Management | Preventive | |
Configure the log to capture AWS Organizations changes. CC ID 15445 | Configuration | Preventive | |
Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | Configuration | Preventive | |
Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | Configuration | Preventive | |
Configure the log to capture route table changes. CC ID 15439 | Configuration | Preventive | |
Configure the log to capture virtual private cloud changes. CC ID 15435 | Configuration | Preventive | |
Configure the log to capture changes to encryption keys. CC ID 15432 | Configuration | Preventive | |
Configure the log to capture unauthorized API calls. CC ID 15429 | Configuration | Preventive | |
Configure the log to capture changes to network gateways. CC ID 15421 | Configuration | Preventive | |
Configure the "logging level" to organizational standards. CC ID 14456 | Configuration | Detective | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [{privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Log Management | Detective | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | Log Management | Preventive | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | Configuration | Preventive | |
Configure the "Turn on session logging" properly. CC ID 05618 | Configuration | Preventive | |
Configure additional log file parameters appropriately. CC ID 06338 | Configuration | Preventive | |
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | Configuration | Preventive | |
Configure Kerberos pre-authentication to organizational standards. CC ID 16480 | Configuration | Preventive | |
Configure time-based user access restrictions in accordance with organizational standards. CC ID 16436 | Configuration | Preventive | |
Configure "MFA Delete" to organizational standards. CC ID 15430 | Configuration | Preventive | |
Configure Identity and Access Management policies to organizational standards. CC ID 15422 | Configuration | Preventive | |
Configure the Identity and Access Management Access analyzer to organizational standards. CC ID 15420 | Configuration | Preventive | |
Configure "Support device authentication using certificate" to organizational standards. CC ID 15410 | Configuration | Preventive | |
Install LAPS AdmPwd GPO Extension, as necessary. CC ID 15409 | Configuration | Preventive | |
Configure "Require pin for pairing" to organizational standards. CC ID 15395 | Configuration | Preventive | |
Configure "Do not allow password expiration time longer than required by policy" to organizational standards. CC ID 15390 | Configuration | Preventive | |
Configure "Enable Local Admin Password Management" to organizational standards. CC ID 15387 | Configuration | Preventive | |
Configure "Allow Microsoft accounts to be optional" to organizational standards. CC ID 15368 | Configuration | Preventive | |
Configure "Turn off picture password sign-in" to organizational standards. CC ID 15347 | Configuration | Preventive | |
Configure "Enable insecure guest logons" to organizational standards. CC ID 15344 | Configuration | Preventive | |
Configure the "cert-expiry" argument to organizational standards. CC ID 14541 | Configuration | Preventive | |
Configure "client certificate authentication" to organizational standards. CC ID 14608 | Configuration | Preventive | |
Configure the "client certificate bundles" to organizational standards. CC ID 14518 | Configuration | Preventive | |
Configure the "external-server-cert" argument to organizational standards. CC ID 14522 | Configuration | Preventive | |
Configure the "Service Account Tokens" to organizational standards. CC ID 14646 | Configuration | Preventive | |
Configure the "rotate" argument to organizational standards. CC ID 14548 | Configuration | Preventive | |
Configure Encryption settings in accordance with organizational standards. CC ID 07625 | Configuration | Preventive | |
Configure "Elastic Block Store volume encryption" to organizational standards. CC ID 15434 | Configuration | Preventive | |
Configure "Encryption Oracle Remediation" to organizational standards. CC ID 15366 | Configuration | Preventive | |
Configure the "encryption provider" to organizational standards. CC ID 14591 | Configuration | Preventive | |
Configure the "opt encrypted" flag to organizational standards. CC ID 14534 | Configuration | Preventive | |
Configure File Retention, Impact Level, and Classification Settings settings in accordance with organizational standards. CC ID 07715 | Configuration | Preventive | |
Configure System settings in accordance with organizational standards. CC ID 07806 | Configuration | Preventive | |
Configure Virus and Malware Protection settings in accordance with organizational standards. CC ID 07906 | Configuration | Preventive | |
Configure "Turn on behavior monitoring" to organizational standards. CC ID 15407 | Configuration | Preventive | |
Configure "Turn off real-time protection" to organizational standards. CC ID 15406 | Configuration | Preventive | |
Configure "Scan all downloaded files and attachments" to organizational standards. CC ID 15404 | Configuration | Preventive | |
Configure "Scan removable drives" to organizational standards. CC ID 15401 | Configuration | Preventive | |
Configure "Configure Attack Surface Reduction rules: Set the state for each ASR rule" to organizational standards. CC ID 15392 | Configuration | Preventive | |
Configure "Join Microsoft MAPS" to organizational standards. CC ID 15384 | Configuration | Preventive | |
Configure "Configure detection for potentially unwanted applications" to organizational standards. CC ID 15375 | Configuration | Preventive | |
Configure "Turn off Microsoft Defender AntiVirus" to organizational standards. CC ID 15371 | Configuration | Preventive | |
Configure "Enable file hash computation feature" to organizational standards. CC ID 15340 | Configuration | Preventive | |
Configure User Notification settings in accordance with organizational standards. CC ID 08201 | Configuration | Preventive | |
Configure Windows Components settings in accordance with organizational standards. CC ID 08263 | Configuration | Preventive | |
Configure File System settings in accordance with organizational standards. CC ID 08294 | Configuration | Preventive | |
Configure Control Panel settings in accordance with organizational standards. CC ID 08311 | Configuration | Preventive | |
Configure Capacity and Performance Management settings in accordance with organizational standards. CC ID 08353 | Configuration | Preventive | |
Configure Personal Information Handling settings in accordance with organizational standards. CC ID 08396 | Configuration | Preventive | |
Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406 | Configuration | Preventive | |
Configure Nonrepudiation Configuration settings in accordance with organizational standards. CC ID 08432 | Configuration | Preventive | |
Configure Device Installation settings in accordance with organizational standards. CC ID 08438 | Configuration | Preventive | |
Configure Security settings in accordance with organizational standards. CC ID 08469 | Configuration | Preventive | |
Configure AWS Security Hub to organizational standards. CC ID 17166 | Configuration | Preventive | |
Configure Power Management settings in accordance with organizational standards. CC ID 08515 | Configuration | Preventive | |
Configure PowerShell to organizational standards. CC ID 15233 | Configuration | Preventive | |
Configure Patch Management settings in accordance with organizational standards. CC ID 08519 | Configuration | Preventive | |
Configure "Select when Preview Builds and Feature Updates are received" to organizational standards. CC ID 15399 | Configuration | Preventive | |
Configure "Select when Quality Updates are received" to organizational standards. CC ID 15355 | Configuration | Preventive | |
Configure Start Menu and Task Bar settings in accordance with organizational standards. CC ID 08615 | Configuration | Preventive | |
Configure "Turn off notifications network usage" to organizational standards. CC ID 15337 | Configuration | Preventive | |
Configure the jump server to organizational standards. CC ID 16863 | Configuration | Preventive | |
Configure the proxy server to organizational standards. CC ID 12115 | Configuration | Preventive | |
Configure Red Hat Enterprise Linux to Organizational Standards. CC ID 08713 | Establish/Maintain Documentation | Preventive | |
Configure the "max_log_file" setting to organizational standards. CC ID 15323 | Configuration | Preventive | |
Configure Polycom HDX to Organizational Standards. CC ID 08986 | Configuration | Preventive | |
Set the IPv6 header field to a known value. CC ID 17047 | Configuration | Preventive | |
Configure IPv6 extension headers to organizational standards. CC ID 16398 | Configuration | Preventive | |
Filter packets based on IPv6 extension header types and fields. CC ID 16990 | Configuration | Preventive | |
Require packet filtering and rate limiting for arriving packets based on IPv6 Extension Headers. CC ID 16988 | Technical Security | Preventive | |
Drop packets that do not meet the recommended requirements for extension header order and repetition. CC ID 16943 | Technical Security | Preventive | |
Configure ICMP destination unreachable messages to organizational standards. CC ID 17052 | Configuration | Preventive | |
Configure Apache and Tomcat to Organizational Standards. CC ID 08987 | Configuration | Preventive | |
Configure IIS to Organizational Standards. CC ID 08988 | Configuration | Preventive | |
Configure Microsoft SQL Server to Organizational Standards. CC ID 08989 | Configuration | Preventive | |
Configure "Set time limit for active but idle Remote Desktop Services sessions" to organizational standards. CC ID 15382 | Configuration | Preventive | |
Configure Oracle WebLogic Server to Organizational Standards. CC ID 08990 | Configuration | Preventive | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 [The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints. PR.PS-05.01] | Testing | Detective | |
Configure security and protection software to check e-mail messages. CC ID 00578 [The organization has policies, procedures, and tools in place to detect, isolate, and block the use of attached malware or malicious links present in email or message services. PR.PS-05.03] | Testing | Preventive | |
Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 | Configuration | Preventive | |
Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 | Configuration | Preventive | |
Configure dedicated systems used for system management according to organizational standards. CC ID 12132 | Configuration | Preventive | |
Configure Application Programming Interfaces in accordance with organizational standards. CC ID 12170 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Configuration | Preventive | |
Configure Application Programming Interfaces to enforce authentication. CC ID 12172 | Configuration | Preventive | |
Configure Application Programming Interfaces to employ strong cryptography. CC ID 12171 | Configuration | Preventive | |
Configure the Domain Name System in accordance with organizational standards. CC ID 12202 | Configuration | Preventive | |
Configure DNS records in accordance with organizational standards. CC ID 17083 | Configuration | Preventive | |
Configure payment systems in accordance with organizational standards. CC ID 12217 | Configuration | Preventive | |
Configure payment systems to disable storing transactions when offline. CC ID 12220 | Configuration | Preventive | |
Configure payment systems to disable authorizing transactions when offline. CC ID 12219 | Configuration | Preventive | |
Configure payment applications to become disabled when suspicious activity is detected. CC ID 12221 | Configuration | Corrective | |
Configure File Integrity Monitoring Software to Organizational Standards. CC ID 11923 | Configuration | Preventive | |
Unpair Bluetooth devices when the pairing is no longer required. CC ID 15232 | Configuration | Preventive | |
Use authorized versions of Bluetooth to pair Bluetooth devices. CC ID 15231 | Configuration | Preventive | |
Implement safeguards to prevent unauthorized code execution. CC ID 10686 [Installation and execution of unauthorized software are prevented PR.PS-05] | Configuration | Preventive | |
Configure network switches to organizational standards. CC ID 12120 | Configuration | Preventive | |
KEY: Primary Verb; Primary Noun; Secondary Verb; Secondary Noun; Limiting Term | |||
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [{in-house developed application} The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects. PR.PS-06.01 The architecture, design, coding, testing, and operationalization of system solutions address the unique security, resilience, technical, and operational characteristics of the target platform environment(s) (e.g., distributed system, mainframe, cloud, API, mobile, database, etc.) PR.PS-06.02] | Systems Design, Build, and Implementation | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Establish/Maintain Documentation | Preventive | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 [DevOps/DevSecOps practices and procedures are aligned with Systems Development Lifecycle, security operations, and technology service management processes. PR.PS-06.07] | Acquisition/Sale of Assets or Services | Preventive | |
Include information security throughout the system development life cycle. CC ID 12042 [Systems development and testing tools, processes, and environments employ security mechanisms to protect and improve the integrity and confidentiality of both the SDLC process and the resulting product (e.g., secured code repositories, segmented environments, automated builds, etc.) PR.PS-06.04] | Systems Design, Build, and Implementation | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Communicate | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Define and document organizational structures for systems operations. CC ID 12553 [The design, configuration, security control, and operation of key applications and system services are documented sufficiently to support ongoing management, operation, change, and assessment. PR.PS-06.08] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 | Establish/Maintain Documentation | Preventive | |
Document stakeholder requirements and how they influence system design requirements. CC ID 06925 [Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making. GV.RM-08.06] | Establish/Maintain Documentation | Preventive | |
Design and develop built-in redundancies, as necessary. CC ID 13064 [Mechanisms are implemented to achieve resilience requirements in normal and adverse situations PR.IR-03] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Establish/Maintain Documentation | Preventive | |
Include data governance and management practices in the system design project management framework. CC ID 15053 | Establish/Maintain Documentation | Preventive | |
Analyze business activities to ensure information is categorized for system design projects. CC ID 11794 | Monitor and Evaluate Occurrences | Detective | |
Analyze current technology investment factors that could affect implementing the system design project. CC ID 01050 | Testing | Preventive | |
Disseminate and communicate the implementation strategy to interested personnel and affected parties. CC ID 11796 | Communicate | Preventive | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems Design, Build, and Implementation | Preventive | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [Technology projects follow an established project management methodology to manage delivery and delivery risks, produce consistent quality, and achieve business objectives and value. GV.RM-08.07 Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Establish/Maintain Documentation | Preventive | |
Include objectives in the project management standard. CC ID 17202 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Establish/Maintain Documentation | Preventive | |
Perform a risk assessment for each system development project. CC ID 01000 [The risks of technology assimilation and implementations are managed GV.RM-08 Technology and cybersecurity risk management frameworks are applied to all technology projects and procurements to ensure that security requirements (e.g., data confidentiality, access control, event logging, etc.) are addressed consistently from project onset. GV.RM-08.02] | Testing | Detective | |
Separate the design and development environment from the production environment. CC ID 06088 [{production environment} The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets. PR.IR-01.06] | Systems Design, Build, and Implementation | Preventive | |
Implement security controls in development endpoints. CC ID 16389 | Testing | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [The organization establishes policies and procedures for the secure design, configuration, modification, and operation of databases, data stores, and data analytics platforms consistent with the criticality of the data being managed. PR.PS-06.10] | Systems Design, Build, and Implementation | Preventive | |
Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems Design, Build, and Implementation | Preventive | |
Store manufacturing components in a controlled access area. CC ID 12256 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a system design specification. CC ID 04557 [Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Establish/Maintain Documentation | Preventive | |
Document the system architecture in the system design specification. CC ID 12287 | Establish/Maintain Documentation | Preventive | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Establish/Maintain Documentation | Preventive | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Establish/Maintain Documentation | Preventive | |
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems Design, Build, and Implementation | Preventive | |
Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Technical Security | Preventive | |
Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Establish/Maintain Documentation | Preventive | |
Nest elements appropriately in website content using markup languages. CC ID 15154 | Configuration | Preventive | |
Use valid HTML or other markup languages. CC ID 15153 | Configuration | Preventive | |
Establish, implement, and maintain human interface guidelines. CC ID 08662 | Establish/Maintain Documentation | Preventive | |
Ensure users can navigate content. CC ID 15163 | Configuration | Preventive | |
Create text content using language that is readable and is understandable. CC ID 15167 | Configuration | Preventive | |
Ensure user interface components are operable. CC ID 15162 | Configuration | Preventive | |
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Configuration | Preventive | |
Allow users to reverse submissions. CC ID 15168 | Configuration | Preventive | |
Provide a mechanism to control audio. CC ID 15158 | Configuration | Preventive | |
Allow modification of style properties without loss of content or functionality. CC ID 15156 | Configuration | Preventive | |
Programmatically determine the name and role of user interface components. CC ID 15148 | Configuration | Preventive | |
Programmatically determine the language of content. CC ID 15137 | Configuration | Preventive | |
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Configuration | Preventive | |
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Configuration | Preventive | |
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Configuration | Preventive | |
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Configuration | Preventive | |
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Process or Activity | Preventive | |
Provide captions for live audio content. CC ID 15120 | Configuration | Preventive | |
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Configuration | Preventive | |
Provide labels or instructions when content requires user input. CC ID 15077 | Configuration | Preventive | |
Allow users to control auto-updating information, as necessary. CC ID 15159 | Configuration | Preventive | |
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Configuration | Preventive | |
Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Configuration | Preventive | |
Ensure the purpose of links can be determined through the link text. CC ID 15157 | Configuration | Preventive | |
Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Configuration | Preventive | |
Allow the use of time limits, as necessary. CC ID 15155 | Configuration | Preventive | |
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Establish/Maintain Documentation | Preventive | |
Refrain from activating a change of context in a user interface component. CC ID 15115 | Configuration | Preventive | |
Include functionality for managing user data in human interface guidelines. CC ID 14928 | Establish/Maintain Documentation | Preventive | |
Include data encryption information in the system design specification. CC ID 12209 | Establish/Maintain Documentation | Preventive | |
Include records disposition information in the system design specification. CC ID 12208 | Establish/Maintain Documentation | Preventive | |
Include how data is managed in each module in the system design specification. CC ID 12207 | Establish/Maintain Documentation | Preventive | |
Include identifying restricted data in the system design specification. CC ID 12206 | Establish/Maintain Documentation | Preventive | |
Assign appropriate parties to approve the system design specification. CC ID 13070 [Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Human Resources Management | Preventive | |
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Communicate | Preventive | |
Implement data controls when developing systems. CC ID 15302 | Systems Design, Build, and Implementation | Preventive | |
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Technical Security | Preventive | |
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems Design, Build, and Implementation | Preventive | |
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems Design, Build, and Implementation | Preventive | |
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems Design, Build, and Implementation | Preventive | |
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems Design, Build, and Implementation | Preventive | |
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems Design, Build, and Implementation | Preventive | |
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems Design, Build, and Implementation | Preventive | |
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Establish/Maintain Documentation | Preventive | |
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems Design, Build, and Implementation | Preventive | |
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems Design, Build, and Implementation | Preventive | |
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Establish/Maintain Documentation | Preventive | |
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Establish/Maintain Documentation | Preventive | |
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Establish/Maintain Documentation | Preventive | |
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Establish/Maintain Documentation | Preventive | |
Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems Design, Build, and Implementation | Preventive | |
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems Design, Build, and Implementation | Preventive | |
Install secret information under dual control into the hardware security module. CC ID 12257 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems Design, Build, and Implementation | Preventive | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems Design, Build, and Implementation | Preventive | |
Automate secure update mechanisms, as necessary. CC ID 14933 | Systems Design, Build, and Implementation | Preventive | |
Include the source code in the implementation representation document. CC ID 13089 | Establish/Maintain Documentation | Preventive | |
Include the hardware schematics in the implementation representation document. CC ID 13098 | Establish/Maintain Documentation | Preventive | |
Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Process or Activity | Preventive | |
Review and update the security architecture, as necessary. CC ID 14277 | Establish/Maintain Documentation | Corrective | |
Design the privacy architecture. CC ID 14671 | Systems Design, Build, and Implementation | Preventive | |
Review and update the privacy architecture, as necessary. CC ID 14674 | Establish/Maintain Documentation | Preventive | |
Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Process or Activity | Preventive | |
Conduct a design review at each milestone or quality gate. CC ID 01087 [Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle PR.PS-06] | Systems Design, Build, and Implementation | Detective | |
Protect source code in accordance with organizational requirements. CC ID 16855 | Technical Security | Preventive | |
Document the results of the source code analysis. CC ID 14310 | Process or Activity | Detective | |
Digitally sign software components. CC ID 16490 | Process or Activity | Preventive | |
Develop new products based on secure coding techniques. CC ID 11733 [Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle PR.PS-06 {in-house developed application} The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects. PR.PS-06.01] | Systems Design, Build, and Implementation | Preventive | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Technical Security | Preventive | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Configuration | Preventive | |
Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 [Technology and security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience PR.IR] | Establish/Maintain Documentation | Preventive | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [End-user developed solutions, to include models used to support critical business processes and decisions, are formally identified and managed in alignment with their criticality and risk. PR.PS-06.09] | Testing | Detective | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Communicate | Preventive | |
Restrict production data from being used in the test environment. CC ID 01103 [{production environment} The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets. PR.IR-01.06] | Testing | Detective | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Communicate | Preventive | |
Perform Quality Management on all newly developed or modified software. CC ID 11798 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Testing | Detective | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
Deploy applications based on best practices. CC ID 12738 [The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. PR.PS-01.04] | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain end user support communications. CC ID 06615 | Business Processes | Preventive | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [Processes for receiving, analyzing, and responding to vulnerability disclosures are established ID.RA-08 The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from: ID.RA-08.01] | Establish/Maintain Documentation | Preventive |
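
Two of the secure coding mandates in the table above, protection from format string attacks (CC ID 17091) and from insecure deserialization (CC ID 14805), shown as the vulnerable Python pattern beside its hardened form. This is an added example, not code from the CRI Profile, the UCF mapping, or any product; the pickle payload, the `ServiceConfig` object and its secret value are constructed for illustration.

```python
"""Insecure deserialization and format-string abuse in Python, each shown as the
vulnerable pattern beside its hardened form.

Added example, not code from the CRI Profile or the UCF. The pickle payload, the
configuration object and its secret value are constructed for illustration."""
import io
import json
import pickle

# ---- Insecure deserialization ----------------------------------------------
# A hand-built protocol-0 pickle: GLOBAL os.getcwd, EMPTY_TUPLE, REDUCE, STOP.
# The loader calls whatever callable the blob names; getcwd is chosen only
# because it is harmless and its result is observable.
HOSTILE_PICKLE = b"cos\ngetcwd\n)R."
SAFE_PICKLE = pickle.dumps({"user": "alice", "attempts": 3})   # plain data only


def load_insecure(blob: bytes):
    """pickle.loads on untrusted input: the blob decides which code runs."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only an explicit allowlist of globals; everything else is refused."""
    ALLOWED = {("builtins", n) for n in ("dict", "list", "str", "int", "float", "bool")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_as_json(blob: bytes) -> dict:
    """Preferred: a data-only format plus an explicit shape check."""
    doc = json.loads(blob)
    if not isinstance(doc, dict) or not isinstance(doc.get("user"), str):
        raise ValueError("unexpected document shape")
    return doc


def try_load(loader, blob: bytes) -> str:
    """'accepted' if the loader returns, otherwise why it refused the input."""
    try:
        loader(blob)
        return "accepted"
    except (pickle.UnpicklingError, ValueError) as exc:
        return f"rejected: {exc}"


# ---- Format-string abuse ---------------------------------------------------
class ServiceConfig:
    """Constructed object reachable from a template; holds a fake secret."""
    api_key = "sk-constructed-not-a-real-key"
    region = "eu-west-1"


CONFIG = ServiceConfig()


def render_insecure(template_from_user: str) -> str:
    """User text becomes the format string, so a field such as {0.api_key}
    walks attributes of the positional argument and leaks them."""
    return template_from_user.format(CONFIG)


def render_secure(name_from_user: str) -> str:
    """The format string is a constant; user text only ever fills a field."""
    return "Hello, {name} ({region})".format(name=name_from_user, region=CONFIG.region)


if __name__ == "__main__":
    print(try_load(load_insecure, HOSTILE_PICKLE), "|", try_load(load_restricted, HOSTILE_PICKLE))
    print(render_insecure("{0.api_key}"), "|", render_secure("{0.api_key}"))
```

The restricted unpickler is a containment measure for code that cannot move off pickle yet; the durable fix is the JSON loader, because a data-only format has no opcode that names a callable. For the format-string case the rule is the same as for SQL: user input is a value, never the template.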
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Include third party access in the access classification scheme. CC ID 11786 [Specific roles, responsibilities, and procedures to manage the risk of third-party access to organizational systems and facilities are defined and implemented. PR.AA-05.04] | Establish/Maintain Documentation | Preventive | |
Review connection requirements for all systems. CC ID 06411 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 [Identities and credentials for authorized users, services, and hardware are managed by the organization PR.AA-01] | Establish/Maintain Documentation | Preventive | |
Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical Security | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Establish/Maintain Documentation | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Establish/Maintain Documentation | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Establish/Maintain Documentation | Preventive | |
Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
Implement identity proofing processes. CC ID 13719 [Identities are proofed and bound to credentials based on the context of interactions PR.AA-02 The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Process or Activity | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Process or Activity | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Process or Activity | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Process or Activity | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Process or Activity | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Establish/Maintain Documentation | Preventive | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Configuration | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Process or Activity | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Process or Activity | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Process or Activity | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Process or Activity | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Process or Activity | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Process or Activity | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Process or Activity | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Process or Activity | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Process or Activity | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Configuration | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Configuration | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Configuration | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Process or Activity | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Process or Activity | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Business Processes | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Process or Activity | Detective | |
Verify proof of identity records. CC ID 13761 | Investigate | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Process or Activity | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Process or Activity | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Process or Activity | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Process or Activity | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Process or Activity | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Process or Activity | Preventive | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Process or Activity | Detective | |
Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical Security | Preventive | |
Authenticate all systems in a federated identity system. CC ID 13835 [Users, services, and hardware are authenticated PR.AA-03] | Technical Security | Preventive | |
Send and receive authentication assertions, as necessary. CC ID 13839 [Identity assertions are protected, conveyed, and verified PR.AA-04] | Technical Security | Preventive | |
Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical Security | Preventive | |
Validate the issuer in the authentication assertion. CC ID 13878 | Technical Security | Detective | |
Limit the lifetime of the assertion reference. CC ID 13874 | Technical Security | Preventive | |
Refrain from using authentication assertions that have expired. CC ID 13872 | Technical Security | Preventive | |
Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 [Identity assertions are protected, conveyed, and verified PR.AA-04] | Technical Security | Preventive | |
Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical Security | Preventive | |
Include attribute metadata in the authentication assertion. CC ID 13856 | Technical Security | Preventive | |
Include the authentication time in the authentication assertion. CC ID 13855 | Technical Security | Preventive | |
Validate each element within the authentication assertion. CC ID 13853 [Identity assertions are protected, conveyed, and verified PR.AA-04 The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical Security | Preventive | |
Validate the timestamp in the authentication assertion. CC ID 13875 | Technical Security | Detective | |
Validate the digital signature in the authentication assertion. CC ID 13869 | Technical Security | Detective | |
Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical Security | Detective | |
Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical Security | Detective | |
Include the subject in the authentication assertion. CC ID 13852 | Technical Security | Preventive | |
Include the target audience in the authentication assertion. CC ID 13851 | Technical Security | Preventive | |
Include audience restrictions in the authentication assertion. CC ID 13870 | Technical Security | Preventive | |
Include the issue date in the authentication assertion. CC ID 13850 | Technical Security | Preventive | |
Revoke authentication assertions, as necessary. CC ID 16534 | Technical Security | Preventive | |
Include the expiration date in the authentication assertion. CC ID 13849 | Technical Security | Preventive | |
Include identifiers in the authentication assertion. CC ID 13848 | Technical Security | Preventive | |
Include digital signatures in the authentication assertion. CC ID 13847 | Technical Security | Preventive | |
Include key binding in the authentication assertion. CC ID 13846 | Technical Security | Preventive | |
Include attribute references in the authentication assertion. CC ID 13845 | Technical Security | Preventive | |
Include attribute values in the authentication assertion. CC ID 13844 | Technical Security | Preventive | |
Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical Security | Preventive | |
Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical Security | Preventive | |
Define the assertion level for authentication assertions. CC ID 13873 | Technical Security | Preventive | |
Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical Security | Preventive | |
Authenticate systems referenced in the allowlist. CC ID 13838 | Technical Security | Preventive | |
Place nonmembers of allowlists and denylists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical Security | Preventive | |
Require runtime decisions regarding authentication for organizations that are excluded from the allowlist. CC ID 13842 | Technical Security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 [Access credential and authorization mechanisms for internal systems and across security perimeters (e.g., leveraging directory services, directory synchronization, single sign-on, federated access, credential mapping, etc.) are designed to maintain security, integrity, and authenticity. PR.AA-04.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Establish/Maintain Documentation | Preventive | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
Identify information system users. CC ID 12081 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Identifying affected stakeholders or | Technical Security | Detective | |
Match user accounts to authorized parties. CC ID 12126 [Identities are proofed and bound to credentials based on the context of interactions PR.AA-02] | Configuration | Detective | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05 The organization limits access privileges to the minimum necessary and with consideration of separation of duties (e.g., through role-based access control, asset owner access recertifications, etc.). PR.AA-05.01] | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 [{physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 Decisions to authorize user access to devices and other assets are made with consideration of: Business need for the access; PR.AA-03.02 (1)] | Technical Security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Communicate | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Configuration | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Establish/Maintain Documentation | Preventive | |
Review all user privileges, as necessary. CC ID 06784 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical Security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA Decisions to authorize user access to devices and other assets are made with consideration of: The type of data being accessed (e.g., customer PII, public data); PR.AA-03.02 (2) Decisions to authorize user access to devices and other assets are made with consideration of: The risk of the transaction (e.g., internal-to-internal, external-to-internal); PR.AA-03.02 (3) Decisions to authorize user access to devices and other assets are made with consideration of: The organization's level of trust for the accessing agent (e.g., external application, internal user); and PR.AA-03.02 (4) Decisions to authorize user access to devices and other assets are made with consideration of: The potential for harm. PR.AA-03.02 (5)] | Technical Security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [{authorized user} Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, password strength requirements, automatic revocation of credentials under defined conditions, regular asset owner access review, etc.). PR.AA-01.01] | Technical Security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Log Management | Preventive | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical Security | Corrective | |
Grant access to authorized personnel or systems. CC ID 12186 [{physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 Decisions to authorize user access to devices and other assets are made with consideration of: PR.AA-03.02] | Configuration | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
Include the user's location in the system record. CC ID 16996 | Log Management | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Establish/Maintain Documentation | Preventive | |
Include the scope in the identification and authentication policy. CC ID 14232 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Establish/Maintain Documentation | Preventive | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Communicate | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Establish/Maintain Documentation | Preventive | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical Security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
Employ unique identifiers. CC ID 01273 [The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Testing | Detective | |
Assign authentication mechanisms for user account authentication. CC ID 06856 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Configuration | Preventive | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Communicate | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Process or Activity | Preventive | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical Security | Preventive | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical Security | Preventive | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive | |
Identify and control all network access controls. CC ID 00529 [The organization defines and implements controls for securely configuring and operating Operational Technologies, Industrial Control Systems, and Internet-of-Things (IoT) devices (e.g., segregated printer networks, resetting of default passwords, etc.) PR.IR-01.07] | Technical Security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 [Network device configurations (e.g., firewall rules, ports, and protocols) are documented, reviewed and updated regularly and upon change to ensure alignment with network access, segmentation, traversal, and deny-all default requirements. PR.IR-01.02] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Establish/Maintain Documentation | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 | Process or Activity | Preventive | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical Security | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical Security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 [{communication network} The integrity and resilience of the organization's communications and control network services are enhanced through controls such as denial of service protections, secure name/address resolution, and/or alternate communications paths. PR.IR-01.03] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Communicate | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [Representations of the organization's authorized network communication and internal and external network data flows are maintained ID.AM-03 The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. ID.AM-03.01] | Establish/Maintain Documentation | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Process or Activity | Detective | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive | |
Maintain up-to-date data flow diagrams. CC ID 10059 [Representations of the organization's authorized network communication and internal and external network data flows are maintained ID.AM-03 The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. ID.AM-03.01] | Establish/Maintain Documentation | Preventive | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Process or Activity | Detective | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Establish/Maintain Documentation | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Establish/Maintain Documentation | Preventive | |
Document where data-at-rest and data in transit are encrypted on the data flow diagram. CC ID 16412 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Communicate | Preventive | |
Manage all external network connections. CC ID 11842 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Technical Security | Preventive | |
Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical Security | Preventive | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical Security | Preventive | |
Implement a fault-tolerant architecture. CC ID 01626 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Technical Security | Preventive | |
Implement segregation of duties. CC ID 11843 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical Security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01 Networks, systems, and external connections are segmented (e.g., using firewalls, software-defined networks, guest wireless networks, etc.) to implement defense-in-depth and access isolation principles. PR.IR-01.01] | Technical Security | Preventive | |
Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical Security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical Security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical Security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Data and Information Management | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical Security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical Security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Data and Information Management | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical Security | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Establish/Maintain Documentation | Preventive | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 [The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). PR.IR-01.04] | Technical Security | Preventive | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 [The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). PR.IR-01.04] | Configuration | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Configuration | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Communicate | Preventive | |
Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical Security | Preventive | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical Security | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 [{not be authorized} Networks and environments are protected from unauthorized logical access and usage PR.IR-01] | Configuration | Detective | |
Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 | Establish/Maintain Documentation | Preventive | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 [The organization implements measures to detect and block access to unauthorized, inappropriate, or malicious websites and services (e.g. social media, messaging, file sharing). DE.CM-01.05] | Technical Security | Preventive | |
Revoke membership in the allowlist, as necessary. CC ID 13827 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [{data destruction} The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. PR.DS-01.02] | Establish/Maintain Documentation | Preventive | |
Enforce privileged and non-privileged accounts for system access. CC ID 00558 [The organization institutes controls over privileged system access by strictly limiting and closely managing staff and services with elevated system entitlements (e.g., multi-factor authentication, dual accounts, privilege and time constraints, etc.) PR.AA-05.02] | Technical Security | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical Security | Preventive | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Process or Activity | Preventive | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 | Establish/Maintain Documentation | Preventive | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical Security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Configuration | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical Security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical Security | Preventive | |
Protect remote access accounts with encryption. CC ID 00562 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Configuration | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [{encryption management} The organization employs defined encryption methods and management practices commensurate with the criticality of the information being protected and the inherent risk of the technical environment where used. PR.PS-01.06] | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Establish/Maintain Documentation | Preventive | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Establish/Maintain Documentation | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 [{encryption method} {encryption management} Acceptable encryption standards, methods, and management practices are established in accordance with defined industry standards. PR.PS-01.05] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Cryptographic keys and certificates are tracked, managed, and protected throughout their lifecycles, to include for compromise and revocation. PR.PS-01.07] | Establish/Maintain Documentation | Preventive | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Establish/Maintain Documentation | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Communicate | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [The confidentiality, integrity, and availability of data-in-transit are protected PR.DS-02] | Technical Security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 [{data classification policy} {data protection policy} Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, and alternate transit paths). PR.DS-02.01] | Configuration | Preventive | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical Security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints. PR.PS-05.01] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical Security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
Establish, implement, and maintain an application security policy. CC ID 06438 [{security architecture}{security process}{security practice} The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. GV.RM-08.03 The organization establishes standards and practices for ongoing application management to ensure that applications remain secure and continue to meet organizational needs. PR.PS-02.02] | Establish/Maintain Documentation | Preventive | |
Include allow lists of protocols, domains, paths and ports in the application security policy. CC ID 16852 | Establish/Maintain Documentation | Preventive | |
Approve the application security policy. CC ID 17065 | Process or Activity | Preventive | |
Disseminate and communicate the application security policy to interested personnel and affected parties. CC ID 17064 | Communicate | Preventive | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Establish/Maintain Documentation | Preventive | |
Deactivate user credentials upon agreement termination. CC ID 12177 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Configuration | Corrective | |
Sanitize customer data from all shared resources upon agreement termination. CC ID 12175 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Records Management | Preventive | |
Return all unstructured data from all shared resources upon agreement termination. CC ID 12336 | Business Processes | Preventive | |
Remove data remnants in terminated Virtual Machines. CC ID 12168 | Technical Security | Corrective | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [The risks posed by a third-party are monitored and managed over the course of the relationship EX.MM Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite. GV.SC-01.01 {personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Establish/Maintain Documentation | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 [Relationship terminations and the return or destruction of assets are performed in a controlled and safe manner EX.TR-02 Relationship termination is anticipated, planned for, and executed safely EX.TR] | Business Processes | Corrective | |
Establish, implement, and maintain an exit plan. CC ID 15492 [Relationship termination is anticipated, planned for, and executed safely EX.TR {technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 [Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 [{be reasonable} The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. EX.DD-02.02] | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location. ID.AM-08.06 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 {foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03] | Business Processes | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [Roles and responsibilities for the Third-Party Risk Management Program and for each third-party engagement are defined and assigned. GV.RR-02.04 The organization clearly defines, and includes in contractual agreements, the division of cybersecurity and technology risk management responsibilities between the organization and its third parties (e.g., a Shared Responsibilities Model). GV.SC-02.01 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 Contracts clearly specify the rights and responsibilities of each party and establish requirements to address the anticipated risks posed by a third party over the life of the relationship EX.CN-01] | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03 The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs. GV.SC-03.01 Inter-dependent and coordinated cybersecurity risk management practices with third parties are managed to ensure ongoing effectiveness EX.MM-02 {cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: GV.RM-05.02] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 [The organization periodically identifies and tests alternative solutions in case a critical external partner fails to perform as expected. EX.TR-01.02 The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 [The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [{security control} The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected. EX.MM-02.01 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Establish/Maintain Documentation | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and GV.RM-05.02 (3) The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Incorporating the potential impact of an incident into their BCM process and ensure resilience capabilities are in place. GV.RM-05.02 (4) A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04] | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03 The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Establish/Maintain Documentation | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [{personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03 The organization anticipates and plans for the termination of critical relationships under both normal and adverse circumstances EX.TR-01 Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Establish/Maintain Documentation | Detective | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Responsibilities for responding to incidents, including forensic investigations; GV.RM-05.02 (2) The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location. ID.AM-08.06] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04 {security control} The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected. EX.MM-02.01 The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05 The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Testing | Detective | |
Establish the third party's service continuity. CC ID 00797 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Testing | Detective | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01 Expected cybersecurity practices for critical third parties that meet the risk management objectives of the organization are identified, documented, and agreed EX.CN-02] | Testing | Detective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Communicate | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 [{absent approval} The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval. GV.SC-04.01] | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Establish/Maintain Documentation | Detective | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 | Data and Information Management | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Establish/Maintain Documentation | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 | Establish/Maintain Documentation | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 | Establish/Maintain Documentation | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [Inventories of services provided by suppliers are maintained ID.AM-04] | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Process or Activity | Preventive | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [Suppliers are known and prioritized by criticality GV.SC-04] | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite. GV.SC-01.01 {third party} Extend organizational risk management policy and practices over the life cycle of third- (and nth-) party relationships, products, and services EX] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03 The organization regularly assesses the risk of its ongoing use of third parties in aggregate, considering factors such as critical service dependencies, vendor concentration, geographical/geopolitical exposure, fourth-party impacts, and financial sector co-dependencies. GV.SC-01.02 The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization. EX.MM-01.01 {technology capabilities} The organization assesses the risks and suitability of the technology and cybersecurity capabilities and risk management practices of prospective third parties EX.DD-03 The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. EX.DD-02.01] | Testing | Detective | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Establish/Maintain Documentation | Preventive | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Business Processes | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 [{absent approval} The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval. GV.SC-04.01] | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 Contracts establish baseline protections to manage risk over the life of the third-party relationship EX.CN {technology capabilities} The organization assesses the risks and suitability of the technology and cybersecurity capabilities and risk management practices of prospective third parties EX.DD-03 Contracts clearly specify the rights and responsibilities of each party and establish requirements to address the anticipated risks posed by a third party over the life of the relationship EX.CN-01 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. EX.CN-02.04 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs. GV.SC-03.01] | Establish/Maintain Documentation | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [The organization performs thorough due diligence on prospective third parties, consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each third-party relationship EX.DD-02] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Support third parties in building their capabilities. CC ID 08814 [The organization collaborates with suppliers to maintain and improve the secure use of products, services, and external connections. EX.MM-02.03] | Business Processes | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. EX.DD-02.01] | Business Processes | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [Planning and due diligence are performed to reduce risks before entering into a formal third-party relationship EX.DD {be reasonable} The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. EX.DD-02.02 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Business Processes | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Business Processes | Detective | |
Assess third parties' relevant experience during due diligence. CC ID 12070 | Business Processes | Detective | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Business Processes | Detective | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Business Processes | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. EX.DD-02.03 Third-party products and services are assessed relative to business, risk management, and cybersecurity requirements EX.DD-04 The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Business Processes | Detective | |
Assess third parties' financial stability during due diligence. CC ID 12066 | Business Processes | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04 The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05] | Business Processes | Detective | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Business Processes | Detective | |
Assess the third parties' reputation during due diligence. CC ID 12068 | Business Processes | Detective | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Business Processes | Detective | |
Assess complaints against third parties during due diligence. CC ID 12069 | Business Processes | Detective | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Business Processes | Preventive | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01] | Testing | Detective | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. EX.DD-02.03] | Process or Activity | Detective | |
Document that supply chain members investigate security events. CC ID 13348 | Investigate | Detective | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01] | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [{cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01] | Establish/Maintain Documentation | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [{externally provided process, product and service} The organization defines and implements procedures for assessing the compatibility, security, integrity, and authenticity of externally-developed or externally-sourced applications, software, software components, and firmware before deployment and upon any major change. EX.DD-04.01] | Business Processes | Detective | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [{technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Business Processes | Preventive | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Establish/Maintain Documentation | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [Critical suppliers and third parties are monitored to confirm that they continue to satisfy their obligations as required; reviews of audits, test results, or other assessments of third parties are conducted EX.MM-01] | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [{cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09 External service provider activities and services are monitored to find potentially adverse events DE.CM-06 The organization regularly evaluates its third party relationships to determine if changes in the organization's circumstances, objectives, or third party use warrant a change in a third party's risk rating (e.g., a less critical third-party relationship evolves into being a critical relationship). EX.MM-01.02 The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 Critical suppliers and third parties are monitored to confirm that they continue to satisfy their obligations as required; reviews of audits, test results, or other assessments of third parties are conducted EX.MM-01] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Establish/Maintain Documentation | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [Expected cybersecurity practices for critical third parties that meet the risk management objectives of the organization are identified, documented, and agreed EX.CN-02] | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [Adequate resources are allocated commensurate with technology and cybersecurity risk strategy, roles, responsibilities, and policies GV.RR-03] | Operational management | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Preventive | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 [DevOps/DevSecOps practices and procedures are aligned with Systems Development Lifecycle, security operations, and technology service management processes. PR.PS-06.07] | Systems design, build, and implementation | Preventive | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Systems design, build, and implementation | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 [Planning is performed for procurements and agreements that involve elevated risk to the organization EX.DD-01 Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain acquisition notices. CC ID 16682 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the geographic locations of the organization in the acquisition notice. CC ID 16723 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include certification that the organizations meet applicable requirements in the acquisition notice. CC ID 16714 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the capital ratios in the acquisition notice. CC ID 16712 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the relevant authorities in the acquisition notice. CC ID 16711 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of the subsidiary's activities in the acquisition notice. CC ID 16707 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the subsidiary's contact information in the acquisition notice. CC ID 16704 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include in scope transactions in the acquisition notice. CC ID 16700 | Acquisition or sale of facilities, technology, and services | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the acceptance criteria in system acquisition contracts. CC ID 14288 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include audit record generation capabilities in system acquisition contracts. CC ID 16427 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include environmental considerations in the acquisition feasibility study. CC ID 16224 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain the requirements for competitive bid documents. CC ID 16936 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain the requirements for off-contract purchases. CC ID 16929 | Acquisition or sale of facilities, technology, and services | Preventive | |
Require prior approval from the appropriate authority for any off-contract purchases. CC ID 16928 | Acquisition or sale of facilities, technology, and services | Preventive | |
Review and update the acquisition contracts, as necessary. CC ID 14279 | Acquisition or sale of facilities, technology, and services | Corrective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [The designated Technology Officer (e.g., CIO or CTO) regularly reports to the governing authority (e.g., the Board or one of its committees) on the status of technology use and risks within the organization. GV.OV-01.03] | Leadership and high level objectives | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [The independent risk management function reports on the implementation of the technology and cybersecurity risk management frameworks to the governing authority (e.g., the Board or one of its committees) GV.IR-03 The independent risk management function reports to the governing authority (e.g., the Board or one of its committees) and to the designated risk management officer within the organization on the implementation of the technology and cybersecurity risk management frameworks throughout the organization and its independent assessment of risk posture. GV.IR-03.01] | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Monitoring and measurement | Preventive | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 [{business continuity program} Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees). GV.OV-03.02] | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Preventive | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. GV.OV-01.02 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Monitoring and measurement | Corrective | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 [Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Audits and risk management | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results. ID.IM-02.07] | Operational and Systems Continuity | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Mitigate reported incidents. CC ID 12973 [Activities are performed to prevent expansion of an event and mitigate its effects RS.MI Incidents are eradicated RS.MI-02] | Operational management | Preventive | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [The end of incident recovery is declared based on criteria, and incident-related documentation is completed RC.RP-06] | Operational management | Preventive | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [{network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02] | Monitoring and measurement | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Audit in scope audit items and compliance documents. CC ID 06730 [An independent audit function assesses compliance with applicable laws and regulations. GV.AU-01.05 The independent audit function assesses compliance with internal controls and applicable laws and regulations GV.AU-01] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. GV.AU-03.01] | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02] | Audits and risk management | Detective | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Audits and risk management | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its validity; ID.RA-08.02 (1) A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06] | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02] | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded ID.RA-04 The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized. ID.RA-04.01] | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized. ID.RA-04.01] | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes. ID.RA-05.04 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization ID.RA-05 The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02] | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 [The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01] | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The organization identifies, assesses, and documents the key dependencies, interdependencies, and potential points of failure to support the delivery of critical services (e.g., systems, business processes, workforce, third parties, facilities, etc.) GV.OC-05.01 The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. GV.OV-02.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03 The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning. GV.OC-04.02] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04 The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01] | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02 Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded ID.RA-04] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization ID.RA-05 Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06 The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02 {cybersecurity control} Technology and cybersecurity risk management programs and risk assessment processes produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify cybersecurity and technology controls. ID.RA-06.01 Technology and cybersecurity programs identify and implement controls to manage applicable risks within the risk appetite set by the governing authority (e.g., the Board or one of its committees). ID.RA-06.03 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01 The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV {critical function} {post incident activity} Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms RC.RP-04 The organization has established, and maintains, technology and cybersecurity programs designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite and business needs. GV.RM-01.03] | Audits and risk management | Preventive | |
Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Detective | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and PR.AT-02.07 (2)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a testing program. CC ID 00654 [The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive), that could affect the organization's ability to service internal and external stakeholders. ID.IM-02.05 {third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06 The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Monitoring and measurement | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 [The thoroughness and results of independent penetration testing are regularly reviewed to help determine the need to rotate testing vendors to obtain fresh independent perspectives. ID.IM-02.02] | Monitoring and measurement | Preventive | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk. ID.RA-01.02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Lines of communication across the organization are established for technology and cybersecurity risks, including risks from suppliers and other third parties GV.RM-05 A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 {recovery procedure} The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders. RC.CO-03.01] | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM] | Audits and risk management | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets. GV.RR-04.02] | Physical and environmental protection | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [All personnel (employee and third party) are made aware of and are trained for their role and operational steps in response and recovery plans. PR.AT-02.03] | Operational and Systems Continuity | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Preventive | |
Train all new hires, as necessary. CC ID 06673 | Human Resources management | Preventive | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Human Resources management | Preventive | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [As new technology is deployed or undergoes change that also requires changes in practices, all impacted personnel (e.g., end-users, developers, operators, etc.) are trained on the new system and any accompanying technology and cybersecurity risks. PR.AT-01.04 All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security. PR.AT-02.05] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [Mechanisms are in place to ensure that the personnel working with cybersecurity and technology (e.g., developers, DBAs, network admins, etc.) maintain current knowledge and skills related to changing threats, countermeasures, new tools, best practices, and their job responsibilities. PR.AT-02.01] | Human Resources management | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind PR.AT-01 Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind PR.AT-02 The organization maintains and enhances the skills and knowledge of the in-house staff performing incident management and forensic investigation activities. PR.AT-02.04] | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02 Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced GV.PO-01] | Human Resources management | Corrective | |
Establish, implement, and maintain an ethical culture. CC ID 12781 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01] | Human Resources management | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Detective | |
Perform periodic maintenance according to organizational standards. CC ID 01435 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Operational management | Preventive | |
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [Internal and external threats to the organization are identified and recorded ID.RA-03 The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03] | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 [The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01] | Leadership and high level objectives | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [Internal and external stakeholders are understood, and their needs and expectations regarding technology and cybersecurity risk management are understood and considered GV.OC-02] | Leadership and high level objectives | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy ID.AM] | Leadership and high level objectives | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Leadership and high level objectives | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 [{IT architecture} The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs. GV.RM-08.05] | Leadership and high level objectives | Corrective | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Leadership and high level objectives | Preventive | |
Implement a fraud detection system. CC ID 13081 [The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters. PR.AA-03.03] | Monitoring and measurement | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Report timely risk metrics. DE.AE-02.01 (3)] | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. GV.RM-02.02] | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [{risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). GV.RM-03.04] | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 [Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Detective | |
Return all unstructured data from all shared resources upon agreement termination. CC ID 12336 | Technical security | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Physical and environmental protection | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Preventive | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Detective | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
Follow the resource workload schedule. CC ID 00941 | Operational management | Detective | |
Manage cloud services. CC ID 13144 | Operational management | Preventive | |
Correlate business processes and applications. CC ID 16300 [The organization's technology operations and service and support functions are designed and managed to address business operational needs and stakeholder requirements. PR.PS-07] | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 [The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization. EX.MM-01.01] | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [{protection process} A formal process is in place to improve protection controls and processes by integrating recommendations, findings, and lessons learned from exercises, testing, audits, assessments, and incidents. ID.IM-03.01] | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The organization's asset management processes ensure the protection of sensitive data throughout removal, transfers, maintenance, end-of-life, and secure disposal or re-use. ID.AM-08.04 The organization establishes and maintains asset lifecycle management policies and procedures to ensure that assets are acquired, tracked, implemented, used, decommissioned, and protected commensurate with their sensitivity, criticality, and business value. ID.AM-08.01 The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Define the requirements for where assets can be located. CC ID 17051 | Operational management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 [Assets are prioritized based on classification, criticality, resources, and impact on the mission ID.AM-05] | Operational management | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. ID.AM-01.01 The organization maintains an inventory of key internal assets, business functions, and external dependencies that includes mappings to other assets, business functions, and information flows. GV.OC-04.01] | Operational management | Preventive | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 | Operational management | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Operational management | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08 Possible cybersecurity attacks and compromises, and other operationally adverse events, are found and analyzed DE {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Preventive | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Analyze and respond to security alerts. CC ID 12504 [Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents DE.AE Potentially adverse events are analyzed to better understand associated activities DE.AE-02] | Operational management | Detective | |
Collect evidence from the incident scene. CC ID 02236 [Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Operational management | Corrective | |
Manage change requests. CC ID 00887 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 {change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02] | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Preventive | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Corrective | |
Perform destruction at authorized facilities. CC ID 17074 | Records management | Preventive | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Preventive | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Preventive | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 [The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters. PR.AA-03.03] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain authorization for marketing new products. CC ID 16805 | Acquisition or sale of facilities, technology, and services | Preventive | |
Approve the privacy plan. CC ID 14700 [The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). GV.OC-03.02] | Privacy protection for information and data | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 [Relationship terminations and the return or destruction of assets are performed in a controlled and safe manner EX.TR-02 Relationship termination is anticipated, planned for, and executed safely EX.TR] | Third Party and supply chain oversight | Corrective | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location. ID.AM-08.06 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 {foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03] | Third Party and supply chain oversight | Preventive | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Third Party and supply chain oversight | Preventive | |
Support third parties in building their capabilities. CC ID 08814 [The organization collaborates with suppliers to maintain and improve the secure use of products, services, and external connections. EX.MM-02.03] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. EX.DD-02.01] | Third Party and supply chain oversight | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [Planning and due diligence are performed to reduce risks before entering into a formal third-party relationship EX.DD {be reasonable} The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. EX.DD-02.02 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Detective | |
Assess third parties' relevant experience during due diligence. CC ID 12070 | Third Party and supply chain oversight | Detective | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Detective | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Third Party and supply chain oversight | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. EX.DD-02.03 Third-party products and services are assessed relative to business, risk management, and cybersecurity requirements EX.DD-04 The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Third Party and supply chain oversight | Detective | |
Assess third parties' financial stability during due diligence. CC ID 12066 | Third Party and supply chain oversight | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04 The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05] | Third Party and supply chain oversight | Detective | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Detective | |
Assess the third parties' reputation during due diligence. CC ID 12068 | Third Party and supply chain oversight | Detective | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Detective | |
Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Detective | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Preventive | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [{externally provided process, product and service} The organization defines and implements procedures for assessing the compatibility, security, integrity, and authenticity of externally-developed or externally-sourced applications, software, software components, and firmware before deployment and upon any major change. EX.DD-04.01] | Third Party and supply chain oversight | Detective | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [{technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Third Party and supply chain oversight | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [Critical suppliers and third parties are monitored to confirm that they continue to satisfy their obligations as required; reviews of audits, test results, or other assessments of third parties are conducted EX.MM-01] | Third Party and supply chain oversight | Detective | |
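Both CC ID 13081 (Implement a fraud detection system) and CC ID 12017 (Protect the integrity of application service transactions) above cite PR.AA-03.03, which names DMARC and DKIM as the email verification mechanisms used to thwart imposters. The Python below is an added example, not part of the CRI Profile or of the UCF mapping, showing the DMARC evaluation a receiving mail system performs once SPF and DKIM have already been checked: parse the published record, test identifier alignment against the RFC5322.From domain, and derive the disposition. The DMARC record, domains and authentication results are constructed for the example; no DNS lookup is done; and the organizational-domain helper (last two labels) is a stated simplification, since a production implementation must consult the Public Suffix List.

```python
"""DMARC policy evaluation (RFC 7489 semantics, simplified).

Added example; not code from the CRI Profile or the UCF mapping.
Assumes the DMARC TXT record has already been fetched from DNS and that
SPF and DKIM verification results are already known for the message.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION: last two DNS labels. A real
    implementation must use the Public Suffix List (e.g. example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain. An empty auth_domain never aligns."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str    # RFC5322.From header domain (what the user sees)
    dkim_pass: bool     # a DKIM signature verified
    dkim_domain: str    # d= of that signature, "" if none verified
    spf_pass: bool      # SPF check passed
    spf_domain: str     # RFC5321.MailFrom (or HELO) domain SPF evaluated


def evaluate_dmarc(record: str, policy_domain: str, r: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition the receiver should apply.
    policy_domain is the domain whose record was found (From domain or its
    organizational domain)."""
    tags = parse_dmarc(record)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    passed = dkim_ok or spf_ok
    # sp= applies when the From domain is a subdomain of the record's domain
    is_subdomain = r.from_domain.lower() != policy_domain.lower()
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {
        "pass": passed,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "disposition": "none" if passed else policy,
    }


# Constructed record and messages for the example (not real DNS data).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
SAMPLES = [
    ("legitimate, DKIM-signed by the domain",
     AuthResults("example.com", True, "example.com", False, "")),
    ("imposter: SPF and DKIM pass, but for the attacker's own domain",
     AuthResults("example.com", True, "attacker.net", True, "attacker.net")),
    ("subdomain sender, strict DKIM fails but relaxed SPF aligns",
     AuthResults("mail.example.com", True, "example.com", True, "bounce.example.com")),
    ("subdomain sender with no authentication at all",
     AuthResults("sub.example.com", False, "", False, "")),
]

if __name__ == "__main__":
    for label, results in SAMPLES:
        verdict = evaluate_dmarc(RECORD, "example.com", results)
        print(f"{label}: {verdict}")
```

The second sample is the imposter case PR.AA-03.03 targets: SPF and DKIM both pass, but for the attacker's domain, so neither identifier aligns with the visible From domain and the receiver applies p=reject. The fraud-detection value of DMARC lies in that alignment check, not in a bare SPF or DKIM pass.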
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03 The independent audit function reports to the governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when risk tolerance has been exceeded in any part of the organization. GV.AU-03.03] | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 [Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [Outcomes, capabilities, and services that the organization depends on are understood and communicated GV.OC-05] | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [The organization ensures that cyber threat intelligence is made available, in a secure manner, to authorized staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization. RS.CO-03.01] | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Corrective | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Preventive | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02] | Monitoring and measurement | Preventive | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and are communicated and enforced GV.PO-01] | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV] | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 [Strategic direction that describes appropriate risk response options is established and communicated GV.RM-04] | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 [Risk management objectives are established and agreed to by organizational stakeholders GV.RM-01] | Audits and risk management | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Preventive | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Preventive | |
Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Technical security | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Preventive | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
Disseminate and communicate the application security policy to interested personnel and affected parties. CC ID 17064 | Technical security | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Preventive | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Corrective | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Preventive | |
Disseminate and communicate space weather information to interested personnel and affected parties. CC ID 17155 | Physical and environmental protection | Preventive | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 | Physical and environmental protection | Preventive | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders RC.CO-03 {recovery procedure} The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders. RC.CO-03.01] | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 [Public updates on incident recovery are shared using approved methods and messaging RC.CO-04 The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as required or appropriate. RC.CO-03.02 The end of incident recovery is declared based on criteria, and incident-related documentation is completed RC.RP-06] | Operational and Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 [{cybersecurity} The organization participates actively (in alignment with its business operations, inherent risk, and complexity) in information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats, and early warning indicators relating to cyber threats. ID.RA-02.01 The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party's approach to securing systems. ID.RA-02.02] | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 [The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party's approach to securing systems. ID.RA-02.02] | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 [Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01] | Operational management | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 | Operational management | Preventive | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 | Operational management | Preventive | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 | Operational management | Preventive | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 | Operational management | Preventive | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 | Operational management | Preventive | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 | Operational management | Preventive | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Preventive | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Provide customer security advice, as necessary. CC ID 13674 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Operational management | Preventive | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Operational management | Preventive | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Operational management | Preventive | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 [Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, etc.) are established, communicated, maintained, and improved ID.IM-04] | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [In the event of an incident, the organization notifies impacted stakeholders including, as required, government bodies, self-regulatory agencies and/or other supervisory bodies, within required timeframes. RS.CO-02.02] | Operational management | Corrective | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Preventive | |
Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 [The organization pre-identifies, pre-qualifies, and retains third party incident management support and forensic service firms, as required, that can be called upon to quickly assist with incident response, investigation, and recovery. ID.IM-04.07] | Operational management | Detective | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Preventive | |
Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Preventive | |
Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 | System hardening through configuration management | Preventive | |
Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Records management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the implementation strategy to interested personnel and affected parties. CC ID 11796 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Preventive | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Preventive | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Install and maintain an Intrusion Detection and Prevention System. CC ID 00581 [The organization deploys intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. DE.CM-01.01 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified. PR.PS-01.03] | Monitoring and measurement | Preventive | |
Document the event information to be logged in the event information log specification. CC ID 00639 [{refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Preventive | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. PR.PS-01.04] | Monitoring and measurement | Preventive | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Preventive | |
Match user accounts to authorized parties. CC ID 12126 [Identities are proofed and bound to credentials based on the context of interactions PR.AA-02] | Technical security | Detective | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 [{physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 Decisions to authorize user access to devices and other assets are made with consideration of: PR.AA-03.02] | Technical security | Preventive | |
Assign authentication mechanisms for user account authentication. CC ID 06856 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical security | Preventive | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 [The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). PR.IR-01.04] | Technical security | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 [{not be authorized} Networks and environments are protected from unauthorized logical access and usage PR.IR-01] | Technical security | Detective | |
Implement multifactor authentication techniques. CC ID 00561 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical security | Preventive | |
Protect remote access accounts with encryption. CC ID 00562 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 [{data classification policy} {data protection policy} Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, and alternate transit paths). PR.DS-02.01] | Technical security | Preventive | |
Deactivate user credentials upon agreement termination. CC ID 12177 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Technical security | Corrective | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Preventive | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Corrective | |
Encrypt backup data. CC ID 00958 [Backups of data are created, protected, maintained, and tested PR.DS-11] | Operational and Systems Continuity | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Operational management | Preventive | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Preventive | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Document external connections for all systems. CC ID 06415 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | System hardening through configuration management | Preventive | |
Configure "Docker" to organizational standards. CC ID 14457 | System hardening through configuration management | Preventive | |
Configure the "autolock" argument to organizational standards. CC ID 14547 | System hardening through configuration management | Preventive | |
Configure the "COPY" instruction to organizational standards. CC ID 14515 | System hardening through configuration management | Preventive | |
Configure the "memory" argument to organizational standards. CC ID 14497 | System hardening through configuration management | Preventive | |
Configure the "docker0" bridge to organizational standards. CC ID 14504 | System hardening through configuration management | Preventive | |
Configure the "docker exec commands" to organizational standards. CC ID 14502 | System hardening through configuration management | Preventive | |
Configure the "health-cmd" argument to organizational standards. CC ID 14527 | System hardening through configuration management | Preventive | |
Configure the "HEALTHCHECK" to organizational standards. CC ID 14511 | System hardening through configuration management | Detective | |
Configure the maximum number of images to organizational standards. CC ID 14545 | System hardening through configuration management | Preventive | |
Configure the minimum number of manager nodes to organizational standards. CC ID 14543 | System hardening through configuration management | Preventive | |
Configure the "on-failure" restart policy to organizational standards. CC ID 14542 | System hardening through configuration management | Preventive | |
Configure the maximum number of containers to organizational standards. CC ID 14540 | System hardening through configuration management | Preventive | |
Configure the "lifetime_minutes" to organizational standards. CC ID 14539 | System hardening through configuration management | Preventive | |
Configure the "Linux kernel capabilities" to organizational standards. CC ID 14531 | System hardening through configuration management | Preventive | |
Configure the "Docker socket" to organizational standards. CC ID 14506 | System hardening through configuration management | Preventive | |
Configure the "read-only" argument to organizational standards. CC ID 14498 | System hardening through configuration management | Preventive | |
Configure the signed image enforcement to organizational standards. CC ID 14517 | System hardening through configuration management | Preventive | |
Configure the "storage-opt" argument to organizational standards. CC ID 14658 | System hardening through configuration management | Preventive | |
Configure the "swarm services" to organizational standards. CC ID 14516 | System hardening through configuration management | Preventive | |
Configure the "experimental" argument to organizational standards. CC ID 14494 | System hardening through configuration management | Preventive | |
Configure the cluster role-based access control policies to organizational standards. CC ID 14514 | System hardening through configuration management | Preventive | |
Configure the "secret management commands" to organizational standards. CC ID 14512 | System hardening through configuration management | Preventive | |
Configure the "renewal_threshold_minutes" to organizational standards. CC ID 14538 | System hardening through configuration management | Preventive | |
Configure the "docker swarm unlock-key" command to organizational standards. CC ID 14490 | System hardening through configuration management | Preventive | |
Configure the "per_user_limit" to organizational standards. CC ID 14523 | System hardening through configuration management | Preventive | |
Configure the "privileged" argument to organizational standards. CC ID 14510 | System hardening through configuration management | Preventive | |
Configure the "update instructions" to organizational standards. CC ID 14525 | System hardening through configuration management | Preventive | |
Configure the "swarm mode" to organizational standards. CC ID 14508 | System hardening through configuration management | Preventive | |
Configure the "USER" directive to organizational standards. CC ID 14507 | System hardening through configuration management | Preventive | |
Configure the "DOCKER_CONTENT_TRUST" to organizational standards. CC ID 14488 | System hardening through configuration management | Preventive | |
Configure the "no-new-privileges" argument to organizational standards. CC ID 14474 | System hardening through configuration management | Preventive | |
Configure the "seccomp-profile" argument to organizational standards. CC ID 14503 | System hardening through configuration management | Preventive | |
Configure the "cpu-shares" argument to organizational standards. CC ID 14489 | System hardening through configuration management | Preventive | |
Configure the "volume" argument to organizational standards. CC ID 14533 | System hardening through configuration management | Preventive | |
Configure the "cgroup-parent" to organizational standards. CC ID 14466 | System hardening through configuration management | Preventive | |
Configure the "live-restore" argument to organizational standards. CC ID 14465 | System hardening through configuration management | Preventive | |
Configure the "userland-proxy" argument to organizational standards. CC ID 14464 | System hardening through configuration management | Preventive | |
Configure the "user namespace support" to organizational standards. CC ID 14462 | System hardening through configuration management | Preventive | |
Configure "etcd" to organizational standards. CC ID 14535 | System hardening through configuration management | Preventive | |
Configure the "auto-tls" argument to organizational standards. CC ID 14621 | System hardening through configuration management | Preventive | |
Configure the "peer-auto-tls" argument to organizational standards. CC ID 14636 | System hardening through configuration management | Preventive | |
Configure the "peer-client-cert-auth" argument to organizational standards. CC ID 14614 | System hardening through configuration management | Preventive | |
Configure the "peer-cert-file" argument to organizational standards. CC ID 14606 | System hardening through configuration management | Preventive | |
Configure the "key-file" argument to organizational standards. CC ID 14604 | System hardening through configuration management | Preventive | |
Configure the "cert-file" argument to organizational standards. CC ID 14602 | System hardening through configuration management | Preventive | |
Configure the "client-cert-auth" argument to organizational standards. CC ID 14596 | System hardening through configuration management | Preventive | |
Configure the "peer-key-file" argument to organizational standards. CC ID 14595 | System hardening through configuration management | Preventive | |
Configure "Kubernetes" to organizational standards. CC ID 14528 | System hardening through configuration management | Preventive | |
Configure the "ImagePolicyWebhook" admission controller to organizational standards. CC ID 14657 | System hardening through configuration management | Preventive | |
Configure the "allowedCapabilities" to organizational standards. CC ID 14653 | System hardening through configuration management | Preventive | |
Configure the "allowPrivilegeEscalation" flag to organizational standards. CC ID 14645 | System hardening through configuration management | Preventive | |
Configure the "Security Context" to organizational standards. CC ID 14656 | System hardening through configuration management | Preventive | |
Configure the "cluster-admin" role to organizational standards. CC ID 14642 | System hardening through configuration management | Preventive | |
Configure the "automountServiceAccountToken" to organizational standards. CC ID 14639 | System hardening through configuration management | Preventive | |
Configure the "audit-log-maxsize" argument to organizational standards. CC ID 14624 | System hardening through configuration management | Detective | |
Configure the "seccomp" profile to organizational standards. CC ID 14652 | System hardening through configuration management | Preventive | |
Configure the "securityContext.privileged" flag to organizational standards. CC ID 14641 | System hardening through configuration management | Preventive | |
Configure the "audit-log-path" argument to organizational standards. CC ID 14622 | System hardening through configuration management | Detective | |
Configure the "audit-log-maxbackup" argument to organizational standards. CC ID 14613 | System hardening through configuration management | Detective | |
Configure the "audit-policy-file" to organizational standards. CC ID 14610 | System hardening through configuration management | Preventive | |
Configure the "audit-log-maxage" argument to organizational standards. CC ID 14605 | System hardening through configuration management | Detective | |
Configure the "bind-address" argument to organizational standards. CC ID 14601 | System hardening through configuration management | Preventive | |
Configure the "request-timeout" argument to organizational standards. CC ID 14583 | System hardening through configuration management | Preventive | |
Configure the "secure-port" argument to organizational standards. CC ID 14582 | System hardening through configuration management | Preventive | |
Configure the "service-account-key-file" argument to organizational standards. CC ID 14581 | System hardening through configuration management | Preventive | |
Configure the "insecure-bind-address" argument to organizational standards. CC ID 14580 | System hardening through configuration management | Preventive | |
Configure the "service-account-lookup" argument to organizational standards. CC ID 14579 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin PodSecurityPolicy" to organizational standards. CC ID 14578 | System hardening through configuration management | Preventive | |
Configure the "profiling" argument to organizational standards. CC ID 14577 | System hardening through configuration management | Preventive | |
Configure the "hostNetwork" flag to organizational standards. CC ID 14649 | System hardening through configuration management | Preventive | |
Configure the "hostPID" flag to organizational standards. CC ID 14648 | System hardening through configuration management | Preventive | |
Configure the "etcd-certfile" argument to organizational standards. CC ID 14584 | System hardening through configuration management | Preventive | |
Configure the "runAsUser.rule" to organizational standards. CC ID 14651 | System hardening through configuration management | Preventive | |
Configure the "requiredDropCapabilities" to organizational standards. CC ID 14650 | System hardening through configuration management | Preventive | |
Configure the "hostIPC" flag to organizational standards. CC ID 14643 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin ServiceAccount" to organizational standards. CC ID 14576 | System hardening through configuration management | Preventive | |
Configure the "insecure-port" argument to organizational standards. CC ID 14575 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin AlwaysPullImages" to organizational standards. CC ID 14574 | System hardening through configuration management | Preventive | |
Configure the "pod" to organizational standards. CC ID 14644 | System hardening through configuration management | Preventive | |
Configure the "ClusterRoles" to organizational standards. CC ID 14637 | System hardening through configuration management | Preventive | |
Configure the "event-qps" argument to organizational standards. CC ID 14633 | System hardening through configuration management | Preventive | |
Configure the "Kubelet" to organizational standards. CC ID 14635 | System hardening through configuration management | Preventive | |
Configure the "NET_RAW" to organizational standards. CC ID 14647 | System hardening through configuration management | Preventive | |
Configure the "make-iptables-util-chains" argument to organizational standards. CC ID 14638 | System hardening through configuration management | Preventive | |
Configure the "hostname-override" argument to organizational standards. CC ID 14631 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin NodeRestriction" to organizational standards. CC ID 14573 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin AlwaysAdmit" to organizational standards. CC ID 14572 | System hardening through configuration management | Preventive | |
Configure the "etcd-cafile" argument to organizational standards. CC ID 14592 | System hardening through configuration management | Preventive | |
Configure the "encryption-provider-config" argument to organizational standards. CC ID 14587 | System hardening through configuration management | Preventive | |
Configure the "rotate-certificates" argument to organizational standards. CC ID 14640 | System hardening through configuration management | Preventive | |
Configure the "etcd-keyfile" argument to organizational standards. CC ID 14586 | System hardening through configuration management | Preventive | |
Configure the "client-ca-file" argument to organizational standards. CC ID 14585 | System hardening through configuration management | Preventive | |
Configure the "kube-apiserver" to organizational standards. CC ID 14589 | System hardening through configuration management | Preventive | |
Configure the "tls-private-key-file" argument to organizational standards. CC ID 14590 | System hardening through configuration management | Preventive | |
Configure the "streaming-connection-idle-timeout" argument to organizational standards. CC ID 14634 | System hardening through configuration management | Preventive | |
Configure the "RotateKubeletServerCertificate" argument to organizational standards. CC ID 14626 | System hardening through configuration management | Preventive | |
Configure the "protect-kernel-defaults" argument to organizational standards. CC ID 14629 | System hardening through configuration management | Preventive | |
Configure the "read-only-port" argument to organizational standards. CC ID 14627 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin NamespaceLifecycle" to organizational standards. CC ID 14571 | System hardening through configuration management | Preventive | |
Configure the "terminated-pod-gc-threshold" argument to organizational standards. CC ID 14593 | System hardening through configuration management | Preventive | |
Configure the "tls-cert-file" argument to organizational standards. CC ID 14588 | System hardening through configuration management | Preventive | |
Configure the "kubelet-certificate-authority" argument to organizational standards. CC ID 14570 | System hardening through configuration management | Preventive | |
Configure the "service-account-private-key-file" argument to organizational standards. CC ID 14607 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin SecurityContextDeny" to organizational standards. CC ID 14569 | System hardening through configuration management | Preventive | |
Configure the "kubelet-client-certificate" argument to organizational standards. CC ID 14568 | System hardening through configuration management | Preventive | |
Configure the "root-ca-file" argument to organizational standards. CC ID 14599 | System hardening through configuration management | Preventive | |
Configure the "admission control plugin EventRateLimit" to organizational standards. CC ID 14567 | System hardening through configuration management | Preventive | |
Configure the "use-service-account-credentials" argument to organizational standards. CC ID 14594 | System hardening through configuration management | Preventive | |
Configure the "token-auth-file" argument to organizational standards. CC ID 14566 | System hardening through configuration management | Preventive | |
Configure the "authorization-mode" argument to organizational standards. CC ID 14565 | System hardening through configuration management | Preventive | |
Configure the "anonymous-auth" argument to organizational standards. CC ID 14564 | System hardening through configuration management | Preventive | |
Configure the "kubelet-client-key" argument to organizational standards. CC ID 14563 | System hardening through configuration management | Preventive | |
Configure the "kubelet-https" argument to organizational standards. CC ID 14561 | System hardening through configuration management | Preventive | |
Configure the "basic-auth-file" argument to organizational standards. CC ID 14559 | System hardening through configuration management | Preventive | |
Configure the Remote Deposit Capture system to organizational standards. CC ID 13569 | System hardening through configuration management | Preventive | |
Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [Software is maintained, replaced, and removed commensurate with risk PR.PS-02 Installation and execution of unauthorized software are prevented PR.PS-05] | System hardening through configuration management | Preventive | |
Configure the system's booting configuration. CC ID 10656 | System hardening through configuration management | Preventive | |
Configure Least Functionality and Least Privilege settings to organizational standards. CC ID 07599 [The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. PR.PS-01.02] | System hardening through configuration management | Preventive | |
Prohibit directories from having read/write capability, as appropriate. CC ID 16313 | System hardening through configuration management | Preventive | |
Configure "Block public access (bucket settings)" to organizational standards. CC ID 15444 | System hardening through configuration management | Preventive | |
Configure S3 Bucket Policies to organizational standards. CC ID 15431 | System hardening through configuration management | Preventive | |
Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards. CC ID 15417 | System hardening through configuration management | Preventive | |
Configure "Allow Cloud Search" to organizational standards. CC ID 15416 | System hardening through configuration management | Preventive | |
Configure "Configure Watson events" to organizational standards. CC ID 15414 | System hardening through configuration management | Preventive | |
Configure "Allow Clipboard synchronization across devices" to organizational standards. CC ID 15412 | System hardening through configuration management | Preventive | |
Configure "Prevent users from modifying settings" to organizational standards. CC ID 15411 | System hardening through configuration management | Preventive | |
Configure "Prevent users from sharing files within their profile" to organizational standards. CC ID 15408 | System hardening through configuration management | Preventive | |
Configure "Manage preview builds" to organizational standards. CC ID 15405 | System hardening through configuration management | Preventive | |
Configure "Turn off Help Experience Improvement Program" to organizational standards. CC ID 15403 | System hardening through configuration management | Preventive | |
Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards. CC ID 15402 | System hardening through configuration management | Preventive | |
Configure "Hardened UNC Paths" to organizational standards. CC ID 15400 | System hardening through configuration management | Preventive | |
Configure "Turn off all Windows spotlight features" to organizational standards. CC ID 15397 | System hardening through configuration management | Preventive | |
Configure "Allow Message Service Cloud Sync" to organizational standards. CC ID 15396 | System hardening through configuration management | Preventive | |
Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards. CC ID 15394 | System hardening through configuration management | Preventive | |
Configure "Configure Windows spotlight on lock screen" to organizational standards. CC ID 15391 | System hardening through configuration management | Preventive | |
Configure "Do not suggest third-party content in Windows spotlight" to organizational standards. CC ID 15389 | System hardening through configuration management | Preventive | |
Configure "Enable Font Providers" to organizational standards. CC ID 15388 | System hardening through configuration management | Preventive | |
Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards. CC ID 15386 | System hardening through configuration management | Preventive | |
Configure "Do not display network selection UI" to organizational standards. CC ID 15381 | System hardening through configuration management | Preventive | |
Configure "Turn off KMS Client Online AVS Validation" to organizational standards. CC ID 15380 | System hardening through configuration management | Preventive | |
Configure "Allow Telemetry" to organizational standards. CC ID 15378 | System hardening through configuration management | Preventive | |
Configure "Allow users to enable online speech recognition services" to organizational standards. CC ID 15377 | System hardening through configuration management | Preventive | |
Configure "Prevent enabling lock screen camera" to organizational standards. CC ID 15373 | System hardening through configuration management | Preventive | |
Configure "Continue experiences on this device" to organizational standards. CC ID 15372 | System hardening through configuration management | Preventive | |
Configure "Prevent the usage of OneDrive for file storage" to organizational standards. CC ID 15369 | System hardening through configuration management | Preventive | |
Configure "Do not use diagnostic data for tailored experiences" to organizational standards. CC ID 15367 | System hardening through configuration management | Preventive | |
Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards. CC ID 15365 | System hardening through configuration management | Preventive | |
Configure "Turn off Microsoft consumer experiences" to organizational standards. CC ID 15363 | System hardening through configuration management | Preventive | |
Configure "Allow Use of Camera" to organizational standards. CC ID 15362 | System hardening through configuration management | Preventive | |
Configure "Allow Online Tips" to organizational standards. CC ID 15360 | System hardening through configuration management | Preventive | |
Configure "Turn off cloud optimized content" to organizational standards. CC ID 15357 | System hardening through configuration management | Preventive | |
Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards. CC ID 15356 | System hardening through configuration management | Preventive | |
Configure "Toggle user control over Insider builds" to organizational standards. CC ID 15354 | System hardening through configuration management | Preventive | |
Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards. CC ID 15353 | System hardening through configuration management | Preventive | |
Configure "Do not show feedback notifications" to organizational standards. CC ID 15350 | System hardening through configuration management | Preventive | |
Configure "Prevent enabling lock screen slide show" to organizational standards. CC ID 15349 | System hardening through configuration management | Preventive | |
Configure "Turn off the advertising ID" to organizational standards. CC ID 15348 | System hardening through configuration management | Preventive | |
Configure "Allow Windows Ink Workspace" to organizational standards. CC ID 15346 | System hardening through configuration management | Preventive | |
Configure "Allow a Windows app to share application data between users" to organizational standards. CC ID 15345 | System hardening through configuration management | Preventive | |
Configure "Turn off handwriting personalization data sharing" to organizational standards. CC ID 15339 | System hardening through configuration management | Preventive | |
Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | System hardening through configuration management | Preventive | |
Invalidate unexpected session identifiers. CC ID 15307 | System hardening through configuration management | Preventive | |
Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | System hardening through configuration management | Preventive | |
Reject session identifiers that are not valid. CC ID 15306 | System hardening through configuration management | Preventive | |
Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | System hardening through configuration management | Preventive | |
Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | System hardening through configuration management | Preventive | |
Install custom applications, only if they are trusted. CC ID 04822 | System hardening through configuration management | Preventive | |
Configure Simple Network Management Protocol (SNMP) to organizational standards. CC ID 12423 | System hardening through configuration management | Preventive | |
Configure the system's storage media. CC ID 10618 | System hardening through configuration management | Preventive | |
Configure the "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting. CC ID 04910 | System hardening through configuration management | Preventive | |
Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Preventive | |
Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Preventive | |
Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Preventive | |
Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Preventive | |
Configure the "AllowTcpForwarding" setting to organizational standards. CC ID 15327 | System hardening through configuration management | Preventive | |
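The four sshd items in this group (MaxStartups, MaxSessions, LoginGraceTime and AllowTcpForwarding) say "to organizational standards" but not how to verify the running daemon against them. The following check is an added example, not part of the CRI Profile or of the UCF mapping. It reads the effective configuration from `sshd -T` (defaults and Match blocks already resolved, keywords lowercased) instead of parsing sshd_config by hand, and it decodes MaxStartups into its start:rate:full triple so the "full" threshold can be compared separately. The BASELINE values and the SAMPLE_SSHD_T text are assumptions constructed for illustration.

```python
"""Audit sshd's effective session settings against an organizational baseline.

Added example, not part of the CRI Profile or the UCF mapping. BASELINE and
SAMPLE_SSHD_T are assumptions constructed for illustration.
"""
import subprocess

# Assumed organizational baseline (illustrative values, not from the page).
# "max": actual must be <= expected; "equals": actual must match exactly.
BASELINE = {
    "logingracetime": ("max", 60),      # seconds an unauthenticated connection may linger
    "maxsessions": ("max", 4),          # multiplexed sessions per TCP connection
    "maxstartups_start": ("max", 10),   # unauthenticated connections before random drops begin
    "maxstartups_full": ("max", 60),    # unauthenticated connections at which all new ones are refused
    "allowtcpforwarding": ("equals", "no"),
}

# OpenSSH compiled-in defaults, used only if `sshd -T` omits a keyword.
DEFAULTS = {
    "logingracetime": "120",
    "maxsessions": "10",
    "maxstartups": "10:30:100",
    "allowtcpforwarding": "yes",
}

# Constructed `sshd -T` output for a host still running on the defaults.
SAMPLE_SSHD_T = """\
port 22
logingracetime 120
maxsessions 10
maxstartups 10:30:100
allowtcpforwarding yes
"""


def parse_sshd_t(text):
    """`sshd -T` prints one 'keyword value' pair per line, keywords lowercased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def parse_time(value):
    """sshd time format: bare seconds or a sequence of <n>[s|m|h|d|w] terms."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    total, digits = 0, ""
    for ch in value:
        if ch.isdigit():
            digits += ch
        elif ch.lower() in units and digits:
            total += int(digits) * units[ch.lower()]
            digits = ""
        else:
            raise ValueError(f"bad time value: {value!r}")
    return total + (int(digits) if digits else 0)


def parse_maxstartups(value):
    """MaxStartups is N or start:rate:full; return (start, rate, full).

    A bare N refuses every further unauthenticated connection once N exist,
    i.e. start=N, rate=100, full=N.
    """
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    return start, rate, full


def audit(cfg, baseline=BASELINE):
    """Return a list of findings; an empty list means the host meets the baseline."""
    def get(key):
        return cfg.get(key, DEFAULTS[key])
    start, _rate, full = parse_maxstartups(get("maxstartups"))
    actual = {
        "logingracetime": parse_time(get("logingracetime")),
        "maxsessions": int(get("maxsessions")),
        "maxstartups_start": start,
        "maxstartups_full": full,
        "allowtcpforwarding": get("allowtcpforwarding").lower(),
    }
    findings = []
    for key, (mode, expected) in baseline.items():
        value = actual[key]
        ok = value <= expected if mode == "max" else value == expected
        if not ok:
            findings.append(f"{key}: actual {value!r}, baseline {mode} {expected!r}")
    return findings


def audit_live():
    """Run `sshd -T` on this host (needs root; add -C user=...,host=... to resolve Match blocks)."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return audit(parse_sshd_t(out))


if __name__ == "__main__":
    for finding in audit(parse_sshd_t(SAMPLE_SSHD_T)) or ["sample meets baseline"]:
        print(finding)
```

Checking `sshd -T` rather than the file matters because a `Match` block or a distribution drop-in under sshd_config.d can override the value that appears in the main file; run it with `-C` for the user and source address you care about, since that is what decides which Match blocks apply.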
Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Preventive | |
Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Preventive | |
Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Preventive | |
Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Preventive | |
Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Preventive | |
Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Preventive | |
Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Preventive | |
Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Preventive | |
Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Preventive | |
Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Preventive | |
Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Preventive | |
Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Preventive | |
Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Preventive | |
Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Preventive | |
Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Preventive | |
Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Preventive | |
Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Preventive | |
Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Preventive | |
Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Preventive | |
Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Preventive | |
Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Preventive | |
Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Preventive | |
Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Preventive | |
Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Preventive | |
Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Preventive | |
Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Preventive | |
Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Preventive | |
Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Preventive | |
Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Preventive | |
Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Preventive | |
Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Preventive | |
Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Preventive | |
Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Preventive | |
Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Preventive | |
Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Preventive | |
Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Preventive | |
Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Preventive | |
Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Preventive | |
Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Preventive | |
Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Preventive | |
Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Preventive | |
Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Preventive | |
Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Preventive | |
Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Preventive | |
Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Preventive | |
Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Preventive | |
Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Preventive | |
Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Preventive | |
Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Preventive | |
Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Preventive | |
Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Preventive | |
Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Preventive | |
Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Preventive | |
Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Preventive | |
Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Preventive | |
Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Preventive | |
Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Preventive | |
Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Preventive | |
Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Preventive | |
Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Preventive | |
Configure the Portable Media Serial Number Service properly. CC ID 05089 | System hardening through configuration management | Preventive | |
Configure the System Restore service properly. CC ID 05090 | System hardening through configuration management | Preventive | |
Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Preventive | |
Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Preventive | |
Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Preventive | |
Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Preventive | |
Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Preventive | |
Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Preventive | |
Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Preventive | |
Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Preventive | |
Configure the system to refrain from completing authentication methods when a security breach is detected. CC ID 13790 | System hardening through configuration management | Preventive | |
Configure the "/etc/shadow" settings to organizational standards. CC ID 15332 | System hardening through configuration management | Preventive | |
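For the "/etc/shadow" item, the settings a reviewer actually inspects are the hash algorithm in the second field, whether that field is empty, and the aging fields. The following check is an added example, not part of the CRI Profile or of the UCF mapping. The SAMPLE_SHADOW entries are constructed and their hash fields are placeholders, not real hashes; ACCEPTABLE_ALGOS, MAX_AGE_LIMIT and MIN_AGE_FLOOR are assumed organizational values. Accounts whose hash field starts with `!` or `*` cannot authenticate by password, so they are skipped rather than reported for a weak algorithm.

```python
"""Check /etc/shadow entries against an assumed password-storage baseline.

Added example, not part of the CRI Profile or the UCF mapping. SAMPLE_SHADOW
is constructed and its hash fields are placeholders, not real hashes.
"""
from dataclasses import dataclass
from typing import Optional

# crypt(3) identifiers of the form $id$salt$hash; a 13-character field with no '$' is legacy DES.
ALGO_BY_ID = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "5": "sha256",
              "6": "sha512", "7": "scrypt", "y": "yescrypt", "gy": "gost-yescrypt"}
ACCEPTABLE_ALGOS = {"sha512", "yescrypt"}   # assumed baseline
MAX_AGE_LIMIT = 365                        # assumed: rotate at least yearly
MIN_AGE_FLOOR = 1                          # assumed: at least one day between changes

# Constructed entries; hash fields are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19700:1:90:7:::
daemon:*:19000:0:99999:7:::
alice:$1$ab$PLACEHOLDERHASH:19700:0:99999:7:::
bob::19700:0:99999:7:::
carol:!$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
dave:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:1:180:14:::
"""


@dataclass
class ShadowEntry:
    name: str
    hash: str
    min_age: Optional[int]
    max_age: Optional[int]


def _int_or_none(field):
    return int(field) if field.strip() else None


def parse_shadow(text):
    """Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line for {f[0]!r}")
        entries.append(ShadowEntry(f[0], f[1], _int_or_none(f[3]), _int_or_none(f[4])))
    return entries


def hash_state(h):
    """Classify the hash field as ('empty'|'locked'|'hash', algorithm-or-None)."""
    if h == "":
        return "empty", None            # password-less login
    if h[0] in "!*":
        return "locked", None           # password authentication disabled
    if h.startswith("$"):
        return "hash", ALGO_BY_ID.get(h.split("$")[1], "unknown")
    return "hash", ("descrypt" if len(h) == 13 else "unknown")


def audit(entries):
    """Return (account, issue) pairs for accounts whose password can actually be used."""
    findings = []
    for e in entries:
        state, algo = hash_state(e.hash)
        if state == "locked":
            continue
        if state == "empty":
            findings.append((e.name, "empty password field"))
            continue
        if algo not in ACCEPTABLE_ALGOS:
            findings.append((e.name, f"weak hash algorithm {algo}"))
        if e.max_age is None or e.max_age > MAX_AGE_LIMIT:
            findings.append((e.name, f"max age {e.max_age} exceeds {MAX_AGE_LIMIT}"))
        if e.min_age is None or e.min_age < MIN_AGE_FLOOR:
            findings.append((e.name, f"min age {e.min_age} below {MIN_AGE_FLOOR}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(parse_shadow(SAMPLE_SHADOW)):
        print(f"{name}: {issue}")
```

Reading the real file requires root, and the file permissions themselves (root-owned, not world-readable) are part of the same control: a readable /etc/shadow hands every hash to offline cracking regardless of the algorithm chosen.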
Configure the "Interactive logon: Require removal card" setting. CC ID 06053 | System hardening through configuration management | Preventive | |
Configure the TCP/IP Dead Gateway Detection as appropriate. CC ID 06025 | System hardening through configuration management | Preventive | |
Verify the environment variable "Os2LibPath" exists, as appropriate. CC ID 05142 | System hardening through configuration management | Preventive | |
Define the path to the Microsoft OS/2 version 1.x library properly. CC ID 05143 | System hardening through configuration management | Preventive | |
Set the "Specify intranet Microsoft update service location" properly. CC ID 05144 | System hardening through configuration management | Preventive | |
Set the path to the debugger used for Just-In-Time debugging properly. CC ID 05145 | System hardening through configuration management | Preventive | |
Set the OS/2 Subsystem location properly. CC ID 05146 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_CLASSES_ROOT properly. CC ID 05154 | System hardening through configuration management | Preventive | |
Set the registry key HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2 properly. CC ID 05155 | System hardening through configuration management | Preventive | |
Set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger properly. CC ID 05156 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command properly. CC ID 05157 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography properly. CC ID 05158 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hlp properly. CC ID 05159 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\helpfile properly. CC ID 05160 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing properly. CC ID 05161 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais properly. CC ID 05162 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell properly. CC ID 05163 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony properly. CC ID 05164 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability properly. CC ID 05165 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell properly. CC ID 05166 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion properly. CC ID 05167 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech properly. CC ID 05168 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC properly. CC ID 05169 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem properly. CC ID 05170 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates properly. CC ID 05171 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports properly. CC ID 05172 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing properly. CC ID 05173 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Policies properly. CC ID 05174 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor properly. CC ID 05175 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ads\Providers\WinNT properly. CC ID 05176 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT properly. CC ID 05177 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS properly. CC ID 05178 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions properly. CC ID 05179 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots properly. CC ID 05180 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager properly. CC ID 05181 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help properly. CC ID 05182 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip properly. CC ID 05183 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing properly. CC ID 05184 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceManager properly. CC ID 05185 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security properly. CC ID 05186 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP properly. CC ID 05187 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent properly. CC ID 05188 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security properly. CC ID 05189 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security properly. CC ID 05190 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security properly. CC ID 05191 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security properly. CC ID 05192 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security properly. CC ID 05193 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security properly. CC ID 05194 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security properly. CC ID 05195 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security properly. CC ID 05196 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility properly. CC ID 05197 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security properly. CC ID 05198 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security properly. CC ID 05199 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services properly. CC ID 05200 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers properly. CC ID 05201 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network properly. CC ID 05202 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data properly. CC ID 05203 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG properly. CC ID 05204 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1 properly. CC ID 05205 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD properly. CC ID 05206 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control properly. CC ID 05207 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wbem properly. CC ID 05208 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security properly. CC ID 05209 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font properly. CC ID 05210 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog properly. CC ID 05211 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares properly. CC ID 05212 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status properly. CC ID 05213 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Secure properly. CC ID 05214 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups properly. CC ID 05215 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon properly. CC ID 05216 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones properly. CC ID 05217 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping properly. CC ID 05218 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS properly. CC ID 05219 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper properly. CC ID 05220 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility properly. CC ID 05221 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug properly. CC ID 05222 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx properly. CC ID 05223 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce properly. CC ID 05224 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run properly. CC ID 05225 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows properly. CC ID 05226 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Secure properly. CC ID 05227 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC properly. CC ID 05228 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options properly. CC ID 05229 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole properly. CC ID 05230 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions properly. CC ID 05231 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout properly. CC ID 05232 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex properly. CC ID 05233 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName properly. CC ID 05234 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy properly. CC ID 05235 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule properly. CC ID 05236 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost properly. CC ID 05237 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit properly. CC ID 05238 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList properly. CC ID 05239 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS properly. CC ID 05240 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 properly. CC ID 05241 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes properly. CC ID 05242 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion properly. CC ID 05243 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates properly. CC ID 05244 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows properly. CC ID 05245 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole properly. CC ID 05246 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers properly. CC ID 05247 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies properly. CC ID 05248 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey properly. CC ID 05249 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host properly. CC ID 05250 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings properly. CC ID 05251 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class properly. CC ID 05252 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security properly. CC ID 05253 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache properly. CC ID 05254 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security properly. CC ID 05255 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security properly. CC ID 05256 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt properly. CC ID 05257 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess properly. CC ID 05259 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security properly. CC ID 05260 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security properly. CC ID 05261 | System hardening through configuration management | Preventive | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries properly. CC ID 05262 | System hardening through configuration management | Preventive | |
Configure the "%SystemRoot%\$NtServicePackUninstall$" directory permissions to organizational standards. CC ID 10126 | System hardening through configuration management | Preventive | |
Configure the "HKEY_CLASSES_ROOT" registry key permissions to organizational standards. CC ID 10200 | System hardening through configuration management | Preventive | |
Configure the "%SystemRoot%\System32\reg.exe" file permissions to organizational standards. CC ID 10312 | System hardening through configuration management | Preventive | |
Configure the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" registry key permissions to organizational standards. CC ID 10404 | System hardening through configuration management | Preventive | |
Configure authenticator activation codes in accordance with organizational standards. CC ID 17032 | System hardening through configuration management | Preventive | |
Configure authenticators to comply with organizational standards. CC ID 06412 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | System hardening through configuration management | Preventive | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Preventive | |
Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Preventive | |
Configure the authenticator policy to ban or allow authenticators as proper names, as necessary. CC ID 17030 | System hardening through configuration management | Preventive | |
Set the maximum number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Preventive | |
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Preventive | |
Configure the authenticator display screen to organizational standards. CC ID 13794 | System hardening through configuration management | Preventive | |
Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 | System hardening through configuration management | Preventive | |
Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 | System hardening through configuration management | Preventive | |
Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 | System hardening through configuration management | Corrective | |
Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 | System hardening through configuration management | Preventive | |
Configure the system to allow paste functionality for the authenticator field. CC ID 13819 | System hardening through configuration management | Preventive | |
Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 | System hardening through configuration management | Preventive | |
Obscure authentication information during the login process. CC ID 15316 | System hardening through configuration management | Preventive | |
Change authenticators, as necessary. CC ID 15315 | System hardening through configuration management | Preventive | |
Change all default authenticators. CC ID 15309 | System hardening through configuration management | Preventive | |
Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Preventive | |
Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Preventive | |
Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Preventive | |
Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Preventive | |
Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Preventive | |
Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Preventive | |
Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Preventive | |
Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Preventive | |
Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Preventive | |
Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Preventive | |
Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Preventive | |
Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Preventive | |
Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Preventive | |
Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Preventive | |
Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Preventive | |
Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Preventive | |
Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Preventive | |
Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Preventive | |
Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Preventive | |
Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Preventive | |
Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Preventive | |
Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Preventive | |
Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Preventive | |
Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Preventive | |
Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Preventive | |
Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Preventive | |
Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Preventive | |
Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Preventive | |
Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Preventive | |
Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Preventive | |
Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Preventive | |
Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Preventive | |
Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Preventive | |
Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Preventive | |
Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Event Viewer 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Preventive | |
Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Preventive | |
Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Preventive | |
Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Preventive | |
Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Preventive | |
Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Preventive | |
Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Preventive | |
Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Preventive | |
Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Preventive | |
Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Preventive | |
Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Preventive | |
Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Preventive | |
Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Preventive | |
Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Preventive | |
Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Preventive | |
Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Preventive | |
Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Preventive | |
Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Preventive | |
Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Preventive | |
Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Preventive | |
Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Preventive | |
Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Preventive | |
Configure knowledge-based authentication tools in accordance with organizational standards. CC ID 13740 | System hardening through configuration management | Preventive | |
Configure the session timeout for the knowledge-based authentication tool used for the identity proofing process according to organizational standards. CC ID 13754 | System hardening through configuration management | Preventive | |
Configure the knowledge-based authentication tool to restart after a session timeout. CC ID 13753 | System hardening through configuration management | Preventive | |
Configure the number of attempts allowed to complete the knowledge-based authentication in the knowledge-based authentication tool. CC ID 13751 | System hardening through configuration management | Preventive | |
Configure Windows User Account Control in accordance with organizational standards. CC ID 16437 | System hardening through configuration management | Preventive | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
Change default usernames, as necessary. CC ID 14661 | System hardening through configuration management | Corrective | |
Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Preventive | |
Configure "SYSVOL" to organizational standards. CC ID 15398 | System hardening through configuration management | Preventive | |
Configure the "docker.service" file ownership to organizational standards. CC ID 14477 | System hardening through configuration management | Preventive | |
Set the /usr/bin/at file permissions properly. CC ID 05456 | System hardening through configuration management | Preventive | |
Configure the "/etc/default/docker" file permissions to organizational standards. CC ID 14487 | System hardening through configuration management | Preventive | |
Configure the "/etc/default/docker" file ownership to organizational standards. CC ID 14484 | System hardening through configuration management | Preventive | |
Configure the "/etc/docker" directory permissions to organizational standards. CC ID 14470 | System hardening through configuration management | Preventive | |
Configure the "/etc/docker" directory ownership to organizational standards. CC ID 14469 | System hardening through configuration management | Preventive | |
Configure the "/etc/kubernetes/pki/*.crt" file permissions to organizational standards. CC ID 14562 | System hardening through configuration management | Preventive | |
Configure the "/etc/kubernetes/pki/*.key" file permissions to organizational standards. CC ID 14557 | System hardening through configuration management | Preventive | |
Configure the "/etc/kubernetes/pki" file ownership to organizational standards. CC ID 14555 | System hardening through configuration management | Preventive | |
Configure the "/etc/sysconfig/docker" file ownership to organizational standards. CC ID 14491 | System hardening through configuration management | Preventive | |
Configure the "/etc/sysconfig/docker" file permissions to organizational standards. CC ID 14486 | System hardening through configuration management | Preventive | |
Configure the "docker.socket" file ownership to organizational standards. CC ID 14472 | System hardening through configuration management | Preventive | |
Configure the "docker.socket" file permissions to organizational standards. CC ID 14468 | System hardening through configuration management | Preventive | |
Set the /etc/security/audit/events file permissions properly. CC ID 05520 | System hardening through configuration management | Preventive | |
Set the /etc/hosts.lpd file permissions properly. CC ID 05526 | System hardening through configuration management | Preventive | |
Configure the "docker.service" file permissions to organizational standards. CC ID 14479 | System hardening through configuration management | Preventive | |
Set the Cron log file permissions properly. CC ID 05553 | System hardening through configuration management | Preventive | |
Set the /etc/fs file permissions properly. CC ID 05556 | System hardening through configuration management | Preventive | |
Configure the "Docker socket" file ownership to organizational standards. CC ID 14493 | System hardening through configuration management | Preventive | |
Configure the "daemon.json" file permissions to organizational standards. CC ID 14492 | System hardening through configuration management | Preventive | |
Configure the "Docker server certificate" file ownership to organizational standards. CC ID 14471 | System hardening through configuration management | Preventive | |
Configure the "Docker server certificate key" file permissions to organizational standards. CC ID 14485 | System hardening through configuration management | Preventive | |
Configure the "daemon.json" file ownership to organizational standards. CC ID 14482 | System hardening through configuration management | Preventive | |
Configure the "Docker socket" file permissions to organizational standards. CC ID 14480 | System hardening through configuration management | Preventive | |
Configure the "Docker server certificate key" file ownership to organizational standards. CC ID 14478 | System hardening through configuration management | Preventive | |
Configure the "admin.conf" file ownership to organizational standards. CC ID 14556 | System hardening through configuration management | Preventive | |
Configure the "admin.conf" file permissions to organizational standards. CC ID 14554 | System hardening through configuration management | Preventive | |
Configure the "Certificate Authority" file ownership to organizational standards. CC ID 14630 | System hardening through configuration management | Preventive | |
Configure the "Docker server certificate" file permissions to organizational standards. CC ID 14476 | System hardening through configuration management | Preventive | |
Configure the "etcd" data directory ownership to organizational standards. CC ID 14620 | System hardening through configuration management | Preventive | |
Configure the "etcd" data directory permissions to organizational standards. CC ID 14618 | System hardening through configuration management | Preventive | |
Configure the "etcd.yaml" file ownership to organizational standards. CC ID 14615 | System hardening through configuration management | Preventive | |
Configure the "etcd.yaml" file permissions to organizational standards. CC ID 14609 | System hardening through configuration management | Preventive | |
Configure the "Certificate Authority" file permissions to organizational standards. CC ID 14623 | System hardening through configuration management | Preventive | |
Configure the "kubelet --config" file ownership to organizational standards. CC ID 14632 | System hardening through configuration management | Preventive | |
Configure the "kubelet.conf" file ownership to organizational standards. CC ID 14628 | System hardening through configuration management | Preventive | |
Configure the "kubelet --config" file permissions to organizational standards. CC ID 14625 | System hardening through configuration management | Preventive | |
Configure the "kubelet service" file permissions to organizational standards. CC ID 14660 | System hardening through configuration management | Preventive | |
Configure the "kubelet.conf" file permissions to organizational standards. CC ID 14619 | System hardening through configuration management | Preventive | |
Configure the "controller-manager.conf" file ownership to organizational standards. CC ID 14560 | System hardening through configuration management | Preventive | |
Configure the "kubeconfig" file ownership to organizational standards. CC ID 14617 | System hardening through configuration management | Preventive | |
Configure the "kubeconfig" file permissions to organizational standards. CC ID 14616 | System hardening through configuration management | Preventive | |
Configure the "kubelet service" file ownership to organizational standards. CC ID 14612 | System hardening through configuration management | Preventive | |
Configure the "kube-scheduler.yaml" file ownership to organizational standards. CC ID 14611 | System hardening through configuration management | Preventive | |
Configure the "kube-scheduler.yaml" file permissions to organizational standards. CC ID 14603 | System hardening through configuration management | Preventive | |
Configure the "kube-controller-manager.yaml" file ownership to organizational standards. CC ID 14600 | System hardening through configuration management | Preventive | |
Configure the "kube-controller-manager.yaml" file permissions to organizational standards. CC ID 14598 | System hardening through configuration management | Preventive | |
Configure the "kube-apiserver.yaml" file ownership to organizational standards. CC ID 14597 | System hardening through configuration management | Preventive | |
Configure the "scheduler.conf" file ownership to organizational standards. CC ID 14558 | System hardening through configuration management | Preventive | |
Configure the "controller-manager.conf" file permissions to organizational standards. CC ID 14553 | System hardening through configuration management | Preventive | |
Configure the "Container Network Interface" file ownership to organizational standards. CC ID 14552 | System hardening through configuration management | Preventive | |
Configure the "Container Network Interface" file permissions to organizational standards. CC ID 14550 | System hardening through configuration management | Preventive | |
Configure the "scheduler.conf" file permissions to organizational standards. CC ID 14551 | System hardening through configuration management | Preventive | |
Configure the "kube-apiserver.yaml" file permissions to organizational standards. CC ID 14549 | System hardening through configuration management | Preventive | |
Configure the "registry certificate" file permissions to organizational standards. CC ID 14483 | System hardening through configuration management | Preventive | |
Configure the "registry certificate" file ownership to organizational standards. CC ID 14481 | System hardening through configuration management | Preventive | |
Configure the "setgid" permissions to organizational standards. CC ID 14513 | System hardening through configuration management | Preventive | |
Configure the "TLS CA certificate" file permissions to organizational standards. CC ID 14475 | System hardening through configuration management | Preventive | |
Configure the "TLS CA certificate" file ownership to organizational standards. CC ID 14473 | System hardening through configuration management | Preventive | |
Configure the "setuid" permissions to organizational standards. CC ID 14509 | System hardening through configuration management | Preventive | |
Configure the "User Account Control: Allow UIAccess applications to prompt for elevation" setting. CC ID 05586 | System hardening through configuration management | Preventive | |
Configure the "Do Not Allow New Client Connections" policy for Terminal Services properly. CC ID 05587 | System hardening through configuration management | Preventive | |
Configure the service permissions for NetMeeting, as appropriate. CC ID 06045 | System hardening through configuration management | Preventive | |
Configure the "sudo" to organizational standards. CC ID 15325 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwts32.log properly. CC ID 05627 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemDrive%\My Download Files properly. CC ID 05628 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Driver Cache\I386\Driver.cab properly. CC ID 05629 | System hardening through configuration management | Preventive | |
Configure the permissions for the %SystemRoot%\$NtUninstall* directories properly. CC ID 05630 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemDrive%\NTDS properly. CC ID 05631 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\SYSVOL properly. CC ID 05632 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\SYSVOL\domain\Policies properly. CC ID 05633 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\repl properly. CC ID 05634 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\repl\export properly. CC ID 05635 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\repl\import properly. CC ID 05636 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %ALL% properly. CC ID 05637 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %ALL%\Program Files\MQSeries properly. CC ID 05638 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %ALL%\Program Files\MQSeries\qmggr properly. CC ID 05639 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL properly. CC ID 05640 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL properly. CC ID 05641 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemDrive%\perflogs properly. CC ID 05642 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemDrive%\i386 properly. CC ID 05643 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %ProgramFiles%\Common Files\SpeechEngines\TTS properly. CC ID 05644 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\_default.plf properly. CC ID 05645 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\addins properly. CC ID 05646 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\appPatch properly. CC ID 05647 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\clock.avi properly. CC ID 05648 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Connection Wizard properly. CC ID 05649 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\Driver Cache properly. CC ID 05650 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\explorer.scf properly. CC ID 05651 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\explorer.exe properly. CC ID 05652 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Help properly. CC ID 05653 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\inf\unregmp2.exe properly. CC ID 05654 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Java properly. CC ID 05655 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\mib.bin properly. CC ID 05656 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\msagent properly. CC ID 05657 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\msdfmap.ini properly. CC ID 05658 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\mui properly. CC ID 05659 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\security\templates properly. CC ID 05660 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\speech properly. CC ID 05661 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\system.ini properly. CC ID 05662 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\system\setup.inf properly. CC ID 05663 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\system\stdole.tlb properly. CC ID 05664 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\twain_32 properly. CC ID 05665 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\CatRoot properly. CC ID 05666 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\configf\systemprofile properly. CC ID 05667 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\dhcp properly. CC ID 05668 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\drivers properly. CC ID 05669 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\Export properly. CC ID 05670 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ipconfig.exe properly. CC ID 05671 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\LogFiles properly. CC ID 05672 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\mshta.exe properly. CC ID 05673 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\mui properly. CC ID 05674 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\ShellExt properly. CC ID 05675 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem properly. CC ID 05676 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem\mof properly. CC ID 05677 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem\repository properly. CC ID 05678 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\wbem\logs properly. CC ID 05679 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile% properly. CC ID 05680 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data properly. CC ID 05681 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft properly. CC ID 05682 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys properly. CC ID 05683 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys properly. CC ID 05684 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson properly. CC ID 05685 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log properly. CC ID 05686 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\HTML Help properly. CC ID 05687 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\MediaIndex properly. CC ID 05688 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\Documents\desktop.ini properly. CC ID 05689 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %AllUsersProfile%\DRM properly. CC ID 05690 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Debug\UserMode\userenv.log properly. CC ID 05691 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\Installer properly. CC ID 05692 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\Prefetch properly. CC ID 05693 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Registration\CRMLog properly. CC ID 05694 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ciadv.msc properly. CC ID 05695 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\Com\comexp.msc properly. CC ID 05696 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\compmgmt.msc properly. CC ID 05697 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\Config properly. CC ID 05698 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\Config\*.evt properly. CC ID 05699 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\devmgmt.msc properly. CC ID 05700 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\dfrg.msc properly. CC ID 05701 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\diskmgmt.msc properly. CC ID 05702 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\system32\eventvwr.msc properly. CC ID 05703 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\fsmgmt.msc properly. CC ID 05704 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\gpedit.msc properly. CC ID 05705 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\lusrmgr.msc properly. CC ID 05706 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\System32\MSDTC properly. CC ID 05707 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ntmsoprq.msc properly. CC ID 05708 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\ntmsmgr.msc properly. CC ID 05709 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\perfmon.msc properly. CC ID 05710 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\RSoP.msc properly. CC ID 05711 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\secpol.msc properly. CC ID 05712 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\services.msc properly. CC ID 05713 | System hardening through configuration management | Preventive | |
Configure the file permissions for %SystemRoot%\System32\wmimgmt.msc properly. CC ID 05714 | System hardening through configuration management | Preventive | |
Configure the directory permissions for %SystemRoot%\Web properly. CC ID 05715 | System hardening through configuration management | Preventive | |
Configure the BitLocker setting appropriately for fixed disk drives and removable disk drives. CC ID 06064 | System hardening through configuration management | Preventive | |
Configure the BitLocker identifiers. CC ID 06066 | System hardening through configuration management | Preventive | |
Enable the OS/2 subsystem, as appropriate. CC ID 05717 | System hardening through configuration management | Preventive | |
Configure the IPsec security association lifetime to organizational standards. CC ID 16508 | System hardening through configuration management | Preventive | |
Configure route filtering to organizational standards. CC ID 16359 | System hardening through configuration management | Preventive | |
Configure security gateways to organizational standards. CC ID 16352 | System hardening through configuration management | Preventive | |
Configure network elements to organizational standards. CC ID 16361 | System hardening through configuration management | Preventive | |
Configure network elements to ignore hop-by-hop options headers in transit packets. CC ID 16992 | System hardening through configuration management | Preventive | |
Configure devices having access to network elements to organizational standards. CC ID 16408 | System hardening through configuration management | Preventive | |
Configure routing tables to organizational standards. CC ID 15438 | System hardening through configuration management | Preventive | |
Configure "NetBT NodeType configuration" to organizational standards. CC ID 15383 | System hardening through configuration management | Preventive | |
Configure "Allow remote server management through WinRM" to organizational standards. CC ID 15364 | System hardening through configuration management | Preventive | |
Configure "Allow network connectivity during connected-standby (on battery)" to organizational standards. CC ID 15342 | System hardening through configuration management | Preventive | |
Configure Network Address Translation to organizational standards. CC ID 16395 | System hardening through configuration management | Preventive | |
Enable or disable tunneling, as necessary. CC ID 15235 | System hardening through configuration management | Preventive | |
Disable Pre-boot eXecution Environment unless it is absolutely necessary. CC ID 04819 | System hardening through configuration management | Preventive | |
Create an access control list on Network Access and Control Points to restrict access. CC ID 04810 [The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03 {unauthorized hardware} The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes. DE.CM-09.03 The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems). DE.CM-01.04] | System hardening through configuration management | Preventive | |
Configure permissions for SSH private host key files to organizational standards. CC ID 15331 | System hardening through configuration management | Preventive | |
Configure permissions for SSH public host key files to organizational standards. CC ID 15333 | System hardening through configuration management | Preventive | |
Configure the "Prohibit use of Internet Connection Firewall on your DNS domain network" setting properly. CC ID 05743 | System hardening through configuration management | Preventive | |
Configure the "Restrict NTLM" settings properly. CC ID 06069 | System hardening through configuration management | Preventive | |
Configure the "Configure encryption types allowed for Kerberos" setting properly. CC ID 06071 | System hardening through configuration management | Preventive | |
Configure Automated Teller Machines in accordance with organizational standards. CC ID 12542 | System hardening through configuration management | Preventive | |
Enable or disable the Uninterruptible Power Supply service, as appropriate. CC ID 06037 | System hardening through configuration management | Preventive | |
Configure Service Set Identifiers in accordance with organizational standards. CC ID 16447 | System hardening through configuration management | Preventive | |
Configure the "Fraudulent Website Warning" setting to organizational standards. CC ID 10001 | System hardening through configuration management | Preventive | |
Configure the "With Authentication" setting to organizational standards. CC ID 10005 | System hardening through configuration management | Preventive | |
Configure mobile devices to separate organizational data from personal data. CC ID 16463 | System hardening through configuration management | Preventive | |
Disable the capability to automatically execute code on mobile devices absent user direction. CC ID 08705 | System hardening through configuration management | Preventive | |
Configure environmental sensors on mobile devices. CC ID 10667 | System hardening through configuration management | Preventive | |
Configure Cisco-specific applications and services in accordance with organizational standards. CC ID 06557 | System hardening through configuration management | Preventive | |
Configure custom Oracle-specific applications and services in accordance with organizational standards. CC ID 06565 | System hardening through configuration management | Preventive | |
Configure the Global Positioning System settings as appropriate. CC ID 06888 | System hardening through configuration management | Preventive | |
Configure endpoint security tools in accordance with organizational standards. CC ID 07049 [Endpoint systems implemented using virtualization technologies employ mechanisms to protect network, application, and data integrity, such as restricting access to local network and peripheral devices, multi-factor authentication, locking-down device source network locations, and data leakage protections. PR.PS-01.09] | System hardening through configuration management | Preventive | |
Configure web server security settings in accordance with organizational standards. CC ID 07059 | System hardening through configuration management | Preventive | |
Implement the security features of hypervisor to protect virtual machines. CC ID 12176 | System hardening through configuration management | Preventive | |
Configure Microsoft Office to organizational standards. CC ID 07147 | System hardening through configuration management | Preventive | |
Set custom Microsoft Office security options in accordance with organizational standards. CC ID 05757 | System hardening through configuration management | Preventive | |
Configure Universal settings for Microsoft Office in accordance with organizational standards. CC ID 07211 | System hardening through configuration management | Preventive | |
Configure Microsoft InfoPath settings for Microsoft Office in accordance with organizational standards. CC ID 07219 | System hardening through configuration management | Preventive | |
Configure Microsoft Access settings for Microsoft Office in accordance with organizational standards. CC ID 07222 | System hardening through configuration management | Preventive | |
Configure Microsoft Excel settings for Microsoft Office in accordance with organizational standards. CC ID 07232 | System hardening through configuration management | Preventive | |
Configure Microsoft Outlook settings for Microsoft Office in accordance with organizational standards. CC ID 07341 | System hardening through configuration management | Preventive | |
Configure Microsoft PowerPoint settings for Microsoft Office in accordance with organizational standards. CC ID 07433 | System hardening through configuration management | Preventive | |
Configure Microsoft Word settings for Microsoft Office in accordance with organizational standards. CC ID 07438 | System hardening through configuration management | Preventive | |
Configure Microsoft OneNote settings for Microsoft Office in accordance with organizational standards. CC ID 07908 | System hardening through configuration management | Preventive | |
Configure User Interface settings for Microsoft Office in accordance with organizational standards. CC ID 07923 | System hardening through configuration management | Preventive | |
Configure Signing settings for Microsoft Office in accordance with organizational standards. CC ID 07929 | System hardening through configuration management | Preventive | |
Configure Email Form settings for Microsoft Office in accordance with organizational standards. CC ID 07930 | System hardening through configuration management | Preventive | |
Configure Security settings for Microsoft Office in accordance with organizational standards. CC ID 07932 | System hardening through configuration management | Preventive | |
Configure Restricted Permissions settings for Microsoft Office in accordance with organizational standards. CC ID 07937 | System hardening through configuration management | Preventive | |
Configure Account settings for Microsoft Office in accordance with organizational standards. CC ID 07951 | System hardening through configuration management | Preventive | |
Configure Add-In settings for Microsoft Office in accordance with organizational standards. CC ID 07962 | System hardening through configuration management | Preventive | |
Configure File Format Converter settings for Microsoft Office in accordance with organizational standards. CC ID 07983 | System hardening through configuration management | Preventive | |
Configure Microsoft Project settings for Microsoft Office in accordance with organizational standards. CC ID 08036 | System hardening through configuration management | Preventive | |
Configure Meeting Workspace settings for Microsoft Office in accordance with organizational standards. CC ID 08050 | System hardening through configuration management | Preventive | |
Configure Miscellaneous settings for Microsoft Office in accordance with organizational standards. CC ID 08054 | System hardening through configuration management | Preventive | |
Configure Data Backup and Recovery settings for Microsoft Office in accordance with organizational standards. CC ID 08098 | System hardening through configuration management | Preventive | |
Configure Privacy settings for Microsoft Office in accordance with organizational standards. CC ID 08101 | System hardening through configuration management | Preventive | |
Configure Server Settings settings for Microsoft Office in accordance with organizational standards. CC ID 08154 | System hardening through configuration management | Preventive | |
Configure Smart Documents settings for Microsoft Office in accordance with organizational standards. CC ID 08158 | System hardening through configuration management | Preventive | |
Configure Fax settings for Microsoft Office in accordance with organizational standards. CC ID 08310 | System hardening through configuration management | Preventive | |
Configure Services settings to organizational standards. CC ID 07434 | System hardening through configuration management | Preventive | |
Configure Active Directory in accordance with organizational standards. CC ID 16434 | System hardening through configuration management | Preventive | |
Configure SID filtering in accordance with organizational standards. CC ID 16435 | System hardening through configuration management | Preventive | |
Configure AWS Config to organizational standards. CC ID 15440 | System hardening through configuration management | Preventive | |
Configure "Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service" to organizational standards. CC ID 15343 | System hardening through configuration management | Preventive | |
Configure the "namespace" to organizational standards. CC ID 14654 | System hardening through configuration management | Preventive | |
Configure the "ipc" argument to organizational standards. CC ID 14524 | System hardening through configuration management | Preventive | |
Configure the "networkpolicy" to organizational standards. CC ID 14655 | System hardening through configuration management | Preventive | |
Configure the "pid" argument to organizational standards. CC ID 14532 | System hardening through configuration management | Preventive | |
Configure the "uts" argument to organizational standards. CC ID 14526 | System hardening through configuration management | Preventive | |
Configure the "pids-limit" argument to organizational standards. CC ID 14537 | System hardening through configuration management | Preventive | |
Configure the "userns" argument to organizational standards. CC ID 14530 | System hardening through configuration management | Preventive | |
Configure Transmission Control Protocol/Internet Protocol (TCP/IP) to organizational standards. CC ID 16358 | System hardening through configuration management | Preventive | |
Configure network protection settings to organizational standards. CC ID 07601 | System hardening through configuration management | Preventive | |
Configure the "CNI" plugin to organizational standards. CC ID 14659 | System hardening through configuration management | Preventive | |
Configure the "data-path-addr" argument to organizational standards. CC ID 14546 | System hardening through configuration management | Preventive | |
Configure the "advertise-addr" argument to organizational standards. CC ID 14544 | System hardening through configuration management | Preventive | |
Configure the "nftables" to organizational standards. CC ID 15320 | System hardening through configuration management | Preventive | |
Configure the "iptables" to organizational standards. CC ID 14463 | System hardening through configuration management | Preventive | |
Configure the "ip6tables" settings to organizational standards. CC ID 15322 | System hardening through configuration management | Preventive | |
Configure the "insecure registries" to organizational standards. CC ID 14455 | System hardening through configuration management | Preventive | |
Configure the "net-host" argument to organizational standards. CC ID 14529 | System hardening through configuration management | Preventive | |
Configure the "firewalld" to organizational standards. CC ID 15321 | System hardening through configuration management | Preventive | |
Configure the "network bridge" to organizational standards. CC ID 14501 | System hardening through configuration management | Preventive | |
Configure the "publish" argument to organizational standards. CC ID 14500 | System hardening through configuration management | Preventive | |
Configure Account settings in accordance with organizational standards. CC ID 07603 | System hardening through configuration management | Preventive | |
Configure system integrity settings to organizational standards. CC ID 07605 | System hardening through configuration management | Preventive | |
Configure Protocol Configuration settings to organizational standards. CC ID 07607 | System hardening through configuration management | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
Configure "CloudTrail" to organizational standards. CC ID 15443 | System hardening through configuration management | Preventive | |
Configure "CloudTrail log file validation" to organizational standards. CC ID 15437 | System hardening through configuration management | Preventive | |
Configure "VPC flow logging" to organizational standards. CC ID 15436 | System hardening through configuration management | Preventive | |
Configure "object-level logging" to organizational standards. CC ID 15433 | System hardening through configuration management | Preventive | |
Configure "Turn on PowerShell Transcription" to organizational standards. CC ID 15415 | System hardening through configuration management | Preventive | |
Configure "Turn on PowerShell Script Block Logging" to organizational standards. CC ID 15413 | System hardening through configuration management | Preventive | |
Configure "Audit PNP Activity" to organizational standards. CC ID 15393 | System hardening through configuration management | Preventive | |
Configure "Include command line in process creation events" to organizational standards. CC ID 15358 | System hardening through configuration management | Preventive | |
Configure "Audit Group Membership" to organizational standards. CC ID 15341 | System hardening through configuration management | Preventive | |
Configure the "audit_backlog_limit" setting to organizational standards. CC ID 15324 | System hardening through configuration management | Preventive | |
Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards. CC ID 14467 | System hardening through configuration management | Detective | |
Configure the "systemd-journald" to organizational standards. CC ID 15326 | System hardening through configuration management | Preventive | |
Configure the "/etc/docker" files and directories auditing to organizational standards. CC ID 14459 | System hardening through configuration management | Detective | |
Configure the "docker.socket" files and directories auditing to organizational standards. CC ID 14458 | System hardening through configuration management | Detective | |
Configure the "docker.service" files and directories auditing to organizational standards. CC ID 14454 | System hardening through configuration management | Detective | |
Configure the "/var/lib/docker" files and directories auditing to organizational standards. CC ID 14453 | System hardening through configuration management | Detective | |
Configure the "/usr/sbin/runc" files and directories auditing to organizational standards. CC ID 14452 | System hardening through configuration management | Detective | |
Configure the "/usr/bin/containerd" files and directories auditing to organizational standards. CC ID 14451 | System hardening through configuration management | Detective | |
Configure the "/etc/default/docker" files and directories auditing to organizational standards. CC ID 14450 | System hardening through configuration management | Detective | |
Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards. CC ID 14449 | System hardening through configuration management | Detective | |
Configure the security parameters for all logs. CC ID 01712 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | System hardening through configuration management | Preventive | |
Configure the log to capture the user's identification. CC ID 01334 [The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | System hardening through configuration management | Preventive | |
Configure the log to capture account lockouts. CC ID 16470 | System hardening through configuration management | Preventive | |
Configure the log to capture execution events. CC ID 16469 | System hardening through configuration management | Preventive | |
Configure the log to capture AWS Organizations changes. CC ID 15445 | System hardening through configuration management | Preventive | |
Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | System hardening through configuration management | Preventive | |
Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | System hardening through configuration management | Preventive | |
Configure the log to capture route table changes. CC ID 15439 | System hardening through configuration management | Preventive | |
Configure the log to capture virtual private cloud changes. CC ID 15435 | System hardening through configuration management | Preventive | |
Configure the log to capture changes to encryption keys. CC ID 15432 | System hardening through configuration management | Preventive | |
Configure the log to capture unauthorized API calls. CC ID 15429 | System hardening through configuration management | Preventive | |
Configure the log to capture changes to network gateways. CC ID 15421 | System hardening through configuration management | Preventive | |
Configure the "logging level" to organizational standards. CC ID 14456 | System hardening through configuration management | Detective | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | System hardening through configuration management | Preventive | |
Configure the "Turn on session logging" properly. CC ID 05618 | System hardening through configuration management | Preventive | |
Configure additional log file parameters appropriately. CC ID 06338 | System hardening through configuration management | Preventive | |
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Preventive | |
Configure Kerberos pre-authentication to organizational standards. CC ID 16480 | System hardening through configuration management | Preventive | |
Configure time-based user access restrictions in accordance with organizational standards. CC ID 16436 | System hardening through configuration management | Preventive | |
Configure "MFA Delete" to organizational standards. CC ID 15430 | System hardening through configuration management | Preventive | |
Configure Identity and Access Management policies to organizational standards. CC ID 15422 | System hardening through configuration management | Preventive | |
Configure the Identity and Access Management Access analyzer to organizational standards. CC ID 15420 | System hardening through configuration management | Preventive | |
Configure "Support device authentication using certificate" to organizational standards. CC ID 15410 | System hardening through configuration management | Preventive | |
Install LAPS AdmPwd GPO Extension, as necessary. CC ID 15409 | System hardening through configuration management | Preventive | |
Configure "Require pin for pairing" to organizational standards. CC ID 15395 | System hardening through configuration management | Preventive | |
Configure "Do not allow password expiration time longer than required by policy" to organizational standards. CC ID 15390 | System hardening through configuration management | Preventive | |
Configure "Enable Local Admin Password Management" to organizational standards. CC ID 15387 | System hardening through configuration management | Preventive | |
Configure "Allow Microsoft accounts to be optional" to organizational standards. CC ID 15368 | System hardening through configuration management | Preventive | |
Configure "Turn off picture password sign-in" to organizational standards. CC ID 15347 | System hardening through configuration management | Preventive | |
Configure "Enable insecure guest logons" to organizational standards. CC ID 15344 | System hardening through configuration management | Preventive | |
Configure the "cert-expiry" argument to organizational standards. CC ID 14541 | System hardening through configuration management | Preventive | |
Configure "client certificate authentication" to organizational standards. CC ID 14608 | System hardening through configuration management | Preventive | |
Configure the "client certificate bundles" to organizational standards. CC ID 14518 | System hardening through configuration management | Preventive | |
Configure the "external-server-cert" argument to organizational standards. CC ID 14522 | System hardening through configuration management | Preventive | |
Configure the "Service Account Tokens" to organizational standards. CC ID 14646 | System hardening through configuration management | Preventive | |
Configure the "rotate" argument to organizational standards. CC ID 14548 | System hardening through configuration management | Preventive | |
Configure Encryption settings in accordance with organizational standards. CC ID 07625 | System hardening through configuration management | Preventive | |
Configure "Elastic Block Store volume encryption" to organizational standards. CC ID 15434 | System hardening through configuration management | Preventive | |
Configure "Encryption Oracle Remediation" to organizational standards. CC ID 15366 | System hardening through configuration management | Preventive | |
Configure the "encryption provider" to organizational standards. CC ID 14591 | System hardening through configuration management | Preventive | |
Configure the "opt encrypted" flag to organizational standards. CC ID 14534 | System hardening through configuration management | Preventive | |
Configure File Retention, Impact Level, and Classification settings in accordance with organizational standards. CC ID 07715 | System hardening through configuration management | Preventive | |
Configure System settings in accordance with organizational standards. CC ID 07806 | System hardening through configuration management | Preventive | |
Configure Virus and Malware Protection settings in accordance with organizational standards. CC ID 07906 | System hardening through configuration management | Preventive | |
Configure "Turn on behavior monitoring" to organizational standards. CC ID 15407 | System hardening through configuration management | Preventive | |
Configure "Turn off real-time protection" to organizational standards. CC ID 15406 | System hardening through configuration management | Preventive | |
Configure "Scan all downloaded files and attachments" to organizational standards. CC ID 15404 | System hardening through configuration management | Preventive | |
Configure "Scan removable drives" to organizational standards. CC ID 15401 | System hardening through configuration management | Preventive | |
Configure "Configure Attack Surface Reduction rules: Set the state for each ASR rule" to organizational standards. CC ID 15392 | System hardening through configuration management | Preventive | |
Configure "Join Microsoft MAPS" to organizational standards. CC ID 15384 | System hardening through configuration management | Preventive | |
Configure "Configure detection for potentially unwanted applications" to organizational standards. CC ID 15375 | System hardening through configuration management | Preventive | |
Configure "Turn off Microsoft Defender AntiVirus" to organizational standards. CC ID 15371 | System hardening through configuration management | Preventive | |
Configure "Enable file hash computation feature" to organizational standards. CC ID 15340 | System hardening through configuration management | Preventive | |
Configure User Notification settings in accordance with organizational standards. CC ID 08201 | System hardening through configuration management | Preventive | |
Configure Windows Components settings in accordance with organizational standards. CC ID 08263 | System hardening through configuration management | Preventive | |
Configure File System settings in accordance with organizational standards. CC ID 08294 | System hardening through configuration management | Preventive | |
Configure Control Panel settings in accordance with organizational standards. CC ID 08311 | System hardening through configuration management | Preventive | |
Configure Capacity and Performance Management settings in accordance with organizational standards. CC ID 08353 | System hardening through configuration management | Preventive | |
Configure Personal Information Handling settings in accordance with organizational standards. CC ID 08396 | System hardening through configuration management | Preventive | |
Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406 | System hardening through configuration management | Preventive | |
Configure Nonrepudiation Configuration settings in accordance with organizational standards. CC ID 08432 | System hardening through configuration management | Preventive | |
Configure Device Installation settings in accordance with organizational standards. CC ID 08438 | System hardening through configuration management | Preventive | |
Configure Security settings in accordance with organizational standards. CC ID 08469 | System hardening through configuration management | Preventive | |
Configure AWS Security Hub to organizational standards. CC ID 17166 | System hardening through configuration management | Preventive | |
Configure Power Management settings in accordance with organizational standards. CC ID 08515 | System hardening through configuration management | Preventive | |
Configure PowerShell to organizational standards. CC ID 15233 | System hardening through configuration management | Preventive | |
Configure Patch Management settings in accordance with organizational standards. CC ID 08519 | System hardening through configuration management | Preventive | |
Configure "Select when Preview Builds and Feature Updates are received" to organizational standards. CC ID 15399 | System hardening through configuration management | Preventive | |
Configure "Select when Quality Updates are received" to organizational standards. CC ID 15355 | System hardening through configuration management | Preventive | |
Configure Start Menu and Task Bar settings in accordance with organizational standards. CC ID 08615 | System hardening through configuration management | Preventive | |
Configure "Turn off notifications network usage" to organizational standards. CC ID 15337 | System hardening through configuration management | Preventive | |
Configure the jump server to organizational standards. CC ID 16863 | System hardening through configuration management | Preventive | |
Configure the proxy server to organizational standards. CC ID 12115 | System hardening through configuration management | Preventive | |
Configure the "max_log_file" setting to organizational standards. CC ID 15323 | System hardening through configuration management | Preventive | |
Configure Polycom HDX to Organizational Standards. CC ID 08986 | System hardening through configuration management | Preventive | |
Set the IPv6 header field to a known value. CC ID 17047 | System hardening through configuration management | Preventive | |
Configure IPv6 extension headers to organizational standards. CC ID 16398 | System hardening through configuration management | Preventive | |
Filter packets based on IPv6 extension header types and fields. CC ID 16990 | System hardening through configuration management | Preventive | |
Configure ICMP destination unreachable messages to organizational standards. CC ID 17052 | System hardening through configuration management | Preventive | |
Configure Apache and Tomcat to Organizational Standards. CC ID 08987 | System hardening through configuration management | Preventive | |
Configure IIS to Organizational Standards. CC ID 08988 | System hardening through configuration management | Preventive | |
Configure Microsoft SQL Server to Organizational Standards. CC ID 08989 | System hardening through configuration management | Preventive | |
Configure "Set time limit for active but idle Remote Desktop Services sessions" to organizational standards. CC ID 15382 | System hardening through configuration management | Preventive | |
Configure Oracle WebLogic Server to Organizational Standards. CC ID 08990 | System hardening through configuration management | Preventive | |
Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 | System hardening through configuration management | Preventive | |
Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 | System hardening through configuration management | Preventive | |
Configure dedicated systems used for system management according to organizational standards. CC ID 12132 | System hardening through configuration management | Preventive | |
Configure Application Programming Interfaces in accordance with organizational standards. CC ID 12170 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | System hardening through configuration management | Preventive | |
Configure Application Programming Interfaces to enforce authentication. CC ID 12172 | System hardening through configuration management | Preventive | |
Configure Application Programming Interfaces to employ strong cryptography. CC ID 12171 | System hardening through configuration management | Preventive | |
Configure the Domain Name System in accordance with organizational standards. CC ID 12202 | System hardening through configuration management | Preventive | |
Configure DNS records in accordance with organizational standards. CC ID 17083 | System hardening through configuration management | Preventive | |
Configure payment systems in accordance with organizational standards. CC ID 12217 | System hardening through configuration management | Preventive | |
Configure payment systems to disable storing transactions when offline. CC ID 12220 | System hardening through configuration management | Preventive | |
Configure payment systems to disable authorizing transactions when offline. CC ID 12219 | System hardening through configuration management | Preventive | |
Configure payment applications to become disabled when suspicious activity is detected. CC ID 12221 | System hardening through configuration management | Corrective | |
Configure File Integrity Monitoring Software to Organizational Standards. CC ID 11923 | System hardening through configuration management | Preventive | |
Unpair Bluetooth devices when the pairing is no longer required. CC ID 15232 | System hardening through configuration management | Preventive | |
Use authorized versions of Bluetooth to pair Bluetooth devices. CC ID 15231 | System hardening through configuration management | Preventive | |
Implement safeguards to prevent unauthorized code execution. CC ID 10686 [Installation and execution of unauthorized software are prevented PR.PS-05] | System hardening through configuration management | Preventive | |
Configure network switches to organizational standards. CC ID 12120 | System hardening through configuration management | Preventive | |
Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Preventive | |
Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Preventive | |
Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Preventive | |
Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Preventive | |
Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Preventive | |
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Preventive | |
Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Preventive | |
Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Preventive | |
Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Preventive | |
Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Preventive | |
Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Preventive | |
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Preventive | |
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Preventive | |
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Preventive | |
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Preventive | |
Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Preventive | |
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Preventive | |
Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Preventive | |
Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Preventive | |
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Preventive | |
Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Preventive | |
Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Preventive | |
Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Preventive | |
Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Preventive | |
Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Preventive | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Preventive | |
Mandate (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Preventive | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Preventive | |
Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 | Technical security | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 [The organization defines and implements controls for the protection and use of removable media (e.g., access/use restrictions, encryption, malware scanning, data loss prevention, etc.) PR.DS-01.03] | Physical and environmental protection | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Corrective | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Operational management | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Information on adverse events is provided to authorized staff and tools DE.AE-06 Internal and external stakeholders are notified of incidents RS.CO-02 {incident information} Information is shared with designated internal and external stakeholders RS.CO-03 In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants. RS.CO-03.02] | Operational management | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
Use different SNMP community strings across devices to support least privilege. CC ID 17053 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a repository of authenticators. CC ID 16372 | System hardening through configuration management | Preventive | |
Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Detective | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Preventive | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Preventive | |
Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 | Third Party and supply chain oversight | Preventive | |
Mandate (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The organization has an independent audit function to support oversight of the technology and cybersecurity programs GV.AU The organization has an independent audit function (i.e., internal audit group or external auditor) that follows generally accepted audit practices and approved audit policies and procedures. GV.AU-01.01] | Audits and risk management | Preventive | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [Technology and cybersecurity risk management strategies identify and communicate the organization's role as it relates to other critical infrastructure sectors outside of the financial services sector and the interdependency risks. GV.OC-02.03] | Audits and risk management | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{business continuity program} Resilience program roles and responsibilities are assigned to management across the organization to ensure risk assessment, planning, testing, and execution coverage for all critical business functions. GV.RR-02.03 {incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02] | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [{business continuity program} The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages). GV.RM-09.02 Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05 Restoration activities are performed to ensure operational availability of systems and services affected by adverse incidents RC.RP] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 [The organization has designated a qualified Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing a cybersecurity strategy, overseeing and implementing its cybersecurity program, and enforcing its cybersecurity policy. GV.RR-01.04 The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy. GV.RR-01.05] | Human Resources management | Preventive | |
Define and assign the Public Information Officer's roles and responsibilities. CC ID 17059 | Human Resources management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [Technology and cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated GV.RR Roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-02 Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02] | Human Resources management | Detective | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. RC.RP-02.01] | Operational management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Mandate (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain warning procedures. CC ID 12407 [The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders. DE.AE-06.01] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 [The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. DE.CM-06.02 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 {network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02 The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders. DE.AE-06.01] | Leadership and high level objectives | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. ID.IM-01.03] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 [Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction. ID.IM-01.04 The organization's technology operations and service and support functions are designed and managed to address business operational needs and stakeholder requirements. PR.PS-07] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The confidentiality, integrity, and availability of data-in-use are protected PR.DS-10 The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. ID.AM-08.03] | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 [{IT architecture} The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs. GV.RM-08.05 Technology and security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience PR.IR] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands. PR.IR-04.02] | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [{third party requirement} {third party contract} Consideration is specifically given to the implications of organizational third-party dependence, requirements, contracts, and interactions in the design, operation, monitoring, and improvement of policies, procedures, and controls to ensure the fulfillment of business requirements within risk appetite. GV.SC-09.01] | Leadership and high level objectives | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 [{technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Leadership and high level objectives | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Leadership and high level objectives | Preventive | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Leadership and high level objectives | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 [The organizational mission is understood and informs technology and cybersecurity risk management GV.OC-01 {strategic option} Strategic opportunities (i.e., positive risks) are characterized and are included in organizational technology and cybersecurity risk discussions GV.RM-07 The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions. GV.RR-02.02] | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [{technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [Possible cybersecurity attacks and compromises, and other operationally adverse events, are found and analyzed DE] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Preventive | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01 The risks posed by a third-party are monitored and managed over the course of the relationship EX.MM {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 [Improvements are identified from tests and exercises, including those done in coordination with suppliers and relevant third parties ID.IM-02] | Monitoring and measurement | Preventive | |
Define the test requirements for each testing program. CC ID 13177 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Preventive | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets. ID.RA-01.03] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Preventive | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. GV.OV-03.01] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [{business continuity program} Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees). GV.OV-03.02] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [The organization implements a regular process to collect, store, report, benchmark, and assess trends in actionable performance indicators and risk metrics (e.g., threat KRIs, security incident metrics, vulnerability metrics, and operational measures). ID.IM-01.02] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 [The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. ID.IM-01.03] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Preventive | |
Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [A formal process is in place for the independent audit function to review and update its procedures and audit plans regularly or in response to changes in relevant standards, the technology environment, or the business environment. GV.AU-02.01 A formal process is in place for the independent audit function to update its procedures and audit plans based on changes to the organization's risk appetite, risk tolerance, threat environment, and evolving risk profile. GV.AU-02.02] | Audits and risk management | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 [The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. GV.AU-03.01] | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [The independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. GV.AU-03.02 The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03 The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04] | Audits and risk management | Corrective | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [Risk management objectives are established and agreed to by organizational stakeholders GV.RM-01 The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's technology and cybersecurity risk management decisions are understood GV.OC Technology and cybersecurity risk management activities and outcomes are included in enterprise risk management processes GV.RM-03 Technology and cybersecurity risk management strategies and frameworks are informed by applicable international, national, and financial services industry standards and guidelines. GV.RM-01.02 Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 {risk management framework} The organization's obligation to its customers, employees, and stakeholders to maintain safety and soundness, while balancing size and complexity, is reflected in the organization's risk management strategy and framework, its risk appetite and risk tolerance statements, and in a risk-aware culture. GV.OC-02.01 The organization's technology, cybersecurity, resilience, and third-party risk management programs, policies, resources, and priorities are aligned and mutually supporting. GV.RM-01.05 Technology and cybersecurity risk management frameworks are applied to, and are adapted as needed by, the organization's innovations in technology use and adoption of emerging technologies. GV.RM-08.01 {be consistent} The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. GV.IR-01.01 Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.RM-06.01 The independent risk management function evaluates the appropriateness of the risk management program for the organization's risk appetite and proposes program improvements as warranted GV.IR-02] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 [The independent risk management function has sufficient independence, stature, authority, resources, and access to the governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's risk management frameworks. GV.IR-01.02] | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 [{mobile device} The organization implements policies, procedures, end-user agreements, and technical controls to address the risks of end-user mobile or personal computing devices accessing the organization's network and resources. PR.IR-01.08] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [Results of organization-wide technology and cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy GV.OV Technology and cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction GV.OV-01 The technology and cybersecurity risk management strategies are reviewed and adjusted to ensure coverage of organizational requirements and risks GV.OV-02 Organizational technology and cybersecurity risk management performance is evaluated and reviewed for adjustments needed GV.OV-03 Technology and cybersecurity risk management strategies and frameworks are approved by the governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. GV.RM-01.01 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01] | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). GV.RM-03.04 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01 The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Technology and cybersecurity risk management strategies identify and communicate the organization's role within the financial services sector as a component of critical infrastructure. GV.OC-02.02 The organization's budgeting and resourcing processes identify, prioritize, and address resource needs to manage identified technology and cybersecurity risks (e.g., skill shortages, headcount, new tools, incident-related expenses, and unsupported systems). GV.RR-03.01] | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 [The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. ID.RA-03.03 The technology and cybersecurity risks to the organization, assets, and individuals are understood by the organization ID.RA The organization's current technology and cybersecurity risks are understood ID {technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Audits and risk management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.RM-06.01] | Audits and risk management | Preventive | |
Document cybersecurity risks. CC ID 12281 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01] | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04] | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction. ID.IM-01.04] | Audits and risk management | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [A supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders GV.SC-01] | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 [The organization regularly reviews and updates its threat analysis methodology, threat information sources, and supporting tools. ID.RA-03.04] | Audits and risk management | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01 The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. GV.OV-02.01] | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM] | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01 The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. GV.RM-02.02 {risk tolerance} The independent risk management function provides assurance that the technology and cybersecurity risk management frameworks have been implemented according to policy and are consistent with the organization's risk appetite and tolerance GV.IR-01 The independent risk management function regularly evaluates the appropriateness of the technology and cybersecurity risk management programs to the organization's risk appetite and inherent risk environment GV.IR-02.01 The organization determines and articulates how it intends to maintain an acceptable level of residual technology and cybersecurity risk as set by the governing authority (e.g., the Board or one of its committees). GV.OV-02.02 The independent risk management function evaluates the appropriateness of the risk management program for the organization's risk appetite and proposes program improvements as warranted GV.IR-02 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02 The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04] | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Audits and risk management | Corrective | |
Include risk responses in the risk management program. CC ID 13195 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 [Improvements are identified from evaluations ID.IM-01 Improvements are identified from execution of operational processes, procedures, and activities ID.IM-03 {risk management program} Improvements to organizational technology and cybersecurity risk management processes, procedures and activities are identified across all Profile Functions ID.IM The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02] | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced GV.PO-01] | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [{external partner} The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. ID.IM-04.06 Strategic direction that describes appropriate risk response options is established and communicated GV.RM-04 Technology and cybersecurity processes, procedures, and controls are established in alignment with cybersecurity policy. GV.PO-01.05 Safeguards to manage the organization's technology and cybersecurity risks are used PR] | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01] | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 [A supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders GV.SC-01 The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 [Supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders GV.SC {cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09] | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 [The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties. GV.RR-01.02 The organization maintains documented third-party risk management program policies and procedures approved by the governing authority (e.g., the Board or one of its committees). GV.PO-01.08] | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [{cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09] | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03] | Audits and risk management | Preventive | |
Establish, implement, and maintain a disclosure report. CC ID 15521 | Audits and risk management | Preventive | |
Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Preventive | |
Include risk management metrics in the disclosure report. CC ID 16345 [The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. GV.OV-03.01 The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Audits and risk management | Preventive | |
Include third party access in the access classification scheme. CC ID 11786 [Specific roles, responsibilities, and procedures to manage the risk of third-party access to organizational systems and facilities are defined and implemented. PR.AA-05.04] | Technical security | Preventive | |
Review connection requirements for all systems. CC ID 06411 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02] | Technical security | Detective | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 [Identities and credentials for authorized users, services, and hardware are managed by the organization PR.AA-01] | Technical security | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Technical security | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 [Access credential and authorization mechanisms for internal systems and across security perimeters (e.g., leveraging directory services, directory synchronization, single sign-on, federated access, credential mapping, etc.) are designed to maintain security, integrity, and authenticity. PR.AA-04.01] | Technical security | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Preventive | |
Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Preventive | |
Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Preventive | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Preventive | |
Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Preventive | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Preventive | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Preventive | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Preventive | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Preventive | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Technical security | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 [Network device configurations (e.g., firewall rules, ports, and protocols) are documented, reviewed and updated regularly and upon change to ensure alignment with network access, segmentation, traversal, and deny-all default requirements. PR.IR-01.02] | Technical security | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 [{communication network} The integrity and resilience of the organization's communications and control network services are enhanced through controls such as denial of service protections, secure name/address resolution, and/or alternate communications paths. PR.IR-01.03] | Technical security | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [Representations of the organization's authorized network communication and internal and external network data flows are maintained ID.AM-03 The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. ID.AM-03.01] | Technical security | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Preventive | |
Maintain up-to-date data flow diagrams. CC ID 10059 [Representations of the organization's authorized network communication and internal and external network data flows are maintained ID.AM-03 The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. ID.AM-03.01] | Technical security | Preventive | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Preventive | |
Document where data at rest and data in transit are encrypted on the data flow diagram. CC ID 16412 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Technical security | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Preventive | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Technical security | Preventive | |
Revoke membership in the allowlist, as necessary. CC ID 13827 | Technical security | Corrective | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [{data destruction} The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. PR.DS-01.02] | Technical security | Preventive | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [{encryption management} The organization employs defined encryption methods and management practices commensurate with the criticality of the information being protected and the inherent risk of the technical environment where used. PR.PS-01.06] | Technical security | Preventive | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Technical security | Preventive | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Technical security | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 [{encryption method} {encryption management} Acceptable encryption standards, methods, and management practices are established in accordance with defined industry standards. PR.PS-01.05] | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Cryptographic keys and certificates are tracked, managed, and protected throughout their lifecycles, to include for compromise and revocation. PR.PS-01.07] | Technical security | Preventive | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints. PR.PS-05.01] | Technical security | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
Establish, implement, and maintain an application security policy. CC ID 06438 [{security architecture}{security process}{security practice} The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. GV.RM-08.03 The organization establishes standards and practices for ongoing application management to ensure that applications remain secure and continue to meet organizational needs. PR.PS-02.02] | Technical security | Preventive | |
Include allow lists of protocols, domains, paths and ports in the application security policy. CC ID 16852 | Technical security | Preventive | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Technical security | Preventive | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 [{physical security policy} Physical and environmental security policies are implemented and managed. GV.PO-01.06] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Preventive | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Preventive | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 [The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [{mobile device} End-user mobile or personal computing devices accessing the organization's network employ mechanisms to protect network, application, and data integrity, such as "Mobile Device Management (MDM)" and "Mobile Application Management (MAM)" technologies, device fingerprinting, storage containerization and encryption, integrity scanning, automated patch application, remote wipe, and data leakage protections. PR.PS-01.08] | Physical and environmental protection | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 [{personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03 Relationship terminations and the return or destruction of assets are performed in a controlled and safe manner EX.TR-02] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain clean energy standards. CC ID 16285 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain geomagnetic disturbance operating procedures. CC ID 17158 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the geomagnetic disturbance operating plan. CC ID 17157 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a geomagnetic disturbance operating plan. CC ID 17156 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the geomagnetic disturbance operating procedures. CC ID 17154 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain electromagnetic compatibility requirements for in-scope assets. CC ID 16472 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a cold weather preparedness plan. CC ID 17131 | Physical and environmental protection | Preventive | |
Include design specifications for applicable assets in the cold weather preparedness plan. CC ID 17144 | Physical and environmental protection | Preventive | |
Include limitations in the cold weather preparedness plan. CC ID 17143 | Physical and environmental protection | Preventive | |
Include performance data in the cold weather preparedness plan. CC ID 17142 | Physical and environmental protection | Preventive | |
Include maintenance requirements in the cold weather preparedness plan. CC ID 17141 | Physical and environmental protection | Preventive | |
Include freeze protection measures in the cold weather preparedness plan. CC ID 17140 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [{business continuity program} The organization maintains documented business continuity and resilience program policies and procedures approved by the governing authority (e.g., the Board or one of its committees). GV.PO-01.07 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations. RC.RP-01.01] | Operational and Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Operational and Systems Continuity | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Operational and Systems Continuity | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 | Operational and Systems Continuity | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Operational and Systems Continuity | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Preventive | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Resilience requirements to support the delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, and normal operations). GV.OC-04.03 The organization's business continuity and resilience requirement risks are managed GV.RM-09 {business continuity strategy} The organization has an enterprise-wide resilience strategy and program, including architecture, cyber resilience, business continuity, disaster recovery, and incident response, which support its mission, stakeholder obligations, critical infrastructure role, and risk appetite. GV.RM-09.01 The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04] | Operational and Systems Continuity | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [The organization defines objectives (e.g., Recovery Time Objective, Maximum Tolerable Downtime, Impact Tolerance) for the resumption of critical operations in alignment with business imperatives, stakeholder obligations, and critical infrastructure dependencies. GV.OC-05.03] | Operational and Systems Continuity | Preventive | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole. EX.TR-01.01] | Operational and Systems Continuity | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{business continuity strategy} The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's resilience strategy and program and for managing the organization's ongoing resilience risks. GV.RR-01.03] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Joint maintenance of contingency plans; GV.RM-05.02 (1)] | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [Recovery actions are selected, scoped, prioritized, and performed RC.RP-02 Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, etc.) are established, communicated, maintained, and improved ID.IM-04 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations. RC.RP-01.01] | Operational and Systems Continuity | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 [Recovery plans include service resumption steps for all operating environments, including traditional, alternate recovery, and highly available (e.g., cloud) infrastructures. ID.IM-04.03] | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05] | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [The criteria for initiating incident recovery are applied RS.MA-05 Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05 The organization's incident response plans define severity levels and associated criteria for initiating response plans and escalating event response to appropriate stakeholders and management levels. RS.MA-05.01] | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. ID.IM-04.04] | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Recovery actions are selected, scoped, prioritized, and performed RC.RP-02 Recovery plans are executed by first resuming critical services and core business functions, while minimizing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. RC.RP-02.02] | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [{business continuity program} The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages). GV.RM-09.02] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04] | Operational and Systems Continuity | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 | Operational and Systems Continuity | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated GV.OC-04 {critical function} {post incident activity} Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms RC.RP-04 The organization prioritizes the resilience design, planning, testing, and monitoring of systems and other key internal and external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. GV.OC-04.04] | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [The organization has prioritized its external dependencies according to their criticality to the supported enterprise mission, business functions, and to the financial services sector. GV.OC-05.02] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [The organization's hardware, software, and data assets are prioritized for protection based on their sensitivity, criticality, vulnerability, business value, and dependency role in the delivery of critical services. ID.AM-05.02] | Operational and Systems Continuity | Detective | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Preventive | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 [The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. ID.IM-04.04] | Operational and Systems Continuity | Preventive | |
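The backup mandates above (PR.DS-11.01: segregating and securing backups, verifying backup integrity, restoration testing; ID.IM-04.04: a documented recovery point objective) describe checks that are easy to state and easy to get wrong. The following is an added example, not part of the CRI Profile or the UCF mapping: a tamper-evident backup manifest signed with a key held off the backup medium, an integrity check against it, an RPO check, and a minimal restoration test. Every file name, byte string, timestamp and key is constructed for the example; the HMAC key location (a vault or HSM the backup share cannot reach) is an assumption.

```python
"""Added example (not part of the CRI Profile or the UCF mapping).
A tamper-evident backup manifest plus RPO and restore checks, as one way to
implement PR.DS-11.01's "verifying backup integrity" and "backup restoration
testing" against a documented recovery point objective. Every file name, byte
string, timestamp and key below is constructed for the example."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption: this key is kept where the backup medium cannot reach it (vault/HSM).
# An attacker who can rewrite a backup and its manifest on the same share still
# cannot produce a valid signature, which is the point of segregating the two.
MANIFEST_KEY = b"constructed-demo-key-stored-off-the-backup-medium"


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()


def build_manifest(files, taken_at):
    """Record a SHA-256 per backed-up object and sign the whole manifest."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = {"taken_at": taken_at.isoformat(), "files": entries}
    return {"body": body, "sig": _sign(body)}


def verify_backup(files, manifest):
    """Return findings; an empty list means the backup set matches its manifest."""
    if not hmac.compare_digest(_sign(manifest["body"]), manifest["sig"]):
        return ["manifest signature invalid"]  # nothing in it can be trusted
    findings = []
    wanted = manifest["body"]["files"]
    for name, digest in wanted.items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            findings.append(f"corrupted or altered: {name}")
    findings.extend(f"not in manifest: {name}" for name in files if name not in wanted)
    return findings


def rpo_met(manifest, now, rpo):
    """True if the newest intact backup is no older than the recovery point objective."""
    taken = datetime.fromisoformat(manifest["body"]["taken_at"])
    return now - taken <= rpo


def restore_test(files, manifest, required):
    """Restoration test: every object critical to resumption is present and intact."""
    return not verify_backup(files, manifest) and all(name in files for name in required)


if __name__ == "__main__":
    taken = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    backup = {"ledger.db": b"constructed ledger contents", "app.yaml": b"constructed config"}
    manifest = build_manifest(backup, taken)
    print("clean:", verify_backup(backup, manifest))
    tampered = {**backup, "ledger.db": b"constructed ledger contents, altered"}
    print("tampered:", verify_backup(tampered, manifest))
    print("RPO 4h met at +3h:", rpo_met(manifest, taken + timedelta(hours=3), timedelta(hours=4)))
```

The signature check runs first and short-circuits: if the manifest itself cannot be trusted, per-file results are meaningless. The restoration test deliberately checks only that required objects are present and intact; a real test would also restore them to an isolated environment and exercise the application against them.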
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 [The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. ID.IM-02.08] | Operational and Systems Continuity | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 [The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. ID.IM-02.08] | Operational and Systems Continuity | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 [Cybersecurity is included in human resources practices GV.RR-04] | Human Resources management | Preventive | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Preventive | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Preventive | |
Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Preventive | |
Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Preventive | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Preventive | |
Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Preventive | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Preventive | |
Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Preventive | |
Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Preventive | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Preventive | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets. GV.RR-04.02] | Human Resources management | Preventive | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 [Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity and independent sources of expertise to discuss cybersecurity related matters. PR.AT-02.08] | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: PR.AT-02.07 The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Lead by example. PR.AT-02.07 (3) High-risk groups, such as those with elevated privileges or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities. PR.AT-02.02 All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security. PR.AT-02.05] | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [All personnel receive cybersecurity awareness training upon hire and on a regular basis. PR.AT-01.01] | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 [{security baseline configuration} The organization establishes and maintains standard system security configuration baselines, informed by industry standards and hardening guidelines, to facilitate the consistent application of security settings, configurations, and versions. PR.PS-01.01] | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [Adequate resource capacity to ensure availability is maintained PR.IR-04 Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands. PR.IR-04.02] | Operational management | Preventive | |
Document the organization's business processes. CC ID 13035 [The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning. GV.OC-04.02] | Operational management | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Technology and cybersecurity strategies, architectures, and programs are formally governed to align with and support the organization's mission, objectives, priorities, tactical initiatives, and risk profile. GV.OC-01.01 Technology and cybersecurity risk management frameworks and programs are integrated into the enterprise risk management framework. GV.RM-03.01 Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making. GV.RM-08.06 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 [{IT architecture} The organization integrates the use of technology architecture in its governance processes to support consistent approaches to security and technology design, integration of third party services, consideration and adoption of new technologies, and investment and procurement decisioning. GV.RM-08.04] | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01 Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03 {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | Operational management | Preventive | |
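PR.AA-05.03 names four concrete controls (termination, no embedded passwords in code, ownership reviews, visibility for unauthorized use) that are usually enforced by a recurring review job rather than by policy text. The following is an added example, not part of the CRI Profile or the UCF mapping, of what that job can check: a pass over a constructed service-account inventory (an IAM export joined with where each account has actually authenticated from) and a scan of constructed source lines for hard-coded credentials. The inventory schema, the 90-day review interval, the host names and the secret patterns are all assumptions.

```python
"""Added example (not part of the CRI Profile or the UCF mapping).
A periodic review of a constructed service-account inventory plus a scan of
constructed source lines for embedded passwords, one way to operationalize the
PR.AA-05.03 lifecycle controls. The inventory schema, the 90-day review interval,
the host names and the secret patterns are assumptions."""
import re
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed policy value for ownership reviews

# Constructed inventory: what an IAM export joined with auth logs might yield.
INVENTORY = [
    {"name": "svc-etl", "owner": "data-eng", "active": True,
     "last_reviewed": date(2024, 4, 20),
     "allowed_hosts": {"etl01", "etl02"}, "seen_from": {"etl01"}},
    {"name": "svc-legacy-report", "owner": None, "active": True,
     "last_reviewed": date(2023, 11, 1),
     "allowed_hosts": {"rpt01"}, "seen_from": {"rpt01", "laptop-jsmith"}},
    {"name": "svc-old-batch", "owner": "ops", "active": False,
     "last_reviewed": date(2024, 5, 1),
     "allowed_hosts": {"batch03"}, "seen_from": {"batch03"}},
]


def review_accounts(inventory, today):
    """Return (account, finding) pairs for termination, ownership, review age and use."""
    findings = []
    for acct in inventory:
        name = acct["name"]
        if not acct["active"] and acct["seen_from"]:
            findings.append((name, "terminated account still authenticating"))
        if acct["owner"] is None:
            findings.append((name, "no owner on record"))
        if today - acct["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((name, "ownership review overdue"))
        unexpected = acct["seen_from"] - acct["allowed_hosts"]
        if unexpected:
            findings.append((name, "used from unexpected host(s): " + ", ".join(sorted(unexpected))))
    return findings


# Assumed patterns; real scanners carry far larger rule sets. No \b before the
# keyword, so DB_PASSWORD and API_KEY are caught as well as bare password/api_key.
SECRET_PATTERNS = [
    re.compile(r"""(?i)(password|passwd|pwd)\s*=\s*["'][^"']{4,}["']"""),
    re.compile(r"""(?i)(api[_-]?key|secret|token)\s*=\s*["'][A-Za-z0-9/+_\-]{8,}["']"""),
]


def scan_for_embedded_secrets(source_lines):
    """Return 1-based line numbers that look like hard-coded credentials."""
    hits = []
    for lineno, line in enumerate(source_lines, start=1):
        if "os.environ" in line or "getenv" in line:
            continue  # value is injected at runtime from the environment/vault
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append(lineno)
    return hits


# Constructed source lines for the scanner.
SAMPLE_SOURCE = [
    'DB_USER = "svc-etl"',
    'DB_PASSWORD = "Winter2024!"',                 # embedded: finding
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',     # injected at runtime: fine
    'API_KEY = "constructed0123exampleKey"',       # embedded: finding
    'TOKEN_HEADER = "Authorization"',              # a header name, not a secret
]


if __name__ == "__main__":
    for name, finding in review_accounts(INVENTORY, date(2024, 6, 1)):
        print(f"{name}: {finding}")
    print("embedded secrets on lines:", scan_for_embedded_secrets(SAMPLE_SOURCE))
```

The "seen_from minus allowed_hosts" comparison is the cheapest form of the "visibility for unauthorized use" control: a service account that starts authenticating from a laptop is the classic sign of a credential that has leaked out of the system it was issued to.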
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 [{incident alert threshold} The organization establishes, documents, and regularly reviews event alert parameters and thresholds, as well as rule-based triggers to support automated responses, when known attack patterns, signatures or behaviors are detected. DE.AE-02.02] | Operational management | Preventive | |
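DE.AE-02.02 asks for documented, regularly reviewed alert parameters and thresholds, plus rule-based triggers that can drive an automated response when a known pattern is seen. The following is an added example, not part of the CRI Profile or the UCF mapping, showing what that looks like as detection logic run over constructed authentication log lines: a sliding-window failed-login threshold per source that adds the source to a block list when exceeded, and a single-occurrence rule for a privileged login from an unrecognized source. The log format, the threshold values, the known-admin-source list and the block-list response are all assumptions.

```python
"""Added example (not part of the CRI Profile or the UCF mapping).
Threshold-based alerting over constructed authentication log lines, showing what
DE.AE-02.02's "event alert parameters and thresholds" and "rule-based triggers to
support automated responses" look like in code. The log format, the thresholds,
the known-admin-source list and the block list are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parameters live in one reviewable place so the "regularly reviews" part of the
# mandate has something concrete to review and version.
FAILED_LOGIN_THRESHOLD = 5                       # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=2)       # ... within this sliding window
KNOWN_ADMIN_SOURCES = frozenset({"192.0.2.10"})  # assumed jump host

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a spray from 203.0.113.7, two slow failures from
# 198.51.100.4 (outside the window), and an admin login from an unknown source.
SAMPLE_LOG = """\
2024-03-01T09:00:00 auth FAIL user=alice src=203.0.113.7
2024-03-01T09:00:10 auth FAIL user=bob src=203.0.113.7
2024-03-01T09:00:20 auth FAIL user=carol src=203.0.113.7
2024-03-01T09:00:30 auth FAIL user=dave src=203.0.113.7
2024-03-01T09:00:40 auth FAIL user=erin src=203.0.113.7
2024-03-01T09:01:00 auth FAIL user=frank src=198.51.100.4
2024-03-01T09:05:00 auth FAIL user=frank src=198.51.100.4
2024-03-01T09:06:00 auth OK user=admin src=192.0.2.10
2024-03-01T09:07:00 auth OK user=admin src=203.0.113.9
"""


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, never treated as OK
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def evaluate(log_text):
    """Return (alerts, blocklist). The blocklist is the automated response."""
    alerts, blocklist = [], set()
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "FAIL":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()  # slide the window forward
            if len(q) >= FAILED_LOGIN_THRESHOLD and ev["src"] not in blocklist:
                alerts.append({"rule": "failed_logins", "src": ev["src"], "at": ev["ts"]})
                blocklist.add(ev["src"])  # rule-based trigger: automated block
        elif ev["user"] == "admin" and ev["src"] not in KNOWN_ADMIN_SOURCES:
            # Known pattern (privileged login from an unexpected source): alert on
            # the first occurrence, i.e. threshold 1 with no window.
            alerts.append({"rule": "admin_login_unknown_src", "src": ev["src"], "at": ev["ts"]})
    return alerts, blocklist


if __name__ == "__main__":
    alerts, blocked = evaluate(SAMPLE_LOG)
    for alert in alerts:
        print(alert)
    print("blocked:", sorted(blocked))
```

Two details matter for the "regularly reviews" requirement: the threshold and window are named constants with a documented rationale, and the spray rule fires once per source rather than on every subsequent failure, so the review of alert volume reflects distinct events rather than a flood from one attacker.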
Include security information sharing procedures in the internal control framework. CC ID 06489 [{information sharing forum} The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from: Public sources (e.g., customers and security researchers); ID.RA-08.01 (1) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Vulnerability sharing forums (e.g., FS-ISAC); and ID.RA-08.01 (2) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Third-parties (e.g., cloud vendors); ID.RA-08.01 (3) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Internal sources (e.g., development teams). ID.RA-08.01 (4)] | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 [{escalation procedure} The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon. RS.CO-02.01] | Operational management | Preventive | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 [Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. GV.PO-01.01 The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01 The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated. GV.PO-01.02] | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [{security architecture}{security process}{security practice} The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. GV.RM-08.03] | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 [{physical security policy} Physical and environmental security policies are implemented and managed. GV.PO-01.06] | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 [The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) EX.MM-01.03] | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Operational management | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{cybersecurity program} The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. GV.OC-03.01] | Operational management | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS] | Operational management | Preventive | |
Include a service management plan in the service management program. CC ID 13902 | Operational management | Preventive | |
Include the information security policy in the service management program. CC ID 13925 | Operational management | Preventive | |
Include the change management policy in the service management program. CC ID 13923 | Operational management | Preventive | |
Include known limitations in the service management program. CC ID 11391 [Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Operational management | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 [The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 [The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy ID.AM] | Operational management | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02] | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS] | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. RC.RP-05.02] | Operational management | Preventive | |
Define integrity controls. CC ID 01909 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS] | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The organization uses integrity checking mechanisms to verify hardware integrity. DE.CM-09.02] | Operational management | Preventive | |
Define availability controls. CC ID 01911 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS The organization implements mechanisms (e.g., failsafe, load balancing, hot swaps, redundant equipment, alternate services, backup facilities, etc.) to achieve resilience requirements in normal and adverse situations. PR.IR-03.01] | Operational management | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 [{be risk-based} The organization establishes and maintains risk-based policies and procedures for the classification of hardware, software, and data assets based on sensitivity and criticality. ID.AM-05.01] | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02 The organization maintains a current inventory of the data being created, stored, or processed by its information assets and data flow diagrams depicting key internal and external data flows. ID.AM-07.01] | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 [Inventories of hardware managed by the organization are maintained ID.AM-01 Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Operational management | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02 The organization maintains a current and complete inventory of software platforms, business applications, and other software assets (e.g., virtual machines and virtual network devices). ID.AM-02.01 Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Operational management | Preventive | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [Inventories of data and corresponding metadata for designated data types are maintained ID.AM-07] | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 [Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02] | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Operational management | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS Software is maintained, replaced, and removed commensurate with risk PR.PS-02] | Operational management | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The organization defines and implements controls for the on-site and remote maintenance and repair of the organization's technology assets (e.g., work must be performed by authorized personnel, use of approved procedures and tools, use of original or vendor-approved spare parts). PR.PS-03.01] | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 [Technology obsolescence, unsupported systems, and end-of-life decommissioning/replacements are addressed in a risk-based manner and actively planned for, funded, managed, and securely executed. PR.PS-02.03] | Operational management | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [Incidents are declared when adverse events meet the defined incident criteria DE.AE-08] | Operational management | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents DE.AE {incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03] | Operational management | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [The estimated impact and scope of adverse events are understood DE.AE-04 An incident's magnitude is estimated and validated RS.AN-08 Defined criteria and severity levels are in place to facilitate the declaration, escalation, organization, and alignment of response activities to response plans within the organization and across relevant third parties. DE.AE-08.01] | Operational management | Preventive | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06] | Operational management | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [Pre-established communication plans and message templates, and authorized protocols, contacts, media, and communications, are used to notify and inform the public and key external stakeholders about an incident. RC.CO-04.01] | Operational management | Corrective | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include the incident reference code in incident response notifications. CC ID 17292 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Operational management | Preventive | |
Include costs associated with the incident in incident response notifications. CC ID 17300 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05 The organization maintains documented procedures for sanitizing, testing, authorizing, and returning systems to service following an incident or investigation. RC.RP-05.01] | Operational management | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01 {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Preventive | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01] | Operational management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 [{incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [{incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03 {incident communication protocol} The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident. RS.CO-02.03] | Operational management | Preventive | |
Display customer security advice prominently. CC ID 13667 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 [The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 Responses to detected adverse incidents are managed RS.MA] | Operational management | Preventive | |
Create an incident response report. CC ID 12700 [Incident reports are triaged and validated RS.MA-02] | Operational management | Preventive | |
Include entities notified of the incident in the incident response report. CC ID 17294 | Operational management | Preventive | |
Include details of the companies and persons involved in the incident response report. CC ID 17298 | Operational management | Preventive | |
Include the incident reference code in the incident response report. CC ID 17297 | Operational management | Preventive | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Preventive | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Assessing its scope (e.g., affected assets); ID.RA-08.02 (2)] | Operational management | Preventive | |
Include recovery measures in the incident response report. CC ID 17299 | Operational management | Preventive | |
Include the date and time of recovery from the incident in the incident response report. CC ID 17296 | Operational management | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01] | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08] | Operational management | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 [{escalation procedure} The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon. RS.CO-02.01] | Operational management | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Preventive | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Preventive | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Preventive | |
Include log management procedures in the incident response program. CC ID 17081 | Operational management | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
Include compliance requirements in the incident response policy. CC ID 14108 | Operational management | Preventive | |
Include coordination amongst entities in the incident response policy. CC ID 14107 | Operational management | Preventive | |
Include management commitment in the incident response policy. CC ID 14106 | Operational management | Preventive | |
Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Preventive | |
Include the scope in the incident response policy. CC ID 14104 | Operational management | Preventive | |
Include the purpose in the incident response policy. CC ID 14101 | Operational management | Preventive | |
Include business recovery procedures in the Incident Response program. CC ID 11774 [The recovery portion of the incident response plan is executed once initiated from the incident response process RC.RP-01] | Operational management | Preventive | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Preventive | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01 Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. RS.AN-07.01] | Operational management | Preventive | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Operational management | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [{business continuity plan} Technology projects and system change processes ensure that requisite changes in security posture, data classification and flows, architecture, support documentation, business processes, and business resilience plans are addressed. ID.RA-07.03 {change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 [{emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [{change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Operational management | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Operational management | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Operational management | Preventive | |
Include resources in the transition strategy. CC ID 17289 | Operational management | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
Document the organization's local environments. CC ID 06726 [The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: DE.AE-02.01] | Operational management | Preventive | |
Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Preventive | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain configuration management procedures. CC ID 14074 [Configuration management practices are established and applied PR.PS-01] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | System hardening through configuration management | Preventive | |
Include the date and time that access was granted in the system record. CC ID 15174 | System hardening through configuration management | Preventive | |
Include the access level granted in the system record. CC ID 15173 | System hardening through configuration management | Preventive | |
Include when access is withdrawn in the system record. CC ID 15172 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain an authenticator management system. CC ID 12031 [Identities and credentials for authorized users, services, and hardware are managed by the organization PR.AA-01] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a network addressing plan. CC ID 16399 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain firewall rules in accordance with organizational standards. CC ID 16353 | System hardening through configuration management | Preventive | |
Configure Apple iOS to Organizational Standards. CC ID 09986 | System hardening through configuration management | Preventive | |
Configure Red Hat Enterprise Linux to Organizational Standards. CC ID 08713 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a data retention program. CC ID 00906 [The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. ID.AM-08.03] | Records management | Detective | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed. ID.AM-08.05] | Records management | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed. ID.AM-08.05] | Records management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Preventive | |
Define and document organizational structures for systems operations. CC ID 12553 [The design, configuration, security control, and operation of key applications and system services are documented sufficiently to support ongoing management, operation, change, and assessment. PR.PS-06.08] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 | Systems design, build, and implementation | Preventive | |
Document stakeholder requirements and how they influence system design requirements. CC ID 06925 [Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making. GV.RM-08.06] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Systems design, build, and implementation | Preventive | |
Include data governance and management practices in the system design project management framework. CC ID 15053 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [Technology projects follow an established project management methodology to manage delivery and delivery risks, produce consistent quality, and achieve business objectives and value. GV.RM-08.07 Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Systems design, build, and implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 | Systems design, build, and implementation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system design specification. CC ID 04557 [Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Systems design, build, and implementation | Preventive | |
Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Preventive | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Systems design, build, and implementation | Preventive | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Preventive | |
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Preventive | |
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Preventive | |
Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Preventive | |
Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Preventive | |
Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Preventive | |
Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Preventive | |
Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Preventive | |
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Preventive | |
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Preventive | |
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Preventive | |
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Preventive | |
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Preventive | |
Include the source code in the implementation representation document. CC ID 13089 | Systems design, build, and implementation | Preventive | |
Include the hardware schematics in the implementation representation document. CC ID 13098 | Systems design, build, and implementation | Preventive | |
Review and update the security architecture, as necessary. CC ID 14277 | Systems design, build, and implementation | Corrective | |
Review and update the privacy architecture, as necessary. CC ID 14674 | Systems design, build, and implementation | Preventive | |
Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 [Technology and security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience PR.IR] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [Processes for receiving, analyzing, and responding to vulnerability disclosures are established ID.RA-08 The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from: ID.RA-08.01] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Preventive | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include roles and responsibilities in system acquisition contracts. CC ID 14765 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a software product acquisition methodology. CC ID 01138 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Preventive | |
Align the service management program with the Code of Conduct. CC ID 14211 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy policy. CC ID 06281 [The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). GV.OC-03.02] | Privacy protection for information and data | Preventive | |
Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Preventive | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Preventive | |
Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Preventive | |
Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Preventive | |
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Preventive | |
Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Preventive | |
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Corrective | |
Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Preventive | |
Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Preventive | |
Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Preventive | |
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Preventive | |
Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Preventive | |
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Preventive | |
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Corrective | |
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Preventive | |
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Preventive | |
Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Preventive | |
Include the address where the files and hardware that support the data processing are located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Preventive | |
Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Preventive | |
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Preventive | |
Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Preventive | |
Define the retention period for collected information in the privacy policy. CC ID 13116 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Privacy protection for information and data | Preventive | |
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Preventive | |
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Preventive | |
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Preventive | |
Include opt-out instructions in the privacy policy. CC ID 00411 | Privacy protection for information and data | Preventive | |
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Preventive | |
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Preventive | |
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Preventive | |
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Preventive | |
Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Preventive | |
Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Preventive | |
Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Preventive | |
Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Preventive | |
Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Preventive | |
Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Preventive | |
Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Preventive | |
Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Preventive | |
Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Preventive | |
Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Preventive | |
Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Preventive | |
Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Preventive | |
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Preventive | |
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [The risks posed by a third-party are monitored and managed over the course of the relationship EX.MM Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite. GV.SC-01.01 {personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 [Relationship termination is anticipated, planned for, and executed safely EX.TR {technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 [Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 [{be reasonable} The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. EX.DD-02.02] | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [Roles and responsibilities for the Third-Party Risk Management Program and for each third-party engagement are defined and assigned. GV.RR-02.04 The organization clearly defines, and includes in contractual agreements, the division of cybersecurity and technology risk management responsibilities between the organization and its third parties (e.g., a Shared Responsibilities Model). GV.SC-02.01 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 Contracts clearly specify the rights and responsibilities of each party and establish requirements to address the anticipated risks posed by a third party over the life of the relationship EX.CN-01] | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03 The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs. GV.SC-03.01 Inter-dependent and coordinated cybersecurity risk management practices with third parties are managed to ensure ongoing effectiveness EX.MM-02 {cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Third Party and supply chain oversight | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: GV.RM-05.02] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 [The organization periodically identifies and tests alternative solutions in case a critical external partner fails to perform as expected. EX.TR-01.02 The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 [The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [{security control} The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected. EX.MM-02.01 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and GV.RM-05.02 (3) The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Incorporating the potential impact of an incident into their BCM process and ensure resilience capabilities are in place. GV.RM-05.02 (4) A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04] | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03 The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [{personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03 The organization anticipates and plans for the termination of critical relationships under both normal and adverse circumstances EX.TR-01 Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Third Party and supply chain oversight | Detective | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Responsibilities for responding to incidents, including forensic investigations; GV.RM-05.02 (2) The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 [{absent approval} The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval. GV.SC-04.01] | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Detective | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Third Party and supply chain oversight | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 | Third Party and supply chain oversight | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 | Third Party and supply chain oversight | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [Inventories of services provided by suppliers are maintained ID.AM-04] | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [Suppliers are known and prioritized by criticality GV.SC-04] | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite. GV.SC-01.01 {third party} Extend organizational risk management policy and practices over the life cycle of third- (and nth-) party relationships, products, and services EX] | Third Party and supply chain oversight | Preventive | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Third Party and supply chain oversight | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 [{absent approval} The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval. GV.SC-04.01] | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 Contracts establish baseline protections to manage risk over the life of the third-party relationship EX.CN {technology capabilities} The organization assesses the risks and suitability of the technology and cybersecurity capabilities and risk management practices of prospective third parties EX.DD-03 Contracts clearly specify the rights and responsibilities of each party and establish requirements to address the anticipated risks posed by a third party over the life of the relationship EX.CN-01 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. EX.CN-02.04 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs. GV.SC-03.01] | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Third Party and supply chain oversight | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [The organization performs thorough due diligence on prospective third parties, consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each third-party relationship EX.DD-02] | Third Party and supply chain oversight | Preventive | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01] | Third Party and supply chain oversight | Detective | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [{cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Third Party and supply chain oversight | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [Expected cybersecurity practices for critical third parties that meet the risk management objectives of the organization are identified, documented, and agreed EX.CN-02] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [The organization's business continuity and resilience requirement risks are managed GV.RM-09 {business continuity strategy} The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's resilience strategy and program and for managing the organization's ongoing resilience risks. GV.RR-01.03] | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01 The governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization's technology and cybersecurity risk management strategies and frameworks. GV.RR-01.01 The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy. GV.RR-01.05 The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties. GV.RR-01.02] | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Preventive | |
Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 | Human Resources management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [{cybersecurity program} The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. GV.OC-03.01] | Human Resources management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 [Technology and cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated GV.RR Roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-02 {business continuity program} The roles, responsibilities, qualifications, and skill requirements for personnel (employees and third parties) that implement, manage, and oversee the technology, cybersecurity, and resilience programs are defined, aligned, coordinated, and holistically managed. GV.RR-02.01 The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions. GV.RR-02.02] | Human Resources management | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02 The organization has an independent risk management function GV.IR {cybersecurity program} The independent risk management function has an understanding of the organization's structure, technology and cybersecurity strategies and programs, and relevant risks and threats. GV.IR-01.03] | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Preventive | |
Analyze workforce management. CC ID 12844 [The organization regularly assesses its skill and resource level requirements against its current personnel complement to determine gaps in resource need. GV.RR-03.02 The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Human Resources management | Detective | |
Identify root causes of staffing shortages, if any exist. CC ID 13276 | Human Resources management | Detective | |
Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 | Human Resources management | Detective | |
Categorize the gender of all employees. CC ID 15609 | Human Resources management | Preventive | |
Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources management | Preventive | |
Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Preventive | |
Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Preventive | |
Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Preventive | |
Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Preventive | |
Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Preventive | |
Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Preventive | |
Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Preventive | |
Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Preventive | |
Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 [{security policy} All personnel (employees and third party) consent to policies addressing acceptable technology use, social media use, personal device use (e.g., BYOD), confidentiality, and/or other security-related policies and agreements as warranted by their position. GV.PO-01.04] | Human Resources management | Preventive | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 [{background check} The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems. GV.RR-04.01] | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 [{background check} The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems. GV.RR-04.01] | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Preventive | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Preventive | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Corrective | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Detective | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. GV.PO-01.03] | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [{emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
Assign appropriate parties to approve the system design specification. CC ID 13070 [Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Systems design, build, and implementation | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Detective | |
Rank discovered vulnerabilities. CC ID 11940 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its severity and impact; ID.RA-08.02 (2) Vulnerabilities in assets are identified, validated, and recorded ID.RA-01] | Monitoring and measurement | Detective | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 [The governing authority (e.g., the Board or one of its committees) regularly reviews and evaluates the organization's ability to manage its technology, cybersecurity, third-party, and resilience risks. GV.OV-01.01 {risk tolerance} The independent risk management function provides assurance that the technology and cybersecurity risk management frameworks have been implemented according to policy and are consistent with the organization's risk appetite and tolerance GV.IR-01 {be consistent} The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. GV.IR-01.01] | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 [The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01] | Audits and risk management | Preventive | |
Verify proof of identity records. CC ID 13761 | Technical security | Detective | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 [Analysis is performed to establish what has taken place during an incident and the root cause of the incident RS.AN-03] | Operational management | Detective | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06 Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Operational management | Detective | |
Conduct forensic investigations in the event of a security compromise. CC ID 11951 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Operational management | Corrective | |
Prepare digital forensic equipment. CC ID 08688 | Operational management | Detective | |
Secure devices containing digital forensic evidence. CC ID 08681 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01] | Operational management | Detective | |
Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06 Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Detective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (CC ID) with mapped CRI Profile citations | IMPACT ZONE | CLASS |
---|---|---|
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned. ID.IM-03.02 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Detective | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. DE.CM-06.02 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09 Account access, authentication, and authorization activities are logged and monitored, for both users and devices, to enforce authorized access. DE.CM-03.01] | Monitoring and measurement | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 [Log records are generated and made available for continuous monitoring PR.PS-04] | Monitoring and measurement | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03 {refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02 Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection. PR.IR-04.01] | Monitoring and measurement | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Information is correlated from multiple sources DE.AE-03 The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned. ID.IM-03.02 Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. DE.AE-07.02 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Preventive | |
Protect the event logs from failure. CC ID 06290 [{refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02] | Monitoring and measurement | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03 The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01 {timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01] | Monitoring and measurement | Detective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 [Log records are generated and made available for continuous monitoring PR.PS-04] | Monitoring and measurement | Detective | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03] | Monitoring and measurement | Preventive | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Preventive | |
Include the user's location in the system record. CC ID 16996 | Technical security | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Preventive | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
Include time information in the chain of custody. CC ID 17068 | Operational management | Preventive | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Preventive | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Preventive | |
Provide the reference database used to verify input data in the logging capability. CC ID 15018 | System hardening through configuration management | Preventive | |
Configure the log to capture the details of electronic signature transactions. CC ID 16910 | System hardening through configuration management | Preventive | |
Configure the log to uniquely identify each accessed record. CC ID 16909 | System hardening through configuration management | Preventive | |
Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | System hardening through configuration management | Preventive | |
Configure the log to capture startups and shutdowns. CC ID 16491 | System hardening through configuration management | Preventive | |
Configure the log to capture user queries and searches. CC ID 16479 | System hardening through configuration management | Preventive | |
Configure the log to capture Internet Protocol addresses. CC ID 16495 | System hardening through configuration management | Preventive | |
Configure the log to capture error messages. CC ID 16477 | System hardening through configuration management | Preventive | |
Configure the log to capture system failures. CC ID 16475 | System hardening through configuration management | Preventive | |
Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | System hardening through configuration management | Preventive | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add a logging option to the root file system. CC ID 00645 [{privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | System hardening through configuration management | Detective | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Preventive | |
Include the sanitization method in the disposal record. CC ID 17073 | Records management | Preventive | |
Include time information in the disposal record. CC ID 17072 | Records management | Preventive | |

Common Control (CC ID) with mapped CRI Profile citations | IMPACT ZONE | CLASS |
---|---|---|
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |

Common Control (CC ID) with mapped CRI Profile citations | IMPACT ZONE | CLASS |
---|---|---|
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) EX.MM-01.03] | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Leadership and high level objectives | Detective | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Personnel activity and technology usage are monitored to find potentially adverse events DE.CM-03 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09] | Monitoring and measurement | Detective | |
Monitor systems for errors and faults. CC ID 04544 [Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Monitoring and measurement | Detective | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03 The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events DE.CM The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03 {unauthorized hardware} The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes. DE.CM-09.03] | Monitoring and measurement | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 [The organization implements mechanisms, such as alerting and filtering of sudden high volumes and suspicious incoming traffic, to detect and mitigate Denial of Service, "bot", and credential stuffing attacks. DE.CM-01.02] | Monitoring and measurement | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 [The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03] | Monitoring and measurement | Preventive | |
Monitor systems for unauthorized mobile code. CC ID 10034 [The organization implements safeguards against unauthorized mobile code (e.g., JavaScript, ActiveX, VBScript, PowerShell, etc.) on mobile, end point, and server systems. PR.PS-05.02] | Monitoring and measurement | Preventive | |
Monitor and evaluate system performance. CC ID 00651 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02] | Monitoring and measurement | Detective | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01 {timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01 {privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Monitoring and measurement | Detective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 [Networks and network services are monitored to find potentially adverse events DE.CM-01 The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems). DE.CM-01.04] | Monitoring and measurement | Preventive | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Detective | |
Implement file integrity monitoring. CC ID 01205 [The organization uses integrity checking mechanisms to verify software, firmware and information integrity and provenance (e.g., checksums, Software Bill of Materials, etc.) DE.CM-09.01 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Detective | |
Monitor and evaluate user account activity. CC ID 07066 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 {privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Monitoring and measurement | Detective | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
Monitor and evaluate environmental threats. CC ID 13481 [{high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01] | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Personnel activity and technology usage are monitored to find potentially adverse events DE.CM-03] | Monitoring and measurement | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities. ID.RA-06.05 The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 [The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified. PR.PS-01.03] | Monitoring and measurement | Detective | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02] | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV] | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 [Supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders GV.SC The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Audits and risk management | Preventive | |
Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Detective | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The physical environment is monitored to find potentially adverse events DE.CM-02 {high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01] | Physical and environmental protection | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [An incident's magnitude is estimated and validated RS.AN-08 The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Assess and understand the nature, scope and method of the attack; DE.AE-02.01 (1)] | Operational management | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 [Incident reports are triaged and validated RS.MA-02 The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems and services to the enterprise. RS.MA-03.01 Actions regarding a detected adverse incident are taken RS The organization has a documented process to analyze and triage incidents to assess root cause, technical impact, mitigation priority, and business impact on the organization, as well as across the financial sector and other third party stakeholders. DE.AE-04.01] | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 [Incidents are categorized and prioritized RS.MA-03 Incidents are escalated or elevated as needed RS.MA-04] | Operational management | Corrective | |
Analyze business activities to ensure information is categorized for system design projects. CC ID 11794 | Systems design, build, and implementation | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [{cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09 External service provider activities and services are monitored to find potentially adverse events DE.CM-06 The organization regularly evaluates its third party relationships to determine if changes in the organization's circumstances, objectives, or third party use warrant a change in a third party's risk rating (e.g., a less critical third-party relationship evolves into being a critical relationship). EX.MM-01.02 The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 Critical suppliers and third parties are monitored to confirm that they continue to satisfy their obligations as required; reviews of audits, test results, or other assessments of third parties are conducted EX.MM-01] | Third Party and supply chain oversight | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective | |

Common Control (CC ID) with mapped CRI Profile citations | IMPACT ZONE | CLASS |
---|---|---|
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01 The organization manages and protects physical and visual access to sensitive information assets and physical records (e.g., session lockout, clean desk policies, printer/facsimile output trays, file cabinet/room security, document labelling, etc.) PR.AA-06.02 {environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
Restrict physical access to distributed assets. CC ID 11865 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01] | Physical and environmental protection | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Preventive | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Preventive | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Preventive | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Preventive | |
Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain an environmental control program. CC ID 00724 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Preventive | |
Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and environmental protection | Preventive | |
Design the Information Technology facility with a low profile. CC ID 16140 | Physical and environmental protection | Preventive | |
Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and environmental protection | Preventive | |
Build critical facilities according to applicable building codes. CC ID 06366 | Physical and environmental protection | Preventive | |
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Preventive | |
Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Preventive | |
Install and maintain smoke control systems. CC ID 17291 | Physical and environmental protection | Preventive | |
Install and maintain fire alarm systems. CC ID 17267 | Physical and environmental protection | Preventive | |
Install and maintain smoke detectors. CC ID 15264 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
Store manufacturing components in a controlled access area. CC ID 12256 | Systems design, build, and implementation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 [{incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03] | Leadership and high level objectives | Detective | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Preventive | |
Involve all stakeholders in the architecture review process. CC ID 16935 | Leadership and high level objectives | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Detective | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Preventive | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Determine the time frame to take action based on cyber threat intelligence. CC ID 12748 | Monitoring and measurement | Preventive | |
Evaluate cyber threat intelligence. CC ID 12747 [{adverse events} Cyber threat intelligence and other contextual information are integrated into the analysis DE.AE-07 The organization solicits and considers threat intelligence received from the organization's stakeholders, service and utility providers, and other industry and security organizations. ID.RA-03.02] | Monitoring and measurement | Detective | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
Approve the risk acceptance level, as necessary. CC ID 17168 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
Implement identity proofing processes. CC ID 13719 [Identities are proofed and bound to credentials based on the context of interactions PR.AA-02 The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical security | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Preventive | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Detective | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 | Technical security | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Detective | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Detective | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Preventive | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
Approve the application security policy. CC ID 17065 | Technical security | Preventive | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Preventive | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
Conduct fire drills, as necessary. CC ID 13985 | Physical and environmental protection | Preventive | |
Employ environmental protections. CC ID 12570 [The organization's technology assets are protected from environmental threats PR.IR-02] | Physical and environmental protection | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [The organization has mechanisms in place to ensure that strategies, initiatives, opportunities, and emerging technologies (e.g., artificial intelligence, quantum computing, etc.) are evaluated both in terms of risks and uncertainties that are potentially detrimental to the organization, as well as potentially advantageous to the organization (i.e., positive risks). GV.RM-07.01] | Operational management | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Preventive | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 [The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). GV.RR-03.03] | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. GV.PO-01.01] | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01] | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated. GV.PO-01.02] | Operational management | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Operational management | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [Relevant suppliers and other third parties are included in incident planning, response, and recovery activities GV.SC-08 The incident response plan is executed in coordination with relevant third parties once an incident is declared RS.MA-01 Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies RS.CO The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01 {incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01 The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. RC.RP-02.01] | Operational management | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 [Activities are performed to prevent expansion of an event and mitigate its effects RS.MI Incidents are contained RS.MI-01 The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01] | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Conduct incident investigations, as necessary. CC ID 13826 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01 The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01] | Operational management | Detective | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Preventive | |
Prohibit files from containing wild cards, as necessary. CC ID 16318 | System hardening through configuration management | Preventive | |
Issue temporary authenticators, as necessary. CC ID 17062 | System hardening through configuration management | Preventive | |
Renew temporary authenticators, as necessary. CC ID 17061 | System hardening through configuration management | Preventive | |
Disable authenticators, as necessary. CC ID 17060 | System hardening through configuration management | Preventive | |
Change default accounts. CC ID 16468 | System hardening through configuration management | Preventive | |
Define the location requirements for network elements and network devices. CC ID 16379 | System hardening through configuration management | Preventive | |
Reset wireless access points, as necessary. CC ID 14317 | System hardening through configuration management | Corrective | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Preventive | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Preventive | |
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Preventive | |
Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Systems design, build, and implementation | Preventive | |
Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Systems design, build, and implementation | Preventive | |
Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Detective | |
Digitally sign software components. CC ID 16490 | Systems design, build, and implementation | Preventive | |
Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Corrective | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Preventive | |
Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 [The organization implements measures for monitoring external sources (e.g., social media, the dark web, etc.) to integrate with other intelligence information to better detect and evaluate potential threats and compromises. DE.AE-07.01] | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. EX.DD-02.03] | Third Party and supply chain oversight | Detective | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Detective | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
Sanitize customer data from all shared resources upon agreement termination. CC ID 12175 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Technical security | Preventive | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Physical and environmental protection | Preventive | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01] | Operational management | Preventive | |
Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Preventive | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01 Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. RS.AN-07.01] | Operational management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03] | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [{data classification policy} {data protection policy} Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, segregation, masking, tokenization, and file integrity monitoring). PR.DS-01.01] | Records management | Preventive |
Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 [{business continuity strategy} The organization's resilience strategy, plans, tests, and exercises incorporate its external dependencies and critical business partners. GV.SC-08.01] | Operational and Systems Continuity | Detective | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Restoration activities are coordinated with internal and external parties RC.CO] | Operational and Systems Continuity | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{business continuity strategy} The organization's business continuity and resilience strategy and program align with and support the overall enterprise risk management framework. GV.RM-03.02] | Operational and Systems Continuity | Detective | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05 Assets and operations affected by an adverse incident are restored RC Restoration activities are performed to ensure operational availability of systems and services affected by adverse incidents RC.RP Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. RC.RP-05.02 {secure state} Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. RS.MI-02.01] | Operational and Systems Continuity | Corrective | |
Include tolerance levels in the continuity plan. CC ID 17305 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Identify and document critical facilities. CC ID 17304 | Operational and Systems Continuity | Preventive | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [Recovery point objectives to support data integrity are consistent with the organization's recovery time objectives, information flow dependencies between systems, and business obligations. GV.OC-05.04] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backups of data are created, protected, maintained, and tested PR.DS-11 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
Validate information security continuity controls regularly. CC ID 12008 [Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective |
Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
Install and maintain power distribution boards. CC ID 16486 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Operational management | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA] | Operational management | Preventive | |
Review each system's operational readiness. CC ID 06275 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05] | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [{in-house developed application} The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects. PR.PS-06.01 The architecture, design, coding, testing, and operationalization of system solutions address the unique security, resilience, technical, and operational characteristics of the target platform environment(s) (e.g., distributed system, mainframe, cloud, API, mobile, database, etc.) PR.PS-06.02] | Systems design, build, and implementation | Preventive | |
Include information security throughout the system development life cycle. CC ID 12042 [Systems development and testing tools, processes, and environments employ security mechanisms to protect and improve the integrity and confidentiality of both the SDLC process and the resulting product (e.g., secured code repositories, segmented environments, automated builds, etc.) PR.PS-06.04] | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Design and develop built-in redundancies, as necessary. CC ID 13064 [Mechanisms are implemented to achieve resilience requirements in normal and adverse situations PR.IR-03] | Systems design, build, and implementation | Preventive | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems design, build, and implementation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [{production environment} The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets. PR.IR-01.06] | Systems design, build, and implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [The organization establishes policies and procedures for the secure design, configuration, modification, and operation of databases, data stores, and data analytics platforms consistent with the criticality of the data being managed. PR.PS-06.10] | Systems design, build, and implementation | Preventive | |
Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems design, build, and implementation | Preventive | |
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Preventive | |
Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Preventive | |
Implement data controls when developing systems. CC ID 15302 | Systems design, build, and implementation | Preventive | |
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Preventive | |
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Preventive | |
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Preventive | |
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Preventive | |
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Preventive | |
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Preventive | |
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Preventive | |
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Preventive | |
Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Preventive | |
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Preventive | |
Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems design, build, and implementation | Preventive | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Preventive | |
Automate secure update mechanisms, as necessary. CC ID 14933 | Systems design, build, and implementation | Preventive | |
Design the privacy architecture. CC ID 14671 | Systems design, build, and implementation | Preventive | |
Conduct a design review at each milestone or quality gate. CC ID 01087 [Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle PR.PS-06] | Systems design, build, and implementation | Detective | |
Develop new products based on secure coding techniques. CC ID 11733 [Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle PR.PS-06 {in-house developed application} The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects. PR.PS-06.01] | Systems design, build, and implementation | Preventive | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Deploy applications based on best practices. CC ID 12738 [The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. PR.PS-01.04] | Systems design, build, and implementation | Preventive |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Cyber threat intelligence is received from information sharing forums and sources ID.RA-02] | Leadership and high level objectives | Detective | |
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 [The organization employs deception techniques and technologies (e.g., honeypots) to detect and prevent a potential intrusion in its early stages to support timely containment and recovery. DE.CM-01.06] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain log analysis tools. CC ID 17056 [{timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01] | Monitoring and measurement | Preventive | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Corrective | |
Conduct Red Team exercises, as necessary. CC ID 12131 [The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses. ID.IM-02.01] | Monitoring and measurement | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets. ID.RA-01.03 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its severity and impact; ID.RA-08.02 (3) Vulnerabilities in assets are identified, validated, and recorded ID.RA-01 The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes. ID.RA-05.04] | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: ID.RA-08.02] | Monitoring and measurement | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Analyzing options to respond. ID.RA-08.02 (5)] | Monitoring and measurement | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities. ID.RA-06.05 The organization follows documented procedures, consistent with established risk response processes, for mitigating or accepting the risk of vulnerabilities or weaknesses identified in exercises and testing or when responding to incidents. ID.RA-06.06 The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01 The system development lifecycle remediates known critical vulnerabilities, and critical vulnerabilities discovered during testing, prior to production deployment. PR.PS-06.06 {secure state} Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. RS.MI-02.01] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 [The organization establishes and maintains an exception management process for identified vulnerabilities that cannot be mitigated within target timeframes. ID.RA-07.05] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 [{network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02] | Monitoring and measurement | Preventive | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [{cyberattack} The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Predict and block a similar future attack; and DE.AE-02.01 (2)] | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Internal and external threats to the organization are identified and recorded ID.RA-03 The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Audits and risk management | Preventive | |
Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical security | Preventive | |
Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Preventive | |
Authenticate all systems in a federated identity system. CC ID 13835 [Users, services, and hardware are authenticated PR.AA-03] | Technical security | Preventive | |
Send and receive authentication assertions, as necessary. CC ID 13839 [Identity assertions are protected, conveyed, and verified PR.AA-04] | Technical security | Preventive | |
Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Preventive | |
Validate the issuer in the authentication assertion. CC ID 13878 | Technical security | Detective | |
Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Preventive | |
Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Preventive | |
Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 [Identity assertions are protected, conveyed, and verified PR.AA-04] | Technical security | Preventive | |
Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Preventive | |
Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Preventive | |
Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Preventive | |
Validate each element within the authentication assertion. CC ID 13853 [Identity assertions are protected, conveyed, and verified PR.AA-04 The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical security | Preventive | |
Validate the timestamp in the authentication assertion. CC ID 13875 | Technical security | Detective | |
Validate the digital signature in the authentication assertion. CC ID 13869 | Technical security | Detective | |
Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical security | Detective | |
Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Detective | |
Include the subject in the authentication assertion. CC ID 13852 | Technical security | Preventive | |
Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Preventive | |
Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Preventive | |
Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Preventive | |
Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Preventive | |
Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Preventive | |
Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Preventive | |
Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Preventive | |
Include key binding in the authentication assertion. CC ID 13846 | Technical security | Preventive | |
Include attribute references in the authentication assertion. CC ID 13845 | Technical security | Preventive | |
Include attribute values in the authentication assertion. CC ID 13844 | Technical security | Preventive | |
Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical security | Preventive | |
Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical security | Preventive | |
Define the assertion level for authentication assertions. CC ID 13873 | Technical security | Preventive | |
Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical security | Preventive | |
Authenticate systems referenced in the allowlist. CC ID 13838 | Technical security | Preventive | |
Place nonmembers of allowlists and denylists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical security | Preventive | |
Require runtime decisions regarding authentication for organizations that are excluded from the allowlist. CC ID 13842 | Technical security | Preventive | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
Identify information system users. CC ID 12081 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Identifying affected stakeholders or | Technical security | Detective | |
Establish access rights based on least privilege. CC ID 01411 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05 The organization limits access privileges to the minimum necessary and with consideration of separation of duties (e.g., through role-based access control, asset owner access recertifications, etc.). PR.AA-05.01] | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 [{physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 Decisions to authorize user access to devices and other assets are made with consideration of: Business need for the access; PR.AA-03.02 (1)] | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Review all user privileges, as necessary. CC ID 06784 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA Decisions to authorize user access to devices and other assets are made with consideration of: The type of data being accessed (e.g., customer PII, public data); PR.AA-03.02 (2) Decisions to authorize user access to devices and other assets are made with consideration of: The risk of the transaction (e.g., internal-to-internal, external-to-internal); PR.AA-03.02 (3) Decisions to authorize user access to devices and other assets are made with consideration of: The organization's level of trust for the accessing agent (e.g., external application, internal user); and PR.AA-03.02 (4) Decisions to authorize user access to devices and other assets are made with consideration of: The potential for harm. PR.AA-03.02 (5)] | Technical security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [{authorized user} Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, password strength requirements, automatic revocation of credentials under defined conditions, regular asset owner access review, etc.). PR.AA-01.01] | Technical security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical security | Corrective | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Preventive | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Preventive | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Preventive | |
Identify and control all network access controls. CC ID 00529 [The organization defines and implements controls for securely configuring and operating Operational Technologies, Industrial Control Systems, and Internet-of-Things (IoT) devices (e.g., segregated printer networks, resetting of default passwords, etc.) PR.IR-01.07] | Technical security | Preventive | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Preventive | |
Manage all external network connections. CC ID 11842 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Technical security | Preventive | |
Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical security | Preventive | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Preventive | |
Implement a fault-tolerant architecture. CC ID 01626 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Technical security | Preventive | |
Implement segregation of duties. CC ID 11843 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01 Networks, systems, and external connections are segmented (e.g., using firewalls, software-defined networks, guest wireless networks, etc.) to implement defense-in-depth and access isolation principles. PR.IR-01.01] | Technical security | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Preventive | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 [The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). PR.IR-01.04] | Technical security | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Preventive | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Preventive | |
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 [The organization implements measures to detect and block access to unauthorized, inappropriate, or malicious websites and services (e.g. social media, messaging, file sharing). DE.CM-01.05] | Technical security | Preventive | |
Enforce privileged and non-privileged accounts for system access. CC ID 00558 [The organization institutes controls over privileged system access by strictly limiting and closely managing staff and services with elevated system entitlements (e.g., multi-factor authentication, dual accounts, privilege and time constraints, etc.) PR.AA-05.02] | Technical security | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical security | Preventive | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical security | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [The confidentiality, integrity, and availability of data-in-transit are protected PR.DS-02] | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Preventive | |
Remove data remnants in terminated Virtual Machines. CC ID 12168 | Technical security | Corrective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
Remotely control operational conditions at unmanned facilities. CC ID 11680 | Physical and environmental protection | Preventive | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Corrective | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Human Resources management | Corrective | |
Establish, implement, and maintain cloud management procedures. CC ID 13149 | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Categorize the incident following an incident response. CC ID 13208 [The estimated impact and scope of adverse events are understood DE.AE-04 Incidents are categorized and prioritized RS.MA-03 Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. DE.AE-07.02] | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Establish, implement, and maintain rate limits for connection attempts. CC ID 16986 | Operational management | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Terminate all dependent sessions upon session termination. CC ID 16984 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain container orchestration. CC ID 16350 | System hardening through configuration management | Preventive | |
Use the latest approved version of all assets. CC ID 00897 [Software is maintained, replaced, and removed commensurate with risk PR.PS-02] | System hardening through configuration management | Preventive | |
Refrain from using assertion lifetimes to limit each session. CC ID 13871 | System hardening through configuration management | Preventive | |
Establish access requirements for SNMP community strings. CC ID 16357 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Preventive | |
Review the ownership of service accounts, as necessary. CC ID 13863 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | System hardening through configuration management | Detective | |
Manage access credentials for service accounts. CC ID 13862 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | System hardening through configuration management | Preventive | |
Restrict logons by specified source addresses. CC ID 16394 | System hardening through configuration management | Preventive | |
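The two mandates on connection-attempt rate limits (CC ID 16986) and on restricting logons and remote administration to specified source addresses (CC IDs 16394 and 16393) are usually enforced by the same admission check in front of the authentication step. The following is an added worked example written for this report; it is not code from the CRI Profile or from the UCF. The allowed networks, the three-attempts-per-minute threshold, the five-minute lockout and the event trace are all constructed values chosen for illustration.

```python
import ipaddress
from collections import deque


class LoginGate:
    """Admission control for logon/connection attempts: source allowlist first,
    then a per-source sliding window with lockout once the window is exhausted."""

    def __init__(self, allowed_networks, max_attempts=3, window_seconds=60, lockout_seconds=300):
        # ipaddress handles both IPv4 and IPv6 networks, so one gate covers both
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.attempts = {}      # source -> deque of attempt timestamps inside the window
        self.locked_until = {}  # source -> time at which the lockout expires

    def source_permitted(self, source):
        addr = ipaddress.ip_address(source)
        return any(addr in net for net in self.allowed)

    def check(self, now, source):
        """Decide one attempt at time `now` (seconds). Returns 'allow' or a deny reason."""
        if not self.source_permitted(source):
            return "deny-source"                       # CC ID 16394 / 16393: not an approved origin
        if self.locked_until.get(source, 0) > now:
            return "deny-locked"                       # still inside a lockout period
        window = self.attempts.setdefault(source, deque())
        while window and now - window[0] >= self.window:
            window.popleft()                           # expire attempts older than the window
        if len(window) >= self.max_attempts:
            self.locked_until[source] = now + self.lockout  # CC ID 16986: rate limit exceeded
            return "deny-rate"
        window.append(now)
        return "allow"


def run_trace(events, allowed_networks=("10.0.0.0/8", "192.0.2.0/24")):
    """Replay (timestamp, source) events through a fresh gate; return the decisions."""
    gate = LoginGate(allowed_networks)
    return [gate.check(t, src) for t, src in events]


# Constructed trace (hypothetical addresses): one source outside the admin networks,
# one exhausting its window from inside, then the same source after the lockout expires.
SAMPLE_EVENTS = [
    (0, "203.0.113.5"),
    (0, "10.1.1.1"), (1, "10.1.1.1"), (2, "10.1.1.1"),
    (3, "10.1.1.1"), (4, "10.1.1.1"),
    (304, "10.1.1.1"),
    (305, "192.0.2.10"),
]

if __name__ == "__main__":
    for (t, src), decision in zip(SAMPLE_EVENTS, run_trace(SAMPLE_EVENTS)):
        print(t, src, decision)
```

The source check runs before any counter is touched, so traffic from outside the approved ranges never consumes window state and cannot be used to lock out a legitimate administrator's address. Denied attempts during a lockout are not appended to the window; once the lockout expires the source starts with a clean window again.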
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
Disallow personal data in authenticators. CC ID 13864 | System hardening through configuration management | Preventive | |
Protect authenticators or authentication factors from unauthorized modification and disclosure. CC ID 15317 | System hardening through configuration management | Preventive | |
Implement safeguards to protect authenticators from unauthorized access. CC ID 15310 | System hardening through configuration management | Preventive | |
Configure each system's security alerts to organizational standards. CC ID 12113 | System hardening through configuration management | Preventive | |
Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Preventive | |
Remove unnecessary accounts. CC ID 16476 | System hardening through configuration management | Corrective | |
Refrain from accepting routes from unauthorized parties. CC ID 16397 | System hardening through configuration management | Preventive | |
Support source port randomization in the transport protocol implementation. CC ID 16942 | System hardening through configuration management | Preventive | |
Keep current the time synchronization technology. CC ID 12548 | System hardening through configuration management | Preventive | |
Require packet filtering and rate limiting for arriving packets based on IPv6 Extension Headers. CC ID 16988 | System hardening through configuration management | Preventive | |
Drop packets that do not meet the recommended requirements for extension header order and repetition. CC ID 16943 | System hardening through configuration management | Preventive | |
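The "recommended requirements for extension header order and repetition" referenced by CC IDs 16988 and 16943 are those of RFC 8200 section 4.1: Hop-by-Hop Options immediately after the IPv6 header, then Destination Options, Routing, Fragment, Authentication, ESP and a second Destination Options, with each header appearing at most once except Destination Options, which may appear twice. The following is an added worked example written for this report, not code from the CRI Profile or the UCF; it walks a packet's header chain and returns a drop decision. The packets it checks are constructed in the block itself, not captured traffic.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers handled here.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}

# Recommended order from RFC 8200 section 4.1. Destination Options may appear
# twice (before Routing and before the upper-layer header); every other
# extension header should appear at most once.
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]


def parse_chain(packet):
    """Walk the extension header chain; return (list of header numbers, upper-layer protocol)."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXTENSION_HEADERS:
        chain.append(next_header)
        if next_header == ESP:
            return chain, ESP  # everything after ESP is opaque, the visible chain ends here
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, hdr_ext_len = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            length = 8                       # fixed size, second byte is reserved
        elif next_header == AH:
            length = (hdr_ext_len + 2) * 4   # AH length is in 4-octet units minus 2
        else:
            length = (hdr_ext_len + 1) * 8   # options/routing: 8-octet units not counting the first 8
        offset += length
        if offset > len(packet):
            raise ValueError("extension header length exceeds packet")
        next_header = nh
    return chain, next_header


def chain_violations(chain):
    """Return the order/repetition problems in a parsed chain (empty list means compliant)."""
    problems = []
    for h in set(chain):
        limit = 2 if h == DEST_OPTS else 1
        if chain.count(h) > limit:
            problems.append("header %d repeated %d times" % (h, chain.count(h)))
    if HOP_BY_HOP in chain and chain[0] != HOP_BY_HOP:
        problems.append("Hop-by-Hop Options not immediately after the IPv6 header")
    pos = 0  # the chain must be a subsequence of RECOMMENDED_ORDER
    for h in chain:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != h:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            problems.append("header %d out of recommended order" % h)
            break
        pos += 1
    return problems


def accept_packet(packet):
    """Filtering decision: (accept?, reasons). Malformed chains are dropped as well."""
    try:
        chain, _ = parse_chain(packet)
    except ValueError as exc:
        return False, [str(exc)]
    problems = chain_violations(chain)
    return not problems, problems


def build_packet(chain, upper_layer=6):
    """Construct a minimal IPv6 packet carrying the given chain (test input, not a captured packet)."""
    body = b""
    next_headers = list(chain) + [upper_layer]
    for i, h in enumerate(chain):
        nh = next_headers[i + 1]
        if h == FRAGMENT:
            body += struct.pack("!BBHI", nh, 0, 0, 0)
        elif h == AH:
            body += bytes([nh, 2]) + b"\x00" * 14      # hdr_ext_len=2 -> 16 bytes
        elif h == ESP:
            body += b"\x00" * 8                         # SPI + sequence number, rest opaque
        else:
            body += bytes([nh, 0]) + b"\x00" * 6        # hdr_ext_len=0 -> 8 bytes of padding options
    first = chain[0] if chain else upper_layer
    ipv6 = struct.pack("!IHBB", 0x60000000, len(body), first, 64) + b"\x00" * 32
    return ipv6 + body


if __name__ == "__main__":
    for chain in ([HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, DEST_OPTS],
                  [ROUTING, HOP_BY_HOP], [DEST_OPTS] * 3, [FRAGMENT, ROUTING]):
        print(chain, accept_packet(build_packet(chain)))
```

Two points a filter implementer should carry over: the chain cannot be followed past ESP, so anything encrypted after it is invisible to this check, and a header whose declared length runs past the end of the packet is treated as malformed and dropped rather than partially parsed.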
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 [The confidentiality, integrity, and availability of data-at-rest are protected PR.DS-01] | Records management | Preventive | |
Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Systems design, build, and implementation | Preventive | |
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Preventive | |
Protect source code in accordance with organizational requirements. CC ID 16855 | Systems design, build, and implementation | Preventive | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Preventive | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
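CC IDs 11829 and 12307 are most often verified by scanning the source tree for embedded authenticators and key material and by replacing any findings with a runtime lookup. The following is an added worked example written for this report, not code from the CRI Profile or the UCF. It combines three detection signals (credential-like variable names assigned a string literal, a provider-specific key identifier format, and high-entropy literals) and shows the hardened alternative of loading the secret from the process environment. The regular expressions, the entropy threshold of 3.5 bits per character and the sample file are all assumptions chosen for illustration; the AWS key ID in the sample is the placeholder from AWS documentation, not a real credential.

```python
import math
import os
import re

# Assignment of a quoted literal to a credential-like name, e.g. DB_PASSWORD = "..."
KEYWORD_ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|secret|api[_-]?key|token|private[_-]?key|signing[_-]?key)\w*'
    r'\s*[=:]\s*["\']([^"\']{4,})["\']')
# Provider-specific identifier format (AWS access key ID prefix), matched anywhere in the line.
AWS_ACCESS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# Quoted literal that looks like key material: 20+ base64/hex-ish characters.
OPAQUE_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=_-]{20,})["\']')
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cutoff); prose and identifiers sit below it


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Map line number -> reasons for every line that appears to embed an authenticator or key."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = []
        if KEYWORD_ASSIGNMENT.search(line):
            reasons.append("credential-like name assigned a string literal")
        if AWS_ACCESS_KEY_ID.search(line):
            reasons.append("AWS access key ID format")
        for literal in OPAQUE_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                reasons.append("high-entropy literal (%.2f bits/char)" % shannon_entropy(literal))
        if reasons:
            findings[lineno] = reasons
    return findings


def load_secret(name, env=None):
    """Hardened pattern: read the authenticator from the runtime environment (populated by a
    secrets manager or deployment tooling), never from the source tree; fail closed if absent."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError("secret %s is not provisioned" % name)
    return value


# Constructed sample file. Lines 2-4 embed secrets; line 6 is the hardened form.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2-Prod!2024"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
signing_key = "n8Qz2VbY7kLp0RtWmX4sJ1eHcG9uA3dF"
TIMEOUT = "30"
db_password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for lineno, reasons in sorted(scan_source(SAMPLE_SOURCE).items()):
        print(lineno, "; ".join(reasons))
```

The keyword signal catches the readable password on line 2 that entropy alone would miss, while the entropy signal catches the signing key on line 4 even if it had been assigned to an innocuous name; line 6 is not reported because the value is resolved at runtime rather than written into the file. A scan like this belongs in pre-commit hooks and the CI pipeline, with findings treated as credentials to rotate, not merely lines to delete.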
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection. PR.IR-04.01] | Acquisition or sale of facilities, technology, and services | Preventive | |
Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 | Acquisition or sale of facilities, technology, and services | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [{data classification policy} {data protection policy} Data-in-use is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, visual shielding, memory integrity monitoring, etc.) PR.DS-10.01] | Privacy protection for information and data | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Detective | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Monitoring and measurement | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Monitoring and measurement | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Monitoring and measurement | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 [The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses. ID.IM-02.01] | Monitoring and measurement | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
Document and maintain test results. CC ID 17028 | Monitoring and measurement | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the effectiveness of in scope controls. CC ID 06984 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 {business continuity} {design effectiveness} Technology, cybersecurity, and resilience controls are regularly assessed and/or tested for design and operating effectiveness. ID.IM-01.01 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02 The independent audit function updates its procedures and audit plans to adjust to the evolving technology and cybersecurity environment GV.AU-02] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01] | Audits and risk management | Preventive | |
Employ unique identifiers. CC ID 01273 [The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical security | Detective | |
Test locks for physical security vulnerabilities. CC ID 04880 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Detective | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Detective | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04] | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 [The integrity of backups and other restoration assets is verified before using them for restoration RC.RP-03 Restoration steps include the verification of backups, data replications, system images, and other restoration assets prior to continued use. RC.RP-03.01 Restoration steps include the verification of data integrity, transaction positions, system functionality, and the operation of security controls by appropriate organizational stakeholders and system owners. RC.RP-04.01 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Detective | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backups of data are created, protected, maintained, and tested PR.DS-11 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Detective | |
Test each restored system for media integrity and information integrity. CC ID 01920 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05] | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Operational and Systems Continuity | Detective | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 [Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. EX.CN-02.04] | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02] | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 [The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results. ID.IM-02.07] | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Operational and Systems Continuity | Detective | |
Review all third party's continuity plan test results. CC ID 01365 [A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02] | Operational and Systems Continuity | Detective | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Operational and Systems Continuity | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Technology and cybersecurity risk management frameworks provide for segregation of duties between policy development, implementation, and oversight. GV.RR-02.07] | Human Resources management | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Available incident information is assessed to determine the extent of impact to the organization and its stakeholders, the potential near- and long-term financial implications, and whether or not the incident constitutes a material event. RS.AN-08.01 Analysis is performed to establish what has taken place during an incident and the root cause of the incident RS.AN-03] | Operational management | Corrective | |
Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 [The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01] | Operational management | Corrective | |
Test the incident response procedures. CC ID 01216 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 {incident communication protocol} The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident. RS.CO-02.03] | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 [The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints. PR.PS-05.01] | System hardening through configuration management | Detective | |
Configure security and protection software to check e-mail messages. CC ID 00578 [The organization has policies, procedures, and tools in place to detect, isolate, and block the use of attached malware or malicious links present in email or message services. PR.PS-05.03] | System hardening through configuration management | Preventive | |
Analyze current technology investment factors that could affect implementing the system design project. CC ID 01050 | Systems design, build, and implementation | Preventive | |
Perform a risk assessment for each system development project. CC ID 01000 [The risks of technology assimilation and implementations are managed GV.RM-08 Technology and cybersecurity risk management frameworks are applied to all technology projects and procurements to ensure that security requirements (e.g., data confidentiality, access control, event logging, etc.) are addressed consistently from project onset. GV.RM-08.02] | Systems design, build, and implementation | Detective | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Preventive | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [End-user developed solutions, to include models used to support critical business processes and decisions, are formally identified and managed in alignment with their criticality and risk. PR.PS-06.09] | Systems design, build, and implementation | Detective | |
Restrict production data from being used in the test environment. CC ID 01103 [{production environment} The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets. PR.IR-01.06] | Systems design, build, and implementation | Detective | |
Perform Quality Management on all newly developed or modified software. CC ID 11798 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Systems design, build, and implementation | Detective | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 [The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Acquisition or sale of facilities, technology, and services | Detective | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location. ID.AM-08.06] | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04 {security control} The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected. EX.MM-02.01 The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05 The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01 Expected cybersecurity practices for critical third parties that meet the risk management objectives of the organization are identified, documented, and agreed EX.CN-02] | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03 The organization regularly assesses the risk of its ongoing use of third parties in aggregate, considering factors such as critical service dependencies, vendor concentration, geographical/geopolitical exposure, fourth-party impacts, and financial sector co-dependencies. GV.SC-01.02 The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization. EX.MM-01.01 {technology capabilities} The organization assesses the risks and suitability of the technology and cybersecurity capabilities and risk management practices of prospective third parties EX.DD-03 The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. EX.DD-02.01] | Third Party and supply chain oversight | Detective | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01] | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Operational and Systems Continuity | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Preventive | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Preventive | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 [The organization integrates insider threat considerations into its human resource, risk management, and control programs to address the potential for malicious or unintentional harm by trusted employees or third parties. GV.RR-04.03] | Human Resources management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 [Personnel (employees and third parties) who fulfill the organization's physical security and cybersecurity objectives understand their roles and responsibilities. GV.RR-02.05] | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include data management in the security awareness program. CC ID 17010 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [Cybersecurity awareness training is updated on a regular basis to reflect risks and threats identified by the organization, the organization's security policies and standards, applicable laws and regulations, and changes in individual responsibilities. PR.AT-01.03 {inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Evaluate and manage cyber risks; PR.AT-02.07 (1) The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks PR.AT The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. GV.PO-01.03 Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 [{IT architecture} The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs. GV.RM-08.05] | Leadership and high level objectives | Business Processes | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Communicate | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Technical Security | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
Perform vulnerability assessments, as necessary. CC ID 11828 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: ID.RA-08.02] | Monitoring and measurement | Technical Security | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Analyzing options to respond. ID.RA-08.02 (5)] | Monitoring and measurement | Technical Security | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
Correct or mitigate vulnerabilities. CC ID 12497 [The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities. ID.RA-06.05 The organization follows documented procedures, consistent with established risk response processes, for mitigating or accepting the risk of vulnerabilities or weaknesses identified in exercises and testing or when responding to incidents. ID.RA-06.06 The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01 The system development lifecycle remediates known critical vulnerabilities, and critical vulnerabilities discovered during testing, prior to production deployment. PR.PS-06.06 {secure state} Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. RS.MI-02.01] | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 [The organization establishes and maintains an exception management process for identified vulnerabilities that cannot be mitigated within target timeframes. ID.RA-07.05] | Monitoring and measurement | Technical Security | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. GV.OV-01.02 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Monitoring and measurement | Actionable Reports or Measurements | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [The independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. GV.AU-03.02 The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03 The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
Implement out-of-band authentication, as necessary. CC ID 10606 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical security | Technical Security | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
Revoke membership in the allowlist, as necessary. CC ID 13827 | Technical security | Establish/Maintain Documentation | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
Deactivate user credentials upon agreement termination. CC ID 12177 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Technical security | Configuration | |
Remove data remnants in terminated Virtual Machines. CC ID 12168 | Technical security | Technical Security | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Communicate | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
Restore systems and environments to be operational. CC ID 13476 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05 Assets and operations affected by an adverse incident are restored RC Restoration activities are performed to ensure operational availability of systems and services affected by adverse incidents RC.RP Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. RC.RP-05.02 {secure state} Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. RS.MI-02.01] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Configuration | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Technical Security | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Human Resources management | Technical Security | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Data and Information Management | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Human Resources Management | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02 Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and are communicated and enforced GV.PO-01] | Human Resources management | Behavior | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [An incident's magnitude is estimated and validated RS.AN-08 The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Assess and understand the nature, scope and method of the attack; DE.AE-02.01 (1)] | Operational management | Monitor and Evaluate Occurrences | |
Escalate incidents, as necessary. CC ID 14861 [Incidents are categorized and prioritized RS.MA-03 Incidents are escalated or elevated as needed RS.MA-04] | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [Relevant suppliers and other third parties are included in incident planning, response, and recovery activities GV.SC-08 The incident response plan is executed in coordination with relevant third parties once an incident is declared RS.MA-01 Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies RS.CO The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01 {incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01 The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. RC.RP-02.01] | Operational management | Process or Activity | |
Contain the incident to prevent further loss. CC ID 01751 [Activities are performed to prevent expansion of an event and mitigate its effects RS.MI Incidents are contained RS.MI-01 The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01] | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Available incident information is assessed to determine the extent of impact to the organization and its stakeholders, the potential near- and long-term financial implications, and whether or not the incident constitutes a material event. RS.AN-08.01 Analysis is performed to establish what has taken place during an incident and the root cause of the incident RS.AN-03] | Operational management | Testing | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Information on adverse events is provided to authorized staff and tools DE.AE-06 Internal and external stakeholders are notified of incidents RS.CO-02 {incident information} Information is shared with designated internal and external stakeholders RS.CO-03 In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants. RS.CO-03.02] | Operational management | Data and Information Management | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [Pre-established communication plans and message templates, and authorized protocols, contacts, media, and communications, are used to notify and inform the public and key external stakeholders about an incident. RC.CO-04.01] | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05 The organization maintains documented procedures for sanitizing, testing, authorizing, and returning systems to service following an incident or investigation. RC.RP-05.01] | Operational management | Establish/Maintain Documentation | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 [The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01] | Operational management | Testing | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [In the event of an incident, the organization notifies impacted stakeholders including, as required, government bodies, self-regulatory agencies and/or other supervisory bodies, within required timeframes. RS.CO-02.02] | Operational management | Communicate | |
Conduct forensic investigations in the event of a security compromise. CC ID 11951 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Operational management | Investigate | |
Collect evidence from the incident scene. CC ID 02236 [Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Operational management | Business Processes | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Business Processes | |
Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 | System hardening through configuration management | Configuration | |
Remove unnecessary accounts. CC ID 16476 | System hardening through configuration management | Technical Security | |
Change default usernames, as necessary. CC ID 14661 | System hardening through configuration management | Configuration | |
Reset wireless access points, as necessary. CC ID 14317 | System hardening through configuration management | Process or Activity | |
Configure payment applications to become disabled when suspicious activity is detected. CC ID 12221 | System hardening through configuration management | Configuration | |
Review and update the security architecture, as necessary. CC ID 14277 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Review and update the acquisition contracts, as necessary. CC ID 14279 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Establish/Maintain Documentation | |
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Establish/Maintain Documentation | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
Terminate supplier relationships, as necessary. CC ID 13489 [Relationship terminations and the return or destruction of assets are performed in a controlled and safe manner EX.TR-02 Relationship termination is anticipated, planned for, and executed safely EX.TR] | Third Party and supply chain oversight | Business Processes | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 [{incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03] | Leadership and high level objectives | Process or Activity | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Cyber threat intelligence is received from information sharing forums and sources ID.RA-02] | Leadership and high level objectives | Technical Security | |
Analyze organizational policies, as necessary. CC ID 14037 [{technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Personnel activity and technology usage are monitored to find potentially adverse events DE.CM-03 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for errors and faults. CC ID 04544 [Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned. ID.IM-03.02 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Log Management | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03 The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events DE.CM The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03 {unauthorized hardware} The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes. DE.CM-09.03] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for Denial of Service attacks. CC ID 01222 [The organization implements mechanisms, such as alerting and filtering of sudden high volumes and suspicious incoming traffic, to detect and mitigate Denial of Service, "bot", and credential stuffing attacks. DE.CM-01.02] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03 {refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02 Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection. PR.IR-04.01] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Log Management | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03 The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01 {timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01] | Monitoring and measurement | Log Management | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 [Log records are generated and made available for continuous monitoring PR.PS-04] | Monitoring and measurement | Log Management | |
Monitor and evaluate system performance. CC ID 00651 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01 {timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01 {privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Investigate | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Investigate | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Investigate | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
Implement file integrity monitoring. CC ID 01205 [The organization uses integrity checking mechanisms to verify software, firmware and information integrity and provenance (e.g., checksums, Software Bill of Materials, etc.) DE.CM-09.01 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor and evaluate user account activity. CC ID 07066 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 {privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
Monitor and evaluate environmental threats. CC ID 13481 [{high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Validate all testing assumptions in the test plans. CC ID 00663 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Testing | |
Conduct Red Team exercises, as necessary. CC ID 12131 [The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses. ID.IM-02.01] | Monitoring and measurement | Technical Security | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Testing | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Process or Activity | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
Perform penetration tests, as necessary. CC ID 00655 [The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses. ID.IM-02.01] | Monitoring and measurement | Testing | |
Perform vulnerability scans, as necessary. CC ID 11637 [The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets. ID.RA-01.03 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
Identify and document security vulnerabilities. CC ID 11857 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its severity and impact; ID.RA-08.02 (3) Vulnerabilities in assets are identified, validated, and recorded ID.RA-01 The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes. ID.RA-05.04] | Monitoring and measurement | Technical Security | |
Rank discovered vulnerabilities. CC ID 11940 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its severity and impact; ID.RA-08.02 (2) Vulnerabilities in assets are identified, validated, and recorded ID.RA-01] | Monitoring and measurement | Investigate | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Personnel activity and technology usage are monitored to find potentially adverse events DE.CM-03] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [The independent risk management function reports on the implementation of the technology and cybersecurity risk management frameworks to the governing authority (e.g., the Board or one of its committees) GV.IR-03 The independent risk management function reports to the governing authority (e.g., the Board or one of its committees) and to the designated risk management officer within the organization on the implementation of the technology and cybersecurity risk management frameworks throughout the organization and its independent assessment of risk posture. GV.IR-03.01] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 [{business continuity program} Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees). GV.OV-03.02] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities. ID.RA-06.05 The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 [The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified. PR.PS-01.03] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Evaluate cyber threat intelligence. CC ID 12747 [{adverse events} Cyber threat intelligence and other contextual information are integrated into the analysis DE.AE-07 The organization solicits and considers threat intelligence received from the organization's stakeholders, service and utility providers, and other industry and security organizations. ID.RA-03.02] | Monitoring and measurement | Process or Activity | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 [The governing authority (e.g., the Board or one of its committees) regularly reviews and evaluates the organization's ability to manage its technology, cybersecurity, third-party, and resilience risks. GV.OV-01.01 {risk tolerance} The independent risk management function provides assurance that the technology and cybersecurity risk management frameworks have been implemented according to policy and are consistent with the organization's risk appetite and tolerance GV.IR-01 {be consistent} The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. GV.IR-01.01] | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Determine the effectiveness of in scope controls. CC ID 06984 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 {business continuity} {design effectiveness} Technology, cybersecurity, and resilience controls are regularly assessed and/or tested for design and operating effectiveness. ID.IM-01.01 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Audits and risk management | Testing | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02 The independent audit function updates its procedures and audit plans to adjust to the evolving technology and cybersecurity environment GV.AU-02] | Audits and risk management | Testing | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02] | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 [The organization regularly reviews and updates its threat analysis methodology, threat information sources, and supporting tools. ID.RA-03.04] | Audits and risk management | Establish/Maintain Documentation | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01 The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. GV.OV-02.01] | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes. ID.RA-05.04 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The organization identifies, assesses, and documents the key dependencies, interdependencies, and potential points of failure to support the delivery of critical services (e.g., systems, business processes, workforce, third parties, facilities, etc.) GV.OC-05.01 The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. GV.OV-02.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03 The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning. GV.OC-04.02] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04 The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01] | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02 Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded ID.RA-04] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 [Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Audits and risk management | Actionable Reports or Measurements | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02 The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Review connection requirements for all systems. CC ID 06411 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02] | Technical security | Establish/Maintain Documentation | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Process or Activity | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Process or Activity | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Process or Activity | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Process or Activity | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Process or Activity | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Process or Activity | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Process or Activity | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Business Processes | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Process or Activity | |
Verify proof of identity records. CC ID 13761 | Technical security | Investigate | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Process or Activity | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Process or Activity | |
Validate the issuer in the authentication assertion. CC ID 13878 | Technical security | Technical Security | |
Validate the timestamp in the authentication assertion. CC ID 13875 | Technical security | Technical Security | |
Validate the digital signature in the authentication assertion. CC ID 13869 | Technical security | Technical Security | |
Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical security | Technical Security | |
Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Technical Security | |
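The five rows above (CC ID 13878, 13875, 13869, 13867 and 13866) list the checks a relying party must perform on an authentication assertion: issuer, timestamp, signature and audience restriction. The block below is an added example and is not code from the CRI Profile, the UCF or any identity product. It validates a compact HS256-signed assertion (JWT-style) using only the Python standard library; the shared key, issuer and audience values are constructed for the example. The same four checks apply to a SAML assertion with an XML signature, but the compact form keeps the example self-contained. The order matters: the algorithm is pinned and the signature is verified before any claim is trusted, so a forged `alg: none` header or a tampered payload is rejected without ever reaching the issuer or audience logic.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (assumptions, not from the CRI Profile)
SHARED_KEY = b"example-shared-secret-do-not-use-in-production"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "https://app.example.test"
MAX_CLOCK_SKEW = 60  # seconds of tolerance between issuer and relying-party clocks


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issue an HS256-signed assertion; used here only to build sample inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_assertion(token: str, now=None, key: bytes = SHARED_KEY,
                       issuer: str = EXPECTED_ISSUER, audience: str = EXPECTED_AUDIENCE) -> list:
    """Return the list of validation failures; an empty list means the assertion is accepted."""
    now = time.time() if now is None else now
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return ["malformed: undecodable segment"]

    # Signature: the relying party pins the algorithm; the header's choice is never honoured,
    # which is what defeats "alg": "none" and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        problems.append(f"signature: unsupported alg {header.get('alg')!r}")
    else:
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented_sig):  # constant-time comparison
            problems.append("signature: HMAC mismatch")

    # Issuer: must be exactly the configured trusted issuer
    if claims.get("iss") != issuer:
        problems.append(f"issuer: {claims.get('iss')!r} is not the trusted issuer")

    # Audience restriction: aud may be a string or a list; this relying party must appear in it
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        problems.append("audience: this relying party is not in aud")

    # Timestamps: exp is mandatory; nbf and iat are checked when present, all with bounded skew
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("timestamp: exp missing")
    elif now > exp + MAX_CLOCK_SKEW:
        problems.append("timestamp: assertion expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + MAX_CLOCK_SKEW < nbf:
        problems.append("timestamp: assertion not yet valid")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + MAX_CLOCK_SKEW:
        problems.append("timestamp: iat is in the future")
    return problems
```

`validate_assertion` returns every failure rather than the first one, which is what an audit trail wants: a token that is both expired and addressed to another audience is logged as both. For an RS256 or SAML deployment the HMAC branch becomes a public-key signature check against a pinned issuer certificate; the issuer, audience and time checks are unchanged.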
Identify information system users. CC ID 12081 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Identifying affected stakeholders or | Technical security | Technical Security | |
Match user accounts to authorized parties. CC ID 12126 [Identities are proofed and bound to credentials based on the context of interactions PR.AA-02] | Technical security | Configuration | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
Employ unique identifiers. CC ID 01273 [The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical security | Testing | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Process or Activity | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Process or Activity | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Establish/Maintain Documentation | |
Configure network access and control points to organizational standards. CC ID 12442 [{not be authorized} Networks and environments are protected from unauthorized logical access and usage PR.IR-01] | Technical security | Configuration | |
Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Audits and Risk Management | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
Test locks for physical security vulnerabilities. CC ID 04880 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Testing | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The physical environment is monitored to find potentially adverse events DE.CM-02 {high risk system} The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations. DE.CM-02.01] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Testing | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Investigate | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Investigate | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Testing | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 [{business continuity strategy} The organization's resilience strategy, plans, tests, and exercises incorporate its external dependencies and critical business partners. GV.SC-08.01] | Operational and Systems Continuity | Systems Continuity | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{business continuity strategy} The organization's business continuity and resilience strategy and program align with and support the overall enterprise risk management framework. GV.RM-03.02] | Operational and Systems Continuity | Systems Continuity | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04] | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 [The integrity of backups and other restoration assets is verified before using them for restoration RC.RP-03 Restoration steps include the verification of backups, data replications, system images, and other restoration assets prior to continued use. RC.RP-03.01 Restoration steps include the verification of data integrity, transaction positions, system functionality, and the operation of security controls by appropriate organizational stakeholders and system owners. RC.RP-04.01 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Systems Continuity | |
Define and prioritize critical business functions. CC ID 00736 [Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated GV.OC-04 {critical function} {post incident activity} Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms RC.RP-04 The organization prioritizes the resilience design, planning, testing, and monitoring of systems and other key internal and external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. GV.OC-04.04] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [The organization's hardware, software, and data assets are prioritized for protection based on their sensitivity, criticality, vulnerability, business value, and dependency role in the delivery of critical services. ID.AM-05.02] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backups of data are created, protected, maintained, and tested PR.DS-11 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Testing | |
Test each restored system for media integrity and information integrity. CC ID 01920 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05] | Operational and Systems Continuity | Testing | |
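The rows for CC ID 13303, 01401 and 01920 (RC.RP-03, PR.DS-11.01 and RC.RP-05) all require that backup integrity be verified before a backup is trusted for restoration and that each restored system be checked afterwards. The block below is an added example, not code from the CRI Profile or the UCF, showing one way to do that: a SHA-256 manifest built at backup time and authenticated with an HMAC whose key is held apart from the backup store (an assumption; the key, file names and contents are constructed for the example). The caveat the manifest MAC addresses is that an attacker who can alter the backup can usually rewrite a plain hash list stored next to it, so an unauthenticated manifest proves nothing.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed for the example: in practice this key lives outside the backup repository
MANIFEST_KEY = b"constructed-manifest-signing-key"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _manifest_mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_root: Path, key: bytes = MANIFEST_KEY) -> dict:
    """Record hash and size of every file in the backup set, then authenticate the record."""
    files = {p.relative_to(backup_root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
             for p in sorted(backup_root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _manifest_mac(files, key)}


def verify_backup(backup_root: Path, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Check the manifest MAC first; then classify every file as ok, corrupt, missing or unexpected."""
    if not hmac.compare_digest(_manifest_mac(manifest["files"], key), manifest.get("mac", "")):
        return {"manifest": "tampered"}  # nothing below can be trusted without an authentic manifest
    result = {}
    for rel, meta in manifest["files"].items():
        path = backup_root / rel
        if not path.is_file():
            result[rel] = "missing"
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            result[rel] = "corrupt"
        else:
            result[rel] = "ok"
    # Files on disk that the manifest never recorded are flagged too: a restore must not carry them over
    for path in backup_root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            if rel not in result:
                result[rel] = "unexpected"
    return result


def demo() -> dict:
    """Build a small constructed backup set, verify it, damage it, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate bit-rot or tampering, a lost file, and a planted file
        (root / "config.yaml").write_bytes(b"retention_days: 0\n")
        (root / "db" / "customers.sql").unlink()
        (root / "db" / "extra.bin").write_bytes(b"\x00")
        damaged = verify_backup(root, manifest)

        # Simulate an attacker regenerating the hash list without holding the manifest key
        forged = {"files": build_manifest(root)["files"], "mac": manifest["mac"]}
        return {"clean": clean, "damaged": damaged, "forged": verify_backup(root, forged)}
```

Running `demo()` reports every file as `ok` for the untouched set, then `corrupt`, `missing` and `unexpected` after the damage, and `tampered` for the regenerated manifest. The same `verify_backup` call run against a restored system, with the manifest taken from the backup job rather than from the restored host, is the post-restoration integrity check RC.RP-05 asks for.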
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Business Processes | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 [The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results. ID.IM-02.07] | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [{business continuity strategy} The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required. ID.IM-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Operational and Systems Continuity | Testing | |
Review all third party's continuity plan test results. CC ID 01365 [A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02] | Operational and Systems Continuity | Testing | |
Analyze workforce management. CC ID 12844 [The organization regularly assesses its skill and resource level requirements against its current personnel complement to determine gaps in resource need. GV.RR-03.02 The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Human Resources management | Human Resources Management | |
Identify root causes of staffing shortages, if any exist. CC ID 13276 | Human Resources management | Human Resources Management | |
Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 | Human Resources management | Human Resources Management | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 [{background check} The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems. GV.RR-04.01] | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Monitor and Evaluate Occurrences | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Human Resources Management | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [Technology and cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated GV.RR Roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-02 Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02] | Human Resources management | Establish Roles | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Technology and cybersecurity risk management frameworks provide for segregation of duties between policy development, implementation, and oversight. GV.RR-02.07] | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Follow the resource workload schedule. CC ID 00941 | Operational management | Business Processes | |
Document the organization's business processes. CC ID 13035 [The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning. GV.OC-04.02] | Operational management | Establish/Maintain Documentation | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Communicate | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Behavior | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 | Operational management | Process or Activity | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
Identify root causes of incidents that force system changes. CC ID 13482 [Analysis is performed to establish what has taken place during an incident and the root cause of the incident RS.AN-03] | Operational management | Investigate | |
Respond to and triage when an incident is detected. CC ID 06942 [Incident reports are triaged and validated RS.MA-02 The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems and services to the enterprise. RS.MA-03.01 Actions regarding detected adverse incidents are taken RS The organization has a documented process to analyze and triage incidents to assess root cause, technical impact, mitigation priority, and business impact on the organization, as well as across the financial sector and other third party stakeholders. DE.AE-04.01] | Operational management | Monitor and Evaluate Occurrences | |
Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
Conduct incident investigations, as necessary. CC ID 13826 [{be effective} Investigations are conducted to ensure effective response and support forensics and recovery activities RS.AN The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01 The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01] | Operational management | Process or Activity | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
Analyze and respond to security alerts. CC ID 12504 [Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents DE.AE Potentially adverse events are analyzed to better understand associated activities DE.AE-02] | Operational management | Business Processes | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06 Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Operational management | Investigate | |
Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 [The organization pre-identifies, pre-qualifies, and retains third party incident management support and forensic service firms, as required, that can be called upon to quickly assist with incident response, investigation, and recovery. ID.IM-04.07] | Operational management | Communicate | |
Prepare digital forensic equipment. CC ID 08688 | Operational management | Investigate | |
Secure devices containing digital forensic evidence. CC ID 08681 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01] | Operational management | Investigate | |
Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06 Incident data and metadata are collected, and their integrity and provenance are preserved RS.AN-07] | Operational management | Investigate | |
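A write blocker keeps the original media from changing; the integrity and provenance requirements cited above (RS.AN-06, RS.AN-07) also need a record proving that the working copy still matches what was collected. The following is an editor-added example, not code from the CRI Profile or the UCF mapping: a POSIX shell routine that records a SHA-256 digest, a UTC timestamp and the collector's name for each evidence item, and re-verifies the record before analysis. The evidence file, the manifest layout and the collector name are constructed assumptions; sha256sum (GNU coreutils) or shasum (BSD/macOS) is assumed to be installed.

```shell
#!/bin/sh
# Editor-added example (not from the CRI Profile or UCF): preserve the integrity
# and provenance of collected incident data by hashing every evidence item into
# a manifest at collection time and verifying that manifest before analysis.
# The manifest line format (digest, UTC timestamp, collector, path) is an
# assumption; keep the manifest itself on write-once or separately controlled
# storage so it cannot be edited along with the evidence.

# sha256_of FILE: print the hex digest with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_evidence MANIFEST FILE COLLECTOR: append one provenance line:
# <sha256>  <utc-timestamp>  <collector>  <file>   (paths must not contain spaces)
record_evidence() {
    printf '%s  %s  %s  %s\n' "$(sha256_of "$2")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$2" >>"$1"
}

# verify_evidence MANIFEST: print OK/ALTERED per recorded item; return 1 if any
# item no longer matches the digest recorded at collection time.
verify_evidence() {
    status=0
    while read -r digest _ts _who file; do
        if [ "$(sha256_of "$file")" = "$digest" ]; then
            printf 'OK       %s\n' "$file"
        else
            printf 'ALTERED  %s\n' "$file"
            status=1
        fi
    done <"$1"
    return $status
}

# Demonstration on a constructed evidence file. A real collection would hash
# disk images and exported logs taken from the quarantined system.
WORK=$(mktemp -d)
printf 'constructed sample: exported auth.log from host web01\n' >"$WORK/web01-auth.log"
record_evidence "$WORK/manifest.txt" "$WORK/web01-auth.log" analyst1
verify_evidence "$WORK/manifest.txt"
# Simulate tampering with the working copy; verification now reports ALTERED.
printf 'tampered\n' >>"$WORK/web01-auth.log"
verify_evidence "$WORK/manifest.txt" || echo "evidence integrity check failed"
rm -rf "$WORK"
```

The digest alone does not prove who collected the item or when; that is why the manifest carries the timestamp and collector, and why the manifest should be signed or stored where the analysts cannot alter it.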
Test the incident response procedures. CC ID 01216 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 {incident communication protocol} The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident. RS.CO-02.03] | Operational management | Testing | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Configure the "HEALTHCHECK" to organizational standards. CC ID 14511 | System hardening through configuration management | Configuration | |
Configure the "audit-log-maxsize" argument to organizational standards. CC ID 14624 | System hardening through configuration management | Configuration | |
Configure the "audit-log-path" argument to organizational standards. CC ID 14622 | System hardening through configuration management | Configuration | |
Configure the "audit-log-maxbackup" argument to organizational standards. CC ID 14613 | System hardening through configuration management | Configuration | |
Configure the "audit-log-maxage" argument to organizational standards. CC ID 14605 | System hardening through configuration management | Configuration | |
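The four "audit-log-*" arguments above are kube-apiserver flags; the Profile text says only that they must match organizational standards. The following is an editor-added example, not code from the CRI Profile or the UCF mapping: a POSIX shell check that reads those flags from a static pod manifest and reports any that are unset or below an assumed minimum. The manifest excerpt is a constructed sample and the minimums (30 days, 10 backups, 100 MB) are assumed organizational values; a real run would read /etc/kubernetes/manifests/kube-apiserver.yaml on each control plane node.

```shell
#!/bin/sh
# Editor-added example (not from the CRI Profile or UCF): check kube-apiserver
# audit-log flags in a static pod manifest against organizational minimums.

# Constructed sample of the command section of kube-apiserver.yaml, one flag
# per line. maxage is deliberately set below the assumed minimum.
SAMPLE_MANIFEST='    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=7
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100'

# Assumed organizational minimums: retention days, rotated files kept, MB per file.
MIN_MAXAGE=30
MIN_MAXBACKUP=10
MIN_MAXSIZE=100

# flag_value MANIFEST FLAG: print the value of "- --FLAG=VALUE", or nothing if unset.
flag_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*- --$2=//p" | head -n 1
    return 0
}

# _check_min MANIFEST FLAG MINIMUM: report an unset or too-small numeric flag.
_check_min() {
    v=$(flag_value "$1" "$2")
    if [ -z "$v" ]; then
        echo "$2: not set"
    elif [ "$v" -lt "$3" ]; then
        echo "$2: $v is below the organizational minimum of $3"
    fi
    return 0
}

# audit_log_findings MANIFEST: one line per failed check; no output when compliant.
# Without --audit-log-path the API server writes no audit log at all, so the
# rotation flags are meaningless until that one is set.
audit_log_findings() {
    manifest=$1
    path=$(flag_value "$manifest" audit-log-path)
    [ -n "$path" ] || echo "audit-log-path: not set (API audit logging disabled)"
    _check_min "$manifest" audit-log-maxage "$MIN_MAXAGE"
    _check_min "$manifest" audit-log-maxbackup "$MIN_MAXBACKUP"
    _check_min "$manifest" audit-log-maxsize "$MIN_MAXSIZE"
    return 0
}

# Run against the constructed sample; a real check would use
# audit_log_findings "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)".
audit_log_findings "$SAMPLE_MANIFEST"
```

Retention is where most deployments fall short: maxage and maxbackup bound how long evidence survives on the node, so set them from the incident response retention requirement rather than from disk space alone, and ship the log off the node as well.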
Review the ownership of service accounts, as necessary. CC ID 13863 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | System hardening through configuration management | Technical Security | |
Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Data and Information Management | |
Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards. CC ID 14467 | System hardening through configuration management | Configuration | |
Configure the "/etc/docker" files and directories auditing to organizational standards. CC ID 14459 | System hardening through configuration management | Configuration | |
Configure the "docker.socket" files and directories auditing to organizational standards. CC ID 14458 | System hardening through configuration management | Configuration | |
Configure the "docker.service" files and directories auditing to organizational standards. CC ID 14454 | System hardening through configuration management | Configuration | |
Configure the "/var/lib/docker" files and directories auditing to organizational standards. CC ID 14453 | System hardening through configuration management | Configuration | |
Configure the "/usr/sbin/runc" files and directories auditing to organizational standards. CC ID 14452 | System hardening through configuration management | Configuration | |
Configure the "/usr/bin/containerd" files and directories auditing to organizational standards. CC ID 14451 | System hardening through configuration management | Configuration | |
Configure the "/etc/default/docker" files and directories auditing to organizational standards. CC ID 14450 | System hardening through configuration management | Configuration | |
Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards. CC ID 14449 | System hardening through configuration management | Configuration | |
Configure the "logging level" to organizational standards. CC ID 14456 | System hardening through configuration management | Configuration | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [{privileged account} The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented. DE.CM-03.03] | System hardening through configuration management | Log Management | |
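The Docker file and directory auditing controls above (CC IDs 14449 to 14467) and the privileged-activity logging control (CC ID 00645, DE.CM-03.03) are both met on Linux with auditd rules. The following is an editor-added example, not code from the CRI Profile or the UCF mapping: a POSIX shell script that prints the desired ruleset and compares it with the rules actually loaded, so the missing ones can be listed. The loaded ruleset shown is a constructed sample rather than output captured from a host; the key names "docker" and "privileged", the systemd unit paths and the auid threshold of 1000 are assumptions.

```shell
#!/bin/sh
# Editor-added example (not from the CRI Profile or UCF): auditd rules that watch
# the Docker files and directories listed above and record every command run
# with root privileges, plus a check that lists which rules are not loaded.

# Docker paths to watch. /etc/default/docker and /etc/sysconfig/docker are
# distro specific, and the unit file locations are assumed: resolve them with
# "systemctl show -p FragmentPath docker.service" before loading, because
# auditctl refuses a watch on a path that does not exist.
DOCKER_PATHS="/etc/docker
/etc/docker/daemon.json
/etc/default/docker
/etc/sysconfig/docker
/var/lib/docker
/usr/sbin/runc
/usr/bin/containerd
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket"

# desired_rules: print the rules, one per line, in auditctl syntax.
desired_rules() {
    printf '%s\n' "$DOCKER_PATHS" | while IFS= read -r p; do
        printf '%s %s -p wa -k docker\n' '-w' "$p"   # write and attribute changes
    done
    # Every execve() with effective UID 0 by a logged-in user (auid >= 1000
    # excludes system daemons, auid != 4294967295 excludes unset login IDs)
    # is recorded under the "privileged" key; both syscall ABIs are covered.
    printf '%s\n' '-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privileged'
    printf '%s\n' '-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privileged'
    return 0
}

# missing_rules LOADED: print every desired rule absent from LOADED, where
# LOADED is the output of "auditctl -l" (one rule per line). auditctl may
# normalise some fields when listing (for example how an unset auid is shown),
# so compare against the listed form of each rule.
missing_rules() {
    loaded=$1
    desired_rules | while IFS= read -r rule; do
        if ! printf '%s\n' "$loaded" | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
    return 0
}

# Constructed sample of "auditctl -l" on a partially configured host.
LOADED_SAMPLE='-w /etc/docker -p wa -k docker
-w /etc/docker/daemon.json -p wa -k docker
-w /var/lib/docker -p wa -k docker
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privileged'

echo "Rules not loaded:"
missing_rules "$LOADED_SAMPLE"
# On a real host: missing_rules "$(auditctl -l)"; load the output into
# /etc/audit/rules.d/docker.rules and run augenrules --load.
```

Reviewing the resulting log is the other half of DE.CM-03.03: `ausearch -k privileged` and `ausearch -k docker` retrieve the events by key, and the records should be forwarded off the host so a privileged user cannot clear them locally.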
Configure security and protection software to check for up-to-date signature files. CC ID 00576 [The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints. PR.PS-05.01] | System hardening through configuration management | Testing | |
Establish, implement, and maintain a data retention program. CC ID 00906 [The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. ID.AM-08.03] | Records management | Establish/Maintain Documentation | |
Analyze business activities to ensure information is categorized for system design projects. CC ID 11794 | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
Perform a risk assessment for each system development project. CC ID 01000 [The risks of technology assimilation and implementations are managed GV.RM-08 Technology and cybersecurity risk management frameworks are applied to all technology projects and procurements to ensure that security requirements (e.g., data confidentiality, access control, event logging, etc.) are addressed consistently from project onset. GV.RM-08.02] | Systems design, build, and implementation | Testing | |
Conduct a design review at each milestone or quality gate. CC ID 01087 [Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle PR.PS-06] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Process or Activity | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [End-user developed solutions, to include models used to support critical business processes and decisions, are formally identified and managed in alignment with their criticality and risk. PR.PS-06.09] | Systems design, build, and implementation | Testing | |
Restrict production data from being used in the test environment. CC ID 01103 [{production environment} The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets. PR.IR-01.06] | Systems design, build, and implementation | Testing | |
Perform Quality Management on all newly developed or modified software. CC ID 11798 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Systems design, build, and implementation | Testing | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 [The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Acquisition or sale of facilities, technology, and services | Testing | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
Search the Internet for evidence of data leakage. CC ID 10419 [The organization implements measures for monitoring external sources (e.g., social media, the dark web, etc.) to integrate with other intelligence information to better detect and evaluate potential threats and compromises. DE.AE-07.01] | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 [{personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03 The organization anticipates and plans for the termination of critical relationships under both normal and adverse circumstances EX.TR-01 Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location. ID.AM-08.06] | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees). GV.AU-01.04 {security control} The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected. EX.MM-02.01 The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05 The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. EX.CN-02.03] | Third Party and supply chain oversight | Testing | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01 Expected cybersecurity practices for critical third parties that meet the risk management objectives of the organization are identified, documented, and agreed EX.CN-02] | Third Party and supply chain oversight | Testing | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03 The organization regularly assesses the risk of its ongoing use of third parties in aggregate, considering factors such as critical service dependencies, vendor concentration, geographical/geopolitical exposure, fourth-party impacts, and financial sector co-dependencies. GV.SC-01.02 The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization. EX.MM-01.01 {technology capabilities} The organization assesses the risks and suitability of the technology and cybersecurity capabilities and risk management practices of prospective third parties EX.DD-03 The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. EX.DD-02.01] | Third Party and supply chain oversight | Testing | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' relevant experience during due diligence. CC ID 12070 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. EX.DD-02.03 Third-party products and services are assessed relative to business, risk management, and cybersecurity requirements EX.DD-04 The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' financial stability during due diligence. CC ID 12066 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04 The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Business Processes | |
Assess the third parties' reputation during due diligence. CC ID 12068 | Third Party and supply chain oversight | Business Processes | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Business Processes | |
Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Business Processes | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01] | Third Party and supply chain oversight | Testing | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. EX.DD-02.03] | Third Party and supply chain oversight | Process or Activity | |
Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Investigate | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Process or Activity | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner. RS.MI-01.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Request attestation of compliance from third parties. CC ID 12067 [{cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [{externally provided process, product and service} The organization defines and implements procedures for assessing the compatibility, security, integrity, and authenticity of externally-developed or externally-sourced applications, software, software components, and firmware before deployment and upon any major change. EX.DD-04.01] | Third Party and supply chain oversight | Business Processes | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [Critical suppliers and third parties are monitored to confirm that they continue to satisfy their obligations as required; reviews of audits, test results, or other assessments of third parties are conducted EX.MM-01] | Third Party and supply chain oversight | Business Processes | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [{cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09 External service provider activities and services are monitored to find potentially adverse events DE.CM-06 The organization regularly evaluates its third party relationships to determine if changes in the organization's circumstances, objectives, or third party use warrant a change in a third party's risk rating (e.g., a less critical third-party relationship evolves into being a critical relationship). EX.MM-01.02 The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 Critical suppliers and third parties are monitored to confirm that they continue to satisfy their obligations as required; reviews of audits, test results, or other assessments of third parties are conducted EX.MM-01] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain warning procedures. CC ID 12407 [The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders. DE.AE-06.01] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures. CC ID 12406 [The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. DE.CM-06.02 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 {network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02 The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders. DE.AE-06.01] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03 The independent audit function reports to the governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when risk tolerance has been exceeded in any part of the organization. GV.AU-03.03] | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Process or Activity | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 [Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Leadership and high level objectives | Communicate | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) EX.MM-01.03] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. ID.IM-01.03] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 [Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction. ID.IM-01.04 The organization's technology operations and service and support functions are designed and managed to address business operational needs and stakeholder requirements. PR.PS-07] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [Outcomes, capabilities, and services that the organization depends on are understood and communicated GV.OC-05] | Leadership and high level objectives | Communicate | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [Internal and external threats to the organization are identified and recorded ID.RA-03 The independent audit function identifies, tracks, and reports significant changes in the organization's risk exposure to the governing authority (e.g., the Board or one of its committees) GV.AU-03] | Leadership and high level objectives | Business Processes | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 [The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01] | Leadership and high level objectives | Business Processes | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [Internal and external stakeholders are understood, and their needs and expectations regarding technology and cybersecurity risk management are understood and considered GV.OC-02] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The confidentiality, integrity, and availability of data-in-use are protected PR.DS-10 The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. ID.AM-08.03] | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Data and Information Management | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 [{IT architecture} The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs. GV.RM-08.05 Technology and security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience PR.IR] | Leadership and high level objectives | Establish/Maintain Documentation | |
Involve all stakeholders in the architecture review process. CC ID 16935 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands. PR.IR-04.02] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [The organization ensures that cyber threat intelligence is made available, in a secure manner, to authorized staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization. RS.CO-03.01] | Leadership and high level objectives | Communicate | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy ID.AM] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [{third party requirement} {third party contract} Consideration is specifically given to the implications of organizational third-party dependence, requirements, contracts, and interactions in the design, operation, monitoring, and improvement of policies, procedures, and controls to ensure the fulfillment of business requirements within risk appetite. GV.SC-09.01] | Leadership and high level objectives | Establish/Maintain Documentation | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Business Processes | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Leadership and high level objectives | Establish/Maintain Documentation | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 [The organizational mission is understood and informs technology and cybersecurity risk management GV.OC-01 {strategic option} Strategic opportunities (i.e., positive risks) are characterized and are included in organizational technology and cybersecurity risk discussions GV.RM-07 The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions. GV.RR-02.02] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [{technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [The designated Technology Officer (e.g., CIO or CTO) regularly reports to the governing authority (e.g., the Board or one of its committees) on the status of technology use and risks within the organization. GV.OV-01.03] | Leadership and high level objectives | Actionable Reports or Measurements | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Leadership and high level objectives | Business Processes | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and PR.AT-02.07 (2)] | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Establish/Maintain Documentation | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Communicate | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. DE.CM-06.02 Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events DE.CM-09 Account access, authentication, and authorization activities are logged and monitored, for both users and devices, to enforce authorized access. DE.CM-03.01] | Monitoring and measurement | Log Management | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [Possible cybersecurity attacks and compromises, and other operationally adverse events, are found and analyzed DE] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Establish/Maintain Documentation | |
Install and maintain an Intrusion Detection and Prevention System. CC ID 00581 [The organization deploys intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. DE.CM-01.01 The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets. DE.AE-03.01 The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified. PR.PS-01.03] | Monitoring and measurement | Configuration | |
Monitor systems for unauthorized data transfers. CC ID 12971 [The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Monitor systems for unauthorized mobile code. CC ID 10034 [The organization implements safeguards against unauthorized mobile code (e.g., JavaScript, ActiveX, VBScript, PowerShell, etc.) on mobile, end point, and server systems. PR.PS-05.02] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 [The organization employs deception techniques and technologies (e.g., honeypots) to detect and prevent a potential intrusion in its early stages to support timely containment and recovery. DE.CM-01.06] | Monitoring and measurement | Technical Security | |
Make logs available for review by the owning entity. CC ID 12046 [Log records are generated and made available for continuous monitoring PR.PS-04] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Information is correlated from multiple sources DE.AE-03 The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned. ID.IM-03.02 Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. DE.AE-07.02 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Log Management | |
Protect the event logs from failure. CC ID 06290 [{refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02] | Monitoring and measurement | Log Management | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [{network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02] | Monitoring and measurement | Audits and Risk Management | |
Establish, implement, and maintain log analysis tools. CC ID 17056 [{timely manner} Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes. RS.MA-02.01] | Monitoring and measurement | Technical Security | |
Document the event information to be logged in the event information log specification. CC ID 00639 [{refrain from inhibiting} The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs. PR.PS-04.02 The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Configuration | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Configuration | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. PR.PS-01.04] | Monitoring and measurement | Configuration | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02] | Monitoring and measurement | Communicate | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 [Networks and network services are monitored to find potentially adverse events DE.CM-01 The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems). DE.CM-01.04] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01 The risks posed by a third-party are monitored and managed over the course of the relationship EX.MM {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Monitoring and measurement | Establish/Maintain Documentation | |
Implement a fraud detection system. CC ID 13081 [The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters. PR.AA-03.03] | Monitoring and measurement | Business Processes | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a testing program. CC ID 00654 [The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive), that could affect the organization's ability to service internal and external stakeholders. ID.IM-02.05 {third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06 The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08 {test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Human Resources Management | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Testing | |
Document improvement actions based on test results and exercises. CC ID 16840 [Improvements are identified from tests and exercises, including those done in coordination with suppliers and relevant third parties ID.IM-02] | Monitoring and measurement | Establish/Maintain Documentation | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Testing | |
Protect systems and data during testing in the production environment. CC ID 17198 | Monitoring and measurement | Testing | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Data and Information Management | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Monitoring and measurement | Testing | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Behavior | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Testing | |
Define the test requirements for each testing program. CC ID 13177 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Monitoring and measurement | Establish/Maintain Documentation | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Monitoring and measurement | Testing | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Communicate | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Process or Activity | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Process or Activity | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a penetration test program. CC ID 01105 [The thoroughness and results of independent penetration testing are regularly reviewed to help determine the need to rotate testing vendors to obtain fresh independent perspectives. ID.IM-02.02] | Monitoring and measurement | Behavior | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Establish/Maintain Documentation | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Establish/Maintain Documentation | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental controls in the business line testing strategy. CC ID 13246 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets. ID.RA-01.03] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Testing | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
Document and maintain test results. CC ID 17028 | Monitoring and measurement | Testing | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Establish/Maintain Documentation | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. GV.OV-03.01] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [{business continuity program} Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees). GV.OV-03.02] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [The organization implements a regular process to collect, store, report, benchmark, and assess trends in actionable performance indicators and risk metrics (e.g., threat KRIs, security incident metrics, vulnerability metrics, and operational measures). ID.IM-01.02] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 [The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. ID.IM-01.03] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Report timely risk metrics. DE.AE-02.01 (3)] | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a log management program. CC ID 00673 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Monitoring and measurement | Establish/Maintain Documentation | |
Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Establish/Maintain Documentation | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Actionable Reports or Measurements | |
Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Establish/Maintain Documentation | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Communicate | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 [{network alert} The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks. DE.AE-03.02] | Monitoring and measurement | Technical Security | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [{cyberattack} The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: Predict and block a similar future attack; and DE.AE-02.01 (2)] | Monitoring and measurement | Technical Security | |
Determine the time frame to take action based on cyber threat intelligence. CC ID 12748 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [The organization has an independent audit function to support oversight of the technology and cybersecurity programs GV.AU The organization has an independent audit function (i.e., internal audit group or external auditor) that follows generally accepted audit practices and approved audit policies and procedures. GV.AU-01.01] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Process or Activity | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [A formal process is in place for the independent audit function to review and update its procedures and audit plans regularly or in response to changes in relevant standards, the technology environment, or the business environment. GV.AU-02.01 A formal process is in place for the independent audit function to update its procedures and audit plans based on changes to the organization's risk appetite, risk tolerance, threat environment, and evolving risk profile. GV.AU-02.02] | Audits and risk management | Establish/Maintain Documentation | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 [The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. GV.AU-03.01] | Audits and risk management | Establish/Maintain Documentation | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [An independent audit function assesses compliance with applicable laws and regulations. GV.AU-01.05 The independent audit function assesses compliance with internal controls and applicable laws and regulations GV.AU-01] | Audits and risk management | Audits and Risk Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 [{business continuity policy} The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. GV.AU-01.03 The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. GV.AU-03.01] | Audits and risk management | Audits and Risk Management | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 [{risk tolerance} The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. GV.AU-01.02] | Audits and risk management | Monitor and Evaluate Occurrences | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk management program. CC ID 12051 [Risk management objectives are established and agreed to by organizational stakeholders GV.RM-01 The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's technology and cybersecurity risk management decisions are understood GV.OC Technology and cybersecurity risk management activities and outcomes are included in enterprise risk management processes GV.RM-03 Technology and cybersecurity risk management strategies and frameworks are informed by applicable international, national, and financial services industry standards and guidelines. GV.RM-01.02 Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 {risk management framework} The organization's obligation to its customers, employees, and stakeholders to maintain safety and soundness, while balancing size and complexity, is reflected in the organization's risk management strategy and framework, its risk appetite and risk tolerance statements, and in a risk-aware culture. GV.OC-02.01 The organization's technology, cybersecurity, resilience, and third-party risk management programs, policies, resources, and priorities are aligned and mutually supporting. GV.RM-01.05 Technology and cybersecurity risk management frameworks are applied to, and are adapted as needed by, the organization's innovations in technology use and adoption of emerging technologies. GV.RM-08.01 {be consistent} The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. GV.IR-01.01 Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.RM-06.01 The independent risk management function evaluates the appropriateness of the risk management program for the organization's risk appetite and proposes program improvements as warranted GV.IR-02] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 [The independent risk management function has sufficient independence, stature, authority, resources, and access to the governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's risk management frameworks. GV.IR-01.02] | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. GV.RM-02.02] | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [{risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). GV.RM-03.04] | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 [{mobile device} The organization implements policies, procedures, end-user agreements, and technical controls to address the risks of end-user mobile or personal computing devices accessing the organization's network and resources. PR.IR-01.08] | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [Results of organization-wide technology and cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy GV.OV Technology and cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction GV.OV-01 The technology and cybersecurity risk management strategies are reviewed and adjusted to ensure coverage of organizational requirements and risks GV.OV-02 Organizational technology and cybersecurity risk management performance is evaluated and reviewed for adjustments needed GV.OV-03 Technology and cybersecurity risk management strategies and frameworks are approved by the governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. GV.RM-01.01 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01] | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [Technology and cybersecurity risk management strategies identify and communicate the organization's role as it relates to other critical infrastructure sectors outside of the financial services sector and the interdependency risks. GV.OC-02.03] | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). GV.RM-03.04 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01 The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Technology and cybersecurity risk management strategies identify and communicate the organization's role within the financial services sector as a component of critical infrastructure. GV.OC-02.02 The organization's budgeting and resourcing processes identify, prioritize, and address resource needs to manage identified technology and cybersecurity risks (e.g., skill shortages, headcount, new tools, incident-related expenses, and unsupported systems). GV.RR-03.01] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 [The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. ID.RA-03.03 The technology and cybersecurity risks to the organization, assets, and individuals are understood by the organization ID.RA The organization's current technology and cybersecurity risks are understood ID {technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01 {technology risk} {cybersecurity risk} The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit. ID.RA-05.03 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.RM-06.01] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Document cybersecurity risks. CC ID 12281 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01] | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction. ID.IM-01.04] | Audits and risk management | Establish/Maintain Documentation | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Internal and external threats to the organization are identified and recorded ID.RA-03 The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Audits and risk management | Technical Security | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Determining its validity; ID.RA-08.02 (1) A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06] | Audits and risk management | Audits and Risk Management | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02] | Audits and risk management | Audits and Risk Management | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded ID.RA-04 The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized. ID.RA-04.01] | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 [A supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders GV.SC-01] | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{technology risk} {cybersecurity risk} Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization. ID.RA-05.01] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm. ID.RA-03.01] | Audits and risk management | Communicate | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk. ID.RA-01.02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM Lines of communication across the organization are established for technology and cybersecurity risks, including risks from suppliers and other third parties GV.RM-05 A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 {risk measurement} {risk monitoring} {risk reporting} Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. GV.RM-01.04 {recovery procedure} The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders. RC.CO-03.01] | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized. ID.RA-04.01] | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM] | Audits and risk management | Establish/Maintain Documentation | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 [Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. GV.RM-02.03] | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization ID.RA-05 The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02] | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 [The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. ID.RA-01.01 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01] | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01 The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. GV.RM-02.02 {risk tolerance} The independent risk management function provides assurance that the technology and cybersecurity risk management frameworks have been implemented according to policy and are consistent with the organization's risk appetite and tolerance GV.IR-01 The independent risk management function regularly evaluates the appropriateness of the technology and cybersecurity risk management programs to the organization's risk appetite and inherent risk environment GV.IR-02.01 The organization determines and articulates how it intends to maintain an acceptable level of residual technology and cybersecurity risk as set by the governing authority (e.g., the Board or one of its committees). GV.OV-02.02 The independent risk management function evaluates the appropriateness of the risk management program for the organization's risk appetite and proposes program improvements as warranted GV.IR-02 Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 [The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. GV.RM-02.01] | Audits and risk management | Investigate | |
Approve the risk acceptance level, as necessary. CC ID 17168 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Process or Activity | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [{risk appetite statement} Risk appetite and risk tolerance statements are established, communicated, and maintained GV.RM-02 {risk appetite} The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions GV.RM] | Audits and risk management | Behavior | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization ID.RA-05 Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06 The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02 {cybersecurity control} Technology and cybersecurity risk management programs and risk assessment processes produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify cybersecurity and technology controls. ID.RA-06.01 Technology and cybersecurity programs identify and implement controls to manage applicable risks within the risk appetite set by the governing authority (e.g., the Board or one of its committees). ID.RA-06.03 The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches. GV.RM-04.01 The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. ID.RA-06.02] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Establish/Maintain Documentation | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Establish/Maintain Documentation | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Audits and risk management | Audits and Risk Management | |
Include risk responses in the risk management program. CC ID 13195 [Risk responses are chosen, prioritized, planned, tracked, and communicated ID.RA-06] | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV {critical function} {post incident activity} Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms RC.RP-04 The organization has established, and maintains, technology and cybersecurity programs designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite and business needs. GV.RM-01.03] | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 [Improvements are identified from evaluations ID.IM-01 Improvements are identified from execution of operational processes, procedures, and activities ID.IM-03 {risk management program} Improvements to organizational technology and cybersecurity risk management processes, procedures and activities are identified across all Profile Functions ID.IM The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements GV.IR-02.02] | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV] | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced GV.PO-01] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 [Policies for managing technology and cybersecurity risks are reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission GV.PO-02 Policies for managing technology and cybersecurity risks are established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced GV.PO-01] | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 [The organization's technology and cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored GV] | Audits and risk management | Communicate | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [{external partner} The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. ID.IM-04.06 Strategic direction that describes appropriate risk response options is established and communicated GV.RM-04 Technology and cybersecurity processes, procedures, and controls are established in alignment with cybersecurity policy. GV.PO-01.05 Safeguards to manage the organization's technology and cybersecurity risks are used PR] | Audits and risk management | Establish/Maintain Documentation | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 [A standardized method for calculating, documenting, categorizing, and prioritizing technology and cybersecurity risks is established and communicated GV.RM-06 The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. GV.RM-05.01] | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 [Strategic direction that describes appropriate risk response options is established and communicated GV.RM-04] | Audits and risk management | Communicate | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 [A supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders GV.SC-01 The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 [Supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders GV.SC {cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09] | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 [Supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders GV.SC The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 [The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties. GV.RR-01.02 The organization maintains documented third-party risk management program policies and procedures approved by the governing authority (e.g., the Board or one of its committees). GV.PO-01.08] | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [{cybersecurity program} Supply chain security practices are integrated into technology, cybersecurity, and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle GV.SC-09] | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 [Risk management objectives are established and agreed to by organizational stakeholders GV.RM-01] | Audits and risk management | Communicate | |
Establish, implement, and maintain a disclosure report. CC ID 15521 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management metrics in the disclosure report. CC ID 16345 [The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. GV.OV-03.01 The organization's third-party risk management program is regularly assessed, reported on, and improved. ID.IM-01.05] | Audits and risk management | Establish/Maintain Documentation | |
Include third party access in the access classification scheme. CC ID 11786 [Specific roles, responsibilities, and procedures to manage the risk of third-party access to organizational systems and facilities are defined and implemented. PR.AA-05.04] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 [Identities and credentials for authorized users, services, and hardware are managed by the organization PR.AA-01] | Technical security | Establish/Maintain Documentation | |
Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical security | Technical Security | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Technical security | Establish/Maintain Documentation | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Establish/Maintain Documentation | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Establish/Maintain Documentation | |
Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
Implement identity proofing processes. CC ID 13719 [Identities are proofed and bound to credentials based on the context of interactions PR.AA-02 The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical security | Process or Activity | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Process or Activity | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Process or Activity | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Process or Activity | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Establish/Maintain Documentation | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Configuration | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Process or Activity | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Process or Activity | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Process or Activity | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Process or Activity | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Process or Activity | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Configuration | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Configuration | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Configuration | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Process or Activity | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Process or Activity | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Process or Activity | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Process or Activity | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Process or Activity | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Process or Activity | |
Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Technical Security | |
Authenticate all systems in a federated identity system. CC ID 13835 [Users, services, and hardware are authenticated PR.AA-03] | Technical security | Technical Security | |
Send and receive authentication assertions, as necessary. CC ID 13839 [Identity assertions are protected, conveyed, and verified PR.AA-04] | Technical security | Technical Security | |
Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Technical Security | |
Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Technical Security | |
Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Technical Security | |
Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 [Identity assertions are protected, conveyed, and verified PR.AA-04] | Technical security | Technical Security | |
Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Technical Security | |
Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Technical Security | |
Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Technical Security | |
Validate each element within the authentication assertion. CC ID 13853 [Identity assertions are protected, conveyed, and verified PR.AA-04 The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | Technical security | Technical Security | |
Include the subject in the authentication assertion. CC ID 13852 | Technical security | Technical Security | |
Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Technical Security | |
Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Technical Security | |
Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Technical Security | |
Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Technical Security | |
Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Technical Security | |
Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Technical Security | |
Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Technical Security | |
Include key binding in the authentication assertion. CC ID 13846 | Technical security | Technical Security | |
Include attribute references in the authentication assertion. CC ID 13845 | Technical security | Technical Security | |
Include attribute values in the authentication assertion. CC ID 13844 | Technical security | Technical Security | |
Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical security | Technical Security | |
Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical security | Technical Security | |
Define the assertion level for authentication assertions. CC ID 13873 | Technical security | Technical Security | |
Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical security | Technical Security | |
Authenticate systems referenced in the allowlist. CC ID 13838 | Technical security | Technical Security | |
Place nonmembers of allowlists and denylists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical security | Technical Security | |
Require runtime decisions regarding authentication for organizations that are excluded from the allowlist. CC ID 13842 | Technical security | Technical Security | |
Establish, implement, and maintain an access control program. CC ID 11702 [Access credential and authorization mechanisms for internal systems and across security perimeters (e.g., leveraging directory services, directory synchronization, single sign-on, federated access, credential mapping, etc.) are designed to maintain security, integrity, and authenticity. PR.AA-04.01] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control policies. CC ID 00512 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Establish/Maintain Documentation | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
Establish access rights based on least privilege. CC ID 01411 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05 The organization limits access privileges to the minimum necessary and with consideration of separation of duties (e.g., through role-based access control, asset owner access recertifications, etc.). PR.AA-05.01] | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 [{physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 Decisions to authorize user access to devices and other assets are made with consideration of: Business need for the access; PR.AA-03.02 (1)] | Technical security | Technical Security | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Communicate | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
Enable access control for objects and users on each system. CC ID 04553 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Configuration | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Establish/Maintain Documentation | |
Review all user privileges, as necessary. CC ID 06784 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Technical Security | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA Decisions to authorize user access to devices and other assets are made with consideration of: The type of data being accessed (e.g., customer PII, public data); PR.AA-03.02 (2) Decisions to authorize user access to devices and other assets are made with consideration of: The risk of the transaction (e.g., internal-to-internal, external-to-internal); PR.AA-03.02 (3) Decisions to authorize user access to devices and other assets are made with consideration of: The organization's level of trust for the accessing agent (e.g., external application, internal user); and PR.AA-03.02 (4) Decisions to authorize user access to devices and other assets are made with consideration of: The potential for harm. PR.AA-03.02 (5)] | Technical security | Technical Security | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [{authorized user} Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, password strength requirements, automatic revocation of credentials under defined conditions, regular asset owner access review, etc.). PR.AA-01.01] | Technical security | Technical Security | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Log Management | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
Grant access to authorized personnel or systems. CC ID 12186 [{physical access} Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored. PR.AA-01.02 Decisions to authorize user access to devices and other assets are made with consideration of: PR.AA-03.02] | Technical security | Configuration | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
Include the user's location in the system record. CC ID 16996 | Technical security | Log Management | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Establish/Maintain Documentation | |
Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Establish/Maintain Documentation | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Communicate | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Technical security | Establish/Maintain Documentation | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Technical Security | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
Assign authentication mechanisms for user account authentication. CC ID 06856 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02 {multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical security | Configuration | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Communicate | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Process or Activity | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Technical Security | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Technical Security | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
Identify and control all network access controls. CC ID 00529 [The organization defines and implements controls for securely configuring and operating Operational Technologies, Industrial Control Systems, and Internet-of-Things (IoT) devices (e.g., segregated printer networks, resetting of default passwords, etc.) PR.IR-01.07] | Technical security | Technical Security | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 [Network device configurations (e.g., firewall rules, ports, and protocols) are documented, reviewed and updated regularly and upon change to ensure alignment with network access, segmentation, traversal, and deny-all default requirements. PR.IR-01.02] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Establish/Maintain Documentation | |
Enforce the network segmentation requirements. CC ID 16381 | Technical security | Process or Activity | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Technical Security | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Technical Security | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 [{communication network} The integrity and resilience of the organization's communications and control network services are enhanced through controls such as denial of service protections, secure name/address resolution, and/or alternate communications paths. PR.IR-01.03] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Communicate | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
Maintain up-to-date network diagrams. CC ID 00531 [Representations of the organization's authorized network communication and internal and external network data flows are maintained ID.AM-03 The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. ID.AM-03.01] | Technical security | Establish/Maintain Documentation | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
Maintain up-to-date data flow diagrams. CC ID 10059 [Representations of the organization's authorized network communication and internal and external network data flows are maintained ID.AM-03 The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. ID.AM-03.01] | Technical security | Establish/Maintain Documentation | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Establish/Maintain Documentation | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Communicate | |
Manage all external network connections. CC ID 11842 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Technical security | Technical Security | |
Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical security | Technical Security | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Technical Security | |
Implement a fault-tolerant architecture. CC ID 01626 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Technical security | Technical Security | |
Implement segregation of duties. CC ID 11843 [Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties PR.AA-05] | Technical security | Technical Security | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Segregate systems in accordance with organizational standards. CC ID 12546 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01 Networks, systems, and external connections are segmented (e.g., using firewalls, software-defined networks, guest wireless networks, etc.) to implement defense-in-depth and access isolation principles. PR.IR-01.01] | Technical security | Technical Security | |
Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Technical Security | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Technical Security | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Technical Security | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Data and Information Management | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Technical Security | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Data and Information Management | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Technical Security | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Establish/Maintain Documentation | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 [The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). PR.IR-01.04] | Technical security | Technical Security | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 [The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). PR.IR-01.04] | Technical security | Configuration | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Configuration | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Technical security | Communicate | |
Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Technical Security | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Technical Security | |
Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Establish/Maintain Documentation | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 [The organization implements measures to detect and block access to unauthorized, inappropriate, or malicious websites and services (e.g. social media, messaging, file sharing). DE.CM-01.05] | Technical security | Technical Security | |
Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 | Technical security | Data and Information Management | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 [{data destruction} The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. PR.DS-01.02] | Technical security | Establish/Maintain Documentation | |
Enforce privileged and non-privileged accounts for system access. CC ID 00558 [The organization institutes controls over privileged system access by strictly limiting and closely managing staff and services with elevated system entitlements (e.g., multi-factor authentication, dual accounts, privilege and time constraints, etc.) PR.AA-05.02] | Technical security | Technical Security | |
Control all methods of remote access and teleworking. CC ID 00559 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical security | Technical Security | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Process or Activity | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Establish/Maintain Documentation | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical security | Technical Security | |
Implement multifactor authentication techniques. CC ID 00561 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | Technical security | Configuration | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Technical Security | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Technical Security | |
Protect remote access accounts with encryption. CC ID 00562 [Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used). PR.IR-01.05] | Technical security | Configuration | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [{encryption management} The organization employs defined encryption methods and management practices commensurate with the criticality of the information being protected and the inherent risk of the technical environment where used. PR.PS-01.06] | Technical security | Establish/Maintain Documentation | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Technical security | Establish/Maintain Documentation | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Technical security | Establish/Maintain Documentation | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 [{encryption method} {encryption management} Acceptable encryption standards, methods, and management practices are established in accordance with defined industry standards. PR.PS-01.05] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Cryptographic keys and certificates are tracked, managed, and protected throughout their lifecycles, to include for compromise and revocation. PR.PS-01.07] | Technical security | Establish/Maintain Documentation | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Establish/Maintain Documentation | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Communicate | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [The confidentiality, integrity, and availability of data-in-transit are protected PR.DS-02] | Technical security | Technical Security | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 [{data classification policy} {data protection policy} Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, and alternate transit paths). PR.DS-02.01] | Technical security | Configuration | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Technical Security | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints. PR.PS-05.01] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Communicate | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Technical Security | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
Establish, implement, and maintain an application security policy. CC ID 06438 [{security architecture} {security process} {security practice} The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. GV.RM-08.03 The organization establishes standards and practices for ongoing application management to ensure that applications remain secure and continue to meet organizational needs. PR.PS-02.02] | Technical security | Establish/Maintain Documentation | |
Include allow lists of protocols, domains, paths and ports in the application security policy. CC ID 16852 | Technical security | Establish/Maintain Documentation | |
Approve the application security policy. CC ID 17065 | Technical security | Process or Activity | |
Disseminate and communicate the application security policy to interested personnel and affected parties. CC ID 17064 | Technical security | Communicate | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Technical security | Establish/Maintain Documentation | |
Sanitize customer data from all shared resources upon agreement termination. CC ID 12175 [{technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Technical security | Records Management | |
Return all unstructured data from all shared resources upon agreement termination. CC ID 12336 | Technical security | Business Processes | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a physical security program. CC ID 11757 [{physical security policy} Physical and environmental security policies are implemented and managed. GV.PO-01.06] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Establish/Maintain Documentation | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Establish/Maintain Documentation | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Configuration | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Configuration | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Establish/Maintain Documentation | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Log Management | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Log Management | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Log Management | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Log Management | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Log Management | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Log Management | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Log Management | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Log Management | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain a physical access log. CC ID 12080 [The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01] | Physical and environmental protection | Establish/Maintain Documentation | |
Log the exit of a staff member from a facility or from designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Log Management | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01 The organization manages and protects physical and visual access to sensitive information assets and physical records (e.g., session lockout, clean desk policies, printer/facsimile output trays, file cabinet/room security, document labelling, etc.) PR.AA-06.02 {environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Physical and Environmental Protection | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
Restrict physical access to distributed assets. CC ID 11865 [Physical access to assets is managed, monitored, and enforced commensurate with risk PR.AA-06 The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure. PR.AA-06.01] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 [The organization defines and implements controls for the protection and use of removable media (e.g., access/use restrictions, encryption, malware scanning, data loss prevention, etc.) PR.DS-01.03] | Physical and environmental protection | Data and Information Management | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Physical and environmental protection | Records Management | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Physical and environmental protection | Business Processes | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. DE.CM-03.02] | Physical and environmental protection | Establish/Maintain Documentation | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [{mobile device} End-user mobile or personal computing devices accessing the organization's network employ mechanisms to protect network, application, and data integrity, such as "Mobile Device Management (MDM)" and "Mobile Application Management (MAM)" technologies, device fingerprinting, storage containerization and encryption, integrity scanning, automated patch application, remote wipe, and data leakage protections. PR.PS-01.08] | Physical and environmental protection | Establish/Maintain Documentation | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Process or Activity | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Establish/Maintain Documentation | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
Establish, implement, and maintain asset return procedures. CC ID 04537 [{personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03 Relationship terminations and the return or destruction of assets are performed in a controlled and safe manner EX.TR-02] | Physical and environmental protection | Establish/Maintain Documentation | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets. GV.RR-04.02] | Physical and environmental protection | Behavior | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Establish Roles | |
Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Records Management | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Establish/Maintain Documentation | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Physical and Environmental Protection | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain an environmental control program. CC ID 00724 [{environmental control} The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) PR.IR-02.01] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain clean energy standards. CC ID 16285 | Physical and environmental protection | Establish/Maintain Documentation | |
Install and maintain power distribution boards. CC ID 16486 | Physical and environmental protection | Systems Design, Build, and Implementation | |
Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and environmental protection | Physical and Environmental Protection | |
Design the Information Technology facility with a low profile. CC ID 16140 | Physical and environmental protection | Physical and Environmental Protection | |
Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and environmental protection | Physical and Environmental Protection | |
Build critical facilities according to applicable building codes. CC ID 06366 | Physical and environmental protection | Physical and Environmental Protection | |
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Physical and Environmental Protection | |
Remotely control operational conditions at unmanned facilities. CC ID 11680 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Physical and environmental protection | Establish/Maintain Documentation | |
Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain smoke control systems. CC ID 17291 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain fire alarm systems. CC ID 17267 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain smoke detectors. CC ID 15264 | Physical and environmental protection | Physical and Environmental Protection | |
Conduct fire drills, as necessary. CC ID 13985 | Physical and environmental protection | Process or Activity | |
Employ environmental protections. CC ID 12570 [The organization's technology assets are protected from environmental threats PR.IR-02] | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain geomagnetic disturbance operating procedures. CC ID 17158 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the geomagnetic disturbance operating plan. CC ID 17157 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a geomagnetic disturbance operating plan. CC ID 17156 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate space weather information to interested personnel and affected parties. CC ID 17155 | Physical and environmental protection | Communicate | |
Include roles and responsibilities in the geomagnetic disturbance operating procedures. CC ID 17154 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a cold weather preparedness plan. CC ID 17131 | Physical and environmental protection | Establish/Maintain Documentation | |
Include design specifications for applicable assets in the cold weather preparedness plan. CC ID 17144 | Physical and environmental protection | Establish/Maintain Documentation | |
Include limitations in the cold weather preparedness plan. CC ID 17143 | Physical and environmental protection | Establish/Maintain Documentation | |
Include performance data in the cold weather preparedness plan. CC ID 17142 | Physical and environmental protection | Establish/Maintain Documentation | |
Include maintenance requirements in the cold weather preparedness plan. CC ID 17141 | Physical and environmental protection | Establish/Maintain Documentation | |
Include freeze protection measures in the cold weather preparedness plan. CC ID 17140 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Physical and Environmental Protection | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 | Physical and environmental protection | Communicate | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [{business continuity program} The organization maintains documented business continuity and resilience program policies and procedures approved by the governing authority (e.g., the Board or one of its committees). GV.PO-01.07 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations. RC.RP-01.01] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Systems Continuity | |
Include compliance requirements in the business continuity policy. CC ID 14237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include management commitment in the business continuity policy. CC ID 14233 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Communicate | |
Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include data recovery in the business continuity testing strategy. CC ID 13262 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Resilience requirements to support the delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, and normal operations). GV.OC-04.03 The organization's business continuity and resilience requirement risks are managed GV.RM-09 {business continuity strategy} The organization has an enterprise-wide resilience strategy and program, including architecture, cyber resilience, business continuity, disaster recovery, and incident response, which support its mission, stakeholder obligations, critical infrastructure role, and risk appetite. GV.RM-09.01 The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [The organization defines objectives (e.g., Recovery Time Objective, Maximum Tolerable Downtime, Impact Tolerance) for the resumption of critical operations in alignment with business imperatives, stakeholder obligations, and critical infrastructure dependencies. GV.OC-05.03] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole. EX.TR-01.01] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{business continuity program} Resilience program roles and responsibilities are assigned to management across the organization to ensure risk assessment, planning, testing, and execution coverage for all critical business functions. GV.RR-02.03 {incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02] | Operational and Systems Continuity | Establish Roles | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Restoration activities are coordinated with internal and external parties RC.CO] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{business continuity strategy} The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's resilience strategy and program and for managing the organization's ongoing resilience risks. GV.RR-01.03] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [The organization's business continuity and resilience requirement risks are managed GV.RM-09 {business continuity strategy} The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's resilience strategy and program and for managing the organization's ongoing resilience risks. GV.RR-01.03] | Operational and Systems Continuity | Human Resources Management | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include tolerance levels in the continuity plan. CC ID 17305 | Operational and Systems Continuity | Systems Continuity | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Joint maintenance of contingency plans; GV.RM-05.02 (1)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [Recovery actions are selected, scoped, prioritized, and performed RC.RP-02 Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, etc.) are established, communicated, maintained, and improved ID.IM-04 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations. RC.RP-01.01] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 [Recovery plans include service resumption steps for all operating environments, including traditional, alternate recovery, and highly available (e.g., cloud) infrastructures. ID.IM-04.03] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 [The criteria for initiating incident recovery are applied RS.MA-05 Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05 The organization's incident response plans define severity levels and associated criteria for initiating response plans and escalating event response to appropriate stakeholders and management levels. RS.MA-05.01] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. ID.IM-04.04] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders RC.CO-03 {recovery procedure} The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders. RC.CO-03.01] | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 [{business continuity program} The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages). GV.RM-09.02 Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps. ID.IM-04.05 Restoration activities are performed to ensure operational availability of systems and services affected by adverse incidents RC.RP] | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Recovery actions are selected, scoped, prioritized, and performed RC.RP-02 Recovery plans are executed by first resuming critical services and core business functions, while minimizing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. RC.RP-02.02] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 [{business continuity program} The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages). GV.RM-09.02] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 [Public updates on incident recovery are shared using approved methods and messaging RC.CO-04 The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as required or appropriate. RC.CO-03.02 The end of incident recovery is declared based on criteria, and incident-related documentation is completed RC.RP-06] | Operational and Systems Continuity | Communicate | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Communicate | |
Identify and document critical facilities. CC ID 17304 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks. ID.RA-06.04] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include outages in the emergency operating procedures. CC ID 17129 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [Recovery point objectives to support data integrity are consistent with the organization's recovery time objectives, information flow dependencies between systems, and business obligations. GV.OC-05.04] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [The organization has prioritized its external dependencies according to their criticality to the supported enterprise mission, business functions, and to the financial services sector. GV.OC-05.02] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 [The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backups of data are created, protected, maintained, and tested PR.DS-11 The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing. PR.DS-11.01] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Operational and Systems Continuity | Communicate | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 [The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. ID.IM-04.04] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Encrypt backup data. CC ID 00958 [Backups of data are created, protected, maintained, and tested PR.DS-11] | Operational and Systems Continuity | Configuration | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Validate information security continuity controls regularly. CC ID 12008 [Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception. ID.IM-02.09] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Communicate | |
Train personnel on the continuity plan. CC ID 00759 [All personnel (employee and third party) are made aware of and are trained for their role and operational steps in response and recovery plans. PR.AT-02.03] | Operational and Systems Continuity | Behavior | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Operational and Systems Continuity | Training | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Training | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Training | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Training | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Training | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing all system components in the continuity test plan. CC ID 13508 [The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. ID.IM-02.08] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scenarios in the continuity test plan. CC ID 13506 [The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. ID.IM-02.08] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 [Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. EX.CN-02.04] | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02] | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results. ID.IM-02.07] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 | Operational and Systems Continuity | Testing | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Communicate | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Human Resources management | Establish Roles | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Human Resources Management | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Establish/Maintain Documentation | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Human Resources Management | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Behavior | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01 The governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization's technology and cybersecurity risk management strategies and frameworks. GV.RR-01.01 The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy. GV.RR-01.05 The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization's third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties. GV.RR-01.02] | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Establish/Maintain Documentation | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Human Resources Management | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Human Resources Management | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Human Resources Management | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Human Resources Management | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Human Resources Management | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Human Resources Management | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 [The organization has designated a qualified Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing a cybersecurity strategy, overseeing and implementing its cybersecurity program, and enforcing its cybersecurity policy. GV.RR-01.04 The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy. GV.RR-01.05] | Human Resources management | Establish Roles | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Human Resources Management | |
Define and assign the Public Information Officer's roles and responsibilities. CC ID 17059 | Human Resources management | Establish Roles | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Human Resources Management | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Human Resources Management | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 [{cybersecurity program} The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. GV.OC-03.01] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 [Technology and cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated GV.RR Roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally GV.SC-02 {business continuity program} The roles, responsibilities, qualifications, and skill requirements for personnel (employees and third parties) that implement, manage, and oversee the technology, cybersecurity, and resilience programs are defined, aligned, coordinated, and holistically managed. GV.RR-02.01 The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions. GV.RR-02.02] | Human Resources management | Human Resources Management | |
Document the use of external experts. CC ID 16263 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Roles, responsibilities, and authorities related to technology and cybersecurity risk management are established, communicated, understood, and enforced GV.RR-02 The organization has an independent risk management function GV.IR {cybersecurity program} The independent risk management function has an understanding of the organization's structure, technology and cybersecurity strategies and programs, and relevant risks and threats. GV.IR-01.03] | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
Assign the role of data custodian to applicable controls. CC ID 04789 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Human Resources management | Establish Roles | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 [Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained. GV.RR-02.06] | Human Resources management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Human Resources Management | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 [Cybersecurity is included in human resources practices GV.RR-04] | Human Resources management | Establish/Maintain Documentation | |
Categorize the gender of all employees. CC ID 15609 | Human Resources management | Human Resources Management | |
Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources management | Human Resources Management | |
Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Human Resources Management | |
Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Human Resources Management | |
Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Human Resources Management | |
Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Human Resources Management | |
Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Human Resources Management | |
Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Human Resources Management | |
Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Human Resources Management | |
Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 [{security policy} All personnel (employees and third party) consent to policies addressing acceptable technology use, social media use, personal device use (e.g., BYOD), confidentiality, and/or other security-related policies and agreements as warranted by their position. GV.PO-01.04] | Human Resources management | Human Resources Management | |
Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Establish/Maintain Documentation | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Establish/Maintain Documentation | |
Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Establish/Maintain Documentation | |
Train all new hires, as necessary. CC ID 06673 | Human Resources management | Behavior | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Establish/Maintain Documentation | |
Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Communicate | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources management | Human Resources Management | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 [{background check} The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems. GV.RR-04.01] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets. GV.RR-04.02] | Human Resources management | Establish/Maintain Documentation | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Human Resources Management | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Human Resources Management | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Human Resources management | Behavior | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Communicate | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Human Resources Management | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Behavior | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Human Resources Management | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. GV.PO-01.03] | Human Resources management | Human Resources Management | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Establish/Maintain Documentation | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Communicate | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Establish/Maintain Documentation | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Establish/Maintain Documentation | |
Train all personnel and third parties, as necessary. CC ID 00785 [As new technology is deployed or undergoes change that also requires changes in practices, all impacted personnel (e.g., end-users, developers, operators, etc.) are trained on the new system and any accompanying technology and cybersecurity risks. PR.AT-01.04 All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security. PR.AT-02.05] | Human Resources management | Behavior | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Training | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 [Mechanisms are in place to ensure that the personnel working with cybersecurity and technology (e.g., developers, DBAs, network admins, etc.) maintain current knowledge and skills related to changing threats, countermeasures, new tools, best practices, and their job responsibilities. PR.AT-02.01] | Human Resources management | Behavior | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind PR.AT-01 Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind PR.AT-02 The organization maintains and enhances the skills and knowledge of the in-house staff performing incident management and forensic investigation activities. PR.AT-02.04] | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain training plans. CC ID 00828 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Establish/Maintain Documentation | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Training | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include insider threats in the security awareness program. CC ID 16963 [The organization integrates insider threat considerations into its human resource, risk management, and control programs to address the potential for malicious or unintentional harm by trusted employees or third parties. GV.RR-04.03] | Human Resources management | Training | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 [Personnel (employees and third parties) who fulfill the organization's physical security and cybersecurity objectives understand their roles and responsibilities. GV.RR-02.05] | Human Resources management | Training | |
Conduct personal data processing training. CC ID 13757 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Human Resources management | Establish/Maintain Documentation | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 [Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity and independent sources of expertise to discuss cybersecurity related matters. PR.AT-02.08] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include data management in the security awareness program. CC ID 17010 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Training | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [Cybersecurity awareness training is updated on a regular basis to reflect risks and threats identified by the organization, the organization's security policies and standards, applicable laws and regulations, and changes in individual responsibilities. PR.AT-01.03 {inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Evaluate and manage cyber risks; PR.AT-02.07 (1) The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks PR.AT The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. GV.PO-01.03 Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: PR.AT-02.07 The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: Lead by example. PR.AT-02.07 (3) High-risk groups, such as those with elevated privileges or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities. PR.AT-02.02 All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security. PR.AT-02.05] | Human Resources management | Establish/Maintain Documentation | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [All personnel receive cybersecurity awareness training upon hire and on a regular basis. PR.AT-01.01] | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 [{security baseline configuration} The organization establishes and maintains standard system security configuration baselines, informed by industry standards and hardening guidelines, to facilitate the consistent application of security settings, configurations, and versions. PR.PS-01.01] | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents. PR.AT-01.02] | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an ethical culture. CC ID 12781 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01] | Human Resources management | Behavior | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [Adequate resource capacity to ensure availability is maintained PR.IR-04 Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands. PR.IR-04.02] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Operational management | Systems Design, Build, and Implementation | |
Manage cloud services. CC ID 13144 | Operational management | Business Processes | |
Establish, implement, and maintain cloud management procedures. CC ID 13149 | Operational management | Technical Security | |
Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Operational management | Process or Activity | |
Correlate business processes and applications. CC ID 16300 [The organization's technology operations and service and support functions are designed and managed to address business operational needs and stakeholder requirements. PR.PS-07] | Operational management | Business Processes | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Technology and cybersecurity strategies, architectures, and programs are formally governed to align with and support the organization's mission, objectives, priorities, tactical initiatives, and risk profile. GV.OC-01.01 Technology and cybersecurity risk management frameworks and programs are integrated into the enterprise risk management framework. GV.RM-03.01 Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making. GV.RM-08.06 {problem management and processing system} The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. PR.PS-07.01] | Operational management | Establish/Maintain Documentation | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 [{IT architecture} The organization integrates the use of technology architecture in its governance processes to support consistent approaches to security and technology design, integration of third party services, consideration and adoption of new technologies, and investment and procurement decisioning. GV.RM-08.04] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [Adequate resources are allocated commensurate with technology and cybersecurity risk strategy, roles, responsibilities, and policies GV.RR-03] | Operational management | Acquisition/Sale of Assets or Services | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [The organization has mechanisms in place to ensure that strategies, initiatives, opportunities, and emerging technologies (e.g., artificial intelligence, quantum computing, etc.) are evaluated both in terms of risks and uncertainties that are potentially detrimental to the organization, as well as potentially advantageous to the organization (i.e., positive risks). GV.RM-07.01] | Operational management | Process or Activity | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [{emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Process or Activity | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign resources to implement the internal control framework. CC ID 00816 [The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization. EX.MM-01.01] | Operational management | Business Processes | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [{protection process} A formal process is in place to improve protection controls and processes by integrating recommendations, findings, and lessons learned from exercises, testing, audits, assessments, and incidents. ID.IM-03.01] | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01 Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes GV.SC-03 {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | Operational management | Establish/Maintain Documentation | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Establish/Maintain Documentation | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 [{test plans} A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures). PR.PS-06.05] | Operational management | Configuration | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 [{incident alert threshold} The organization establishes, documents, and regularly reviews event alert parameters and thresholds, as well as rule-based triggers to support automated responses, when known attack patterns, signatures or behaviors are detected. DE.AE-02.02] | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 [{information sharing forum} The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Vulnerability sharing forums (e.g., FS-ISAC); and ID.RA-08.01 (2) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Third-parties (e.g., cloud vendors); ID.RA-08.01 (3) The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: Internal sources (e.g., development teams). ID.RA-08.01 (4) The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from: Public sources (e.g., customers and security researchers); ID.RA-08.01 (1)] | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 [{cybersecurity} The organization participates actively (in alignment with its business operations, inherent risk, and complexity) in information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats, and early warning indicators relating to cyber threats. ID.RA-02.01 The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party's approach to securing systems. ID.RA-02.02] | Operational management | Communicate | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 [{escalation procedure} The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon. RS.CO-02.01] | Operational management | Establish/Maintain Documentation | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 [Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure. ID.RA-07.04] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 [The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party's approach to securing systems. ID.RA-02.02] | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Establish/Maintain Documentation | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Establish/Maintain Documentation | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Establish/Maintain Documentation | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 [Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01] | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 [Organizational technology and cybersecurity policies are established, communicated, and enforced GV.PO Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. GV.PO-01.01 The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. GV.PO-02.01 The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated. GV.PO-01.02] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 [{security architecture} {security process} {security practice} The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. GV.RM-08.03] | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 [{physical security policy} Physical and environmental security policies are implemented and managed. GV.PO-01.06] | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 [The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) EX.MM-01.03] | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 [The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). GV.RR-03.03] | Operational management | Process or Activity | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. GV.PO-01.01] | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Operational management | Establish/Maintain Documentation | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Establish/Maintain Documentation | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Establish/Maintain Documentation | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Communicate | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [{risk awareness} {ethical culture} {continuous improvement} Organizational leadership is responsible and accountable for technology and cybersecurity risks and fosters a culture that is risk-aware, ethical, and continually improving GV.RR-01] | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated. GV.PO-01.02] | Operational management | Process or Activity | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{cybersecurity program} The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. GV.OC-03.01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Business Processes | |
Establish, implement, and maintain a service management program. CC ID 11388 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS] | Operational management | Establish/Maintain Documentation | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 | Operational management | Communicate | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 | Operational management | Communicate | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 | Operational management | Communicate | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 | Operational management | Communicate | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 | Operational management | Communicate | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 | Operational management | Communicate | |
Include a service management plan in the service management program. CC ID 13902 | Operational management | Establish/Maintain Documentation | |
Include the information security policy in the service management program. CC ID 13925 | Operational management | Establish/Maintain Documentation | |
Include the change management policy in the service management program. CC ID 13923 | Operational management | Establish/Maintain Documentation | |
Include known limitations in the service management program. CC ID 11391 [Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Operational management | Establish/Maintain Documentation | |
Include continuity plans in the Service Management program. CC ID 13919 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 | Operational management | Communicate | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The organization's asset management processes ensure the protection of sensitive data throughout removal, transfers, maintenance, end-of-life, and secure disposal or re-use. ID.AM-08.04 The organization establishes and maintains asset lifecycle management policies and procedures to ensure that assets are acquired, tracked, implemented, used, decommissioned, and protected commensurate with their sensitivity, criticality, and business value. ID.AM-08.01 The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 [The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 [The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy ID.AM] | Operational management | Establish/Maintain Documentation | |
Define the requirements for where assets can be located. CC ID 17051 | Operational management | Business Processes | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 [Assets are prioritized based on classification, criticality, resources, and impact on the mission ID.AM-05] | Operational management | Business Processes | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
Include installation requirements in the asset management program. CC ID 17195 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. ID.RA-05.02] | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 [Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access PR.AA] | Operational management | Systems Design, Build, and Implementation | |
Define confidentiality controls. CC ID 01908 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. RC.RP-05.02] | Operational management | Establish/Maintain Documentation | |
Define integrity controls. CC ID 01909 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The organization uses integrity checking mechanisms to verify hardware integrity. DE.CM-09.02] | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 [Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information PR.DS The organization implements mechanisms (e.g., failsafe, load balancing, hot swaps, redundant equipment, alternate services, backup facilities, etc.) to achieve resilience requirements in normal and adverse situations. PR.IR-03.01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 [{be risk-based} The organization establishes and maintains risk-based policies and procedures for the classification of hardware, software, and data assets based on sensitivity and criticality. ID.AM-05.01] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. ID.AM-01.01 The organization maintains an inventory of key internal assets, business functions, and external dependencies that includes mappings to other assets, business functions, and information flows. GV.OC-04.01] | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02 The organization maintains a current inventory of the data being created, stored, or processed by its information assets and data flow diagrams depicting key internal and external data flows. ID.AM-07.01] | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 [Inventories of hardware managed by the organization are maintained ID.AM-01 Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Operational management | Establish/Maintain Documentation | |
Include software in the Information Technology inventory. CC ID 00692 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02 The organization maintains a current and complete inventory of software platforms, business applications, and other software assets (e.g., virtual machines and virtual network devices). ID.AM-02.01 Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [Inventories of data and corresponding metadata for designated data types are maintained ID.AM-07] | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 [Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. ID.AM-04.01] | Operational management | Establish/Maintain Documentation | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record services for applicable assets in the asset inventory. CC ID 13733 [Inventories of software, services, and systems managed by the organization are maintained ID.AM-02] | Operational management | Establish/Maintain Documentation | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Operational management | Data and Information Management | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Operational management | Data and Information Management | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 [Systems, hardware, software, services, and data are managed throughout their life cycles ID.AM-08 The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability PR.PS Software is maintained, replaced, and removed commensurate with risk PR.PS-02] | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Configuration | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 | Operational management | Business Processes | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The organization defines and implements controls for the on-site and remote maintenance and repair of the organization's technology assets (e.g., work must be performed by authorized personnel, use of approved procedures and tools, use of original or vendor-approved spare parts). PR.PS-03.01] | Operational management | Establish/Maintain Documentation | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Maintenance | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Maintenance | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Maintenance | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Maintenance | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Establish/Maintain Documentation | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Communicate | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Process or Activity | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Perform periodic maintenance according to organizational standards. CC ID 01435 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 [Hardware is maintained, replaced, and removed commensurate with risk PR.PS-03] | Operational management | Business Processes | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 [Technology obsolescence, unsupported systems, and end-of-life decommissioning/replacements are addressed in a risk-based manner and actively planned for, funded, managed, and securely executed. PR.PS-02.03] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Communicate | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
Review each system's operational readiness. CC ID 06275 [The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed RC.RP-05] | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08 Possible cybersecurity attacks and compromises, and other operationally adverse events, are found and analyzed DE {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Business Processes | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [Incidents are declared when adverse events meet the defined incident criteria DE.AE-08] | Operational management | Establish/Maintain Documentation | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents DE.AE {incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03] | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 [The estimated impact and scope of adverse events are understood DE.AE-04 Incidents are categorized and prioritized RS.MA-03 Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. DE.AE-07.02] | Operational management | Technical Security | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [The estimated impact and scope of adverse events are understood DE.AE-04 An incident's magnitude is estimated and validated RS.AN-08 Defined criteria and severity levels are in place to facilitate the declaration, escalation, organization, and alignment of response activities to response plans within the organization and across relevant third parties. DE.AE-08.01] | Operational management | Establish/Maintain Documentation | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 [Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved RS.AN-06] | Operational management | Establish/Maintain Documentation | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include the incident reference code in incident response notifications. CC ID 17292 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Operational management | Establish/Maintain Documentation | |
Include costs associated with the incident in incident response notifications. CC ID 17300 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
Include a description of the data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01 {incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01] | Operational management | Records Management | |
Log incidents in the Incident Management audit log. CC ID 00857 [Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. RS.MA-04.01] | Operational management | Establish/Maintain Documentation | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 [{incident management plan} Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. RC.RP-06.01] | Operational management | Establish/Maintain Documentation | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [{incident reporting} The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders. ID.IM-02.03 {incident communication protocol} The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident. RS.CO-02.03] | Operational management | Establish/Maintain Documentation | |
Provide customer security advice, as necessary. CC ID 13674 [{inform} The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate. PR.AT-02.06] | Operational management | Communicate | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Operational management | Communicate | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Operational management | Communicate | |
Display customer security advice prominently. CC ID 13667 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 [The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 Responses to detected adverse incidents are managed RS.MA] | Operational management | Establish/Maintain Documentation | |
Create an incident response report. CC ID 12700 [Incident reports are triaged and validated RS.MA-02] | Operational management | Establish/Maintain Documentation | |
Include entities notified of the incident in the incident response report. CC ID 17294 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in the incident response report. CC ID 17298 | Operational management | Establish/Maintain Documentation | |
Include the incident reference code in the incident response report. CC ID 17297 | Operational management | Establish/Maintain Documentation | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Establish/Maintain Documentation | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
Include the scope of the incident in the incident response report. CC ID 12717 [The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: Assessing its scope (e.g., affected assets); ID.RA-08.02 (2)] | Operational management | Establish/Maintain Documentation | |
Include recovery measures in the incident response report. CC ID 17299 | Operational management | Establish/Maintain Documentation | |
Include the date and time of recovery from the incident in the incident response report. CC ID 17296 | Operational management | Establish/Maintain Documentation | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted. RS.AN-03.01] | Operational management | Establish/Maintain Documentation | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Acquisition/Sale of Assets or Services | |
Mitigate reported incidents. CC ID 12973 [Activities are performed to prevent expansion of an event and mitigate its effects RS.MI Incidents are eradicated RS.MI-02] | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services. RS.MA-01.01 The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents. ID.IM-04.01 The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on: ID.IM-04.08] | Operational management | Establish/Maintain Documentation | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Establish/Maintain Documentation | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Establish/Maintain Documentation | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Establish/Maintain Documentation | |
Include addressing information sharing in the incident response plan. CC ID 13349 [{escalation procedure} The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon. RS.CO-02.01] | Operational management | Establish/Maintain Documentation | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Establish/Maintain Documentation | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Establish/Maintain Documentation | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Establish/Maintain Documentation | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Establish/Maintain Documentation | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Establish/Maintain Documentation | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 [Response and recovery plans (e.g., incident response plan, business continuity plan, disaster recovery plan, etc.) are established, communicated, maintained, and improved ID.IM-04] | Operational management | Communicate | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident response plan} The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third-parties. ID.IM-04.02 The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. RC.RP-02.01] | Operational management | Establish Roles | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Establish/Maintain Documentation | |
Include log management procedures in the incident response program. CC ID 17081 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the incident response policy. CC ID 14108 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the incident response policy. CC ID 14107 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the incident response policy. CC ID 14106 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Establish/Maintain Documentation | |
Include the scope in the incident response policy. CC ID 14104 | Operational management | Establish/Maintain Documentation | |
Include the purpose in the incident response policy. CC ID 14101 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Communicate | |
Include business recovery procedures in the Incident Response program. CC ID 11774 [The recovery portion of the incident response plan is executed once initiated from the incident response process RC.RP-01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Establish/Maintain Documentation | |
Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Records Management | |
Include time information in the chain of custody. CC ID 17068 | Operational management | Log Management | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Log Management | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Log Management | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01 Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. RS.AN-07.01] | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards. RS.AN-06.01 Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. RS.AN-07.01] | Operational management | Records Management | |
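The chain-of-custody controls above (CC ID 17066, 17067, 17068) and the evidence preservation requirements in RS.AN-06.01 and RS.AN-07.01 ask for a record that shows who held an evidence item, what they did to it and when, in a form whose integrity and provenance can later be demonstrated. The following is an added example, not part of the CRI Profile or of the UCF mapping, of one way to implement such a record as a hash-chained custody log: the evidence bytes are hashed at acquisition, every custody entry re-hashes the evidence and also commits to the previous entry, and a verification routine reports any break in the chain, any edited entry, or any drift of the evidence from its acquisition hash. The evidence identifier, custodian names, timestamps and "disk image" bytes are constructed for the illustration.

```python
"""Hash-chained chain-of-custody record for a single digital evidence item.

Added illustration only; names, custodians, timestamps and evidence bytes are
constructed. Not code from the CRI Profile or the UCF.
"""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # ISO-8601 UTC: time information (CC ID 17068)
    custodian: str        # individual holding the evidence (CC ID 17066)
    action: str           # action performed on the evidence (CC ID 17067)
    evidence_hash: str    # hash of the evidence bytes at the time of the entry
    prev_entry_hash: str  # hash of the preceding entry: makes the log tamper-evident
    entry_hash: str = ""  # hash over all fields above, filled in on append

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    GENESIS = "0" * 64  # prev_entry_hash of the first entry

    def __init__(self, evidence_id: str, acquired: bytes, custodian: str, when: datetime):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(acquired)  # provenance anchor
        self.entries: list[CustodyEntry] = []
        self.record(custodian, "acquired", acquired, when)

    def record(self, custodian: str, action: str, evidence: bytes, when: datetime) -> CustodyEntry:
        """Append an entry; the custodian re-hashes the evidence at every handover."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries), when.astimezone(timezone.utc).isoformat(),
                             custodian, action, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, current: bytes) -> list[str]:
        """Return the list of integrity problems; an empty list means the record is intact."""
        problems: list[str] = []
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i:
                problems.append(f"entry {i}: sequence number {e.seq} out of order")
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: chain break (previous-entry hash mismatch)")
            if e.compute_hash() != e.entry_hash:
                problems.append(f"entry {i}: entry modified after it was written")
            if e.evidence_hash != self.acquisition_hash:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e.entry_hash
        if sha256_hex(current) != self.acquisition_hash:
            problems.append("evidence bytes no longer match the acquisition hash")
        return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Intact log, a log whose entry was edited afterwards, and altered evidence bytes."""
    image = b"constructed disk image bytes, standing in for a real acquisition"
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EV-2024-0001", image, "analyst.a", t0)
    log.record("analyst.a", "sealed and placed in evidence locker", image, t0.replace(hour=10))
    log.record("examiner.b", "checked out for read-only analysis", image, t0.replace(hour=14))
    intact = log.verify(image)

    edited_log = copy.deepcopy(log)
    edited_log.entries[1].custodian = "someone.else"  # after-the-fact edit of the record
    log_problems = edited_log.verify(image)

    evidence_problems = log.verify(image + b"\x00")  # evidence altered after acquisition
    return intact, log_problems, evidence_problems


if __name__ == "__main__":
    for label, result in zip(("intact", "edited log", "altered evidence"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Each entry's `evidence_hash` is required to equal the acquisition hash because digital evidence must never change while in custody; a working copy for analysis gets its own identifier and its own log. Storing the log separately from the evidence (and, in practice, signing or notarising each `entry_hash`) is what makes the record independently verifiable rather than merely self-consistent.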
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [The end of incident recovery is declared based on criteria, and incident-related documentation is completed RC.RP-06] | Operational management | Actionable Reports or Measurements | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain rate limits for connection attempts. CC ID 16986 | Operational management | Technical Security | |
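Rate limits for connection attempts (CC ID 16986) are usually enforced per source with a token bucket: each source starts with a burst allowance, regains one token per refill interval, and is refused once the bucket is empty. The following is an added example, not code from the CRI Profile or the UCF, of such a limiter written with integer millisecond timestamps so the refill arithmetic is exact; the two source addresses and their attempt timings are constructed to show one bursting client being throttled while a slow client is unaffected.

```python
"""Per-source token-bucket limiter for connection attempts.

Added illustration only; the source addresses, burst size, refill interval and
attempt timings are constructed. Not code from the CRI Profile or the UCF.
"""
from collections import defaultdict


class ConnectionRateLimiter:
    """Allow up to `burst` attempts immediately, then one per `refill_ms` per source."""

    def __init__(self, burst: int, refill_ms: int):
        self.burst = burst
        self.refill_ms = refill_ms
        self._state: dict[str, tuple[int, int]] = {}  # src -> (tokens, last_refill_ms)

    def allow(self, src: str, now_ms: int) -> bool:
        tokens, last = self._state.get(src, (self.burst, now_ms))
        refilled = max(0, (now_ms - last) // self.refill_ms)
        if refilled:
            tokens = min(self.burst, tokens + refilled)
            last += refilled * self.refill_ms  # keep the partial interval, not the whole gap
        if tokens >= 1:
            self._state[src] = (tokens - 1, last)
            return True
        self._state[src] = (tokens, last)
        return False


def replay(attempts: list[tuple[int, str]], burst: int, refill_ms: int) -> list[tuple[int, str, bool]]:
    """Run a time-ordered list of (timestamp_ms, source) through the limiter."""
    limiter = ConnectionRateLimiter(burst, refill_ms)
    return [(ts, src, limiter.allow(src, ts)) for ts, src in sorted(attempts)]


def summarize(decisions: list[tuple[int, str, bool]]) -> dict[str, tuple[int, int]]:
    """Per-source (allowed, denied) counts; denied counts feed alerting on brute-force sources."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for _, src, allowed in decisions:
        counts[src][0 if allowed else 1] += 1
    return {src: (a, d) for src, (a, d) in counts.items()}


def demo() -> dict[str, tuple[int, int]]:
    # Constructed traffic: 10.0.0.5 hammers the service every 100 ms for 1.2 s;
    # 192.0.2.9 connects three times, five seconds apart.
    attempts = [(t, "10.0.0.5") for t in range(0, 1200, 100)]
    attempts += [(t, "192.0.2.9") for t in (0, 5000, 10000)]
    return summarize(replay(attempts, burst=5, refill_ms=1000))


if __name__ == "__main__":
    for src, (allowed, denied) in demo().items():
        print(f"{src}: allowed={allowed} denied={denied}")
```

With a burst of 5 and a refill of one token per second, the bursting source gets its first five attempts through, is refused for the rest of that second, gains exactly one more attempt at the one-second mark and is refused again; the slow source is never touched. A production deployment would key the bucket on the authenticating principal as well as the network source, persist the state across workers, and raise an alert once a source's denial count crosses a threshold.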
Include performance requirements in the Service Level Agreement. CC ID 00841 [Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. PR.PS-07.02 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 [{business continuity plan} Technology projects and system change processes ensure that requisite changes in security posture, data classification and flows, architecture, support documentation, business processes, and business resilience plans are addressed. ID.RA-07.03 {change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07 {change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02] | Operational management | Business Processes | |
Establish and maintain a change request approver list. CC ID 06795 [{emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [{change approval} Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval. ID.RA-07.02 {emergency change management} The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards). ID.RA-07.01] | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Operational management | Testing | |
Provide audit trails for all approved changes. CC ID 13120 [Changes and exceptions are managed, assessed for risk impact, recorded, and tracked ID.RA-07] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Operational management | Establish/Maintain Documentation | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Operational management | Establish/Maintain Documentation | |
Include resources in the transition strategy. CC ID 17289 | Operational management | Establish/Maintain Documentation | |
Include time requirements in the transition strategy. CC ID 17288 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [{patch management process} The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames. PR.PS-02.01] | Operational management | Business Processes | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Document the organization's local environments. CC ID 06726 [The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to: DE.AE-02.01] | Operational management | Establish/Maintain Documentation | |
Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Communicate | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain configuration management procedures. CC ID 14074 [Configuration management practices are established and applied PR.PS-01] | System hardening through configuration management | Establish/Maintain Documentation | |
Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Communicate | |
Document external connections for all systems. CC ID 06415 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | System hardening through configuration management | Configuration | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | System hardening through configuration management | Establish/Maintain Documentation | |
Terminate all dependent sessions upon session termination. CC ID 16984 | System hardening through configuration management | Technical Security | |
Configure "Docker" to organizational standards. CC ID 14457 | System hardening through configuration management | Configuration | |
Configure the "autolock" argument to organizational standards. CC ID 14547 | System hardening through configuration management | Configuration | |
Configure the "COPY" instruction to organizational standards. CC ID 14515 | System hardening through configuration management | Configuration | |
Configure the "memory" argument to organizational standards. CC ID 14497 | System hardening through configuration management | Configuration | |
Configure the "docker0" bridge to organizational standards. CC ID 14504 | System hardening through configuration management | Configuration | |
Configure the "docker exec commands" to organizational standards. CC ID 14502 | System hardening through configuration management | Configuration | |
Configure the "health-cmd" argument to organizational standards. CC ID 14527 | System hardening through configuration management | Configuration | |
Configure the maximum number of images to organizational standards. CC ID 14545 | System hardening through configuration management | Configuration | |
Configure the minimum number of manager nodes to organizational standards. CC ID 14543 | System hardening through configuration management | Configuration | |
Configure the "on-failure" restart policy to organizational standards. CC ID 14542 | System hardening through configuration management | Configuration | |
Configure the maximum number of containers to organizational standards. CC ID 14540 | System hardening through configuration management | Configuration | |
Configure the "lifetime_minutes" to organizational standards. CC ID 14539 | System hardening through configuration management | Configuration | |
Configure the "Linux kernel capabilities" to organizational standards. CC ID 14531 | System hardening through configuration management | Configuration | |
Configure the "Docker socket" to organizational standards. CC ID 14506 | System hardening through configuration management | Configuration | |
Configure the "read-only" argument to organizational standards. CC ID 14498 | System hardening through configuration management | Configuration | |
Configure the signed image enforcement to organizational standards. CC ID 14517 | System hardening through configuration management | Configuration | |
Configure the "storage-opt" argument to organizational standards. CC ID 14658 | System hardening through configuration management | Configuration | |
Configure the "swarm services" to organizational standards. CC ID 14516 | System hardening through configuration management | Configuration | |
Configure the "experimental" argument to organizational standards. CC ID 14494 | System hardening through configuration management | Configuration | |
Configure the cluster role-based access control policies to organizational standards. CC ID 14514 | System hardening through configuration management | Configuration | |
Configure the "secret management commands" to organizational standards. CC ID 14512 | System hardening through configuration management | Configuration | |
Configure the "renewal_threshold_minutes" to organizational standards. CC ID 14538 | System hardening through configuration management | Configuration | |
Configure the "docker swarm unlock-key" command to organizational standards. CC ID 14490 | System hardening through configuration management | Configuration | |
Configure the "per_user_limit" to organizational standards. CC ID 14523 | System hardening through configuration management | Configuration | |
Configure the "privileged" argument to organizational standards. CC ID 14510 | System hardening through configuration management | Configuration | |
Configure the "update instructions" to organizational standards. CC ID 14525 | System hardening through configuration management | Configuration | |
Configure the "swarm mode" to organizational standards. CC ID 14508 | System hardening through configuration management | Configuration | |
Configure the "USER" directive to organizational standards. CC ID 14507 | System hardening through configuration management | Configuration | |
Configure the "DOCKER_CONTENT_TRUST" to organizational standards. CC ID 14488 | System hardening through configuration management | Configuration | |
Configure the "no-new-privileges" argument to organizational standards. CC ID 14474 | System hardening through configuration management | Configuration | |
Configure the "seccomp-profile" argument to organizational standards. CC ID 14503 | System hardening through configuration management | Configuration | |
Configure the "cpu-shares" argument to organizational standards. CC ID 14489 | System hardening through configuration management | Configuration | |
Configure the "volume" argument to organizational standards. CC ID 14533 | System hardening through configuration management | Configuration | |
Configure the "cgroup-parent" to organizational standards. CC ID 14466 | System hardening through configuration management | Configuration | |
Configure the "live-restore" argument to organizational standards. CC ID 14465 | System hardening through configuration management | Configuration | |
Configure the "userland-proxy" argument to organizational standards. CC ID 14464 | System hardening through configuration management | Configuration | |
Configure the "user namespace support" to organizational standards. CC ID 14462 | System hardening through configuration management | Configuration | |
Configure "etcd" to organizational standards. CC ID 14535 | System hardening through configuration management | Configuration | |
Configure the "auto-tls" argument to organizational standards. CC ID 14621 | System hardening through configuration management | Configuration | |
Configure the "peer-auto-tls" argument to organizational standards. CC ID 14636 | System hardening through configuration management | Configuration | |
Configure the "peer-client-cert-auth" argument to organizational standards. CC ID 14614 | System hardening through configuration management | Configuration | |
Configure the "peer-cert-file" argument to organizational standards. CC ID 14606 | System hardening through configuration management | Configuration | |
Configure the "key-file" argument to organizational standards. CC ID 14604 | System hardening through configuration management | Configuration | |
Configure the "cert-file" argument to organizational standards. CC ID 14602 | System hardening through configuration management | Configuration | |
Configure the "client-cert-auth" argument to organizational standards. CC ID 14596 | System hardening through configuration management | Configuration | |
Configure the "peer-key-file" argument to organizational standards. CC ID 14595 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain container orchestration. CC ID 16350 | System hardening through configuration management | Technical Security | |
Configure "Kubernetes" to organizational standards. CC ID 14528 | System hardening through configuration management | Configuration | |
Configure the "ImagePolicyWebhook" admission controller to organizational standards. CC ID 14657 | System hardening through configuration management | Configuration | |
Configure the "allowedCapabilities" to organizational standards. CC ID 14653 | System hardening through configuration management | Configuration | |
Configure the "allowPrivilegeEscalation" flag to organizational standards. CC ID 14645 | System hardening through configuration management | Configuration | |
Configure the "Security Context" to organizational standards. CC ID 14656 | System hardening through configuration management | Configuration | |
Configure the "cluster-admin" role to organizational standards. CC ID 14642 | System hardening through configuration management | Configuration | |
Configure the "automountServiceAccountToken" to organizational standards. CC ID 14639 | System hardening through configuration management | Configuration | |
Configure the "seccomp" profile to organizational standards. CC ID 14652 | System hardening through configuration management | Configuration | |
Configure the "securityContext.privileged" flag to organizational standards. CC ID 14641 | System hardening through configuration management | Configuration | |
Configure the "audit-policy-file" to organizational standards. CC ID 14610 | System hardening through configuration management | Configuration | |
Configure the "bind-address" argument to organizational standards. CC ID 14601 | System hardening through configuration management | Configuration | |
Configure the "request-timeout" argument to organizational standards. CC ID 14583 | System hardening through configuration management | Configuration | |
Configure the "secure-port" argument to organizational standards. CC ID 14582 | System hardening through configuration management | Configuration | |
Configure the "service-account-key-file" argument to organizational standards. CC ID 14581 | System hardening through configuration management | Configuration | |
Configure the "insecure-bind-address" argument to organizational standards. CC ID 14580 | System hardening through configuration management | Configuration | |
Configure the "service-account-lookup" argument to organizational standards. CC ID 14579 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin PodSecurityPolicy" to organizational standards. CC ID 14578 | System hardening through configuration management | Configuration | |
Configure the "profiling" argument to organizational standards. CC ID 14577 | System hardening through configuration management | Configuration | |
Configure the "hostNetwork" flag to organizational standards. CC ID 14649 | System hardening through configuration management | Configuration | |
Configure the "hostPID" flag to organizational standards. CC ID 14648 | System hardening through configuration management | Configuration | |
Configure the "etcd-certfile" argument to organizational standards. CC ID 14584 | System hardening through configuration management | Configuration | |
Configure the "runAsUser.rule" to organizational standards. CC ID 14651 | System hardening through configuration management | Configuration | |
Configure the "requiredDropCapabilities" to organizational standards. CC ID 14650 | System hardening through configuration management | Configuration | |
Configure the "hostIPC" flag to organizational standards. CC ID 14643 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin ServiceAccount" to organizational standards. CC ID 14576 | System hardening through configuration management | Configuration | |
Configure the "insecure-port" argument to organizational standards. CC ID 14575 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin AlwaysPullImages" to organizational standards. CC ID 14574 | System hardening through configuration management | Configuration | |
Configure the "pod" to organizational standards. CC ID 14644 | System hardening through configuration management | Configuration | |
Configure the "ClusterRoles" to organizational standards. CC ID 14637 | System hardening through configuration management | Configuration | |
Configure the "event-qps" argument to organizational standards. CC ID 14633 | System hardening through configuration management | Configuration | |
Configure the "Kubelet" to organizational standards. CC ID 14635 | System hardening through configuration management | Configuration | |
Configure the "NET_RAW" to organizational standards. CC ID 14647 | System hardening through configuration management | Configuration | |
Configure the "make-iptables-util-chains" argument to organizational standards. CC ID 14638 | System hardening through configuration management | Configuration | |
Configure the "hostname-override" argument to organizational standards. CC ID 14631 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin NodeRestriction" to organizational standards. CC ID 14573 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin AlwaysAdmit" to organizational standards. CC ID 14572 | System hardening through configuration management | Configuration | |
Configure the "etcd-cafile" argument to organizational standards. CC ID 14592 | System hardening through configuration management | Configuration | |
Configure the "encryption-provider-config" argument to organizational standards. CC ID 14587 | System hardening through configuration management | Configuration | |
Configure the "rotate-certificates" argument to organizational standards. CC ID 14640 | System hardening through configuration management | Configuration | |
Configure the "etcd-keyfile" argument to organizational standards. CC ID 14586 | System hardening through configuration management | Configuration | |
Configure the "client-ca-file" argument to organizational standards. CC ID 14585 | System hardening through configuration management | Configuration | |
Configure the "kube-apiserver" to organizational standards. CC ID 14589 | System hardening through configuration management | Configuration | |
Configure the "tls-private-key-file" argument to organizational standards. CC ID 14590 | System hardening through configuration management | Configuration | |
Configure the "streaming-connection-idle-timeout" argument to organizational standards. CC ID 14634 | System hardening through configuration management | Configuration | |
Configure the "RotateKubeletServerCertificate" argument to organizational standards. CC ID 14626 | System hardening through configuration management | Configuration | |
Configure the "protect-kernel-defaults" argument to organizational standards. CC ID 14629 | System hardening through configuration management | Configuration | |
Configure the "read-only-port" argument to organizational standards. CC ID 14627 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin NamespaceLifecycle" to organizational standards. CC ID 14571 | System hardening through configuration management | Configuration | |
Configure the "terminated-pod-gc-threshold" argument to organizational standards. CC ID 14593 | System hardening through configuration management | Configuration | |
Configure the "tls-cert-file" argument to organizational standards. CC ID 14588 | System hardening through configuration management | Configuration | |
Configure the "kubelet-certificate-authority" argument to organizational standards. CC ID 14570 | System hardening through configuration management | Configuration | |
Configure the "service-account-private-key-file" argument to organizational standards. CC ID 14607 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin SecurityContextDeny" to organizational standards. CC ID 14569 | System hardening through configuration management | Configuration | |
Configure the "kubelet-client-certificate" argument to organizational standards. CC ID 14568 | System hardening through configuration management | Configuration | |
Configure the "root-ca-file" argument to organizational standards. CC ID 14599 | System hardening through configuration management | Configuration | |
Configure the "admission control plugin EventRateLimit" to organizational standards. CC ID 14567 | System hardening through configuration management | Configuration | |
Configure the "use-service-account-credentials" argument to organizational standards. CC ID 14594 | System hardening through configuration management | Configuration | |
Configure the "token-auth-file" argument to organizational standards. CC ID 14566 | System hardening through configuration management | Configuration | |
Configure the "authorization-mode" argument to organizational standards. CC ID 14565 | System hardening through configuration management | Configuration | |
Configure the "anonymous-auth" argument to organizational standards. CC ID 14564 | System hardening through configuration management | Configuration | |
Configure the "kubelet-client-key" argument to organizational standards. CC ID 14563 | System hardening through configuration management | Configuration | |
Configure the "kubelet-https" argument to organizational standards. CC ID 14561 | System hardening through configuration management | Configuration | |
Configure the "basic-auth-file" argument to organizational standards. CC ID 14559 | System hardening through configuration management | Configuration | |
Configure the Remote Deposit Capture system to organizational standards. CC ID 13569 | System hardening through configuration management | Configuration | |
Prohibit files from containing wild cards, as necessary. CC ID 16318 | System hardening through configuration management | Process or Activity | |
Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [Software is maintained, replaced, and removed commensurate with risk PR.PS-02 Installation and execution of unauthorized software are prevented PR.PS-05] | System hardening through configuration management | Configuration | |
Use the latest approved version of all assets. CC ID 00897 [Software is maintained, replaced, and removed commensurate with risk PR.PS-02] | System hardening through configuration management | Technical Security | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Communicate | |
Configure the system's booting configuration. CC ID 10656 | System hardening through configuration management | Configuration | |
Configure Least Functionality and Least Privilege settings to organizational standards. CC ID 07599 [The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. PR.PS-01.02] | System hardening through configuration management | Configuration | |
Prohibit directories from having read/write capability, as appropriate. CC ID 16313 | System hardening through configuration management | Configuration | |
Configure "Block public access (bucket settings)" to organizational standards. CC ID 15444 | System hardening through configuration management | Configuration | |
Configure S3 Bucket Policies to organizational standards. CC ID 15431 | System hardening through configuration management | Configuration | |
Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards. CC ID 15417 | System hardening through configuration management | Configuration | |
Configure "Allow Cloud Search" to organizational standards. CC ID 15416 | System hardening through configuration management | Configuration | |
Configure "Configure Watson events" to organizational standards. CC ID 15414 | System hardening through configuration management | Configuration | |
Configure "Allow Clipboard synchronization across devices" to organizational standards. CC ID 15412 | System hardening through configuration management | Configuration | |
Configure "Prevent users from modifying settings" to organizational standards. CC ID 15411 | System hardening through configuration management | Configuration | |
Configure "Prevent users from sharing files within their profile" to organizational standards. CC ID 15408 | System hardening through configuration management | Configuration | |
Configure "Manage preview builds" to organizational standards. CC ID 15405 | System hardening through configuration management | Configuration | |
Configure "Turn off Help Experience Improvement Program" to organizational standards. CC ID 15403 | System hardening through configuration management | Configuration | |
Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards. CC ID 15402 | System hardening through configuration management | Configuration | |
Configure "Hardened UNC Paths" to organizational standards. CC ID 15400 | System hardening through configuration management | Configuration | |
Configure "Turn off all Windows spotlight features" to organizational standards. CC ID 15397 | System hardening through configuration management | Configuration | |
Configure "Allow Message Service Cloud Sync" to organizational standards. CC ID 15396 | System hardening through configuration management | Configuration | |
Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards. CC ID 15394 | System hardening through configuration management | Configuration | |
Configure "Configure Windows spotlight on lock screen" to organizational standards. CC ID 15391 | System hardening through configuration management | Configuration | |
Configure "Do not suggest third-party content in Windows spotlight" to organizational standards. CC ID 15389 | System hardening through configuration management | Configuration | |
Configure "Enable Font Providers" to organizational standards. CC ID 15388 | System hardening through configuration management | Configuration | |
Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards. CC ID 15386 | System hardening through configuration management | Configuration | |
Configure "Do not display network selection UI" to organizational standards. CC ID 15381 | System hardening through configuration management | Configuration | |
Configure "Turn off KMS Client Online AVS Validation" to organizational standards. CC ID 15380 | System hardening through configuration management | Configuration | |
Configure "Allow Telemetry" to organizational standards. CC ID 15378 | System hardening through configuration management | Configuration | |
Configure "Allow users to enable online speech recognition services" to organizational standards. CC ID 15377 | System hardening through configuration management | Configuration | |
Configure "Prevent enabling lock screen camera" to organizational standards. CC ID 15373 | System hardening through configuration management | Configuration | |
Configure "Continue experiences on this device" to organizational standards. CC ID 15372 | System hardening through configuration management | Configuration | |
Configure "Prevent the usage of OneDrive for file storage" to organizational standards. CC ID 15369 | System hardening through configuration management | Configuration | |
Configure "Do not use diagnostic data for tailored experiences" to organizational standards. CC ID 15367 | System hardening through configuration management | Configuration | |
Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards. CC ID 15365 | System hardening through configuration management | Configuration | |
Configure "Turn off Microsoft consumer experiences" to organizational standards. CC ID 15363 | System hardening through configuration management | Configuration | |
Configure "Allow Use of Camera" to organizational standards. CC ID 15362 | System hardening through configuration management | Configuration | |
Configure "Allow Online Tips" to organizational standards. CC ID 15360 | System hardening through configuration management | Configuration | |
Configure "Turn off cloud optimized content" to organizational standards. CC ID 15357 | System hardening through configuration management | Configuration | |
Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards. CC ID 15356 | System hardening through configuration management | Configuration | |
Configure "Toggle user control over Insider builds" to organizational standards. CC ID 15354 | System hardening through configuration management | Configuration | |
Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards. CC ID 15353 | System hardening through configuration management | Configuration | |
Configure "Do not show feedback notifications" to organizational standards. CC ID 15350 | System hardening through configuration management | Configuration | |
Configure "Prevent enabling lock screen slide show" to organizational standards. CC ID 15349 | System hardening through configuration management | Configuration | |
Configure "Turn off the advertising ID" to organizational standards. CC ID 15348 | System hardening through configuration management | Configuration | |
Configure "Allow Windows Ink Workspace" to organizational standards. CC ID 15346 | System hardening through configuration management | Configuration | |
Configure "Allow a Windows app to share application data between users" to organizational standards. CC ID 15345 | System hardening through configuration management | Configuration | |
Configure "Turn off handwriting personalization data sharing" to organizational standards. CC ID 15339 | System hardening through configuration management | Configuration | |
Refrain from using assertion lifetimes to limit each session. CC ID 13871 | System hardening through configuration management | Technical Security | |
Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | System hardening through configuration management | Configuration | |
Invalidate unexpected session identifiers. CC ID 15307 | System hardening through configuration management | Configuration | |
Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | System hardening through configuration management | Configuration | |
Reject session identifiers that are not valid. CC ID 15306 | System hardening through configuration management | Configuration | |
Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | System hardening through configuration management | Configuration | |
Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | System hardening through configuration management | Configuration | |
Install custom applications, only if they are trusted. CC ID 04822 | System hardening through configuration management | Configuration | |
Configure Simple Network Management Protocol (SNMP) to organizational standards. CC ID 12423 | System hardening through configuration management | Configuration | |
Establish access requirements for SNMP community strings. CC ID 16357 | System hardening through configuration management | Technical Security | |
Use different SNMP community strings across devices to support least privilege. CC ID 17053 | System hardening through configuration management | Data and Information Management | |
Configure the system's storage media. CC ID 10618 | System hardening through configuration management | Configuration | |
Configure the "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting. CC ID 04910 | System hardening through configuration management | Configuration | |
Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Configuration | |
Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Configuration | |
Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Technical Security | |
Manage access credentials for service accounts. CC ID 13862 [{malicious use} The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. PR.AA-05.03] | System hardening through configuration management | Technical Security | |
Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Configuration | |
Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Configuration | |
Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Configuration | |
Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Configuration | |
Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Configuration | |
Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Configuration | |
Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Configuration | |
Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Configuration | |
Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Configuration | |
Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Configuration | |
Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Configuration | |
Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Configuration | |
Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Configuration | |
Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Configuration | |
Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Configuration | |
Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Configuration | |
Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Configuration | |
Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Configuration | |
Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Configuration | |
Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Configuration | |
Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Configuration | |
Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Configuration | |
Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Configuration | |
Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Configuration | |
Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Configuration | |
Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Configuration | |
Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Configuration | |
Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Configuration | |
Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Configuration | |
Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Configuration | |
Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Configuration | |
Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Configuration | |
Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Configuration | |
Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Configuration | |
Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Configuration | |
Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Configuration | |
Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Configuration | |
Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Configuration | |
Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Configuration | |
Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Configuration | |
Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Configuration | |
Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Configuration | |
Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Configuration | |
Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Configuration | |
Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Configuration | |
Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Configuration | |
Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Configuration | |
Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Configuration | |
Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Configuration | |
Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Configuration | |
Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Configuration | |
Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Configuration | |
Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Configuration | |
Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Configuration | |
Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Configuration | |
Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Configuration | |
Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Configuration | |
Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Configuration | |
Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Configuration | |
Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Configuration | |
Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Configuration | |
Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Configuration | |
Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Configuration | |
Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Configuration | |
Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Configuration | |
Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Configuration | |
Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Configuration | |
Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Configuration | |
Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Configuration | |
Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Configuration | |
Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Configuration | |
Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Configuration | |
Configure the system to refrain from completing authentication methods when a security breach is detected. CC ID 13790 | System hardening through configuration management | Configuration | |
Configure the "/etc/shadow" settings to organizational standards. CC ID 15332 | System hardening through configuration management | Configuration | |
Configure the "Interactive logon: Require removal card" setting. CC ID 06053 | System hardening through configuration management | Configuration | |
Configure the TCP/IP Dead Gateway Detection as appropriate. CC ID 06025 | System hardening through configuration management | Configuration | |
Verify the environment variable "Os2LibPath" exists, as appropriate. CC ID 05142 | System hardening through configuration management | Configuration | |
Define the path to the Microsoft OS/2 version 1.x library properly. CC ID 05143 | System hardening through configuration management | Configuration | |
Set the "Specify intranet Microsoft update service location" properly. CC ID 05144 | System hardening through configuration management | Configuration | |
Set the path to the debugger used for Just-In-Time debugging properly. CC ID 05145 | System hardening through configuration management | Configuration | |
Set the OS/2 Subsystem location properly. CC ID 05146 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_CLASSES_ROOT properly. CC ID 05154 | System hardening through configuration management | Configuration | |
Set the registry key HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2 properly. CC ID 05155 | System hardening through configuration management | Configuration | |
Set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger properly. CC ID 05156 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command properly. CC ID 05157 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography properly. CC ID 05158 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hlp properly. CC ID 05159 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\helpfile properly. CC ID 05160 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing properly. CC ID 05161 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais properly. CC ID 05162 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell properly. CC ID 05163 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony properly. CC ID 05164 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability properly. CC ID 05165 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell properly. CC ID 05166 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion properly. CC ID 05167 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech properly. CC ID 05168 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC properly. CC ID 05169 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem properly. CC ID 05170 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates properly. CC ID 05171 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports properly. CC ID 05172 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing properly. CC ID 05173 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Policies properly. CC ID 05174 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor properly. CC ID 05175 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ads\Providers\WinNT properly. CC ID 05176 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT properly. CC ID 05177 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS properly. CC ID 05178 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions properly. CC ID 05179 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots properly. CC ID 05180 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager properly. CC ID 05181 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help properly. CC ID 05182 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip properly. CC ID 05183 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing properly. CC ID 05184 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceManager properly. CC ID 05185 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security properly. CC ID 05186 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP properly. CC ID 05187 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent properly. CC ID 05188 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security properly. CC ID 05189 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security properly. CC ID 05190 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security properly. CC ID 05191 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security properly. CC ID 05192 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security properly. CC ID 05193 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security properly. CC ID 05194 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security properly. CC ID 05195 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security properly. CC ID 05196 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility properly. CC ID 05197 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security properly. CC ID 05198 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security properly. CC ID 05199 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services properly. CC ID 05200 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers properly. CC ID 05201 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network properly. CC ID 05202 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\LSA\Data properly. CC ID 05203 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG properly. CC ID 05204 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1 properly. CC ID 05205 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD properly. CC ID 05206 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control properly. CC ID 05207 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wbem properly. CC ID 05208 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security properly. CC ID 05209 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font properly. CC ID 05210 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog properly. CC ID 05211 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares properly. CC ID 05212 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status properly. CC ID 05213 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Secure properly. CC ID 05214 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups properly. CC ID 05215 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon properly. CC ID 05216 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones properly. CC ID 05217 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping properly. CC ID 05218 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS properly. CC ID 05219 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper properly. CC ID 05220 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility properly. CC ID 05221 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug properly. CC ID 05222 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx properly. CC ID 05223 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce properly. CC ID 05224 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run properly. CC ID 05225 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows properly. CC ID 05226 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Secure properly. CC ID 05227 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC properly. CC ID 05228 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options properly. CC ID 05229 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole properly. CC ID 05230 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions properly. CC ID 05231 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout properly. CC ID 05232 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex properly. CC ID 05233 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName properly. CC ID 05234 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy properly. CC ID 05235 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule properly. CC ID 05236 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost properly. CC ID 05237 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit properly. CC ID 05238 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList properly. CC ID 05239 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS properly. CC ID 05240 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 properly. CC ID 05241 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes properly. CC ID 05242 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion properly. CC ID 05243 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates properly. CC ID 05244 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows properly. CC ID 05245 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole properly. CC ID 05246 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers properly. CC ID 05247 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies properly. CC ID 05248 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey properly. CC ID 05249 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host properly. CC ID 05250 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings properly. CC ID 05251 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class properly. CC ID 05252 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security properly. CC ID 05253 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache properly. CC ID 05254 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security properly. CC ID 05255 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security properly. CC ID 05256 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt properly. CC ID 05257 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess properly. CC ID 05259 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security properly. CC ID 05260 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security properly. CC ID 05261 | System hardening through configuration management | Configuration | |
Set the registry permission for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries properly. CC ID 05262 | System hardening through configuration management | Configuration | |
Configure the "%SystemRoot%\$NtServicePackUninstall$" directory permissions to organizational standards. CC ID 10126 | System hardening through configuration management | Configuration | |
Configure the "HKEY_CLASSES_ROOT" registry key permissions to organizational standards. CC ID 10200 | System hardening through configuration management | Configuration | |
Configure the "%SystemRoot%\System32\reg.exe" file permissions to organizational standards. CC ID 10312 | System hardening through configuration management | Configuration | |
Configure the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" registry key permissions to organizational standards. CC ID 10404 | System hardening through configuration management | Configuration | |
Include the date and time that access was granted in the system record. CC ID 15174 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the access level granted in the system record. CC ID 15173 | System hardening through configuration management | Establish/Maintain Documentation | |
Include when access is withdrawn in the system record. CC ID 15172 | System hardening through configuration management | Establish/Maintain Documentation | |
Restrict logons by specified source addresses. CC ID 16394 | System hardening through configuration management | Technical Security | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
Disallow personal data in authenticators. CC ID 13864 | System hardening through configuration management | Technical Security | |
Establish, implement, and maintain an authenticator management system. CC ID 12031 [Identities and credentials for authorized users, services, and hardware are managed by the organization PR.AA-01] | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain a repository of authenticators. CC ID 16372 | System hardening through configuration management | Data and Information Management | |
Configure authenticator activation codes in accordance with organizational standards. CC ID 17032 | System hardening through configuration management | Configuration | |
Configure authenticators to comply with organizational standards. CC ID 06412 [{multi-factor authentication} {risk mitigation measure} Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics. PR.AA-03.01] | System hardening through configuration management | Configuration | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Configuration | |
Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Configuration | |
Configure the authenticator policy to ban or allow authenticators as proper names, as necessary. CC ID 17030 | System hardening through configuration management | Configuration | |
Set the maximum number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Configuration | |
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Configuration | |
Configure the authenticator display screen to organizational standards. CC ID 13794 | System hardening through configuration management | Configuration | |
Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 | System hardening through configuration management | Configuration | |
Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 | System hardening through configuration management | Configuration | |
Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 | System hardening through configuration management | Communicate | |
Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 | System hardening through configuration management | Configuration | |
Configure the system to allow paste functionality for the authenticator field. CC ID 13819 | System hardening through configuration management | Configuration | |
Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 | System hardening through configuration management | Configuration | |
Protect authenticators or authentication factors from unauthorized modification and disclosure. CC ID 15317 | System hardening through configuration management | Technical Security | |
Obscure authentication information during the login process. CC ID 15316 | System hardening through configuration management | Configuration | |
Issue temporary authenticators, as necessary. CC ID 17062 | System hardening through configuration management | Process or Activity | |
Renew temporary authenticators, as necessary. CC ID 17061 | System hardening through configuration management | Process or Activity | |
Disable authenticators, as necessary. CC ID 17060 | System hardening through configuration management | Process or Activity | |
Change authenticators, as necessary. CC ID 15315 | System hardening through configuration management | Configuration | |
Implement safeguards to protect authenticators from unauthorized access. CC ID 15310 | System hardening through configuration management | Technical Security | |
Change all default authenticators. CC ID 15309 | System hardening through configuration management | Configuration | |
Configure each system's security alerts to organizational standards. CC ID 12113 | System hardening through configuration management | Technical Security | |
Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Configuration | |
Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Configuration | |
Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Configuration | |
Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Configuration | |
Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Configuration | |
Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Configuration | |
Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Configuration | |
Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Configuration | |
Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Configuration | |
Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Configuration | |
Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Configuration | |
Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Configuration | |
Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Configuration | |
Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Configuration | |
Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Configuration | |
Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Configuration | |
Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Configuration | |
Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Configuration | |
Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Configuration | |
Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Configuration | |
Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Configuration | |
Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Configuration | |
Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Configuration | |
Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Configuration | |
Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Configuration | |
Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Configuration | |
Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Configuration | |
Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Configuration | |
Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Configuration | |
Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Technical Security | |
Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Configuration | |
Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Configuration | |
Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Configuration | |
Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Configuration | |
Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Configuration | |
Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Event Viewer 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Configuration | |
Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Configuration | |
Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Configuration | |
Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Configuration | |
Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Configuration | |
Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Configuration | |
Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Configuration | |
Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Configuration | |
Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Configuration | |
Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Configuration | |
Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Configuration | |
Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Configuration | |
Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Configuration | |
Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Configuration | |
Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Configuration | |
Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Configuration | |
Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Configuration | |
Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Configuration | |
Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Configuration | |
Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Configuration | |
Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Configuration | |
Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Configuration | |
Configure knowledge-based authentication tools in accordance with organizational standards. CC ID 13740 | System hardening through configuration management | Configuration | |
Configure the session timeout for the knowledge-based authentication tool used for the identity proofing process according to organizational standards. CC ID 13754 | System hardening through configuration management | Configuration | |
Configure the knowledge-based authentication tool to restart after a session timeout. CC ID 13753 | System hardening through configuration management | Configuration | |
Configure the number of attempts allowed to complete the knowledge-based authentication in the knowledge-based authentication tool. CC ID 13751 | System hardening through configuration management | Configuration | |
Configure Windows User Account Control in accordance with organizational standards. CC ID 16437 | System hardening through configuration management | Configuration | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Configuration | |
Change default accounts. CC ID 16468 | System hardening through configuration management | Process or Activity | |
Configure "SYSVOL" to organizational standards. CC ID 15398 | System hardening through configuration management | Configuration | |
Configure the "docker.service" file ownership to organizational standards. CC ID 14477 | System hardening through configuration management | Configuration | |
Set the /usr/bin/at file permissions properly. CC ID 05456 | System hardening through configuration management | Configuration | |
Configure the "/etc/default/docker" file permissions to organizational standards. CC ID 14487 | System hardening through configuration management | Configuration | |
Configure the "/etc/default/docker" file ownership to organizational standards. CC ID 14484 | System hardening through configuration management | Configuration | |
Configure the "/etc/docker" directory permissions to organizational standards. CC ID 14470 | System hardening through configuration management | Configuration | |
Configure the "/etc/docker" directory ownership to organizational standards. CC ID 14469 | System hardening through configuration management | Configuration | |
Configure the "/etc/kubernetes/pki/*.crt" file permissions to organizational standards. CC ID 14562 | System hardening through configuration management | Configuration | |
Configure the "/etc/kubernetes/pki/*.key" file permissions to organizational standards. CC ID 14557 | System hardening through configuration management | Configuration | |
Configure the "/etc/kubernetes/pki" file ownership to organizational standards. CC ID 14555 | System hardening through configuration management | Configuration | |
Configure the "/etc/sysconfig/docker" file ownership to organizational standards. CC ID 14491 | System hardening through configuration management | Configuration | |
Configure the "/etc/sysconfig/docker" file permissions to organizational standards. CC ID 14486 | System hardening through configuration management | Configuration | |
Configure the "docker.socket" file ownership to organizational standards. CC ID 14472 | System hardening through configuration management | Configuration | |
Configure the "docker.socket" file permissions to organizational standards. CC ID 14468 | System hardening through configuration management | Configuration | |
Set the /etc/security/audit/events file permissions properly. CC ID 05520 | System hardening through configuration management | Configuration | |
Set the /etc/hosts.lpd file permissions properly. CC ID 05526 | System hardening through configuration management | Configuration | |
Configure the "docker.service" file permissions to organizational standards. CC ID 14479 | System hardening through configuration management | Configuration | |
Set the Cron log file permissions properly. CC ID 05553 | System hardening through configuration management | Configuration | |
Set the /etc/fs file permissions properly. CC ID 05556 | System hardening through configuration management | Configuration | |
Configure the "Docker socket" file ownership to organizational standards. CC ID 14493 | System hardening through configuration management | Configuration | |
Configure the "daemon.json" file permissions to organizational standards. CC ID 14492 | System hardening through configuration management | Configuration | |
Configure the "Docker server certificate" file ownership to organizational standards. CC ID 14471 | System hardening through configuration management | Configuration | |
Configure the "Docker server certificate key" file permissions to organizational standards. CC ID 14485 | System hardening through configuration management | Configuration | |
Configure the "daemon.json" file ownership to organizational standards. CC ID 14482 | System hardening through configuration management | Configuration | |
Configure the "Docker socket" file permissions to organizational standards. CC ID 14480 | System hardening through configuration management | Configuration | |
Configure the "Docker server certificate key" file ownership to organizational standards. CC ID 14478 | System hardening through configuration management | Configuration | |
Configure the "admin.conf" file ownership to organizational standards. CC ID 14556 | System hardening through configuration management | Configuration | |
Configure the "admin.conf" file permissions to organizational standards. CC ID 14554 | System hardening through configuration management | Configuration | |
Configure the "Certificate Authority" file ownership to organizational standards. CC ID 14630 | System hardening through configuration management | Configuration | |
Configure the "Docker server certificate" file permissions to organizational standards. CC ID 14476 | System hardening through configuration management | Configuration | |
Configure the "etcd" data directory ownership to organizational standards. CC ID 14620 | System hardening through configuration management | Configuration | |
Configure the "etcd" data directory permissions to organizational standards. CC ID 14618 | System hardening through configuration management | Configuration | |
Configure the "etcd.yaml" file ownership to organizational standards. CC ID 14615 | System hardening through configuration management | Configuration | |
Configure the "etcd.yaml" file permissions to organizational standards. CC ID 14609 | System hardening through configuration management | Configuration | |
Configure the "Certificate Authority" file permissions to organizational standards. CC ID 14623 | System hardening through configuration management | Configuration | |
Configure the "kubelet --config" file ownership to organizational standards. CC ID 14632 | System hardening through configuration management | Configuration | |
Configure the "kubelet.conf" file ownership to organizational standards. CC ID 14628 | System hardening through configuration management | Configuration | |
Configure the "kubelet --config" file permissions to organizational standards. CC ID 14625 | System hardening through configuration management | Configuration | |
Configure the "kubelet service" file permissions to organizational standards. CC ID 14660 | System hardening through configuration management | Configuration | |
Configure the "kubelet.conf" file permissions to organizational standards. CC ID 14619 | System hardening through configuration management | Configuration | |
Configure the "controller-manager.conf" file ownership to organizational standards. CC ID 14560 | System hardening through configuration management | Configuration | |
Configure the "kubeconfig" file ownership to organizational standards. CC ID 14617 | System hardening through configuration management | Configuration | |
Configure the "kubeconfig" file permissions to organizational standards. CC ID 14616 | System hardening through configuration management | Configuration | |
Configure the "kubelet service" file ownership to organizational standards. CC ID 14612 | System hardening through configuration management | Configuration | |
Configure the "kube-scheduler.yaml" file ownership to organizational standards. CC ID 14611 | System hardening through configuration management | Configuration | |
Configure the "kube-scheduler.yaml" file permissions to organizational standards. CC ID 14603 | System hardening through configuration management | Configuration | |
Configure the "kube-controller-manager.yaml" file ownership to organizational standards. CC ID 14600 | System hardening through configuration management | Configuration | |
Configure the "kube-controller-manager.yaml" file permissions to organizational standards. CC ID 14598 | System hardening through configuration management | Configuration | |
Configure the "kube-apiserver.yaml" file ownership to organizational standards. CC ID 14597 | System hardening through configuration management | Configuration | |
Configure the "scheduler.conf" file ownership to organizational standards. CC ID 14558 | System hardening through configuration management | Configuration | |
Configure the "controller-manager.conf" file permissions to organizational standards. CC ID 14553 | System hardening through configuration management | Configuration | |
Configure the "Container Network Interface" file ownership to organizational standards. CC ID 14552 | System hardening through configuration management | Configuration | |
Configure the "Container Network Interface" file permissions to organizational standards. CC ID 14550 | System hardening through configuration management | Configuration | |
Configure the "scheduler.conf" file permissions to organizational standards. CC ID 14551 | System hardening through configuration management | Configuration | |
Configure the "kube-apiserver.yaml" file permissions to organizational standards. CC ID 14549 | System hardening through configuration management | Configuration | |
Configure the "registry certificate" file permissions to organizational standards. CC ID 14483 | System hardening through configuration management | Configuration | |
Configure the "registry certificate" file ownership to organizational standards. CC ID 14481 | System hardening through configuration management | Configuration | |
Configure the "setgid" permissions to organizational standards. CC ID 14513 | System hardening through configuration management | Configuration | |
Configure the "TLS CA certificate" file permissions to organizational standards. CC ID 14475 | System hardening through configuration management | Configuration | |
Configure the "TLS CA certificate" file ownership to organizational standards. CC ID 14473 | System hardening through configuration management | Configuration | |
Configure the "setuid" permissions to organizational standards. CC ID 14509 | System hardening through configuration management | Configuration | |
Configure the "User Account Control: Allow UIAccess applications to prompt for elevation" setting. CC ID 05586 | System hardening through configuration management | Configuration | |
Configure the "Do Not Allow New Client Connections" policy for Terminal Services properly. CC ID 05587 | System hardening through configuration management | Configuration | |
Configure the service permissions for NetMeeting, as appropriate. CC ID 06045 | System hardening through configuration management | Configuration | |
Configure the "sudo" to organizational standards. CC ID 15325 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwts32.log properly. CC ID 05627 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemDrive%\My Download Files properly. CC ID 05628 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Driver Cache\I386\Driver.cab properly. CC ID 05629 | System hardening through configuration management | Configuration | |
Configure the permissions for the %SystemRoot%\$NtUninstall* directories properly. CC ID 05630 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemDrive%\NTDS properly. CC ID 05631 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\SYSVOL properly. CC ID 05632 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\SYSVOL\domain\Policies properly. CC ID 05633 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\repl properly. CC ID 05634 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\repl\export properly. CC ID 05635 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\repl\import properly. CC ID 05636 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %ALL% properly. CC ID 05637 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %ALL%\Program Files\MQSeries properly. CC ID 05638 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %ALL%\Program Files\MQSeries\qmggr properly. CC ID 05639 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help properly. CC ID 05640 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB properly. CC ID 05641 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemDrive%\perflogs properly. CC ID 05642 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemDrive%\i386 properly. CC ID 05643 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %ProgramFiles%\Common Files\SpeechEngines\TTS properly. CC ID 05644 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\_default.plf properly. CC ID 05645 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\addins properly. CC ID 05646 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\appPatch properly. CC ID 05647 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\clock.avi properly. CC ID 05648 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Connection Wizard properly. CC ID 05649 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Driver Cache properly. CC ID 05650 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\explorer.scf properly. CC ID 05651 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\explorer.exe properly. CC ID 05652 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Help properly. CC ID 05653 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\inf\unregmp2.exe properly. CC ID 05654 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Java properly. CC ID 05655 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\mib.bin properly. CC ID 05656 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\msagent properly. CC ID 05657 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\msdfmap.ini properly. CC ID 05658 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\mui properly. CC ID 05659 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\security\templates properly. CC ID 05660 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\speech properly. CC ID 05661 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\system.ini properly. CC ID 05662 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\system\setup.inf properly. CC ID 05663 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\system\stdole.tlb properly. CC ID 05664 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\twain_32 properly. CC ID 05665 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\CatRoot properly. CC ID 05666 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\config\systemprofile properly. CC ID 05667 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\dhcp properly. CC ID 05668 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\drivers properly. CC ID 05669 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\Export properly. CC ID 05670 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\ipconfig.exe properly. CC ID 05671 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\LogFiles properly. CC ID 05672 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\mshta.exe properly. CC ID 05673 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\mui properly. CC ID 05674 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\ShellExt properly. CC ID 05675 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\wbem properly. CC ID 05676 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\wbem\mof properly. CC ID 05677 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\wbem\repository properly. CC ID 05678 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\wbem\logs properly. CC ID 05679 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile% properly. CC ID 05680 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data properly. CC ID 05681 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft properly. CC ID 05682 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys properly. CC ID 05683 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys properly. CC ID 05684 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson properly. CC ID 05685 | System hardening through configuration management | Configuration | |
Configure the file permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log properly. CC ID 05686 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\HTML Help properly. CC ID 05687 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\MediaIndex properly. CC ID 05688 | System hardening through configuration management | Configuration | |
Configure the file permissions for %AllUsersProfile%\Documents\desktop.ini properly. CC ID 05689 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %AllUsersProfile%\DRM properly. CC ID 05690 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\Debug\UserMode\userenv.log properly. CC ID 05691 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Installer properly. CC ID 05692 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Prefetch properly. CC ID 05693 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Registration\CRMLog properly. CC ID 05694 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\ciadv.msc properly. CC ID 05695 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\Com\comexp.msc properly. CC ID 05696 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\compmgmt.msc properly. CC ID 05697 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\Config properly. CC ID 05698 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\Config\*.evt properly. CC ID 05699 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\devmgmt.msc properly. CC ID 05700 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\dfrg.msc properly. CC ID 05701 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\diskmgmt.msc properly. CC ID 05702 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\system32\eventvwr.msc properly. CC ID 05703 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\fsmgmt.msc properly. CC ID 05704 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\gpedit.msc properly. CC ID 05705 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\lusrmgr.msc properly. CC ID 05706 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\System32\MSDTC properly. CC ID 05707 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\ntmsoprq.msc properly. CC ID 05708 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\ntmsmgr.msc properly. CC ID 05709 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\perfmon.msc properly. CC ID 05710 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\RSoP.msc properly. CC ID 05711 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\secpol.msc properly. CC ID 05712 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\services.msc properly. CC ID 05713 | System hardening through configuration management | Configuration | |
Configure the file permissions for %SystemRoot%\System32\wmimgmt.msc properly. CC ID 05714 | System hardening through configuration management | Configuration | |
Configure the directory permissions for %SystemRoot%\Web properly. CC ID 05715 | System hardening through configuration management | Configuration | |
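The file and directory permission controls above all reduce to the same check: no broad principal may hold write-class rights on a system path. The following PowerShell audit is an added example, not part of the CRI Profile or the UCF mapping. It takes a subset of the paths listed above (plus a few that exist on current Windows builds; legacy paths are reported as Missing), expands the environment variables, and reports any Allow entry that grants write, modify, delete, ownership or ACL-change rights to Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users. The path list, the set of "broad" principals and the rights mask are assumptions standing in for the organization's own baseline.

```powershell
# Added example (not from the CRI Profile or UCF): audit NTFS ACLs on hardening-relevant
# paths and report Allow entries that give write-class rights to broad principals.
# Run from an elevated session so every ACL is readable.

$Paths = @(
    '%SystemRoot%\System32\drivers',
    '%SystemRoot%\System32\Config',
    '%SystemRoot%\System32\wbem\Repository',
    '%SystemRoot%\System32\LogFiles',
    '%SystemRoot%\security\templates',
    '%SystemRoot%\Installer',
    '%SystemRoot%\Prefetch',
    '%SystemRoot%\SYSVOL',        # domain controllers only; reported as Missing elsewhere
    '%SystemDrive%\NTDS'          # domain controllers only
)

# Well-known SIDs are compared instead of names so the check is locale-independent (assumption: this set).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal change content, the ACL, or the owner (assumption: this mask).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership, Delete'

function Test-PathAcl {
    param([Parameter(Mandatory)][string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Status = 'Missing'; Findings = @() }
    }
    $acl = Get-Acl -LiteralPath $expanded
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: not one of the broad principals
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            '{0}: {1} ({2})' -f $BroadSids[$sid], $ace.FileSystemRights, $origin
        }
    }
    [pscustomobject]@{
        Path     = $expanded
        Status   = if ($findings) { 'Deviation' } else { 'OK' }
        Findings = @($findings)
    }
}

$Paths | ForEach-Object { Test-PathAcl -Path $_ } |
    Format-Table -AutoSize -Wrap Path, Status, @{ n = 'Findings'; e = { $_.Findings -join '; ' } }
```

An inherited finding means the deviation originates on a parent directory and must be corrected there; fixing it on the child alone only breaks inheritance. Extend $Paths with the remaining entries from the list above and compare the output against the organization's documented baseline rather than treating every Deviation as a defect, since some application directories legitimately grant Modify to Users.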
Configure the BitLocker setting appropriately for fixed disk drives and removable disk drives. CC ID 06064 | System hardening through configuration management | Configuration | |
Configure the BitLocker identifiers. CC ID 06066 | System hardening through configuration management | Configuration | |
Enable the OS/2 subsystem, as appropriate. CC ID 05717 | System hardening through configuration management | Configuration | |
Configure the IPsec security association lifetime to organizational standards. CC ID 16508 | System hardening through configuration management | Configuration | |
Configure route filtering to organizational standards. CC ID 16359 | System hardening through configuration management | Configuration | |
Refrain from accepting routes from unauthorized parties. CC ID 16397 | System hardening through configuration management | Technical Security | |
Configure security gateways to organizational standards. CC ID 16352 | System hardening through configuration management | Configuration | |
Configure network elements to organizational standards. CC ID 16361 | System hardening through configuration management | Configuration | |
Configure network elements to ignore hop-by-hop options headers in transit packets. CC ID 16992 | System hardening through configuration management | Configuration | |
Configure devices having access to network elements to organizational standards. CC ID 16408 | System hardening through configuration management | Configuration | |
Configure routing tables to organizational standards. CC ID 15438 | System hardening through configuration management | Configuration | |
Configure "NetBT NodeType configuration" to organizational standards. CC ID 15383 | System hardening through configuration management | Configuration | |
Configure "Allow remote server management through WinRM" to organizational standards. CC ID 15364 | System hardening through configuration management | Configuration | |
Configure "Allow network connectivity during connected-standby (on battery)" to organizational standards. CC ID 15342 | System hardening through configuration management | Configuration | |
Support source port randomization in the transport protocol implementation. CC ID 16942 | System hardening through configuration management | Technical Security | |
Establish, implement, and maintain a network addressing plan. CC ID 16399 | System hardening through configuration management | Establish/Maintain Documentation | |
Define the location requirements for network elements and network devices. CC ID 16379 | System hardening through configuration management | Process or Activity | |
Configure Network Address Translation to organizational standards. CC ID 16395 | System hardening through configuration management | Configuration | |
Enable or disable tunneling, as necessary. CC ID 15235 | System hardening through configuration management | Configuration | |
Disable Pre-boot eXecution Environment unless it is absolutely necessary. CC ID 04819 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain firewall rules in accordance with organizational standards. CC ID 16353 | System hardening through configuration management | Establish/Maintain Documentation | |
Create an access control list on Network Access and Control Points to restrict access. CC ID 04810 [The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers. DE.CM-01.03 {unauthorized hardware} The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes. DE.CM-09.03 The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems). DE.CM-01.04] | System hardening through configuration management | Configuration | |
Configure permissions for SSH private host key files to organizational standards. CC ID 15331 | System hardening through configuration management | Configuration | |
Configure permissions for SSH public host key files to organizational standards. CC ID 15333 | System hardening through configuration management | Configuration | |
Configure the "Prohibit use of Internet Connection Firewall on your DNS domain network" setting properly. CC ID 05743 | System hardening through configuration management | Configuration | |
Configure the "Restrict NTLM" settings properly. CC ID 06069 | System hardening through configuration management | Configuration | |
Configure the "Configure encryption types allowed for Kerberos" setting properly. CC ID 06071 | System hardening through configuration management | Configuration | |
Configure Automated Teller Machines in accordance with organizational standards. CC ID 12542 | System hardening through configuration management | Configuration | |
Keep current the time synchronization technology. CC ID 12548 | System hardening through configuration management | Technical Security | |
Enable or disable the Uninterruptible Power Supply service, as appropriate. CC ID 06037 | System hardening through configuration management | Configuration | |
Configure Service Set Identifiers in accordance with organizational standards. CC ID 16447 | System hardening through configuration management | Configuration | |
Configure Apple iOS to Organizational Standards. CC ID 09986 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "Fraudulent Website Warning" setting to organizational standards. CC ID 10001 | System hardening through configuration management | Configuration | |
Configure the "With Authentication" setting to organizational standards. CC ID 10005 | System hardening through configuration management | Configuration | |
Configure mobile devices to separate organizational data from personal data. CC ID 16463 | System hardening through configuration management | Configuration | |
Disable the capability to automatically execute code on mobile devices absent user direction. CC ID 08705 | System hardening through configuration management | Configuration | |
Configure environmental sensors on mobile devices. CC ID 10667 | System hardening through configuration management | Configuration | |
Configure Cisco-specific applications and services in accordance with organizational standards. CC ID 06557 | System hardening through configuration management | Configuration | |
Configure custom Oracle-specific applications and services in accordance with organizational standards. CC ID 06565 | System hardening through configuration management | Configuration | |
Configure the Global Positioning System settings as appropriate. CC ID 06888 | System hardening through configuration management | Configuration | |
Configure endpoint security tools in accordance with organizational standards. CC ID 07049 [Endpoint systems implemented using virtualization technologies employ mechanisms to protect network, application, and data integrity, such as restricting access to local network and peripheral devices, multi-factor authentication, locking-down device source network locations, and data leakage protections. PR.PS-01.09] | System hardening through configuration management | Configuration | |
Configure web server security settings in accordance with organizational standards. CC ID 07059 | System hardening through configuration management | Configuration | |
Implement the security features of hypervisor to protect virtual machines. CC ID 12176 | System hardening through configuration management | Configuration | |
Configure Microsoft Office to Organizational Standards. CC ID 07147 | System hardening through configuration management | Configuration | |
Set custom Microsoft Office security options in accordance with organizational standards. CC ID 05757 | System hardening through configuration management | Configuration | |
Configure Universal settings for Microsoft Office in accordance with organizational standards. CC ID 07211 | System hardening through configuration management | Configuration | |
Configure Microsoft InfoPath settings for Microsoft Office in accordance with organizational standards. CC ID 07219 | System hardening through configuration management | Configuration | |
Configure Microsoft Access settings for Microsoft Office in accordance with organizational standards. CC ID 07222 | System hardening through configuration management | Configuration | |
Configure Microsoft Excel settings for Microsoft Office in accordance with organizational standards. CC ID 07232 | System hardening through configuration management | Configuration | |
Configure Microsoft Outlook settings for Microsoft Office in accordance with organizational standards. CC ID 07341 | System hardening through configuration management | Configuration | |
Configure Microsoft PowerPoint settings for Microsoft Office in accordance with organizational standards. CC ID 07433 | System hardening through configuration management | Configuration | |
Configure Microsoft Word settings for Microsoft Office in accordance with organizational standards. CC ID 07438 | System hardening through configuration management | Configuration | |
Configure Microsoft OneNote settings for Microsoft Office in accordance with organizational standards. CC ID 07908 | System hardening through configuration management | Configuration | |
Configure User Interface settings for Microsoft Office in accordance with organizational standards. CC ID 07923 | System hardening through configuration management | Configuration | |
Configure Signing settings for Microsoft Office in accordance with organizational standards. CC ID 07929 | System hardening through configuration management | Configuration | |
Configure Email Form settings for Microsoft Office in accordance with organizational standards. CC ID 07930 | System hardening through configuration management | Configuration | |
Configure Security settings for Microsoft Office in accordance with organizational standards. CC ID 07932 | System hardening through configuration management | Configuration | |
Configure Restricted Permissions settings for Microsoft Office in accordance with organizational standards. CC ID 07937 | System hardening through configuration management | Configuration | |
Configure Account settings for Microsoft Office in accordance with organizational standards. CC ID 07951 | System hardening through configuration management | Configuration | |
Configure Add-In settings for Microsoft Office in accordance with organizational standards. CC ID 07962 | System hardening through configuration management | Configuration | |
Configure File Format Converter settings for Microsoft Office in accordance with organizational standards. CC ID 07983 | System hardening through configuration management | Configuration | |
Configure Microsoft Project settings for Microsoft Office in accordance with organizational standards. CC ID 08036 | System hardening through configuration management | Configuration | |
Configure Meeting Workspace settings for Microsoft Office in accordance with organizational standards. CC ID 08050 | System hardening through configuration management | Configuration | |
Configure Miscellaneous settings for Microsoft Office in accordance with organizational standards. CC ID 08054 | System hardening through configuration management | Configuration | |
Configure Data Backup and Recovery settings for Microsoft Office in accordance with organizational standards. CC ID 08098 | System hardening through configuration management | Configuration | |
Configure Privacy settings for Microsoft Office in accordance with organizational standards. CC ID 08101 | System hardening through configuration management | Configuration | |
Configure Server settings for Microsoft Office in accordance with organizational standards. CC ID 08154 | System hardening through configuration management | Configuration | |
Configure Smart Documents settings for Microsoft Office in accordance with organizational standards. CC ID 08158 | System hardening through configuration management | Configuration | |
Configure Fax settings for Microsoft Office in accordance with organizational standards. CC ID 08310 | System hardening through configuration management | Configuration | |
Configure Services settings to organizational standards. CC ID 07434 | System hardening through configuration management | Configuration | |
Configure Active Directory in accordance with organizational standards. CC ID 16434 | System hardening through configuration management | Configuration | |
Configure SID filtering in accordance with organizational standards. CC ID 16435 | System hardening through configuration management | Configuration | |
Configure AWS Config to organizational standards. CC ID 15440 | System hardening through configuration management | Configuration | |
Configure "Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service" to organizational standards. CC ID 15343 | System hardening through configuration management | Configuration | |
Configure the "namespace" to organizational standards. CC ID 14654 | System hardening through configuration management | Configuration | |
Configure the "ipc" argument to organizational standards. CC ID 14524 | System hardening through configuration management | Configuration | |
Configure the "networkpolicy" to organizational standards. CC ID 14655 | System hardening through configuration management | Configuration | |
Configure the "pid" argument to organizational standards. CC ID 14532 | System hardening through configuration management | Configuration | |
Configure the "uts" argument to organizational standards. CC ID 14526 | System hardening through configuration management | Configuration | |
Configure the "pids-limit" argument to organizational standards. CC ID 14537 | System hardening through configuration management | Configuration | |
Configure the "userns" argument to organizational standards. CC ID 14530 | System hardening through configuration management | Configuration | |
Configure Transmission Control Protocol/Internet Protocol (TCP/IP) to organizational standards. CC ID 16358 | System hardening through configuration management | Configuration | |
Configure network protection settings to organizational standards. CC ID 07601 | System hardening through configuration management | Configuration | |
Configure the "CNI" plugin to organizational standards. CC ID 14659 | System hardening through configuration management | Configuration | |
Configure the "data-path-addr" argument to organizational standards. CC ID 14546 | System hardening through configuration management | Configuration | |
Configure the "advertise-addr" argument to organizational standards. CC ID 14544 | System hardening through configuration management | Configuration | |
Configure the "nftables" to organizational standards. CC ID 15320 | System hardening through configuration management | Configuration | |
Configure the "iptables" to organizational standards. CC ID 14463 | System hardening through configuration management | Configuration | |
Configure the "ip6tables" settings to organizational standards. CC ID 15322 | System hardening through configuration management | Configuration | |
Configure the "insecure registries" to organizational standards. CC ID 14455 | System hardening through configuration management | Configuration | |
Configure the "net-host" argument to organizational standards. CC ID 14529 | System hardening through configuration management | Configuration | |
Configure the "firewalld" to organizational standards. CC ID 15321 | System hardening through configuration management | Configuration | |
Configure the "network bridge" to organizational standards. CC ID 14501 | System hardening through configuration management | Configuration | |
Configure the "publish" argument to organizational standards. CC ID 14500 | System hardening through configuration management | Configuration | |
Configure Account settings in accordance with organizational standards. CC ID 07603 | System hardening through configuration management | Configuration | |
Configure system integrity settings to organizational standards. CC ID 07605 | System hardening through configuration management | Configuration | |
Configure Protocol Configuration settings to organizational standards. CC ID 07607 | System hardening through configuration management | Configuration | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
Configure "CloudTrail" to organizational standards. CC ID 15443 | System hardening through configuration management | Configuration | |
Configure "CloudTrail log file validation" to organizational standards. CC ID 15437 | System hardening through configuration management | Configuration | |
Configure "VPC flow logging" to organizational standards. CC ID 15436 | System hardening through configuration management | Configuration | |
Configure "object-level logging" to organizational standards. CC ID 15433 | System hardening through configuration management | Configuration | |
Configure "Turn on PowerShell Transcription" to organizational standards. CC ID 15415 | System hardening through configuration management | Configuration | |
Configure "Turn on PowerShell Script Block Logging" to organizational standards. CC ID 15413 | System hardening through configuration management | Configuration | |
Configure "Audit PNP Activity" to organizational standards. CC ID 15393 | System hardening through configuration management | Configuration | |
Configure "Include command line in process creation events" to organizational standards. CC ID 15358 | System hardening through configuration management | Configuration | |
Configure "Audit Group Membership" to organizational standards. CC ID 15341 | System hardening through configuration management | Configuration | |
Configure the "audit_backlog_limit" setting to organizational standards. CC ID 15324 | System hardening through configuration management | Configuration | |
Configure the "systemd-journald" to organizational standards. CC ID 15326 | System hardening through configuration management | Configuration | |
Provide the reference database used to verify input data in the logging capability. CC ID 15018 | System hardening through configuration management | Log Management | |
Configure the security parameters for all logs. CC ID 01712 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | System hardening through configuration management | Configuration | |
Configure the log to capture the user's identification. CC ID 01334 [The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions. PR.AA-02.01] | System hardening through configuration management | Configuration | |
Configure the log to capture the details of electronic signature transactions. CC ID 16910 | System hardening through configuration management | Log Management | |
Configure the log to uniquely identify each accessed record. CC ID 16909 | System hardening through configuration management | Log Management | |
Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | System hardening through configuration management | Log Management | |
Configure the log to capture startups and shutdowns. CC ID 16491 | System hardening through configuration management | Log Management | |
Configure the log to capture user queries and searches. CC ID 16479 | System hardening through configuration management | Log Management | |
Configure the log to capture Internet Protocol addresses. CC ID 16495 | System hardening through configuration management | Log Management | |
Configure the log to capture error messages. CC ID 16477 | System hardening through configuration management | Log Management | |
Configure the log to capture system failures. CC ID 16475 | System hardening through configuration management | Log Management | |
Configure the log to capture account lockouts. CC ID 16470 | System hardening through configuration management | Configuration | |
Configure the log to capture execution events. CC ID 16469 | System hardening through configuration management | Configuration | |
Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | System hardening through configuration management | Log Management | |
Configure the log to capture AWS Organizations changes. CC ID 15445 | System hardening through configuration management | Configuration | |
Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | System hardening through configuration management | Configuration | |
Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | System hardening through configuration management | Configuration | |
Configure the log to capture route table changes. CC ID 15439 | System hardening through configuration management | Configuration | |
Configure the log to capture virtual private cloud changes. CC ID 15435 | System hardening through configuration management | Configuration | |
Configure the log to capture changes to encryption keys. CC ID 15432 | System hardening through configuration management | Configuration | |
Configure the log to capture unauthorized API calls. CC ID 15429 | System hardening through configuration management | Configuration | |
Configure the log to capture changes to network gateways. CC ID 15421 | System hardening through configuration management | Configuration | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Log Management | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | System hardening through configuration management | Configuration | |
Configure the "Turn on session logging" properly. CC ID 05618 | System hardening through configuration management | Configuration | |
Configure additional log file parameters appropriately. CC ID 06338 | System hardening through configuration management | Configuration | |
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Configuration | |
Configure Kerberos pre-authentication to organizational standards. CC ID 16480 | System hardening through configuration management | Configuration | |
Configure time-based user access restrictions in accordance with organizational standards. CC ID 16436 | System hardening through configuration management | Configuration | |
Configure "MFA Delete" to organizational standards. CC ID 15430 | System hardening through configuration management | Configuration | |
Configure Identity and Access Management policies to organizational standards. CC ID 15422 | System hardening through configuration management | Configuration | |
Configure the Identity and Access Management Access analyzer to organizational standards. CC ID 15420 | System hardening through configuration management | Configuration | |
Configure "Support device authentication using certificate" to organizational standards. CC ID 15410 | System hardening through configuration management | Configuration | |
Install LAPS AdmPwd GPO Extension, as necessary. CC ID 15409 | System hardening through configuration management | Configuration | |
Configure "Require pin for pairing" to organizational standards. CC ID 15395 | System hardening through configuration management | Configuration | |
Configure "Do not allow password expiration time longer than required by policy" to organizational standards. CC ID 15390 | System hardening through configuration management | Configuration | |
Configure "Enable Local Admin Password Management" to organizational standards. CC ID 15387 | System hardening through configuration management | Configuration | |
Configure "Allow Microsoft accounts to be optional" to organizational standards. CC ID 15368 | System hardening through configuration management | Configuration | |
Configure "Turn off picture password sign-in" to organizational standards. CC ID 15347 | System hardening through configuration management | Configuration | |
Configure "Enable insecure guest logons" to organizational standards. CC ID 15344 | System hardening through configuration management | Configuration | |
Configure the "cert-expiry" argument to organizational standards. CC ID 14541 | System hardening through configuration management | Configuration | |
Configure "client certificate authentication" to organizational standards. CC ID 14608 | System hardening through configuration management | Configuration | |
Configure the "client certificate bundles" to organizational standards. CC ID 14518 | System hardening through configuration management | Configuration | |
Configure the "external-server-cert" argument to organizational standards. CC ID 14522 | System hardening through configuration management | Configuration | |
Configure the "Service Account Tokens" to organizational standards. CC ID 14646 | System hardening through configuration management | Configuration | |
Configure the "rotate" argument to organizational standards. CC ID 14548 | System hardening through configuration management | Configuration | |
Configure Encryption settings in accordance with organizational standards. CC ID 07625 | System hardening through configuration management | Configuration | |
Configure "Elastic Block Store volume encryption" to organizational standards. CC ID 15434 | System hardening through configuration management | Configuration | |
Configure "Encryption Oracle Remediation" to organizational standards. CC ID 15366 | System hardening through configuration management | Configuration | |
Configure the "encryption provider" to organizational standards. CC ID 14591 | System hardening through configuration management | Configuration | |
Configure the "opt encrypted" flag to organizational standards. CC ID 14534 | System hardening through configuration management | Configuration | |
Configure File Retention, Impact Level, and Classification settings in accordance with organizational standards. CC ID 07715 | System hardening through configuration management | Configuration | |
Configure System settings in accordance with organizational standards. CC ID 07806 | System hardening through configuration management | Configuration | |
Configure Virus and Malware Protection settings in accordance with organizational standards. CC ID 07906 | System hardening through configuration management | Configuration | |
Configure "Turn on behavior monitoring" to organizational standards. CC ID 15407 | System hardening through configuration management | Configuration | |
Configure "Turn off real-time protection" to organizational standards. CC ID 15406 | System hardening through configuration management | Configuration | |
Configure "Scan all downloaded files and attachments" to organizational standards. CC ID 15404 | System hardening through configuration management | Configuration | |
Configure "Scan removable drives" to organizational standards. CC ID 15401 | System hardening through configuration management | Configuration | |
Configure "Configure Attack Surface Reduction rules: Set the state for each ASR rule" to organizational standards. CC ID 15392 | System hardening through configuration management | Configuration | |
Configure "Join Microsoft MAPS" to organizational standards. CC ID 15384 | System hardening through configuration management | Configuration | |
Configure "Configure detection for potentially unwanted applications" to organizational standards. CC ID 15375 | System hardening through configuration management | Configuration | |
Configure "Turn off Microsoft Defender AntiVirus" to organizational standards. CC ID 15371 | System hardening through configuration management | Configuration | |
Configure "Enable file hash computation feature" to organizational standards. CC ID 15340 | System hardening through configuration management | Configuration | |
Configure User Notification settings in accordance with organizational standards. CC ID 08201 | System hardening through configuration management | Configuration | |
Configure Windows Components settings in accordance with organizational standards. CC ID 08263 | System hardening through configuration management | Configuration | |
Configure File System settings in accordance with organizational standards. CC ID 08294 | System hardening through configuration management | Configuration | |
Configure Control Panel settings in accordance with organizational standards. CC ID 08311 | System hardening through configuration management | Configuration | |
Configure Capacity and Performance Management settings in accordance with organizational standards. CC ID 08353 | System hardening through configuration management | Configuration | |
Configure Personal Information Handling settings in accordance with organizational standards. CC ID 08396 | System hardening through configuration management | Configuration | |
Configure Data Backup and Recovery settings in accordance with organizational standards. CC ID 08406 | System hardening through configuration management | Configuration | |
Configure Nonrepudiation Configuration settings in accordance with organizational standards. CC ID 08432 | System hardening through configuration management | Configuration | |
Configure Device Installation settings in accordance with organizational standards. CC ID 08438 | System hardening through configuration management | Configuration | |
Configure Security settings in accordance with organizational standards. CC ID 08469 | System hardening through configuration management | Configuration | |
Configure AWS Security Hub to organizational standards. CC ID 17166 | System hardening through configuration management | Configuration | |
Configure Power Management settings in accordance with organizational standards. CC ID 08515 | System hardening through configuration management | Configuration | |
Configure PowerShell to organizational standards. CC ID 15233 | System hardening through configuration management | Configuration | |
Configure Patch Management settings in accordance with organizational standards. CC ID 08519 | System hardening through configuration management | Configuration | |
Configure "Select when Preview Builds and Feature Updates are received" to organizational standards. CC ID 15399 | System hardening through configuration management | Configuration | |
Configure "Select when Quality Updates are received" to organizational standards. CC ID 15355 | System hardening through configuration management | Configuration | |
Configure Start Menu and Task Bar settings in accordance with organizational standards. CC ID 08615 | System hardening through configuration management | Configuration | |
Configure "Turn off notifications network usage" to organizational standards. CC ID 15337 | System hardening through configuration management | Configuration | |
Configure the jump server to organizational standards. CC ID 16863 | System hardening through configuration management | Configuration | |
Configure the proxy server to organizational standards. CC ID 12115 | System hardening through configuration management | Configuration | |
Configure Red Hat Enterprise Linux to Organizational Standards. CC ID 08713 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "max_log_file" setting to organizational standards. CC ID 15323 | System hardening through configuration management | Configuration | |
Configure Polycom HDX to Organizational Standards. CC ID 08986 | System hardening through configuration management | Configuration | |
Set the IPv6 header field to a known value. CC ID 17047 | System hardening through configuration management | Configuration | |
Configure IPv6 extension headers to organizational standards. CC ID 16398 | System hardening through configuration management | Configuration | |
Filter packets based on IPv6 extension header types and fields. CC ID 16990 | System hardening through configuration management | Configuration | |
Require packet filtering and rate limiting for arriving packets based on IPv6 Extension Headers. CC ID 16988 | System hardening through configuration management | Technical Security | |
Drop packets that do not meet the recommended requirements for extension header order and repetition. CC ID 16943 | System hardening through configuration management | Technical Security | |
Configure ICMP destination unreachable messages to organizational standards. CC ID 17052 | System hardening through configuration management | Configuration | |
Configure Apache and Tomcat to Organizational Standards. CC ID 08987 | System hardening through configuration management | Configuration | |
Configure IIS to Organizational Standards. CC ID 08988 | System hardening through configuration management | Configuration | |
Configure Microsoft SQL Server to Organizational Standards. CC ID 08989 | System hardening through configuration management | Configuration | |
Configure "Set time limit for active but idle Remote Desktop Services sessions" to organizational standards. CC ID 15382 | System hardening through configuration management | Configuration | |
Configure Oracle WebLogic Server to Organizational Standards. CC ID 08990 | System hardening through configuration management | Configuration | |
Configure security and protection software to check e-mail messages. CC ID 00578 [The organization has policies, procedures, and tools in place to detect, isolate, and block the use of attached malware or malicious links present in email or message services. PR.PS-05.03] | System hardening through configuration management | Testing | |
Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 | System hardening through configuration management | Configuration | |
Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 | System hardening through configuration management | Configuration | |
Configure dedicated systems used for system management according to organizational standards. CC ID 12132 | System hardening through configuration management | Configuration | |
Configure Application Programming Interfaces in accordance with organizational standards. CC ID 12170 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | System hardening through configuration management | Configuration | |
Configure Application Programming Interfaces to enforce authentication. CC ID 12172 | System hardening through configuration management | Configuration | |
Configure Application Programming Interfaces to employ strong cryptography. CC ID 12171 | System hardening through configuration management | Configuration | |
Configure the Domain Name System in accordance with organizational standards. CC ID 12202 | System hardening through configuration management | Configuration | |
Configure DNS records in accordance with organizational standards. CC ID 17083 | System hardening through configuration management | Configuration | |
Configure payment systems in accordance with organizational standards. CC ID 12217 | System hardening through configuration management | Configuration | |
Configure payment systems to disable storing transactions when offline. CC ID 12220 | System hardening through configuration management | Configuration | |
Configure payment systems to disable authorizing transactions when offline. CC ID 12219 | System hardening through configuration management | Configuration | |
Configure File Integrity Monitoring Software to Organizational Standards. CC ID 11923 | System hardening through configuration management | Configuration | |
Unpair Bluetooth devices when the pairing is no longer required. CC ID 15232 | System hardening through configuration management | Configuration | |
Use authorized versions of Bluetooth to pair Bluetooth devices. CC ID 15231 | System hardening through configuration management | Configuration | |
Implement safeguards to prevent unauthorized code execution. CC ID 10686 [Installation and execution of unauthorized software are prevented PR.PS-05] | System hardening through configuration management | Configuration | |
Configure network switches to organizational standards. CC ID 12120 | System hardening through configuration management | Configuration | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Data and Information Management | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Process or Activity | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Data and Information Management | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards. PR.PS-04.03] | Records management | Records Management | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed. ID.AM-08.05] | Records management | Establish/Maintain Documentation | |
Perform destruction at authorized facilities. CC ID 17074 | Records management | Business Processes | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Business Processes | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Data and Information Management | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Process or Activity | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Business Processes | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed. ID.AM-08.05] | Records management | Establish/Maintain Documentation | |
Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Data and Information Management | |
Include the sanitization method in the disposal record. CC ID 17073 | Records management | Log Management | |
Include time information in the disposal record. CC ID 17072 | Records management | Log Management | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Records management | Communicate | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a transfer journal. CC ID 11729 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Records management | Records Management | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [{data classification policy} {data protection policy} Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, segregation, masking, tokenization, and file integrity monitoring). PR.DS-01.01] | Records management | Records Management | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 [The confidentiality, integrity, and availability of data-at-rest are protected PR.DS-01] | Records management | Technical Security | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [{in-house developed application} The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects. PR.PS-06.01 The architecture, design, coding, testing, and operationalization of system solutions address the unique security, resilience, technical, and operational characteristics of the target platform environment(s) (e.g., distributed system, mainframe, cloud, API, mobile, database, etc.) PR.PS-06.02] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 [DevOps/DevSecOps practices and procedures are aligned with Systems Development Lifecycle, security operations, and technology service management processes. PR.PS-06.07] | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Include information security throughout the system development life cycle. CC ID 12042 [Systems development and testing tools, processes, and environments employ security mechanisms to protect and improve the integrity and confidentiality of both the SDLC process and the resulting product (e.g., secured code repositories, segmented environments, automated builds, etc.) PR.PS-06.04] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Communicate | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Define and document organizational structures for systems operations. CC ID 12553 [The design, configuration, security control, and operation of key applications and system services are documented sufficiently to support ongoing management, operation, change, and assessment. PR.PS-06.08] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain system design requirements. CC ID 06618 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Document stakeholder requirements and how they influence system design requirements. CC ID 06925 [Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making. GV.RM-08.06] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Design and develop built-in redundancies, as necessary. CC ID 13064 [Mechanisms are implemented to achieve resilience requirements in normal and adverse situations PR.IR-03] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 [{third-party resource} The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives. ID.IM-02.06] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include data governance and management practices in the system design project management framework. CC ID 15053 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Analyze current technology investment factors that could affect implementing the system design project. CC ID 01050 | Systems design, build, and implementation | Testing | |
Disseminate and communicate the implementation strategy to interested personnel and affected parties. CC ID 11796 | Systems design, build, and implementation | Communicate | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain project management standards. CC ID 00992 [Technology projects follow an established project management methodology to manage delivery and delivery risks, produce consistent quality, and achieve business objectives and value. GV.RM-08.07 Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include objectives in the project management standard. CC ID 17202 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include time requirements in the project management standard. CC ID 17199 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain project management procedures. CC ID 17200 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Separate the design and development environment from the production environment. CC ID 06088 [{production environment} The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets. PR.IR-01.06] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Testing | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [The organization establishes policies and procedures for the secure design, configuration, modification, and operation of databases, data stores, and data analytics platforms consistent with the criticality of the data being managed. PR.PS-06.10] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Store manufacturing components in a controlled access area. CC ID 12256 | Systems design, build, and implementation | Physical and Environmental Protection | |
Establish, implement, and maintain a system design specification. CC ID 04557 [Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 [The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs). DE.CM-06.01] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Systems design, build, and implementation | Technical Security | |
Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Configuration | |
Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Configuration | |
Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Configuration | |
Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Configuration | |
Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Configuration | |
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Configuration | |
Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Configuration | |
Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Configuration | |
Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Configuration | |
Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Configuration | |
Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Configuration | |
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Configuration | |
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Configuration | |
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Configuration | |
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Configuration | |
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Process or Activity | |
Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Configuration | |
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Configuration | |
Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Configuration | |
Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Configuration | |
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Configuration | |
Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Configuration | |
Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Configuration | |
Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Configuration | |
Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Configuration | |
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Configuration | |
Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Assign appropriate parties to approve the system design specification. CC ID 13070 [Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. PR.PS-06.03] | Systems design, build, and implementation | Human Resources Management | |
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Communicate | |
Implement data controls when developing systems. CC ID 15302 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Technical Security | |
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Automate secure update mechanisms, as necessary. CC ID 14933 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include the source code in the implementation representation document. CC ID 13089 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the hardware schematics in the implementation representation document. CC ID 13098 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Systems design, build, and implementation | Process or Activity | |
Design the privacy architecture. CC ID 14671 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Review and update the privacy architecture, as necessary. CC ID 14674 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Systems design, build, and implementation | Process or Activity | |
Protect source code in accordance with organizational requirements. CC ID 16855 | Systems design, build, and implementation | Technical Security | |
Digitally sign software components. CC ID 16490 | Systems design, build, and implementation | Process or Activity | |
Develop new products based on secure coding techniques. CC ID 11733 [Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle PR.PS-06 {in-house developed application} The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects. PR.PS-06.01] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Technical Security | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Configuration | |
Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 [Technology and security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience PR.IR] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Communicate | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Communicate | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Deploy applications based on best practices. CC ID 12738 [The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. PR.PS-01.04] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Business Processes | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [Processes for receiving, analyzing, and responding to vulnerability disclosures are established ID.RA-08 The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from: ID.RA-08.01] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection. PR.IR-04.01] | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Communicate | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Configuration | |
Protect the integrity of application service transactions. CC ID 12017 [The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters. PR.AA-03.03] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Communicate | |
Plan for acquiring facilities, technology, or services. CC ID 06892 [Planning is performed for procurements and agreements that involve elevated risk to the organization EX.DD-01 Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain acquisition notices. CC ID 16682 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include the geographic locations of the organization in the acquisition notice. CC ID 16723 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include certification that the organizations meet applicable requirements in the acquisition notice. CC ID 16714 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include the capital ratios in the acquisition notice. CC ID 16712 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include the relevant authorities in the acquisition notice. CC ID 16711 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include a description of the subsidiary's activities in the acquisition notice. CC ID 16707 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include the subsidiary's contact information in the acquisition notice. CC ID 16704 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include in scope transactions in the acquisition notice. CC ID 16700 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Communicate | |
Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include roles and responsibilities in system acquisition contracts. CC ID 14765 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the acceptance criteria in system acquisition contracts. CC ID 14288 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include audit record generation capabilities in system acquisition contracts. CC ID 16427 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include environmental considerations in the acquisition feasibility study. CC ID 16224 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain authorization for marketing new products. CC ID 16805 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain the requirements for competitive bid documents. CC ID 16936 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain the requirements for off-contract purchases. CC ID 16929 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Require prior approval from the appropriate authority for any off-contract purchases. CC ID 16928 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain a software product acquisition methodology. CC ID 01138 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Align the service management program with the Code of Conduct. CC ID 14211 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT"). ID.AM-08.02] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy policy. CC ID 06281 [The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). GV.OC-03.02] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Establish/Maintain Documentation | |
Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the retention period for collected information in the privacy policy. CC ID 13116 [The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods. PR.PS-04.01] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include opt-out instructions in the privacy policy. CC ID 00411 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Establish/Maintain Documentation | |
Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Establish/Maintain Documentation | |
Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Process or Activity | |
Approve the privacy plan. CC ID 14700 [The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). GV.OC-03.02] | Privacy protection for information and data | Business Processes | |
Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Communicate | |
Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Behavior | |
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Cooperate with Data Protection Authorities. CC ID 06870 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
Implement security measures to protect personal data. CC ID 13606 [{data classification policy} {data protection policy} Data-in-use is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, visual shielding, memory integrity monitoring, etc.) PR.DS-10.01] | Privacy protection for information and data | Technical Security | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [The risks posed by a third-party are monitored and managed over the course of the relationship EX.MM Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite. GV.SC-01.01 {personnel termination} The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support. EX.TR-01.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 [The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain an exit plan. CC ID 15492 [Relationship termination is anticipated, planned for, and executed safely EX.TR {technical matter} Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. EX.TR-02.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Testing | |
Include contingency plans in the third party management plan. CC ID 10030 [Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). EX.DD-01.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 [{be reasonable} The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. EX.DD-02.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location. ID.AM-08.06 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 {foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03] | Third Party and supply chain oversight | Business Processes | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 [Roles and responsibilities for the Third-Party Risk Management Program and for each third-party engagement are defined and assigned. GV.RR-02.04 The organization clearly defines, and includes in contractual agreements, the division of cybersecurity and technology risk management responsibilities between the organization and its third parties (e.g., a Shared Responsibilities Model). GV.SC-02.01 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01 Contracts clearly specify the rights and responsibilities of each party and establish requirements to address the anticipated risks posed by a third party over the life of the relationship EX.CN-01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 [{legal requirement} {regulatory requirement} Legal, regulatory, and contractual requirements regarding technology and cybersecurity - including privacy and civil liberties obligations - are understood and managed GV.OC-03 The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs. GV.SC-03.01 Inter-dependent and coordinated cybersecurity risk management practices with third parties are managed to ensure ongoing effectiveness EX.MM-02 {cybersecurity supply chain risk management practice} {relationship lifecycle} The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis. EX.CN-02.01 {technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: GV.RM-05.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [{response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 [The organization periodically identifies and tests alternative solutions in case a critical external partner fails to perform as expected. EX.TR-01.02 The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 [The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. EX.DD-04.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [{security control} The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected. EX.MM-02.01 Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and GV.RM-05.02 (3) The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Incorporating the potential impact of an incident into their BCM process and ensure resilience capabilities are in place. GV.RM-05.02 (4) A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests. EX.MM-02.02 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests. EX.DD-02.04] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{foreign-based third party} Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. EX.CN-01.03 The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. EX.MM-01.06] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including: Responsibilities for responding to incidents, including forensic investigations; GV.RM-05.02 (2) The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Communicate | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 [{absent approval} The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval. GV.SC-04.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 | Third Party and supply chain oversight | Data and Information Management | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [Inventories of services provided by suppliers are maintained ID.AM-04] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities. EX.CN-01.01] | Third Party and supply chain oversight | Process or Activity | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [Suppliers are known and prioritized by criticality GV.SC-04] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite. GV.SC-01.01 {third party} Extend organizational risk management policy and practices over the life cycle of third- (and nth-) party relationships, products, and services EX] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. EX.DD-01.02] | Third Party and supply chain oversight | Business Processes | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 [{absent approval} The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval. GV.SC-04.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. GV.RM-03.03 Contracts establish baseline protections to manage risk over the life of the third-party relationship EX.CN {technology capabilities} The organization assesses the risks and suitability of the technology and cybersecurity capabilities and risk management practices of prospective third parties EX.DD-03 Contracts clearly specify the rights and responsibilities of each party and establish requirements to address the anticipated risks posed by a third party over the life of the relationship EX.CN-01 Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. EX.CN-02.04 {response plan} The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. EX.DD-03.02 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs. GV.SC-03.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Select suppliers based on their qualifications. CC ID 00795 [Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. EX.DD-01.01] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [The organization performs thorough due diligence on prospective third parties, consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each third-party relationship EX.DD-02] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
Support third parties in building their capabilities. CC ID 08814 [The organization collaborates with suppliers to maintain and improve the secure use of products, services, and external connections. EX.MM-02.03] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. EX.DD-02.01] | Third Party and supply chain oversight | Business Processes | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [Planning and due diligence are performed to reduce risks before entering into a formal third-party relationship EX.DD {be reasonable} The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. EX.DD-02.02 Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. EX.CN-01.02] | Third Party and supply chain oversight | Business Processes | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Business Processes | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [{technical controls} The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. EX.DD-03.01] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. EX.DD-03.03] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include quality standards in outsourcing contracts. CC ID 17191 [The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. EX.MM-01.04] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.) EX.MM-01.05] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [Expected cybersecurity practices for critical third parties that meet the risk management objectives of the organization are identified, documented, and agreed EX.CN-02] | Third Party and supply chain oversight | Establish/Maintain Documentation |