Title: The NIST Cybersecurity Framework (CSF) 2.0
NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
Read Me: This is a download from the CSF 2.0 Reference Tool, which assists users in exploring the CSF 2.0 Core. This export is a user generated version of the Core
Change Log: Final
The NIST Cybersecurity Framework 2.0 www.nist.gov/cyberframework
Function Category Subcategory
GOVERN (GV): The organization's cybersecurity risk management
Organizational Context (GV.OC): The circumstances - mission, stakeholder
GV.OC-01: The organizational mission is understood and informs cybersecurity risk
GV.OC-02: Internal and external stakeholders are understood, and their needs and
GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including
GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect
GV.OC-05: Outcomes, capabilities, and services that the organization depends on are
Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk
GV.RM-01: Risk management objectives are established and agreed to by organizational
GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and
GV.RM-03: Cybersecurity risk management activities and outcomes are included in
GV.RM-04: Strategic direction that describes appropriate risk response options is established
GV.RM-05: Lines of communication across the organization are established for cybersecurity
GV.RM-06: A standardized method for calculating, documenting, categorizing, and
GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in
Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles,
GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity
GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are
GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk
GV.RR-04: Cybersecurity is included in human resources practices
Policy (GV.PO): Organizational cybersecurity policy is established,
GV.PO-01: Policy for managing cybersecurity risks is established based on organizational
GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and
Oversight (GV.OV): Results of organization-wide cybersecurity risk management
GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and
GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure
GV.OV-03: Organizational cybersecurity risk management performance is evaluated and
Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives,
GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and
GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity
GV.SC-04: Suppliers are known and prioritized by criticality
GV.SC-05: Requirements to address cybersecurity risks in supply chains are
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties
GV.SC-08: Relevant suppliers and other third parties are included in incident planning,
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for
IDENTIFY (ID): The organization's current cybersecurity risks are
Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems,
ID.AM-01: Inventories of hardware managed by the organization are maintained
ID.AM-02: Inventories of software, services, and systems managed by the organization are
ID.AM-03: Representations of the organization's authorized network communication and internal
ID.AM-04: Inventories of services provided by suppliers are maintained
ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact
ID.AM-07: Inventories of data and corresponding metadata for designated data
ID.AM-08: Systems, hardware, software, services, and data are managed throughout their
Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and
ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-03: Internal and external threats to the organization are identified and recorded
ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified
ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent
ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are
ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to
ID.RA-10: Critical suppliers are assessed prior to acquisition
Improvement (ID.IM): Improvements to organizational cybersecurity risk
ID.IM-01: Improvements are identified from evaluations
ID.IM-02: Improvements are identified from security tests and exercises, including those
ID.IM-03: Improvements are identified from execution of operational processes, procedures,
ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are
PROTECT (PR): Safeguards to manage the organization's cybersecurity risks
Identity Management, Authentication, and Access Control (PR.AA): Access to physical
PR.AA-01: Identities and credentials for authorized users, services, and hardware are
PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
PR.AA-03: Users, services, and hardware are authenticated
PR.AA-04: Identity assertions are protected, conveyed, and verified
PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed,
PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with
Awareness and Training (PR.AT): The organization's personnel are provided with
PR.AT-01: Personnel are provided with awareness and training so that they possess the
PR.AT-02: Individuals in specialized roles are provided with awareness and training so that
Data Security (PR.DS): Data are managed consistent with the organization's risk
PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
PR.DS-11: Backups of data are created, protected, maintained, and tested
Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems,
PR.PS-01: Configuration management practices are established and applied
PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
PR.PS-04: Log records are generated and made available for continuous monitoring
PR.PS-05: Installation and execution of unauthorized software are prevented
PR.PS-06: Secure software development practices are integrated, and their performance
Technology Infrastructure Resilience (PR.IR): Security architectures are managed
PR.IR-01: Networks and environments are protected from unauthorized logical access and
PR.IR-02: The organization's technology assets are protected from environmental threats
PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and
PR.IR-04: Adequate resource capacity to ensure availability is maintained
DETECT (DE): Possible cybersecurity attacks and compromises are found
Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of
DE.CM-01: Networks and network services are monitored to find potentially adverse events
DE.CM-02: The physical environment is monitored to find potentially adverse events
DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse
DE.CM-06: External service provider activities and services are monitored to find potentially
DE.CM-09: Computing hardware and software, runtime environments, and their data are
Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other
DE.AE-02: Potentially adverse events are analyzed to better understand associated
DE.AE-03: Information is correlated from multiple sources
DE.AE-04: The estimated impact and scope of adverse events are understood
DE.AE-06: Information on adverse events is provided to authorized staff and tools
DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the
DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria
RESPOND (RS): Actions regarding a detected cybersecurity incident are
Incident Management (RS.MA): Responses to detected cybersecurity incidents are
RS.MA-01: The incident response plan is executed in coordination with relevant third
RS.MA-02: Incident reports are triaged and validated
RS.MA-03: Incidents are categorized and prioritized
RS.MA-04: Incidents are escalated or elevated as needed
RS.MA-05: The criteria for initiating incident recovery are applied
Incident Analysis (RS.AN): Investigations are conducted to ensure effective response
RS.AN-03: Analysis is performed to establish what has taken place during an incident and the
RS.AN-06: Actions performed during an investigation are recorded, and the records'
RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are
RS.AN-08: An incident's magnitude is estimated and validated
Incident Response Reporting and Communication (RS.CO): Response
RS.CO-02: Internal and external stakeholders are notified of incidents
RS.CO-03: Information is shared with designated internal and external stakeholders
Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an
RS.MI-01: Incidents are contained
RS.MI-02: Incidents are eradicated
RECOVER (RC): Assets and operations affected by a cybersecurity incident
Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to
RC.RP-01: The recovery portion of the incident response plan is executed once initiated from
RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
RC.RP-03: The integrity of backups and other restoration assets is verified before using them
RC.RP-04: Critical mission functions and cybersecurity risk management are considered
RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and
RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related
Incident Recovery Communication (RC.CO): Restoration activities are coordinated with
RC.CO-03: Recovery activities and progress in restoring operational capabilities are
RC.CO-04: Public updates on incident recovery are shared using approved methods and
Implementation Examples | Informative References
| CRI Profile v2.0: GV; CSF v1.1: ID.GV
| CRI Profile v2.0: GV.OC; CSF v1.1: ID.BE
Ex1: Share the organization's mission (e.g., through vision and mission statements, | CRI Profile v2.0: GV.OC-01; CRI Profile v2.0: GV.OC-01.01
Ex1: Identify relevant internal stakeholders and their cybersecurity-related | CRI Profile v2.0: GV.OC-02; CRI Profile v2.0: GV.OC-02.01
Ex1: Determine a process to track and manage legal and regulatory requirements | CRI Profile v2.0: GV.OC-03; CRI Profile v2.0: GV.OC-03.01
Ex1: Establish criteria for determining the criticality of capabilities and services as | CRI Profile v2.0: GV.OC-04; CRI Profile v2.0: GV.OC-04.01
Ex1: Create an inventory of the organization's dependencies on external | CRI Profile v2.0: GV.OC-05; CRI Profile v2.0: GV.OC-05.01
| CRI Profile v2.0: GV.RM; CSF v1.1: ID.RM
Ex1: Update near-term and long-term cybersecurity risk management objectives | CRI Profile v2.0: GV.RM-01; CRI Profile v2.0: GV.RM-01.01
Ex1: Determine and communicate risk appetite statements that convey | CRI Profile v2.0: GV.RM-02; CRI Profile v2.0: GV.RM-02.01
Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., | CRI Profile v2.0: GV.RM-03; CRI Profile v2.0: GV.RM-03.01
Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various | CRI Profile v2.0: GV.RM-04; CRI Profile v2.0: GV.RM-04.01
Ex1: Determine how to update senior executives, directors, and management on | CRI Profile v2.0: GV.RM-05; CRI Profile v2.0: GV.RM-05.01
Ex1: Establish criteria for using a quantitative approach to cybersecurity risk | CRI Profile v2.0: GV.RM-06; CRI Profile v2.0: GV.RM-06.01
Ex1: Define and communicate guidance and methods for identifying opportunities and | CRI Profile v2.0: GV.RM-07; CRI Profile v2.0: GV.RM-07.01
| CRI Profile v2.0: GV.RR; CSF v1.1: ID.GV-2
Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, | CIS Controls v8.0: 14.1; CRI Profile v2.0: GV.RR-01
Ex1: Document risk management roles and responsibilities in policy | CIS Controls v8.0: 14.9; CRI Profile v2.0: GV.RR-02
Ex1: Conduct periodic management reviews to ensure that those given cybersecurity | CRI Profile v2.0: GV.RR-03; CRI Profile v2.0: GV.RR-03.01
Ex1: Integrate cybersecurity risk management considerations into human | CIS Controls v8.0: 6.1; CIS Controls v8.0: 6.2
| CRI Profile v2.0: GV.PO; CSF v1.1: ID.GV-1
Ex1: Create, disseminate, and maintain an understandable, usable risk management | CRI Profile v2.0: GV.PO-01; CRI Profile v2.0: GV.PO-01.01
Ex1: Update policy based on periodic reviews of cybersecurity risk management | CRI Profile v2.0: GV.PO-02; CRI Profile v2.0: GV.PO-02.01
| CRI Profile v2.0: GV.OV
Ex1: Measure how well the risk management strategy and risk results have | CRI Profile v2.0: GV.OV-01; CRI Profile v2.0: GV.OV-01.01
Ex1: Review audit findings to confirm whether the existing cybersecurity strategy | CRI Profile v2.0: GV.OV-02; CRI Profile v2.0: GV.OV-02.01
Ex1: Review key performance indicators (KPIs) to ensure that organization-wide | CRI Profile v2.0: GV.OV-03; CRI Profile v2.0: GV.OV-03.01
| CRI Profile v2.0: GV.SC; CSF v1.1: ID.SC
Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain | CIS Controls v8.0: 15.2; CRI Profile v2.0: GV.SC-01
Ex1: Identify one or more specific roles or positions that will be responsible and | CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-02
Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk | CRI Profile v2.0: GV.SC-03; CRI Profile v2.0: GV.SC-03.01
Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of | CIS Controls v8.0: 15.1; CIS Controls v8.0: 15.3
Ex1: Establish security requirements for suppliers, products, and services | CIS Controls v8.0: 15.4; CRI Profile v2.0: EX.CN
Ex1: Perform thorough due diligence on prospective suppliers that is consistent with | CIS Controls v8.0: 15.5; CRI Profile v2.0: EX.DD
Ex1: Adjust assessment formats and frequencies based on the third party's | CIS Controls v8.0: 15.6; CRI Profile v2.0: EX.MM
Ex1: Define and use rules and protocols for reporting incident response and recovery | CIS Controls v8.0: 15.4; CRI Profile v2.0: GV.SC-08
Ex1: Policies and procedures require provenance records for all acquired | CIS Controls v8.0: 15.6; CRI Profile v2.0: GV.SC-09
Ex1: Establish processes for terminating critical relationships under both normal and | CIS Controls v8.0: 15.7; CRI Profile v2.0: EX.TR
| CRI Profile v2.0: ID; CSF v1.1: ID
| CRI Profile v2.0: ID.AM; CSF v1.1: ID.AM
Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile | CIS Controls v8.0: 1.1; CRI Profile v2.0: ID.AM-01
Ex1: Maintain inventories for all types of software and services, including | CIS Controls v8.0: 2.1; CRI Profile v2.0: ID.AM-02
Ex1: Maintain baselines of communication and data flows within the organization's | CIS Controls v8.0: 3.8; CRI Profile v2.0: ID.AM-03
Ex1: Inventory all external services used by the organization, including third-party | CIS Controls v8.0: 15.1; CRI Profile v2.0: ID.AM-04
Ex1: Define criteria for prioritizing each class of assets | CIS Controls v8.0: 3.7; CRI Profile v2.0: ID.AM-05
Ex1: Maintain a list of the designated data types of interest (e.g., personally | CIS Controls v8.0: 3.2; CRI Profile v2.0: ID.AM-07
Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, | CIS Controls v8.0: 1.1; CIS Controls v8.0: 3.5
| CRI Profile v2.0: ID.RA; CSF v1.1: ID.RA
Ex1: Use vulnerability management technologies to identify unpatched and | CIS Controls v8.0: 7.1; CRI Profile v2.0: ID.RA-01
Ex1: Configure cybersecurity tools and technologies with detection or response | CRI Profile v2.0: ID.RA-02; CRI Profile v2.0: ID.RA-02.01
Ex1: Use cyber threat intelligence to maintain awareness of the types of threat | CRI Profile v2.0: ID.RA-03; CRI Profile v2.0: ID.RA-03.01
Ex1: Business leaders and cybersecurity risk management practitioners work together to | CRI Profile v2.0: ID.RA-04; CRI Profile v2.0: ID.RA-04.01
Ex1: Develop threat models to better understand risks to the data and identify | CRI Profile v2.0: ID.RA-05; CRI Profile v2.0: ID.RA-05.01
Ex1: Apply the vulnerability management plan's criteria for deciding whether to | CRI Profile v2.0: ID.RA-06; CRI Profile v2.0: ID.RA-06.01
Ex1: Implement and follow procedures for the formal documentation, review, testing, | CRI Profile v2.0: ID.RA-07; CRI Profile v2.0: ID.RA-07.01
Ex1: Conduct vulnerability information sharing between the organization and its | CIS Controls v8.0: 7.2; CRI Profile v2.0: ID.RA-08
Ex1: Assess the authenticity and cybersecurity of critical technology | CRI Profile v2.0: EX.DD-04; CRI Profile v2.0: EX.DD-04.01
Ex1: Conduct supplier risk assessments against business and applicable | CRI Profile v2.0: EX.DD-03; CRI Profile v2.0: EX.DD-03.01
| CRI Profile v2.0: ID.IM; CSF v1.1: RS.IM
Ex1: Perform self-assessments of critical services that take current threats and TTPs | CRI Profile v2.0: ID.IM-01; CRI Profile v2.0: ID.IM-01.01
Ex1: Identify improvements for future incident response activities based on | CIS Controls v8.0: 17.7; CRI Profile v2.0: ID.IM-02
Ex1: Conduct collaborative lessons learned sessions with suppliers | CRI Profile v2.0: ID.IM-03; CRI Profile v2.0: ID.IM-03.01
Ex1: Establish contingency plans (e.g., incident response, business continuity, | CRI Profile v2.0: ID.IM-04; CRI Profile v2.0: ID.IM-04.01
| CRI Profile v2.0: PR; CSF v1.1: PR
| CRI Profile v2.0: PR.AA; CSF v1.1: PR.AC
Ex1: Initiate requests for new access or additional access for employees, | CIS Controls v8.0: 5.1; CIS Controls v8.0: 6.7
Ex1: Verify a person's claimed identity at enrollment time using government-issued | CRI Profile v2.0: PR.AA-02; CRI Profile v2.0: PR.AA-02.01
Ex1: Require multifactor authentication; Ex2: Enforce policies for the minimum | CRI Profile v2.0: PR.AA-03; CRI Profile v2.0: PR.AA-03.01
Ex1: Protect identity assertions that are used to convey authentication and user | CRI Profile v2.0: PR.AA-04; CRI Profile v2.0: PR.AA-04.01
Ex1: Review logical and physical access privileges periodically and whenever | CIS Controls v8.0: 3.3; CIS Controls v8.0: 6.8
Ex1: Use security guards, security cameras, locked entrances, alarm systems, and other | CRI Profile v2.0: PR.AA-06; CRI Profile v2.0: PR.AA-06.01
| CRI Profile v2.0: PR.AT; CSF v1.1: PR.AT
Ex1: Provide basic cybersecurity awareness and training to employees, contractors, | CIS Controls v8.0: 14.1; CRI Profile v2.0: PR.AT-01
Ex1: Identify the specialized roles within the organization that require additional | CIS Controls v8.0: 14.9; CRI Profile v2.0: PR.AT-02
| CRI Profile v2.0: PR.DS; CSF v1.1: PR.DS
Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the | CIS Controls v8.0: 3.11; CRI Profile v2.0: PR.DS-01
Ex1: Use encryption, digital signatures, and cryptographic hashes to protect the | CIS Controls v8.0: 3.10; CRI Profile v2.0: PR.DS-02
Ex1: Remove data that must remain confidential (e.g., from processors and | CRI Profile v2.0: PR.DS-10; CRI Profile v2.0: PR.DS-10.01
Ex1: Continuously back up critical data in near-real-time, and back up other data | CIS Controls v8.0: 11.2; CIS Controls v8.0: 11.3
| CRI Profile v2.0: PR.PS
Ex1: Establish, test, deploy, and maintain hardened baselines that enforce the | CIS Controls v8.0: 4.1; CIS Controls v8.0: 4.2
Ex1: Perform routine and emergency patching within the timeframes specified in | CIS Controls v8.0: 2.2; CIS Controls v8.0: 2.3
Ex1: Replace hardware when it lacks needed security capabilities or when it | CIS Controls v8.0: 1.2; CRI Profile v2.0: PR.PS-03
Ex1: Configure all operating systems, applications, and services (including cloud- | CIS Controls v8.0: 8.2; CRI Profile v2.0: PR.PS-04
Ex1: When risk warrants it, restrict software execution to permitted products only or | CIS Controls v8.0: 2.5; CRI Profile v2.0: PR.PS-05
Ex1: Protect all components of organization-developed software from | CIS Controls v8.0: 16.1; CRI Profile v2.0: PR.PS-06
| CRI Profile v2.0: PR.IR
Ex1: Logically segment organization networks and cloud-based platforms | CIS Controls v8.0: 3.12; CIS Controls v8.0: 12.2
Ex1: Protect organizational equipment from known environmental threats, such as | CRI Profile v2.0: PR.IR-02; CRI Profile v2.0: PR.IR-02.01
Ex1: Avoid single points of failure in systems and infrastructure | CRI Profile v2.0: PR.IR-03; CRI Profile v2.0: PR.IR-03.01
Ex1: Monitor usage of storage, power, compute, network bandwidth, and other | CRI Profile v2.0: PR.IR-04; CRI Profile v2.0: PR.IR-04.01
| CRI Profile v2.0: DE; CSF v1.1: DE
| CRI Profile v2.0: DE.CM; CSF v1.1: DE.CM
Ex1: Monitor DNS, BGP, and other network services for adverse events | CIS Controls v8.0: 13.1; CRI Profile v2.0: DE.CM-01
Ex1: Monitor logs from physical access control systems (e.g., badge readers) to find | CRI Profile v2.0: DE.CM-02; CRI Profile v2.0: DE.CM-02.01
Ex1: Use behavior analytics software to detect anomalous user activity to mitigate | CIS Controls v8.0: 10.7; CRI Profile v2.0: DE.CM-03
Ex1: Monitor remote and onsite administration and maintenance activities | CIS Controls v8.0: 15.2; CIS Controls v8.0: 15.6
Ex1: Monitor email, web, file sharing, collaboration services, and other common | CIS Controls v8.0: 10.1; CRI Profile v2.0: DE.CM-09
| CRI Profile v2.0: DE.AE; CSF v1.1: DE.AE
Ex1: Use security information and event management (SIEM) or other tools to | CIS Controls v8.0: 8.11; CRI Profile v2.0: DE.AE-02
Ex1: Constantly transfer log data generated by other sources to a relatively small | CRI Profile v2.0: DE.AE-03; CRI Profile v2.0: DE.AE-03.01
Ex1: Use SIEMs or other tools to estimate impact and scope, and review and refine | CRI Profile v2.0: DE.AE-04; CRI Profile v2.0: DE.AE-04.01
Ex1: Use cybersecurity software to generate alerts and provide them to the security | CRI Profile v2.0: DE.AE-06; CRI Profile v2.0: DE.AE-06.01
Ex1: Securely provide cyber threat intelligence feeds to detection | CRI Profile v2.0: DE.AE-07; CRI Profile v2.0: DE.AE-07.01
Ex1: Apply incident criteria to known and assumed characteristics of activity in order | CRI Profile v2.0: DE.AE-08; CRI Profile v2.0: DE.AE-08.01
| CRI Profile v2.0: RS; CSF v1.1: RS
| CRI Profile v2.0: RS.MA; CSF v1.1: RS.RP
Ex1: Detection technologies automatically report confirmed incidents | CIS Controls v8.0: 17.4; CRI Profile v2.0: RS.MA-01
Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related | CRI Profile v2.0: RS.MA-02; CRI Profile v2.0: RS.MA-02.01
Ex1: Further review and categorize incidents based on the type of incident | CRI Profile v2.0: RS.MA-03; CRI Profile v2.0: RS.MA-03.01
Ex1: Track and validate the status of all ongoing incidents | CRI Profile v2.0: RS.MA-04; CRI Profile v2.0: RS.MA-04.01
Ex1: Apply incident recovery criteria to known and assumed characteristics of the | CIS Controls v8.0: 17.9; CRI Profile v2.0: RS.MA-05
| CRI Profile v2.0: RS.AN; CSF v1.1: RS.AN
Ex1: Determine the sequence of events that occurred during the incident and which | CIS Controls v8.0: 17.8; CRI Profile v2.0: RS.AN-03
Ex1: Require each incident responder and others (e.g., system administrators, | CRI Profile v2.0: RS.AN-06; CRI Profile v2.0: RS.AN-06.01
Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident data and | CRI Profile v2.0: RS.AN-07; CRI Profile v2.0: RS.AN-07.01
Ex1: Review other potential targets of the incident to search for indicators of | CRI Profile v2.0: RS.AN-08; CRI Profile v2.0: RS.AN-08.01
| CRI Profile v2.0: RS.CO; CSF v1.1: RS.CO
Ex1: Follow the organization's breach notification procedures after discovering a | CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-02
Ex1: Securely share information consistent with response plans and information | CIS Controls v8.0: 17.2; CRI Profile v2.0: RS.CO-03
| CRI Profile v2.0: RS.MI; CSF v1.1: RS.MI
Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity | CRI Profile v2.0: RS.MI-01; CRI Profile v2.0: RS.MI-01.01
Ex1: Cybersecurity technologies and cybersecurity features of other | CRI Profile v2.0: RS.MI-02; CRI Profile v2.0: RS.MI-02.01
| CRI Profile v2.0: RC; CSF v1.1: RC
| CRI Profile v2.0: RC.RP; CSF v1.1: RC.RP
Ex1: Begin recovery procedures during or after incident response processes | CRI Profile v2.0: RC.RP-01; CRI Profile v2.0: RC.RP-01.01
Ex1: Select recovery actions based on the criteria defined in the incident response | CRI Profile v2.0: RC.RP-02; CRI Profile v2.0: RC.RP-02.01
Ex1: Check restoration assets for indicators of compromise, file corruption, and other | CIS Controls v8.0: 11.5; CRI Profile v2.0: RC.RP-03
Ex1: Use business impact and system categorization records (including service | CRI Profile v2.0: RC.RP-04; CRI Profile v2.0: RC.RP-04.01
Ex1: Check restored assets for indicators of compromise and remediation of root | CRI Profile v2.0: RC.RP-05; CRI Profile v2.0: RC.RP-05.01
Ex1: Prepare an after-action report that documents the incident itself, the response | CRI Profile v2.0: RC.RP-06; CRI Profile v2.0: RC.RP-06.01
| CRI Profile v2.0: RC.CO; CSF v1.1: RC.CO
Ex1: Securely share recovery information, including restoration progress, consistent | CRI Profile v2.0: RC.CO-03; CRI Profile v2.0: RC.CO-03.01
Ex1: Follow the organization's breach notification procedures for recovering from | CIS Controls v8.0: 17.2; CIS Controls v8.0: 17.6