NIST Framework

Summary

The NIST Cybersecurity Framework is guidance, based on existing standards, guidelines and practices, that helps organizations better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector.

Definitions

Definition / Requirements
ID_AM-3. Organizational communication and data flows are mapped
337. Make critical logic flows thread safe
ID_AM-4. External information systems are catalogued
330. Verify Subresource Integrity
ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established
095. Define users with privileges
096. Set user's required privileges
262. Verify third-party components
ID_BE-4. Dependencies and critical functions for delivery of critical services are established
302. Declare dependencies explicitly
PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes
025. Manage concurrent sessions
035. Manage privilege modifications
122. Validate credential ownership
142. Change system default credentials
143. Unique access credentials
380. Define a password management tool
PR_AC-2. Physical access to assets is managed and protected
257. Access based on user credentials
266. Disable insecure functionalities
273. Define a fixed security suite
PR_AC-3. Remote access is managed
181. Transmit data using secure protocols
213. Allow geographic location
PR_AC-4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
186. Use the principle of least privilege
PR_AC-5. Network integrity is protected
253. Restrict network access
255. Allow access only to the necessary ports
PR_AC-6. Identities are proofed and bound to credentials and asserted in interactions
033. Restrict administrative access
PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction
225. Proper authentication responses
229. Request access credentials
264. Request authentication
362. Assign MFA mechanisms to a single account
PR_DS-1. Data at rest is protected
176. Restrict system objects
PR_DS-2. Data in transit is protected
181. Transmit data using secure protocols
PR_DS-4. Adequate capacity to ensure availability is maintained
062. Define standard configurations
PR_DS-5. Protections against data leaks are implemented
032. Avoid session ID leakages
PR_DS-6. Integrity checking mechanisms are used to verify software, firmware and information integrity
046. Manage the integrity of critical files
321. Avoid deserializing untrusted data
354. Prevent firmware downgrades
PR_DS-7. The development and testing environments are separate from the production environment
036. Do not deploy temporary files
078. Disable debugging events
154. Eliminate backdoors
PR_IP-5. Policy and regulations regarding the physical operating environment for organizational assets are met
273. Define a fixed security suite
331. Guarantee legal compliance
PR_IP-6. Data is destroyed according to policy
183. Delete sensitive data securely
210. Delete information from mobile devices
214. Allow data destruction
317. Allow erasure requests
PR_PT-1. Audit/log records are determined, documented, implemented and reviewed in accordance with policy
080. Prevent log modification
377. Store logs based on valid regulation
378. Use of log management system
PR_PT-2. Removable media is protected and its use restricted according to policy
153. Out of band transactions
205. Configure PIN
206. Configure communication protocols
326. Detect rooted devices
PR_PT-4. Communications and control networks are protected
206. Configure communication protocols
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
DE_AE-2. Detected events are analyzed to understand attack targets and methods
079. Record exact occurrence time of events
080. Prevent log modification
376. Register severity level
DE_AE-5. Incident alert thresholds are established
075. Record exceptional events in logs
DE_CM-1. The network is monitored to detect potential cybersecurity events
376. Register severity level
DE_CM-4. Malicious code is detected
155. Application free of malicious code
DE_CM-6. External service provider activity is monitored to detect potential cybersecurity events
262. Verify third-party components
DE_DP-1. Roles and responsibilities for detection are well defined to ensure accountability
035. Manage privilege modifications
DE_DP-4. Event detection information is communicated
227. Display access notification
301. Notify configuration changes
RS_RP-1. Response plan is executed during or after an incident
225. Proper authentication responses
RS_CO-2. Incidents are reported consistent with established criteria
363. Synchronize system clocks
RC_RP-1. Recovery plan is executed during or after a cybersecurity incident
238. Establish safe recovery