NIST Framework

Summary

The NIST Cybersecurity Framework is guidance, built on existing standards, guidelines and practices, that helps organizations better manage and reduce cybersecurity risk. It was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector. The table below maps each Framework subcategory covered on this page to the numbered requirements that implement it.

Definitions

Definition (NIST CSF subcategory), followed by the requirements mapped to it:

DE_AE-2. Detected events are analyzed to understand attack targets and methods
  079. Record exact occurrence time of events
  080. Prevent log modification
  376. Register severity level

DE_AE-5. Incident alert thresholds are established
  075. Record exceptional events in logs

DE_CM-1. The network is monitored to detect potential cybersecurity events
  376. Register severity level

DE_CM-4. Malicious code is detected
  155. Application free of malicious code

DE_CM-6. External service provider activity is monitored to detect potential cybersecurity events
  262. Verify third-party components

DE_DP-1. Roles and responsibilities for detection are well defined to ensure accountability
  035. Manage privilege modifications

DE_DP-4. Event detection information is communicated
  227. Display access notification
  301. Notify configuration changes

ID_AM-3. Organizational communication and data flows are mapped
  337. Make critical logic flows thread safe

ID_AM-4. External information systems are catalogued
  330. Verify Subresource Integrity

ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established
  095. Define users with privileges
  096. Set user's required privileges
  262. Verify third-party components

ID_BE-4. Dependencies and critical functions for delivery of critical services are established
  302. Declare dependencies explicitly

PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes
  025. Manage concurrent sessions
  035. Manage privilege modifications
  122. Validate credential ownership
  142. Change system default credentials
  143. Unique access credentials
  380. Define a password management tool

PR_AC-2. Physical access to assets is managed and protected
  257. Access based on user credentials
  266. Disable insecure functionalities
  273. Define a fixed security suite

PR_AC-3. Remote access is managed
  181. Transmit data using secure protocols
  213. Allow geographic location

PR_AC-4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  186. Use the principle of least privilege

PR_AC-5. Network integrity is protected
  253. Restrict network access
  255. Allow access only to the necessary ports

PR_AC-6. Identities are proofed and bound to credentials and asserted in interactions
  033. Restrict administrative access

PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction
  225. Proper authentication responses
  229. Request access credentials
  264. Request authentication
  362. Assign MFA mechanisms to a single account

PR_DS-1. Data at rest is protected
  176. Restrict system objects

PR_DS-2. Data in transit is protected
  181. Transmit data using secure protocols

PR_DS-4. Adequate capacity to ensure availability is maintained
  062. Define standard configurations

PR_DS-5. Protections against data leaks are implemented
  032. Avoid session ID leakages

PR_DS-6. Integrity checking mechanisms are used to verify software, firmware and information integrity
  046. Manage the integrity of critical files
  321. Avoid deserializing untrusted data
  354. Prevent firmware downgrades

PR_DS-7. The development and testing environments are separate from the production environment
  036. Do not deploy temporary files
  078. Disable debugging events
  154. Eliminate backdoors

PR_IP-5. Policy and regulations regarding the physical operating environment for organizational assets are met
  273. Define a fixed security suite
  331. Guarantee legal compliance

PR_IP-6. Data is destroyed according to policy
  183. Delete sensitive data securely
  210. Delete information from mobile devices
  214. Allow data destruction
  317. Allow erasure requests

PR_PT-1. Audit/log records are determined, documented, implemented and reviewed in accordance with policy
  080. Prevent log modification
  377. Store logs based on valid regulation
  378. Use of log management system

PR_PT-2. Removable media is protected and its use restricted according to policy
  153. Out of band transactions
  205. Configure PIN
  206. Configure communication protocols
  326. Detect rooted devices

PR_PT-4. Communications and control networks are protected
  206. Configure communication protocols
  224. Use secure cryptographic mechanisms
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy

RC_RP-1. Recovery plan is executed during or after a cybersecurity incident
  238. Establish safe recovery

RS_CO-2. Incidents are reported consistent with established criteria
  363. Synchronize system clocks

RS_RP-1. Response plan is executed during or after an incident
  225. Proper authentication responses
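Three of the requirements above (079, record exact occurrence time; 080, prevent log modification; 376, register severity level), which the table attaches to DE_AE-2 and PR_PT-1, together describe one concrete logging technique: every entry carries a UTC timestamp and a severity level, and entries are chained so that editing, deleting or inserting one breaks a verifiable link. The following is an added illustration written for this page; it is not code from NIST or from the source of the numbered requirements. The key, the `GENESIS` value, the function names and the sample events are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed for the example only: a real deployment would keep this key in an
# HSM or secrets manager, outside the reach of whoever can write the log.
KEY = b"example-key-do-not-use-in-production"
# Chain anchor for the first entry (assumed constant).
GENESIS = "0" * 64
SEVERITIES = ("DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL")


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the same entry always yields the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_entry(prev_mac: str, event: str, severity: str, source: str,
               ts: Optional[datetime] = None) -> dict:
    """Build one log entry: exact UTC time (079), severity (376), and a MAC
    over the entry plus the previous MAC (080) so modification is detectable."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    ts = ts or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    body = {
        "ts": ts.astimezone(timezone.utc).isoformat(timespec="microseconds"),
        "severity": severity,
        "source": source,
        "event": event,
        "prev": prev_mac,
    }
    body["mac"] = hmac.new(KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_chain(entries: list) -> Optional[int]:
    """Return the index of the first entry whose MAC or chain link is invalid,
    or None if the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return i  # entry was inserted, or the one before it was removed
        expected = hmac.new(KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i  # entry contents (time, severity, text) were changed
        prev = entry["mac"]
    return None


def build_sample_chain() -> list:
    """Constructed sample events (not real data) at fixed UTC timestamps."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [
        ("auth", "WARNING", "failed login for user alice from 203.0.113.7"),
        ("auth", "CRITICAL", "5 failed logins for user alice within 60 s"),
        ("config", "INFO", "tls_min_version changed from 1.0 to 1.2"),
    ]
    chain, prev = [], GENESIS
    for i, (source, severity, msg) in enumerate(events):
        entry = make_entry(prev, msg, severity, source, ts=base + timedelta(seconds=i))
        chain.append(entry)
        prev = entry["mac"]
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None)
    chain[1]["severity"] = "INFO"  # downgrade the alert after the fact
    print("first bad entry after tampering:", verify_chain(chain))
```

The chain detects changes to any entry's time, severity or text, and removal or insertion of entries in the middle, but not truncation of the tail: dropping the newest entries leaves a shorter chain that still verifies. That is why the latest MAC should be shipped regularly to a separate log management system (requirement 378) that the writer of the log cannot alter, and why the writer should hold the key only if it cannot also rewrite history.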