NIST Framework

Summary

The NIST Cybersecurity Framework is a guidance based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector.

Definitions

Definition	Requirements
ID_AM-3. Organizational communication and data flows are mapped	337. Make critical logic flows thread safe
ID_AM-4. External information systems are catalogued	330. Verify Subresource Integrity
ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established	095. Define users with privileges 096. Set user's required privileges 262. Verify third-party components
ID_BE-4. Dependencies and critical functions for delivery of critical services are established	302. Declare dependencies explicitly
PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes	025. Manage concurrent sessions 035. Manage privilege modifications 122. Validate credential ownership 142. Change system default credentials 143. Unique access credentials 380. Define a password management tool
PR_AC-2. Physical access to assets is managed and protected	257. Access based on user credentials 266. Disable insecure functionalities 273. Define a fixed security suite
PR_AC-3. Remote access is managed	181. Transmit data using secure protocols 213. Allow geographic location
PR_AC-4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties	186. Use the principle of least privilege
PR_AC-5. Network integrity is protected	253. Restrict network access 255. Allow access only to the necessary ports
PR_AC-6. Identities are proofed and bound to credentials and asserted in interactions	033. Restrict administrative access
PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction	225. Proper authentication responses 229. Request access credentials 264. Request authentication 362. Assign MFA mechanisms to a single account
PR_DS-1. Data at rest is protected	176. Restrict system objects
PR_DS-2. Data in transit is protected	181. Transmit data using secure protocols
PR_DS-4. Adequate capacity to ensure availability is maintained	062. Define standard configurations
PR_DS-5. Protections against data leaks are implemented	032. Avoid session ID leakages
PR_DS-6. Integrity checking mechanisms are used to verify software, firmware and information integrity	046. Manage the integrity of critical files 321. Avoid deserializing untrusted data 354. Prevent firmware downgrades
PR_DS-7. The development and testing environments are separate from the production environment	036. Do not deploy temporary files 078. Disable debugging events 154. Eliminate backdoors
PR_IP-5. Policy and regulations regarding the physical operating environment for organizational assets are met	273. Define a fixed security suite 331. Guarantee legal compliance
PR_IP-6. Data is destroyed according to policy	183. Delete sensitive data securely 210. Delete information from mobile devices 214. Allow data destruction 317. Allow erasure requests
PR_PT-1. Audit/log records are determined, documented, implemented and reviewed in accordance with policy	080. Prevent log modification 377. Store logs based on valid regulation 378. Use of log management system
PR_PT-2. Removable media is protected and its use restricted according to policy	153. Out of band transactions 205. Configure PIN 206. Configure communication protocols 326. Detect rooted devices
PR_PT-4. Communications and control networks are protected	206. Configure communication protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
DE_AE-2. Detected events are analyzed to understand attack targets and methods	079. Record exact occurrence time of events 080. Prevent log modification 376. Register severity level
DE_AE-5. Incident alert thresholds are established	075. Record exceptional events in logs
DE_CM-1. The network is monitored to detect potential cybersecurity events	376. Register severity level
DE_CM-4. Malicious code is detected	155. Application free of malicious code
DE_CM-6. External service provider activity is monitored to detect potential cybersecurity events	262. Verify third-party components
DE_DP-1. Roles and responsibilities for detection are well defined to ensure accountability	035. Manage privilege modifications
DE_DP-4. Event detection information is communicated	227. Display access notification 301. Notify configuration changes
RS_RP-1. Response plan is executed during or after an incident	225. Proper authentication responses
RS_CO-2. Incidents are reported consistent with established criteria	363. Synchronize system clocks
RC_RP-1. Recovery plan is executed during or after a cybersecurity incident	238. Establish safe recovery

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.