
NIST CSF

Summary

The NIST Cybersecurity Framework is guidance based on existing standards, guidelines and practices that helps organizations better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector. The version used in this section is NIST CSF v2.0.

Definitions

Definition / Requirements

ID_AM-03. Representations of the organization’s authorized network communication and internal and external network data flows are maintained
  337. Make critical logic flows thread safe
ID_AM-04. Inventories of services provided by suppliers are maintained
  330. Verify Subresource Integrity
PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
  025. Manage concurrent sessions
  035. Manage privilege modifications
  122. Validate credential ownership
  142. Change system default credentials
  143. Unique access credentials
  380. Define a password management tool
PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions
  033. Restrict administrative access
PR_AA-03. Users, services, and hardware are authenticated
  225. Proper authentication responses
  229. Request access credentials
  264. Request authentication
  362. Assign MFA mechanisms to a single account
PR_AA-04. Identity assertions are protected, conveyed, and verified
  096. Set user's required privileges
PR_AA-05. Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  186. Use the principle of least privilege
PR_AA-06. Physical access to assets is managed, monitored, and enforced commensurate with risk
  257. Access based on user credentials
  266. Disable insecure functionalities
  273. Define a fixed security suite
PR_DS-01. The confidentiality, integrity, and availability of data-at-rest are protected
  176. Restrict system objects
PR_DS-02. The confidentiality, integrity, and availability of data-in-transit are protected
  181. Transmit data using secure protocols
PR_DS-10. The confidentiality, integrity, and availability of data-in-use are protected
  062. Define standard configurations
PR_DS-11. Backups of data are created, protected, maintained, and tested
  185. Encrypt sensitive information
PR_PS-02. Software is maintained, replaced, and removed commensurate with risk
  262. Verify third-party components
PR_PS-04. Log records are generated and made available for continuous monitoring
  377. Store logs based on valid regulation
  378. Use of log management system
PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
  062. Define standard configurations
  158. Use a secure programming language
  161. Define secure default options
PR_IR-01. Networks and environments are protected from unauthorized logical access and usage
  259. Segment the organization network
  341. Use the principle of deny by default
DE_CM-01. Networks and network services are monitored to find potentially adverse events
  376. Register severity level
DE_CM-03. Personnel activity and technology usage are monitored to find potentially adverse events
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  376. Register severity level
  377. Store logs based on valid regulation
  378. Use of log management system
DE_CM-06. External service provider activities and services are monitored to find potentially adverse events
  262. Verify third-party components
DE_AE-02. Potentially adverse events are analyzed to better understand associated activities
  079. Record exact occurrence time of events
  080. Prevent log modification
  376. Register severity level
RS_MA-01. The incident response plan is executed in coordination with relevant third parties once an incident is declared
  225. Proper authentication responses
RS_AN-07. Incident data and metadata are collected, and their integrity and provenance are preserved
  046. Manage the integrity of critical files
  080. Prevent log modification
  377. Store logs based on valid regulation
RC_RP-01. The recovery portion of the incident response plan is executed once initiated from the incident response process
  238. Establish safe recovery