
Summary
The NIST Cybersecurity Framework is guidance, based on existing standards, guidelines and practices, that helps organizations better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector.
Definitions
| Definition | Requirements |
|---|---|
| DE_AE-2. Detected events are analyzed to understand attack targets and methods | 079. Record exact occurrence time of events; 080. Prevent log modification; 376. Register severity level |
| DE_AE-5. Incident alert thresholds are established | 075. Record exceptional events in logs |
| DE_CM-1. The network is monitored to detect potential cybersecurity events | 376. Register severity level |
| DE_CM-4. Malicious code is detected | 155. Application free of malicious code |
| DE_CM-6. External service provider activity is monitored to detect potential cybersecurity events | 262. Verify third-party components |
| DE_DP-1. Roles and responsibilities for detection are well defined to ensure accountability | 035. Manage privilege modifications |
| DE_DP-4. Event detection information is communicated | 227. Display access notification; 301. Notify configuration changes |
| ID_AM-3. Organizational communication and data flows are mapped | 337. Make critical logic flows thread safe |
| ID_AM-4. External information systems are catalogued | 330. Verify Subresource Integrity |
| ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established | 095. Define users with privileges; 096. Set user's required privileges; 262. Verify third-party components |
| ID_BE-4. Dependencies and critical functions for delivery of critical services are established | 302. Declare dependencies explicitly |
| PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes | 025. Manage concurrent sessions; 035. Manage privilege modifications; 122. Validate credential ownership; 142. Change system default credentials; 143. Unique access credentials; 380. Define a password management tool |
| PR_AC-2. Physical access to assets is managed and protected | 257. Access based on user credentials; 266. Disable insecure functionalities; 273. Define a fixed security suite |
| PR_AC-3. Remote access is managed | 181. Transmit data using secure protocols; 213. Allow geographic location |
| PR_AC-4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 186. Use the principle of least privilege |
| PR_AC-5. Network integrity is protected | 253. Restrict network access; 255. Allow access only to the necessary ports |
| PR_AC-6. Identities are proofed and bound to credentials and asserted in interactions | 033. Restrict administrative access |
| PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction | 225. Proper authentication responses; 229. Request access credentials; 264. Request authentication; 362. Assign MFA mechanisms to a single account |
| PR_DS-1. Data at rest is protected | 176. Restrict system objects |
| PR_DS-2. Data in transit is protected | 181. Transmit data using secure protocols |
| PR_DS-4. Adequate capacity to ensure availability is maintained | 062. Define standard configurations |
| PR_DS-5. Protections against data leaks are implemented | 032. Avoid session ID leakages |
| PR_DS-6. Integrity checking mechanisms are used to verify software, firmware and information integrity | 046. Manage the integrity of critical files; 321. Avoid deserializing untrusted data; 354. Prevent firmware downgrades |
| PR_DS-7. The development and testing environments are separate from the production environment | 036. Do not deploy temporary files; 078. Disable debugging events; 154. Eliminate backdoors |
| PR_IP-5. Policy and regulations regarding the physical operating environment for organizational assets are met | 273. Define a fixed security suite; 331. Guarantee legal compliance |
| PR_IP-6. Data is destroyed according to policy | 183. Delete sensitive data securely; 210. Delete information from mobile devices; 214. Allow data destruction; 317. Allow erasure requests |
| PR_PT-1. Audit/log records are determined, documented, implemented and reviewed in accordance with policy | 080. Prevent log modification; 377. Store logs based on valid regulation; 378. Use of log management system |
| PR_PT-2. Removable media is protected and its use restricted according to policy | 153. Out of band transactions; 205. Configure PIN; 206. Configure communication protocols; 326. Detect rooted devices |
| PR_PT-4. Communications and control networks are protected | 206. Configure communication protocols; 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| RC_RP-1. Recovery plan is executed during or after a cybersecurity incident | 238. Establish safe recovery |
| RS_CO-2. Incidents are reported consistent with established criteria | 363. Synchronize system clocks |
| RS_RP-1. Response plan is executed during or after an incident | 225. Proper authentication responses |