Summary
The NIST Cybersecurity Framework is a guidance based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk. This set of requirements was developed by the National Institute of Standards and Technology (NIST) in close collaboration with the private sector.
Definitions
| Definition | Requirements |
|---|
| DE_AE-2. Detected events are analyzed to understand attack targets and methods | 079. Record exact occurrence time of events
080. Prevent log modification
376. Register severity level |
| DE_AE-5. Incident alert thresholds are established | 075. Record exceptional events in logs |
| DE_CM-1. The network is monitored to detect potential cybersecurity events | 376. Register severity level |
| DE_CM-4. Malicious code is detected | 155. Application free of malicious code |
| DE_CM-6. External service provider activity is monitored to detect potential cybersecurity events | 262. Verify third-party components |
| DE_DP-1. Roles and responsibilities for detection are well defined to ensure accountability | 035. Manage privilege modifications |
| DE_DP-4. Event detection information is communicated | 227. Display access notification
301. Notify configuration changes |
| ID_AM-3. Organizational communication and data flows are mapped | 337. Make critical logic flows thread safe |
| ID_AM-4. External information systems are catalogued | 330. Verify Subresource Integrity |
| ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established | 095. Define users with privileges
096. Set user's required privileges
262. Verify third-party components |
| ID_BE-4. Dependencies and critical functions for delivery of critical services are established | 302. Declare dependencies explicitly |
| PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes | 025. Manage concurrent sessions
035. Manage privilege modifications
122. Validate credential ownership
142. Change system default credentials
143. Unique access credentials
380. Define a password management tool |
| PR_AC-2. Physical access to assets is managed and protected | 257. Access based on user credentials
266. Disable insecure functionalities
273. Define a fixed security suite |
| PR_AC-3. Remote access is managed | 181. Transmit data using secure protocols
213. Allow geographic location |
| PR_AC-4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 186. Use the principle of least privilege |
| PR_AC-5. Network integrity is protected | 253. Restrict network access
255. Allow access only to the necessary ports |
| PR_AC-6. Identities are proofed and bound to credentials and asserted in interactions | 033. Restrict administrative access |
| PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction | 225. Proper authentication responses
229. Request access credentials
264. Request authentication
362. Assign MFA mechanisms to a single account |
| PR_DS-1. Data at rest is protected | 176. Restrict system objects |
| PR_DS-2. Data in transit is protected | 181. Transmit data using secure protocols |
| PR_DS-4. Adequate capacity to ensure availability is maintained | 062. Define standard configurations |
| PR_DS-5. Protections against data leaks are implemented | 032. Avoid session ID leakages |
| PR_DS-6. Integrity checking mechanisms are used to verify software, firmware and information integrity | 046. Manage the integrity of critical files
321. Avoid deserializing untrusted data
354. Prevent firmware downgrades |
| PR_DS-7. The development and testing environments are separate from the production environment | 036. Do not deploy temporary files
078. Disable debugging events
154. Eliminate backdoors |
| PR_IP-5. Policy and regulations regarding the physical operating environment for organizational assets are met | 273. Define a fixed security suite
331. Guarantee legal compliance |
| PR_IP-6. Data is destroyed according to policy | 183. Delete sensitive data securely
210. Delete information from mobile devices
214. Allow data destruction
317. Allow erasure requests |
| PR_PT-1. Audit/log records are determined, documented, implemented and reviewed in accordance with policy | 080. Prevent log modification
377. Store logs based on valid regulation
378. Use of log management system |
| PR_PT-2. Removable media is protected and its use restricted according to policy | 153. Out of band transactions
205. Configure PIN
206. Configure communication protocols
326. Detect rooted devices |
| PR_PT-4. Communications and control networks are protected | 206. Configure communication protocols
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy |
| RC_RP-1. Recovery plan is executed during or after a cybersecurity incident | 238. Establish safe recovery |
| RS_CO-2. Incidents are reported consistent with established criteria | 363. Synchronize system clocks |
| RS_RP-1. Response plan is executed during or after an incident | 225. Proper authentication responses |