NIST Cybersecurity Framework: Comprehensive Self-Assessment Tool

Introduction to NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. Developed for critical infrastructure in the United States, it has been widely adopted across various industries and organizations worldwide. The framework is designed to be flexible and adaptable, allowing entities to manage cybersecurity risk according to their specific needs, objectives, and capabilities. It's structured around five core functions: Identify, Protect, Detect, Respond, and Recover, providing a strategic view of the lifecycle of an organization's management of cybersecurity risk.

Identify

Asset Management (ID.AM)

Physical devices and systems within the organization are inventoried.
Software platforms and applications within the organization are inventoried.
Organizational communication and data flows are mapped.
External information systems are cataloged.
Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

Business Environment (ID.BE)

The organization's role in the supply chain is identified and communicated.
The organization's place in critical infrastructure and its industry sector is identified and communicated.
Priorities for organizational mission, objectives, and activities are established and communicated.
Dependencies and critical functions for delivery of critical services are established.
Resilience requirements for the delivery of critical services are established.

Governance (ID.GV)

Organizational cybersecurity policy is established and communicated.
Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
Governance and risk management processes address cybersecurity risks.

Risk Assessment (ID.RA)

Asset vulnerabilities are identified and documented.
Threat and vulnerability information is received from information sharing forums and sources.
Threats, both internal and external, are identified and documented.
Potential business impacts and likelihoods are identified.
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
Risk responses are identified and prioritized.

Risk Management Strategy (ID.RM)

Risk management processes are established, managed, and agreed upon by organizational stakeholders.
Organizational risk tolerance is determined and clearly expressed.
The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.

Supply Chain Risk Management (ID.SC)

Cybersecurity risks are identified and managed as an integral part of the organization's risk management and governance process.
The organization's place in critical infrastructure and its industry sector is identified and communicated.
Priorities for organizational mission, objectives, and activities are established and communicated.
Dependencies and critical functions for delivery of critical services are established.
Resilience requirements for the delivery of critical services are established.

Protect

Identity Management and Access Control (PR.AC)

Identities and credentials are managed for authorized devices and users.
Physical access to assets is managed and protected.
Remote access is managed.
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
Network integrity is protected (e.g., network segregation, network segmentation).
Identities are proofed and bound to credentials and asserted in interactions.
Users, devices, and other assets are authenticated commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks).

Awareness and Training (PR.AT)

All users are informed and trained.
Privileged users understand their roles and responsibilities.
Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
Senior executives understand their roles and responsibilities.
Physical and cybersecurity personnel understand their roles and responsibilities.

Data Security (PR.DS)

Data-at-rest is protected.
Data-in-transit is protected.
Assets are formally managed throughout removal, transfers, and disposal.
Adequate capacity to ensure availability is maintained.
Protections against data leaks are implemented.
Integrity checking mechanisms are used to verify software, firmware, and information integrity.
The development and testing environment(s) are separate from the production environment.

Information Protection Processes and Procedures (PR.IP)

A baseline configuration of information technology and industrial control systems is created and maintained.
A system development life cycle to manage systems is implemented.
Configuration change control processes are in place.
Backups of information are conducted, maintained, and tested.
Policy and regulations regarding the physical operating environment for organizational assets are met.
Data is destroyed according to policy.
Protection processes are improved.
Effectiveness of protection technologies is shared.
Response and recovery plans (incident response and business continuity) and processes are established and managed.
Response and recovery testing and exercises are conducted.
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
A vulnerability management plan is developed and implemented.

Maintenance (PR.MA)

Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

Protective Technology (PR.PT)

Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
Removable media is protected and its use restricted according to policy.
Access to systems and assets is controlled, incorporating the principle of least functionality.
Communications and control networks are protected.
Mechanisms to protect data-at-rest are implemented.

Detect

Anomalies and Events (DE.AE)

A baseline of network operations and expected data flows for users and systems is established and managed.
Detected events are analyzed to understand attack targets and methods.
Event data are aggregated and correlated from multiple sources and sensors.
Impact of events is determined.
Incident alert thresholds are established.

Security Continuous Monitoring (DE.CM)

The network is monitored to detect potential cybersecurity events.
The physical environment is monitored to detect potential cybersecurity events.
Personnel activity is monitored to detect potential cybersecurity events.
Malicious code is detected.
Unauthorized mobile code is detected.
External service provider activity is monitored to detect potential cybersecurity events.
Monitoring for unauthorized personnel, connections, devices, and software is performed.
Vulnerability scans are performed.

Detection Processes (DE.DP)

Roles and responsibilities for detection are well defined to ensure accountability.
Detection activities comply with all applicable requirements.
Detection processes are tested.
Event detection information is communicated.
Detection processes are continuously improved.

Respond

Response Planning (RS.RP)

Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.

Communications (RS.CO)

Personnel know their roles and order of operations when a response is needed.
Physical and cybersecurity personnel are coordinated during and after an event.
Information is shared consistent with response plans.
Resilient networks and systems are leveraged.
Volunteers and other external stakeholders are coordinated.

Analysis (RS.AN)

Notifications from detection systems are investigated.
The impact of the incident is understood.
Forensics are performed.
Incidents are categorized consistent with response criteria.
Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from external sources.

Mitigation (RS.MI)

Incidents are contained.
Incidents are mitigated.
Newly identified vulnerabilities are mitigated or documented.

Improvements (RS.IM)

Organizational response activities are improved by incorporating lessons learned.
Response strategies are updated.

Recover

Recovery Planning (RC.RP)

Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Improvements (RC.IM)

Recovery planning and processes are improved by incorporating lessons learned.
Recovery strategies are updated.

Communications (RC.CO)

Public relations are managed.
Reputation after an event is repaired.
Recovery activities are communicated to internal stakeholders and executive and management teams.