The GOVERN (GV) category in NIST CSF v2.0 focuses on establishing leadership, accountability, policies, and oversight for cybersecurity risk management, ensuring alignment with organizational goals, legal requirements, and risk appetite. It integrates cybersecurity into overall governance and continuous improvement processes.

• Cybersecurity Supply Chain Risk Management (GV.SC-10)

  GV.SC-10 focuses on strengthening the resilience of the supply chain by ensuring that organizations proactively assess, monitor, and manage cybersecurity risks introduced by suppliers and third-party partners. This subcontrol encourages continuous integration of cybersecurity risk management practices into the entire supply chain lifecycle, from vendor selection to ongoing monitoring.

• Cybersecurity Supply Chain Risk Management (GV.SC-09)

  GV.SC-09 emphasizes the importance of embedding a proactive and systematic approach to managing cybersecurity risks across the supply chain. This subcontrol focuses on continuously assessing, monitoring, and strengthening supply chain cybersecurity practices, ensuring that organizations address potential threats and vulnerabilities introduced through third-party relationships.

• Cybersecurity Supply Chain Risk Management (GV.SC-07)

  GV.SC-07 focuses on establishing cybersecurity risk management practices for assessing, managing, and mitigating risks within the supply chain ecosystem. This subcontrol emphasizes the importance of continuous improvement and risk adjustment to adapt to the evolving cybersecurity landscape within the supply chain.

• Cybersecurity Supply Chain Risk Management (GV.SC-08)

  GV.SC-08 focuses on integrating risk management practices into the broader cybersecurity governance framework for managing and mitigating risks originating within the supply chain. This subcontrol emphasizes the need for organizations to assess, monitor, and manage cybersecurity risks related to third-party and vendor relationships throughout the entire lifecycle of supply chain engagements.

• Cybersecurity Supply Chain Risk Management (GV.SC-06)

  GV.SC-06 focuses on ensuring that cybersecurity risk management practices within the supply chain are consistently assessed, improved, and refined to address emerging threats and vulnerabilities. This subcontrol emphasizes developing a structured process for integrating risk management into every phase of the supply chain lifecycle—from planning and procurement to operations and decommissioning.

• Cybersecurity Supply Chain Risk Management (GV.SC-05)

  GV.SC-05 focuses on the continuous improvement of cybersecurity risk management processes within the supply chain by emphasizing risk assessment, resilience, and transparency. This subcontrol ensures that organizations have established processes for monitoring, managing, and mitigating the cybersecurity risks associated with third-party vendors and the broader supply chain ecosystem over time.

• Cybersecurity Supply Chain Risk Management (GV.SC-04)

  GV.SC-04 focuses on the implementation of a robust cybersecurity risk management process that addresses the critical vulnerabilities and risks arising from third-party relationships and supply chains. This subcontrol emphasizes the necessity of protecting the organization by ensuring that suppliers and service providers uphold strong cybersecurity practices, aligning them with the organization's cybersecurity goals and ensuring resilience in the face of evolving threats.

• Cybersecurity Supply Chain Risk Management (GV.SC-03)

  GV.SC-03 is aimed at ensuring organizations have a comprehensive, structured approach to managing cybersecurity risks associated with their supply chain. This subcontrol focuses on integrating cybersecurity into the procurement process, fostering collaboration with suppliers, and continuously improving the security of the supply chain by identifying, assessing, and mitigating risks over time.

• Cybersecurity Supply Chain Risk Management (GV.SC-02)

  GV.SC-02 focuses on the establishment of ongoing processes for managing risks associated with the cybersecurity of an organization's supply chain. This includes the development and execution of risk assessments, monitoring, and mitigation strategies for third-party vendors, service providers, and other external parties that could impact the security of the organization's information systems and data.

• Oversight (GV.OV-03)

  GV.OV-03 emphasizes the need for a structured oversight mechanism to monitor the performance and effectiveness of the cybersecurity program. This subcontrol calls for regular evaluations of cybersecurity activities, assessing both their alignment with organizational objectives and their ability to manage and mitigate cyber risks effectively. Oversight ensures continuous improvement and adaptation to emerging threats and regulatory requirements.

• Cybersecurity Supply Chain Risk Management (GV.SC-01)

  GV.SC-01 emphasizes the integration of cybersecurity risk management practices into the supply chain management process. It focuses on identifying, assessing, and mitigating cybersecurity risks related to external parties, vendors, and service providers that can impact an organization’s cybersecurity posture.

• Oversight (GV.OV-02)

  GV.OV-02 focuses on the continuous monitoring and reviewing of the effectiveness of the cybersecurity program. It emphasizes the need for periodic assessments of the program’s performance, effectiveness, and alignment with organizational goals. This ensures that the cybersecurity program remains responsive to evolving threats and business priorities.

• Oversight (GV.OV-01)

  GV.OV-01 focuses on the establishment of governance structures for overseeing the cybersecurity program, ensuring it is appropriately resourced, supported, and aligned with organizational priorities. This subcontrol emphasizes senior management's active involvement in steering cybersecurity efforts, making it a key component for effective program execution and alignment with strategic objectives.

• Organizational Context (GV.OC-01)

  The "Organizational Context (GV.OC-01)" subcontrol emphasizes understanding the external and internal factors that influence the organization’s approach to cybersecurity risk management. It covers how the organization’s mission, legal environment, industry sector, and overall business goals shape its cybersecurity framework and decision-making.

• Organizational Context (GV.OC-02)

  The Organizational Context (GV.OC-02) subcontrol ensures that the organization evaluates and continuously updates its understanding of its internal and external context. This context includes stakeholders, legal and regulatory requirements, risk management frameworks, and overall strategic goals. This subcontrol requires ongoing alignment of cybersecurity strategies with evolving business needs and external changes.

• Organizational Context (GV.OC-03)

  The Organizational Context (GV.OC-03) subcontrol requires the organization to establish clear governance structures that define roles and responsibilities for cybersecurity within the organizational context. This includes clarifying decision-making processes, accountability, and oversight to ensure cybersecurity governance is integrated throughout the organizational framework. By clearly defining these roles, the organization ensures that all aspects of cybersecurity are properly managed and aligned with strategic goals.

• Organizational Context (GV.OC-04)

  The GV.OC-04 subcontrol focuses on the identification and alignment of the organization's cybersecurity needs with its overall business objectives and strategy. It emphasizes ensuring that cybersecurity efforts are in harmony with organizational priorities, resources, and risk tolerance, ensuring effective risk management. This alignment allows organizations to support business operations while maintaining a secure environment.

• Organizational Context (GV.OC-05)

  The GV.OC-05 subcontrol focuses on the establishment of governance structures to ensure effective oversight and accountability for cybersecurity activities across the organization. This includes creating roles, responsibilities, and reporting mechanisms to align cybersecurity efforts with organizational objectives and risk tolerance. The subcontrol emphasizes the need for continuous monitoring and improvement to ensure that governance structures adapt to evolving organizational needs.

• Risk Management Strategy (GV.RM-01)

  GV.RM-01 establishes the need for organizations to define, implement, and maintain a comprehensive risk management strategy that integrates cybersecurity into overall organizational risk management processes. The subcontrol focuses on aligning cybersecurity risk management with business objectives, ensuring that risk is managed proactively and aligned with the organization’s risk tolerance.

• Risk Management Strategy (GV.RM-02)

  GV.RM-02 emphasizes the development, implementation, and continuous refinement of a risk management strategy that proactively identifies and addresses cybersecurity risks within the organization's broader risk management processes. The strategy should be integrated into decision-making, resource allocation, and ongoing risk assessment to maintain an adaptive and resilient risk posture.

• Risk Management Strategy (GV.RM-03)

  GV.RM-03 emphasizes the integration of cybersecurity risk management within the organization's overarching enterprise risk management framework. It focuses on ensuring that the organization applies systematic processes for managing risks in a way that aligns with business objectives, regulatory requirements, and the organization's risk appetite.

• Risk Management Strategy (GV.RM-04)

  GV.RM-04 focuses on the continuous assessment and adaptation of an organization’s cybersecurity risk management strategy to ensure it remains aligned with evolving business objectives, regulatory changes, and the shifting cybersecurity landscape. This subcontrol emphasizes the need for organizations to consistently reassess risk exposure and adjust strategies to maintain resilience.

• Risk Management Strategy (GV.RM-05)

  GV.RM-05 focuses on defining the processes, frameworks, and tools required to identify, evaluate, and manage cybersecurity risks within an organization's broader risk management strategy. This subcontrol emphasizes the integration of risk management activities into the organization’s operational processes to ensure comprehensive and consistent risk oversight.

• Risk Management Strategy (GV.RM-06)

  GV.RM-06 emphasizes the need for organizations to establish risk management strategies that are adaptable, comprehensive, and capable of addressing emerging cybersecurity threats. This subcontrol focuses on ensuring that risk management activities not only address current risks but are also agile enough to evolve with the changing cybersecurity landscape.

• Risk Management Strategy (GV.RM-07)

  GV.RM-07 focuses on integrating cybersecurity risk management with the organization's overall governance structure. This subcontrol ensures that risk management efforts are aligned with strategic business objectives, ensuring cybersecurity risks are addressed at all levels of decision-making. It emphasizes cross-departmental collaboration, accountability, and long-term planning.

• Roles, Responsibilities, and Authorities (GV.RR-01)

  GV.RR-01 outlines the establishment of clear roles, responsibilities, and authorities within the organization to manage cybersecurity risks effectively. This subcontrol ensures that the risk management process is supported by well-defined governance structures, accountability, and decision-making authority, helping to coordinate the overall cybersecurity risk efforts across the enterprise.

• Roles, Responsibilities, and Authorities (GV.RR-02)

  GV.RR-02 focuses on defining, assigning, and communicating specific roles, responsibilities, and authorities related to cybersecurity risk management across the organization. This subcontrol ensures that roles are clearly articulated, responsibilities are distributed, and the necessary decision-making authority is given to key stakeholders, facilitating effective and responsive risk management.

• Roles, Responsibilities, and Authorities (GV.RR-03)

  GV.RR-03 ensures that roles, responsibilities, and authorities for cybersecurity risk management are aligned with the organization’s risk management strategy. It focuses on clearly defining the authority to manage risks across various organizational levels, ensuring that risk ownership is well-distributed and individuals are empowered to take necessary actions.

• Roles, Responsibilities, and Authorities (GV.RR-04)

  GV.RR-04 ensures the establishment of a robust governance structure that aligns roles, responsibilities, and authorities with the organization’s cybersecurity risk management strategy. This subcontrol emphasizes the need for clearly defined roles across the organization that empower individuals with the authority to manage and mitigate risks efficiently and in alignment with organizational priorities.

• Policy (GV.PO-01)

  GV.PO-01 emphasizes the need for establishing and maintaining cybersecurity policies within an organization. These policies should outline clear rules, guidelines, and expectations for managing cybersecurity risks, ensuring alignment with both business objectives and regulatory requirements. Policy development is central to establishing a formalized approach for governance and compliance.

• Policy (GV.PO-02)

  GV.PO-02 focuses on the implementation, enforcement, and ongoing management of the cybersecurity policies established by an organization. It ensures that the policies outlined in GV.PO-01 are not only developed but also effectively communicated, monitored, and enforced across the organization. This subcontrol emphasizes the need for a structured and consistent approach to policy execution, compliance monitoring, and corrective actions when necessary.

The DETECT (DE) category in NIST CSF v2.0 focuses on timely identification of cybersecurity events. It includes controls for continuous monitoring, detection processes, and security awareness, ensuring that anomalies and incidents are identified swiftly to mitigate threats and reduce potential damage to systems and data.

• Adverse Event Analysis (DE.AE-06)

  Adverse Event Analysis (DE.AE-06) focuses on conducting root cause analysis after an adverse event or security incident occurs. This subcontrol emphasizes the importance of identifying the underlying factors that contributed to the event, such as weaknesses in policies, processes, technologies, or human behaviors. The goal is to prevent recurrence and improve future event detection, response, and prevention capabilities by addressing systemic issues rather than merely treating symptoms.

• Adverse Event Analysis (DE.AE-05)

  This subcontrol focuses on the continuous review and enhancement of the organization's incident analysis processes based on past adverse events. It emphasizes the importance of leveraging historical data and post-event analysis to refine detection capabilities, improve security monitoring systems, and strengthen the organization’s overall cybersecurity resilience. The goal is to not only understand what happened during an adverse event but to ensure that lessons learned are systematically applied to enhance future threat detection and incident response.

• Adverse Event Analysis (DE.AE-04)

  This subcontrol focuses on leveraging advanced analytical tools and techniques to track and analyze adverse security events over time, including correlating multiple incidents and integrating external threat intelligence. The aim is to identify evolving threats, enhance detection capabilities, and improve the organization's ability to respond to security incidents before they escalate.

• Adverse Event Analysis (DE.AE-03)

  This subcontrol focuses on performing detailed analysis and reporting of adverse security events to understand their impact on organizational systems, operations, and business objectives. The goal is to create actionable insights from the event’s root cause, timeline, and sequence, and to provide these insights to key stakeholders to inform both tactical and strategic cybersecurity decisions.

• Adverse Event Analysis (DE.AE-02)

  This subcontrol focuses on the comprehensive analysis of adverse security events after their detection, specifically targeting the identification of patterns, trends, and indicators of compromise (IOCs) that can provide insights into the threat landscape. The purpose of this analysis is to detect potential ongoing or recurring attacks, identify systemic weaknesses, and improve the overall security posture through continuous learning.

• Adverse Event Analysis (DE.AE-01)

  This subcontrol focuses on analyzing and assessing adverse security events that have occurred within the environment. The goal is to identify the root causes, the scope of impact, and to understand how the event evolved. This process allows organizations to gain insights into vulnerabilities or weaknesses in their security posture and helps in improving future detection and response strategies.

• Continuous Monitoring (DE.CM-05)

  This subcontrol focuses on continuously monitoring security events across an organization’s environment to identify malicious activities, operational failures, or threats that could lead to data breaches or system compromises. The objective is to gather and analyze relevant security data from a variety of sources (such as systems, networks, and applications) to detect cybersecurity incidents promptly.

• Continuous Monitoring (DE.CM-04)

  This subcontrol focuses on continuously monitoring for unauthorized access or anomalous activity that could indicate potential cybersecurity threats. By detecting irregular patterns of behavior and unauthorized access, organizations can quickly identify and respond to potential security incidents, thereby minimizing the risk of compromise.

• Continuous Monitoring (DE.CM-02)

  This subcontrol emphasizes the importance of continuously monitoring security events and activities across the organization's network and systems to detect anomalous behavior, security breaches, and emerging threats in real time. Continuous monitoring involves the collection and analysis of data from various sources to identify cybersecurity risks and vulnerabilities early.

• Continuous Monitoring (DE.CM-03)

  This subcontrol focuses on maintaining continuous monitoring of system configurations and vulnerabilities to ensure that cybersecurity threats, risks, and weaknesses are detected early. It involves regularly scanning for misconfigurations, outdated software, and other vulnerabilities that could be exploited by adversaries.

• Continuous Monitoring (DE.CM-01)

  DE.CM-01 focuses on the continuous monitoring of organizational assets to detect cybersecurity events in real-time. This subcontrol emphasizes the need for establishing monitoring capabilities that provide up-to-date visibility into the activities across the entire IT environment. By continuously tracking network traffic, system logs, user activities, and other indicators of potential security incidents, organizations can identify malicious activities and anomalies at the earliest possible stage, allowing for timely responses.

The RESPOND (RS) category in NIST CSF v2.0 outlines processes for addressing detected cybersecurity incidents. It focuses on response planning, communication, analysis, mitigation, and improvements, ensuring effective actions are taken to contain and minimize the impact of incidents on an organization’s operations and security.

• Incident Response Reporting and Communication (RS.CO-02)

  Incident Response Reporting and Communication (RS.CO-02) emphasizes the process of ensuring that all necessary stakeholders are updated on the ongoing progress of an incident and that communication is managed consistently throughout the incident lifecycle. This includes maintaining clear lines of communication both internally within the organization and externally to any third parties, ensuring that incident response actions, containment efforts, and resolution status are communicated in a timely and accurate manner.
  
  The goal of RS.CO-02 is to provide continued, transparent updates on incident status, ensuring that affected parties are well-informed, regulatory compliance is met, and the organization maintains its credibility during and after an incident.

• Incident Mitigation (RS.MI-02)

  Incident Mitigation (RS.MI-02) involves applying long-term strategies to reduce the impact of cybersecurity incidents after initial containment. This subcontrol emphasizes the application of targeted corrective actions designed to mitigate the underlying vulnerabilities exploited during the incident, restore affected systems, and implement preventive measures to avoid future recurrences. RS.MI-02 goes beyond immediate incident containment (such as disconnecting infected systems) and addresses the root cause of the incident, ensuring long-term stability and recovery.

• Incident Response Reporting and Communication (RS.CO-01)

  Incident Response Reporting and Communication (RS.CO-01) focuses on the process of documenting, reporting, and communicating incident details to relevant stakeholders, both internally and externally, during and after a cybersecurity event. The goal is to ensure that all necessary parties are informed in a timely and accurate manner to support an effective response and to comply with legal, regulatory, and contractual obligations.

• Incident Mitigation (RS.MI-01)

  Incident Mitigation (RS.MI-01) focuses on the active containment, limitation, and neutralization of cybersecurity incidents to prevent further damage. The goal of this subcontrol is to reduce the impact of incidents, minimize the time to recovery, and prevent the recurrence of similar incidents. This subcontrol outlines the specific actions to take when an incident is identified, such as isolating affected systems, blocking malicious activities, or applying remediation steps to prevent further damage.
  
  Mitigation actions must be timely and aligned with the severity of the incident. They involve technical, procedural, and sometimes legal measures, depending on the nature of the threat.

• Incident Analysis (RS.AN-03)

  Incident Analysis (RS.AN-03) focuses on assessing and documenting the root causes, impact, and lessons learned from cybersecurity incidents in a detailed and structured manner. This subcontrol emphasizes conducting in-depth post-incident analysis to improve security practices, mitigate future risks, and identify opportunities to enhance the organization’s overall cybersecurity posture. The goal is to evaluate the incident comprehensively and ensure that all lessons are captured to inform future cybersecurity measures and response strategies.

• Incident Analysis (RS.AN-04)

  Incident Analysis (RS.AN-04) focuses on evaluating the effectiveness of organizational communication during and after a cybersecurity incident. This subcontrol emphasizes the need to assess how internal and external communications were managed, ensuring they were clear, timely, and aligned with the organization's response strategies. Proper communication can mitigate damage to reputation, facilitate informed decision-making, and ensure compliance with regulatory reporting requirements.

• Incident Analysis (RS.AN-02)

  Incident Analysis (RS.AN-02) focuses on the ongoing evaluation and documentation of cybersecurity incidents as they unfold, providing actionable insights during the incident response process. This subcontrol emphasizes the importance of analyzing incident data in real-time to understand its scope, nature, and potential consequences. It aims to identify indicators of compromise (IoC), detect patterns, and inform tactical decisions for mitigating the impact of the incident while maintaining business continuity.

• Incident Analysis (RS.AN-01)

  Incident Analysis (RS.AN-01) focuses on the assessment, investigation, and documentation of cybersecurity incidents in order to understand their impact, identify root causes, and determine the effectiveness of the response. The goal is to identify trends, refine security posture, and improve incident response capabilities. This subcontrol encourages organizations to conduct thorough post-incident analyses and leverage these findings to prevent future incidents or mitigate their effects.

• Incident Management (RS.MA-05)

  Incident Management (RS.MA-05) focuses on the timely recovery and restoration of systems and services following a cybersecurity incident. This subcontrol emphasizes the importance of developing, testing, and implementing effective recovery procedures to minimize downtime and ensure that the organization can return to normal operations swiftly and securely. RS.MA-05 ensures that organizations have a structured approach for recovery that minimizes business disruption while maintaining security controls to prevent further compromise.

• Incident Management (RS.MA-04)

  Incident Management (RS.MA-04) focuses on ensuring that lessons learned from cybersecurity incidents are documented, communicated, and used to improve the organization’s overall security posture and incident response capabilities. This subcontrol emphasizes the need for post-incident reviews, the integration of findings into policies and procedures, and the development of recommendations for preventing future incidents. The goal is to create a feedback loop that continuously enhances security practices by leveraging real-world experiences.

• Incident Management (RS.MA-03)

  Incident Management (RS.MA-03) involves conducting detailed root cause analysis and performing continuous monitoring to improve the organization's ability to respond to cybersecurity incidents. This subcontrol emphasizes the need for a systematic approach to investigating and analyzing incidents to understand their origin, how they progressed, and what vulnerabilities were exploited. The focus is on learning from each incident to enhance future preparedness and response capabilities.

• Incident Management (RS.MA-02)

  Incident Management (RS.MA-02) focuses on the identification, categorization, and effective management of cybersecurity incidents once they have been detected. This subcontrol emphasizes the need for immediate action to contain and mitigate the impact of incidents, ensuring that business continuity is maintained while preventing further damage. It covers the entire process of managing an incident, from the initial detection and classification through to resolution and recovery.

• Incident Management (RS.MA-01)

  Incident Management (RS.MA-01) addresses the need for an organized, structured approach to managing cybersecurity incidents as they occur. This subcontrol focuses on developing and implementing processes for identifying, analyzing, and responding to security incidents in a timely and effective manner. It emphasizes the coordination of resources, communication among stakeholders, and the application of predefined response procedures to minimize the impact of incidents and ensure a rapid recovery.

The RECOVER (RC) category in NIST CSF v2.0 focuses on restoring services and capabilities after a cybersecurity incident. It includes planning for recovery, improving resilience, and coordinating communication, ensuring timely restoration of systems and minimizing impact on business operations.

• Incident Recovery Plan Execution (RC.RP-04)

  Incident Recovery Plan Execution (RC.RP-04) focuses on the long-term resilience and recovery capabilities of an organization. This subcontrol emphasizes the continuous development of recovery capabilities to ensure preparedness for future incidents and to improve the organization's ability to restore normal operations efficiently. The goal is to enhance the organization’s resilience by developing robust recovery strategies that are scalable and adaptive to evolving threats.

• Incident Recovery Communication (RC.CO-02)

  Incident Recovery Communication (RC.CO-02) focuses on ensuring the timely and coordinated sharing of recovery status information to external stakeholders. This subcontrol aims to establish structured processes to communicate with external parties, such as customers, partners, regulators, and the public, during and after an incident recovery effort, helping to maintain transparency and trust.

• Incident Recovery Plan Execution (RC.RP-05)

  Incident Recovery Plan Execution (RC.RP-05) focuses on integrating the lessons learned from incident recovery efforts into the organization’s broader recovery strategy. This subcontrol emphasizes the need to capture insights and experiences from recovery activities to identify gaps, improve processes, and enhance future recovery capabilities. It ensures that recovery efforts lead to continuous improvement and more resilient future responses to incidents.

• Incident Recovery Plan Execution (RC.RP-06)

  Incident Recovery Plan Execution (RC.RP-06) emphasizes the importance of validating and sustaining recovery capabilities through ongoing testing and exercises. The goal is to ensure that the recovery plans and procedures are actionable, effective, and aligned with the organization’s needs. This subcontrol requires organizations to conduct regular simulations, tabletop exercises, and full-scale recovery drills to confirm that recovery plans can be executed under real-world conditions.

• Incident Recovery Plan Execution (RC.RP-03)

  Incident Recovery Plan Execution (RC.RP-03) focuses on the integration of third-party services, external stakeholders, and resources during the execution of an organization’s incident recovery plan. This subcontrol emphasizes the need for coordination with external partners, such as cloud service providers, managed security service providers (MSSPs), and other third-party entities, to ensure that recovery efforts are comprehensive and aligned across all involved parties.

• Incident Recovery Plan Execution (RC.RP-01)

  Incident Recovery Plan Execution (RC.RP-01) focuses on the application of the recovery plan following a cybersecurity incident. This subcontrol ensures that after an incident occurs, the organization can execute its predefined recovery strategies and restore systems and operations to a fully functional state. RC.RP-01 outlines the critical steps necessary for restoring operations while minimizing disruption, data loss, and other potential impacts on the organization.

• Incident Recovery Plan Execution (RC.RP-02)

  Incident Recovery Plan Execution (RC.RP-02) focuses on the execution and continuous improvement of the recovery process following a cybersecurity incident. This subcontrol emphasizes not only the initial restoration of systems and operations but also a structured approach to refining the recovery procedures over time. The goal is to ensure that the recovery plan remains adaptive, responsive, and capable of addressing emerging threats and evolving technologies.

• Incident Recovery Communication (RC.CO-01)

  Incident Recovery Communication (RC.CO-01) focuses on the importance of coordinated communication during and after a recovery event. It ensures that information is accurately disseminated to relevant stakeholders, including internal teams, external partners, regulators, and customers, to manage expectations, provide updates on recovery progress, and maintain transparency.

The PROTECT (PR) category in NIST CSF v2.0 focuses on implementing safeguards to ensure the security and resilience of critical systems and assets. It includes controls related to access management, data protection, maintenance, and training to minimize the impact of cybersecurity events.

• Awareness and Training (PR.AT-02)

  PR.AT-02 focuses on ensuring that privileged users—those with elevated access to systems, data, or configurations—receive tailored training specific to their roles. The goal of this subcontrol is to reduce the risk associated with the potential misuse, abuse, or compromise of privileged accounts by ensuring that these users are well-equipped to understand and mitigate the unique risks associated with their higher-level access.
  
  Privileged users include system administrators, network engineers, security personnel, and others who hold access to critical or sensitive functions, data, and systems within the organization.

• Data Security (PR.DS-01)

  PR.DS-01 focuses on managing and protecting sensitive data across its lifecycle, ensuring that data is securely handled, processed, stored, and transmitted. This subcontrol emphasizes the need for organizations to implement technical, administrative, and physical controls to protect the confidentiality, integrity, and availability of their data. It covers various data types, including Personally Identifiable Information (PII), business-critical information, intellectual property, and regulated data.

• Data Security (PR.DS-02)

  PR.DS-02 focuses on the protection of information during its storage (data at rest) to ensure its confidentiality, integrity, and availability. This subcontrol emphasizes implementing security measures such as encryption, access control, and monitoring to safeguard stored data from unauthorized access, tampering, or destruction.

• Data Security (PR.DS-03)

  PR.DS-03 focuses on protecting data in transit (i.e., data being transmitted across networks or between devices). This subcontrol emphasizes using encryption, secure protocols, and other security mechanisms to ensure that sensitive information is not exposed to unauthorized access, tampering, or interception during transmission.

• Data Security (PR.DS-04)

  PR.DS-04 focuses on ensuring that data at rest is protected from unauthorized access, tampering, or destruction. This subcontrol emphasizes implementing encryption, access control mechanisms, and other security controls to protect sensitive information stored on physical and digital media.

• Platform Security (PR.PS-01)

  PR.PS-01 focuses on ensuring that platforms, such as hardware, software, operating systems, and cloud environments, are secure and protected from potential threats. This subcontrol highlights the need to implement security measures that address vulnerabilities within these platforms to reduce risks and maintain the integrity, availability, and confidentiality of the systems and data hosted on them.

• Platform Security (PR.PS-02)

  PR.PS-02 focuses on ensuring that security policies and procedures are applied to the lifecycle of platforms, including their deployment, operation, and decommissioning. This subcontrol emphasizes maintaining security throughout the platform's lifecycle by integrating security measures during the design, implementation, and eventual retirement or replacement of platform systems. Effective platform security requires a consistent approach to risk management across all stages of the platform's lifecycle.

• Platform Security (PR.PS-03)

  PR.PS-03 emphasizes the implementation and management of robust platform security controls designed to ensure the resilience of organizational platforms against threats. This subcontrol focuses on applying security practices to protect platforms from known vulnerabilities, ensuring that security controls are continuously adapted and integrated throughout the operational phase of a platform’s lifecycle. The primary goal is to minimize risks associated with platform vulnerabilities, unauthorized access, and system failures through the consistent application of defensive measures and best practices.

• Platform Security (PR.PS-04)

  PR.PS-04 focuses on securing the platforms that support critical infrastructure, applications, and data against threats, ensuring the platform's resilience through continuous testing, monitoring, and management of security controls. This subcontrol stresses the importance of securing the physical and virtual environments on which critical data and services run, leveraging both preventive and detective security measures. It includes not only securing the underlying hardware and software but also addressing platform-specific configurations, protocols, and communication channels to maintain high security and minimize vulnerabilities.

• Platform Security (PR.PS-05)

  PR.PS-05 focuses on the use of platform-specific security features to safeguard against unauthorized access, data breaches, and other security threats. This subcontrol emphasizes the implementation of security measures that are inherent to the platform itself, such as hardware-based security (TPM, HSM), secure boot mechanisms, and the use of platform-specific encryption capabilities to protect data and applications. The goal is to leverage the unique security features of the platform to enhance protection, streamline secure operations, and reduce the risk of exploitation.

• Platform Security (PR.PS-06)

  PR.PS-06 focuses on implementing strong security measures for platform security, particularly around ensuring the physical security of platforms and their configurations. This subcontrol addresses the protection of devices, infrastructure, and other hardware that are part of the organization’s technology ecosystem. It emphasizes the need for safeguarding hardware against tampering, theft, and unauthorized access, while ensuring that secure configurations are maintained across the platform lifecycle.

• Technology Infrastructure Resilience (PR.IR-01)

  PR.IR-01 emphasizes the importance of establishing resilient technology infrastructure that ensures continuity, availability, and reliability in the face of threats, disruptions, or failures. This subcontrol involves identifying critical technology infrastructure components and implementing measures to maintain operations and minimize downtime during incidents, ensuring that core systems can recover quickly and continue to perform their essential functions.

• Technology Infrastructure Resilience (PR.IR-02)

  PR.IR-02 emphasizes the need for establishing robust processes and practices to ensure the resilience of an organization's technology infrastructure against disruptions. This includes implementing proactive measures that maintain operational continuity in the face of technological failures, cyber incidents, and natural disasters. The focus of this subcontrol is on identifying vulnerabilities in the infrastructure, understanding potential impacts, and preparing the systems for quick recovery while minimizing disruptions to critical business processes.

• Technology Infrastructure Resilience (PR.IR-03)

  PR.IR-03 addresses the need to implement and maintain strategies that ensure the security, availability, and resilience of critical technology infrastructure. This subcontrol focuses on the proactive identification and remediation of weaknesses in the technology infrastructure that may affect its ability to remain operational during disruptions or security incidents. This includes ensuring that resilience strategies are not only reactive but also proactive, preventing failures from occurring or minimizing the impact when failures do occur.

• Technology Infrastructure Resilience (PR.IR-04)

  PR.IR-04 focuses on integrating resilience measures into technology infrastructure lifecycle management. This subcontrol involves establishing proactive processes to maintain and enhance the resilience of the infrastructure throughout its lifecycle, from design to retirement. It ensures that resilience considerations are continuously addressed during upgrades, repairs, and changes to the technology infrastructure. This subcontrol highlights the importance of planning for infrastructure durability, redundancy, and recovery across all stages of its life.

• Awareness and Training (PR.AT-01)

  PR.AT-01 focuses on the development and implementation of a cybersecurity awareness and training program. The goal is to ensure that all employees, including senior executives and contractors, are informed of and understand their cybersecurity responsibilities. This subcontrol emphasizes the need to raise awareness of cybersecurity threats and train personnel on how to protect the organization's assets, systems, and data.
  
  A well-implemented awareness and training program is essential to promote a culture of security within the organization, where everyone is vigilant and knowledgeable about potential cyber threats, risks, and their role in safeguarding against them.

• Identity Management, Authentication, and Access Control (PR.AA-05)

  PR.AA-05 focuses on implementing and enforcing the principle of least privilege and ensuring that access to sensitive data, systems, and resources is appropriately restricted based on roles and responsibilities. This subcontrol highlights the importance of controlling user access through mechanisms that enforce permissions, effectively managing privilege levels, and regularly reviewing these settings to minimize unnecessary access rights.
  
  The goal of PR.AA-05 is to ensure that users are granted the least amount of access necessary for them to perform their job functions, reducing the likelihood of unauthorized access or misuse of sensitive data.

• Identity Management, Authentication, and Access Control (PR.AA-06)

  PR.AA-06 addresses the management and enforcement of account and access control policies to secure sensitive resources. This subcontrol focuses on ensuring the use of multi-factor authentication (MFA) and other advanced identity management practices to enhance the security of user and system access. By strengthening authentication mechanisms, organizations reduce the risk of unauthorized access and improve the overall resilience of the cybersecurity posture.
  
  PR.AA-06 emphasizes the importance of using MFA or other advanced authentication methods to ensure that only authorized users can access critical systems and data. It is particularly vital for protecting high-risk systems or environments where access needs to be restricted to authorized individuals only.

• Identity Management, Authentication, and Access Control (PR.AA-03)

  PR.AA-03 requires organizations to manage user identities and access control mechanisms throughout their lifecycle, ensuring they are designed, implemented, and maintained in a manner that ensures authorized users have access to only what is necessary to perform their roles. This subcontrol emphasizes not only the authentication of users but also the systematic management of user identities, roles, and associated access privileges. The focus is on ensuring that user access is appropriate, secure, and consistent, in line with organizational security policies.

• Identity Management, Authentication, and Access Control (PR.AA-04)

  PR.AA-04 focuses on enforcing secure and standardized identity management practices across the organization. This subcontrol emphasizes the need for organizations to establish and maintain mechanisms for ensuring the authentication and authorization processes are consistent, secure, and comply with internal and external requirements. It further mandates that identity management systems integrate well with other security infrastructure, ensuring that access is continuously monitored, controlled, and appropriately adjusted.

• Identity Management, Authentication, and Access Control (PR.AA-02)

  PR.AA-02 focuses on the continuous enforcement of access control mechanisms throughout an organization's information systems. It aims to ensure that appropriate levels of authentication are consistently applied, and that access to systems and data is properly controlled based on verified user identity. This subcontrol emphasizes the need for organizations to integrate authentication and access control mechanisms into daily operations, ensuring they are aligned with security policies and that users have access only to those resources necessary for their specific roles

• Identity Management, Authentication, and Access Control (PR.AA-01)

  PR.AA-01 ensures that organizations have effective identity management, authentication, and access control mechanisms in place. It focuses on managing and controlling who has access to organizational resources, ensuring that users are properly identified, authenticated, and granted the appropriate levels of access based on their roles, responsibilities, and the principle of least privilege. This subcontrol emphasizes the implementation of strong access management processes, including user identity lifecycle management, multifactor authentication (MFA), and role-based access control (RBAC), to mitigate unauthorized access risks.

The IDENTIFY (ID) category in NIST CSF v2.0 involves understanding and managing cybersecurity risks to systems, assets, data, and capabilities. It focuses on developing an organizational context, identifying critical resources, and assessing risks to establish a solid cybersecurity foundation for risk management and decision-making.

• Improvement (ID.IM-03)

  ID.IM-03 emphasizes the continual improvement of cybersecurity capabilities by establishing and maintaining a structured process for identifying and correcting deficiencies. This subcontrol highlights the importance of leveraging lessons learned from cybersecurity incidents, operational assessments, and audits to refine and enhance cybersecurity practices, tools, and resources, ensuring the organization's cybersecurity posture is robust and adaptive.

• Improvement (ID.IM-04)

  ID.IM-04 focuses on ensuring that cybersecurity improvement efforts are aligned with the organization’s strategic objectives and performance outcomes. This subcontrol mandates that improvements in the cybersecurity program are designed not only to address deficiencies but also to strengthen the overall security posture in alignment with the organization's risk management strategy, objectives, and goals. The focus is on creating a feedback loop between improvement actions and organizational performance, ensuring that lessons learned and improvements drive both security and operational excellence.

• Improvement (ID.IM-02)

  ID.IM-02 focuses on ensuring that the organization applies lessons learned from cybersecurity events and ongoing assessments to enhance and refine its cybersecurity processes, procedures, and capabilities. This subcontrol emphasizes the need for systematic integration of feedback from risk assessments, audits, and post-incident reviews into continuous cybersecurity improvement.

• Improvement (ID.IM-01)

  ID.IM-01 focuses on ensuring that the organization establishes and implements processes to track and improve its cybersecurity posture over time. This subcontrol emphasizes the need for continuous improvement of the organization’s cybersecurity practices through the identification of weaknesses, lessons learned, and opportunities for optimization based on feedback and assessments.

• Risk Assessment (ID.RA-10)

  ID.RA-10 requires organizations to ensure that cybersecurity risk assessments are continuously updated and periodically reassessed to address changes in the organization’s environment, technology, and threat landscape. This subcontrol emphasizes the importance of maintaining current risk assessment results and ensures that emerging risks are identified and managed proactively.

• Risk Assessment (ID.RA-09)

  ID.RA-09 focuses on the integration of risk assessment findings into decision-making processes across the organization. It requires that risk assessment results inform organizational strategies, policies, and procedures, ensuring that cybersecurity risks are managed effectively at all levels of the organization. This subcontrol emphasizes that risk assessments should not be standalone activities but should be woven into the fabric of the organization's operational and strategic planning.

• Risk Assessment (ID.RA-08)

  ID.RA-08 requires organizations to continually evaluate and assess the effectiveness of their risk mitigation strategies and cybersecurity controls. This subcontrol ensures that once risks are identified and mitigated, there is an ongoing process to verify whether the mitigation actions are effective and have reduced the identified risk to an acceptable level. It focuses on ensuring that mitigation measures remain aligned with the evolving threat landscape, organizational objectives, and risk tolerance. The goal is to achieve a state where risk levels are consistently managed and maintained, not just immediately following a risk assessment but over time.

• Risk Assessment (ID.RA-07)

  ID.RA-07 requires organizations to assess the likelihood of various cybersecurity risks and their potential impacts on the organization. This subcontrol emphasizes the need for a proactive approach in evaluating risks by considering various threat actors, vulnerabilities, and environmental factors that could increase or decrease the likelihood of a cybersecurity event. The goal is to use this analysis to prioritize the organization's cybersecurity efforts, improve resource allocation, and take steps to reduce risk exposure to an acceptable level based on organizational priorities and risk tolerance

• Risk Assessment (ID.RA-06)

  ID.RA-06 addresses the need for organizations to assess risks based on potential impacts to the organization's objectives, assets, operations, and reputation. It involves continuously identifying, understanding, and analyzing cybersecurity risks and their effects on the broader organizational goals and processes. This subcontrol emphasizes assessing risks in the context of the organization's specific operational environment and the potential harm that could be caused by cyber threats. The focus is on ensuring that the organization’s risk assessment considers both operational and reputational risks that might arise from security vulnerabilities.

• Risk Assessment (ID.RA-05)

  ID.RA-05 focuses on evaluating and assessing cybersecurity risks to critical assets, systems, and processes from both internal and external sources. This subcontrol emphasizes the need for ongoing risk assessments to ensure that evolving threats are continuously identified and appropriately mitigated. It requires organizations to assess how vulnerabilities within their systems, operations, and networks could be exploited by malicious actors, whether those actors are external or internal.

• Asset Management (ID.AM-02)

  ID.AM-02 requires organizations to identify and manage assets connected to their information systems, ensuring that all assets are cataloged, assigned ownership, and classified by criticality. This process helps secure key assets by understanding their functions, roles, and the risk they may pose to the organization.

• Asset Management (ID.AM-03)

  ID.AM-03 requires organizations to track and manage the lifecycle of assets, ensuring that assets are appropriately identified, protected, and maintained throughout their entire lifecycle. This includes the processes for asset acquisition, deployment, maintenance, and eventual decommissioning or disposal. Proper asset lifecycle management is critical for minimizing risks, ensuring compliance, and optimizing resource usage.

• Asset Management (ID.AM-04)

  ID.AM-04 focuses on ensuring that assets, including hardware, software, and data, are identified and categorized in accordance with their function, criticality, and risk to the organization. Proper asset categorization helps organizations apply appropriate security measures and manage risks effectively by distinguishing between assets that require high protection and those with less risk exposure.

• Asset Management (ID.AM-05)

  ID.AM-05 focuses on ensuring that all assets, particularly those related to information systems, are tracked and managed across their entire lifecycle. This includes the acquisition, deployment, maintenance, and retirement or disposal of assets. Proper lifecycle management ensures that risks associated with assets are minimized, and assets are properly decommissioned or sanitized at the end of their useful life.

• Asset Management (ID.AM-06)

  ID.AM-06 focuses on ensuring that organizations identify and manage all asset components related to information systems, including hardware, software, and firmware, within their enterprise architecture. This includes ensuring visibility and tracking of all critical asset components that may not be immediately visible or obvious. The goal is to ensure that any asset interacting with the organization's information systems is accounted for and that all associated risks are identified and mitigated.

• Asset Management (ID.AM-07)

  ID.AM-07 focuses on ensuring that organizations maintain an up-to-date and accurate inventory of information system assets, with particular attention to the classification and categorization of those assets. This subcontrol involves the categorization of assets based on criticality, function, or other relevant criteria, facilitating more effective risk management, monitoring, and response.

• Risk Assessment (ID.RA-01)

  ID.RA-01 focuses on the identification and evaluation of the organization's risk environment. This includes understanding the potential threats, vulnerabilities, and impacts to assets, systems, and operations. It involves establishing a comprehensive risk assessment process to provide insight into cybersecurity risks and help prioritize mitigation actions.

• Risk Assessment (ID.RA-02)

  ID.RA-02 focuses on analyzing the risk to organizational assets, systems, and operations from potential threats and vulnerabilities. This subcontrol emphasizes identifying, assessing, and understanding the likelihood and impact of cybersecurity threats in the context of critical organizational processes. It helps establish a clear risk profile that informs decision-making and resource allocation.

• Risk Assessment (ID.RA-03)

  ID.RA-03 focuses on the identification and assessment of risk in the context of organizational processes, including how risk factors impact business operations, reputation, and critical assets. This subcontrol ensures that risk is not only analyzed from a technical perspective but also from a strategic viewpoint, aligning with broader business objectives and resilience goals.

• Risk Assessment (ID.RA-04)

  ID.RA-04 emphasizes the identification, analysis, and assessment of potential risks stemming from external sources such as third-party vendors, partners, contractors, or even emerging threats from the broader threat landscape. This subcontrol aims to assess how these external risks can impact an organization's cybersecurity posture, its data, systems, and business processes.

• Asset Management (ID.AM-01)

  ID.AM-01 requires organizations to identify and manage physical and digital assets that support critical business functions. These assets include hardware, software, data, and other resources. Proper asset management ensures that organizations know what assets they have, where they are located, and their role in supporting operations.