bmad-plus 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +36 -0
  2. package/LICENSE +21 -21
  3. package/README.md +106 -86
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +23 -59
  181. package/tools/cli/commands/doctor.js +14 -0
  182. package/tools/cli/commands/install.js +29 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +44 -42
  185. package/tools/cli/commands/uninstall.js +10 -5
  186. package/tools/cli/commands/update.js +21 -3
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +16 -8
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +50 -0
@@ -1,278 +1,278 @@
1
- # NIST CSF 2.0 — Functions, Categories, and Subcategories
2
-
3
- Source: NIST Cybersecurity Framework 2.0 (February 2024)
4
- https://doi.org/10.6028/NIST.CSWP.29
5
-
6
- ---
7
-
8
- ## GOVERN (GV)
9
-
10
- The organizational cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
11
-
12
- ### GV.OC — Organizational Context
13
- The circumstances surrounding the organization's cybersecurity risk management decisions are understood.
14
-
15
- | ID | Subcategory |
16
- |----|-------------|
17
- | GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management |
18
- | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered |
19
- | GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed |
20
- | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated |
21
- | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated |
22
-
23
- ### GV.RM — Risk Management Strategy
24
- The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
25
-
26
- | ID | Subcategory |
27
- |----|-------------|
28
- | GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders |
29
- | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained |
30
- | GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes |
31
- | GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated |
32
- | GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties |
33
- | GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated |
34
- | GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions |
35
-
36
- ### GV.RR — Roles, Responsibilities, and Authorities
37
- Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
38
-
39
- | ID | Subcategory |
40
- |----|-------------|
41
- | GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving |
42
- | GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced |
43
- | GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies |
44
- | GV.RR-04 | Cybersecurity is included in human resources practices |
45
-
46
- ### GV.PO — Policy
47
- Organizational cybersecurity policy is established, communicated, and enforced.
48
-
49
- | ID | Subcategory |
50
- |----|-------------|
51
- | GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced |
52
- | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission |
53
-
54
- ### GV.OV — Oversight
55
- Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
56
-
57
- | ID | Subcategory |
58
- |----|-------------|
59
- | GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction |
60
- | GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks |
61
- | GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed |
62
-
63
- ### GV.SC — Cybersecurity Supply Chain Risk Management
64
- Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.
65
-
66
- | ID | Subcategory |
67
- |----|-------------|
68
- | GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders |
69
- | GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally |
70
- | GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes |
71
- | GV.SC-04 | Suppliers are known and prioritized by criticality |
72
- | GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties |
73
- | GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships |
74
- | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship |
75
- | GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities |
76
- | GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle |
77
- | GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or supply chain relationship |
78
-
79
- ---
80
-
81
- ## IDENTIFY (ID)
82
-
83
- The organization's current cybersecurity risks are understood.
84
-
85
- ### ID.AM — Asset Management
86
- Assets (data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
87
-
88
- | ID | Subcategory |
89
- |----|-------------|
90
- | ID.AM-01 | Inventories of hardware managed by the organization are maintained |
91
- | ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained |
92
- | ID.AM-03 | Representations of the organization's authorized network communication and internal and external network data flows are maintained |
93
- | ID.AM-04 | Inventories of services provided by suppliers are maintained |
94
- | ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission |
95
- | ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained |
96
- | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles |
97
-
98
- ### ID.RA — Risk Assessment
99
- The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
100
-
101
- | ID | Subcategory |
102
- |----|-------------|
103
- | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded |
104
- | ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources |
105
- | ID.RA-03 | Internal and external threats to the organization are identified and recorded |
106
- | ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded |
107
- | ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response priorities |
108
- | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated |
109
- | ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked |
110
- | ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established |
111
- | ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use |
112
- | ID.RA-10 | Critical suppliers are assessed prior to acquisition |
113
-
114
- ### ID.IM — Improvement
115
- Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions.
116
-
117
- | ID | Subcategory |
118
- |----|-------------|
119
- | ID.IM-01 | Improvements are identified from evaluations |
120
- | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties |
121
- | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities |
122
- | ID.IM-04 | Incident, vulnerability, and other findings are communicated to designated internal and external stakeholders |
123
-
124
- ---
125
-
126
- ## PROTECT (PR)
127
-
128
- Safeguards to manage the organization's cybersecurity risks are used.
129
-
130
- ### PR.AA — Identity Management, Authentication, and Access Control
131
- Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
132
-
133
- | ID | Subcategory |
134
- |----|-------------|
135
- | PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization |
136
- | PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions |
137
- | PR.AA-03 | Users, services, and hardware are authenticated |
138
- | PR.AA-04 | Identity assertions are protected, conveyed, and verified |
139
- | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties |
140
- | PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk |
141
-
142
- ### PR.AT — Awareness and Training
143
- The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.
144
-
145
- | ID | Subcategory |
146
- |----|-------------|
147
- | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind |
148
- | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind |
149
-
150
- ### PR.DS — Data Security
151
- Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
152
-
153
- | ID | Subcategory |
154
- |----|-------------|
155
- | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected |
156
- | PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected |
157
- | PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected |
158
- | PR.DS-11 | Backups of data are created, protected, maintained, and tested |
159
-
160
- ### PR.PS — Platform Security
161
- The hardware, software (including firmware and code), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.
162
-
163
- | ID | Subcategory |
164
- |----|-------------|
165
- | PR.PS-01 | Configuration management practices are established and applied |
166
- | PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk |
167
- | PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk |
168
- | PR.PS-04 | Log records are generated and made available for continuous monitoring |
169
- | PR.PS-05 | Installation and execution of unauthorized software are prevented |
170
- | PR.PS-06 | Secure software development practices are integrated, and their security is evaluated |
171
-
172
- ### PR.IR — Technology Infrastructure Resilience
173
- Security architectures are managed with the organization's risk strategy to protect asset and technology infrastructure, and appropriate redundancies are implemented.
174
-
175
- | ID | Subcategory |
176
- |----|-------------|
177
- | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage |
178
- | PR.IR-02 | The organization's technology assets are protected from environmental threats |
179
- | PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations |
180
- | PR.IR-04 | Adequate resource capacity to ensure availability is maintained |
181
-
182
- ---
183
-
184
- ## DETECT (DE)
185
-
186
- Possible cybersecurity attacks and compromises are found and analyzed.
187
-
188
- ### DE.CM — Continuous Monitoring
189
- Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
190
-
191
- | ID | Subcategory |
192
- |----|-------------|
193
- | DE.CM-01 | Networks and network services are monitored to find potentially adverse events |
194
- | DE.CM-02 | The physical environment is monitored to find potentially adverse events |
195
- | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events |
196
- | DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events |
197
- | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events |
198
-
199
- ### DE.AE — Adverse Event Analysis
200
- Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
201
-
202
- | ID | Subcategory |
203
- |----|-------------|
204
- | DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities |
205
- | DE.AE-03 | Information is correlated from multiple sources |
206
- | DE.AE-04 | The estimated impact and scope of adverse events are understood |
207
- | DE.AE-06 | Information on adverse events is provided to authorized staff and tools |
208
- | DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis |
209
- | DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria |
210
-
211
- ---
212
-
213
- ## RESPOND (RS)
214
-
215
- Actions regarding a detected cybersecurity incident are taken.
216
-
217
- ### RS.MA — Incident Management
218
- Responses to detected cybersecurity incidents are managed.
219
-
220
- | ID | Subcategory |
221
- |----|-------------|
222
- | RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared |
223
- | RS.MA-02 | Incident reports are triaged and validated |
224
- | RS.MA-03 | Incidents are categorized and prioritized |
225
- | RS.MA-04 | Incidents are escalated or elevated as needed |
226
- | RS.MA-05 | The criteria for initiating incident recovery are applied |
227
-
228
- ### RS.AN — Incident Analysis
229
- Investigations are conducted to ensure effective response and support forensics and recovery activities.
230
-
231
- | ID | Subcategory |
232
- |----|-------------|
233
- | RS.AN-03 | Analysis is performed to establish what has taken place during an incident and the root cause of the incident |
234
- | RS.AN-06 | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved |
235
- | RS.AN-07 | Incident data and metadata are collected, and their integrity is preserved |
236
- | RS.AN-08 | An incident's magnitude is estimated and validated |
237
-
238
- ### RS.CO — Incident Response Reporting and Communication
239
- Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.
240
-
241
- | ID | Subcategory |
242
- |----|-------------|
243
- | RS.CO-02 | Internal and external stakeholders are notified of incidents |
244
- | RS.CO-03 | Information is shared with designated internal and external stakeholders |
245
-
246
- ### RS.MI — Incident Mitigation
247
- Activities are performed to prevent expansion of an event and mitigate its effects.
248
-
249
- | ID | Subcategory |
250
- |----|-------------|
251
- | RS.MI-01 | Incidents are contained |
252
- | RS.MI-02 | Incidents are eradicated |
253
-
254
- ---
255
-
256
- ## RECOVER (RC)
257
-
258
- Assets and operations affected by a cybersecurity incident are restored.
259
-
260
- ### RC.RP — Incident Recovery Plan Execution
261
- Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
262
-
263
- | ID | Subcategory |
264
- |----|-------------|
265
- | RC.RP-01 | The recovery portion of the incident response plan is executed once initiated from the RS.MA subcategory |
266
- | RC.RP-02 | Recovery actions are selected, scoped, prioritized, and performed |
267
- | RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration |
268
- | RC.RP-04 | Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms |
269
- | RC.RP-05 | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed |
270
- | RC.RP-06 | The end of incident recovery is declared based on criteria, and incident-related documentation is completed |
271
-
272
- ### RC.CO — Incident Recovery Communication
273
- Restoration activities are coordinated with internal and external parties.
274
-
275
- | ID | Subcategory |
276
- |----|-------------|
277
- | RC.CO-03 | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders |
278
- | RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging |
1
+ # NIST CSF 2.0 — Functions, Categories, and Subcategories
2
+
3
+ Source: NIST Cybersecurity Framework 2.0 (February 2024)
4
+ https://doi.org/10.6028/NIST.CSWP.29
5
+
6
+ ---
7
+
8
+ ## GOVERN (GV)
9
+
10
+ The organizational cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
11
+
12
+ ### GV.OC — Organizational Context
13
+ The circumstances surrounding the organization's cybersecurity risk management decisions are understood.
14
+
15
+ | ID | Subcategory |
16
+ |----|-------------|
17
+ | GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management |
18
+ | GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered |
19
+ | GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed |
20
+ | GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated |
21
+ | GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated |
22
+
23
+ ### GV.RM — Risk Management Strategy
24
+ The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
25
+
26
+ | ID | Subcategory |
27
+ |----|-------------|
28
+ | GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders |
29
+ | GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained |
30
+ | GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes |
31
+ | GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated |
32
+ | GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties |
33
+ | GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated |
34
+ | GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions |
35
+
36
+ ### GV.RR — Roles, Responsibilities, and Authorities
37
+ Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
38
+
39
+ | ID | Subcategory |
40
+ |----|-------------|
41
+ | GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving |
42
+ | GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced |
43
+ | GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies |
44
+ | GV.RR-04 | Cybersecurity is included in human resources practices |
45
+
46
+ ### GV.PO — Policy
47
+ Organizational cybersecurity policy is established, communicated, and enforced.
48
+
49
+ | ID | Subcategory |
50
+ |----|-------------|
51
+ | GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced |
52
+ | GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission |
53
+
54
+ ### GV.OV — Oversight
55
+ Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
56
+
57
+ | ID | Subcategory |
58
+ |----|-------------|
59
+ | GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction |
60
+ | GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks |
61
+ | GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed |
62
+
63
+ ### GV.SC — Cybersecurity Supply Chain Risk Management
64
+ Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.
65
+
66
+ | ID | Subcategory |
67
+ |----|-------------|
68
+ | GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders |
69
+ | GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally |
70
+ | GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes |
71
+ | GV.SC-04 | Suppliers are known and prioritized by criticality |
72
+ | GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties |
73
+ | GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships |
74
+ | GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship |
75
+ | GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities |
76
+ | GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle |
77
+ | GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or supply chain relationship |
78
+
79
+ ---
80
+
81
+ ## IDENTIFY (ID)
82
+
83
+ The organization's current cybersecurity risks are understood.
84
+
85
+ ### ID.AM — Asset Management
86
+ Assets (data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
87
+
88
+ | ID | Subcategory |
89
+ |----|-------------|
90
+ | ID.AM-01 | Inventories of hardware managed by the organization are maintained |
91
+ | ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained |
92
+ | ID.AM-03 | Representations of the organization's authorized network communication and internal and external network data flows are maintained |
93
+ | ID.AM-04 | Inventories of services provided by suppliers are maintained |
94
+ | ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission |
95
+ | ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained |
96
+ | ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles |
97
+
98
+ ### ID.RA — Risk Assessment
99
+ The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
100
+
101
+ | ID | Subcategory |
102
+ |----|-------------|
103
+ | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded |
104
+ | ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources |
105
+ | ID.RA-03 | Internal and external threats to the organization are identified and recorded |
106
+ | ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded |
107
+ | ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response priorities |
108
+ | ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated |
109
+ | ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked |
110
+ | ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established |
111
+ | ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use |
112
+ | ID.RA-10 | Critical suppliers are assessed prior to acquisition |
113
+
114
+ ### ID.IM — Improvement
115
+ Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions.
116
+
117
+ | ID | Subcategory |
118
+ |----|-------------|
119
+ | ID.IM-01 | Improvements are identified from evaluations |
120
+ | ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties |
121
+ | ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities |
122
+ | ID.IM-04 | Incident, vulnerability, and other findings are communicated to designated internal and external stakeholders |
123
+
124
+ ---
125
+
126
+ ## PROTECT (PR)
127
+
128
+ Safeguards to manage the organization's cybersecurity risks are used.
129
+
130
+ ### PR.AA — Identity Management, Authentication, and Access Control
131
+ Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
132
+
133
+ | ID | Subcategory |
134
+ |----|-------------|
135
+ | PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization |
136
+ | PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions |
137
+ | PR.AA-03 | Users, services, and hardware are authenticated |
138
+ | PR.AA-04 | Identity assertions are protected, conveyed, and verified |
139
+ | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties |
140
+ | PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk |
141
+
142
+ ### PR.AT — Awareness and Training
143
+ The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.
144
+
145
+ | ID | Subcategory |
146
+ |----|-------------|
147
+ | PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind |
148
+ | PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind |
149
+
150
+ ### PR.DS — Data Security
151
+ Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
152
+
153
+ | ID | Subcategory |
154
+ |----|-------------|
155
+ | PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected |
156
+ | PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected |
157
+ | PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected |
158
+ | PR.DS-11 | Backups of data are created, protected, maintained, and tested |
159
+
160
+ ### PR.PS — Platform Security
161
+ The hardware, software (including firmware and code), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.
162
+
163
+ | ID | Subcategory |
164
+ |----|-------------|
165
+ | PR.PS-01 | Configuration management practices are established and applied |
166
+ | PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk |
167
+ | PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk |
168
+ | PR.PS-04 | Log records are generated and made available for continuous monitoring |
169
+ | PR.PS-05 | Installation and execution of unauthorized software are prevented |
170
+ | PR.PS-06 | Secure software development practices are integrated, and their security is evaluated |
171
+
172
+ ### PR.IR — Technology Infrastructure Resilience
173
+ Security architectures are managed with the organization's risk strategy to protect asset and technology infrastructure, and appropriate redundancies are implemented.
174
+
175
+ | ID | Subcategory |
176
+ |----|-------------|
177
+ | PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage |
178
+ | PR.IR-02 | The organization's technology assets are protected from environmental threats |
179
+ | PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations |
180
+ | PR.IR-04 | Adequate resource capacity to ensure availability is maintained |
181
+
182
+ ---
183
+
184
+ ## DETECT (DE)
185
+
186
+ Possible cybersecurity attacks and compromises are found and analyzed.
187
+
188
+ ### DE.CM — Continuous Monitoring
189
+ Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
190
+
191
+ | ID | Subcategory |
192
+ |----|-------------|
193
+ | DE.CM-01 | Networks and network services are monitored to find potentially adverse events |
194
+ | DE.CM-02 | The physical environment is monitored to find potentially adverse events |
195
+ | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events |
196
+ | DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events |
197
+ | DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events |
198
+
199
+ ### DE.AE — Adverse Event Analysis
200
+ Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
201
+
202
+ | ID | Subcategory |
203
+ |----|-------------|
204
+ | DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities |
205
+ | DE.AE-03 | Information is correlated from multiple sources |
206
+ | DE.AE-04 | The estimated impact and scope of adverse events are understood |
207
+ | DE.AE-06 | Information on adverse events is provided to authorized staff and tools |
208
+ | DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis |
209
+ | DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria |
210
+
211
+ ---
212
+
213
+ ## RESPOND (RS)
214
+
215
+ Actions regarding a detected cybersecurity incident are taken.
216
+
217
+ ### RS.MA — Incident Management
218
+ Responses to detected cybersecurity incidents are managed.
219
+
220
+ | ID | Subcategory |
221
+ |----|-------------|
222
+ | RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared |
223
+ | RS.MA-02 | Incident reports are triaged and validated |
224
+ | RS.MA-03 | Incidents are categorized and prioritized |
225
+ | RS.MA-04 | Incidents are escalated or elevated as needed |
226
+ | RS.MA-05 | The criteria for initiating incident recovery are applied |
227
+
228
+ ### RS.AN — Incident Analysis
229
+ Investigations are conducted to ensure effective response and support forensics and recovery activities.
230
+
231
+ | ID | Subcategory |
232
+ |----|-------------|
233
+ | RS.AN-03 | Analysis is performed to establish what has taken place during an incident and the root cause of the incident |
234
+ | RS.AN-06 | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved |
235
+ | RS.AN-07 | Incident data and metadata are collected, and their integrity is preserved |
236
+ | RS.AN-08 | An incident's magnitude is estimated and validated |
237
+
238
+ ### RS.CO — Incident Response Reporting and Communication
239
+ Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.
240
+
241
+ | ID | Subcategory |
242
+ |----|-------------|
243
+ | RS.CO-02 | Internal and external stakeholders are notified of incidents |
244
+ | RS.CO-03 | Information is shared with designated internal and external stakeholders |
245
+
246
+ ### RS.MI — Incident Mitigation
247
+ Activities are performed to prevent expansion of an event and mitigate its effects.
248
+
249
+ | ID | Subcategory |
250
+ |----|-------------|
251
+ | RS.MI-01 | Incidents are contained |
252
+ | RS.MI-02 | Incidents are eradicated |
253
+
254
+ ---
255
+
256
+ ## RECOVER (RC)
257
+
258
+ Assets and operations affected by a cybersecurity incident are restored.
259
+
260
+ ### RC.RP — Incident Recovery Plan Execution
261
+ Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
262
+
263
+ | ID | Subcategory |
264
+ |----|-------------|
265
+ | RC.RP-01 | The recovery portion of the incident response plan is executed once initiated from the RS.MA subcategory |
266
+ | RC.RP-02 | Recovery actions are selected, scoped, prioritized, and performed |
267
+ | RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration |
268
+ | RC.RP-04 | Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms |
269
+ | RC.RP-05 | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed |
270
+ | RC.RP-06 | The end of incident recovery is declared based on criteria, and incident-related documentation is completed |
271
+
272
+ ### RC.CO — Incident Recovery Communication
273
+ Restoration activities are coordinated with internal and external parties.
274
+
275
+ | ID | Subcategory |
276
+ |----|-------------|
277
+ | RC.CO-03 | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders |
278
+ | RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging |