framework-mcp 1.3.6 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/.claude/agents/mcp-developer.md +41 -0
  2. package/.claude/agents/project-orchestrator.md +43 -0
  3. package/.claude/agents/version-consistency-reviewer.md +50 -0
  4. package/COPILOT_INTEGRATION.md +49 -62
  5. package/DEPLOYMENT_GUIDE.md +48 -49
  6. package/MCP_INTEGRATION_GUIDE.md +96 -129
  7. package/MIGRATION_GUIDE_v1.4.0.md +190 -0
  8. package/README.md +149 -173
  9. package/RELEASE_NOTES_v1.3.7.md +275 -0
  10. package/RELEASE_NOTES_v1.4.0.md +178 -0
  11. package/SAFEGUARDS_VERIFICATION_LOG.md +157 -0
  12. package/dist/core/safeguard-manager.d.ts.map +1 -1
  13. package/dist/core/safeguard-manager.js +747 -1191
  14. package/dist/core/safeguard-manager.js.map +1 -1
  15. package/dist/index.d.ts +0 -1
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +1 -2
  18. package/dist/index.js.map +1 -1
  19. package/dist/interfaces/http/http-server.d.ts +0 -4
  20. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  21. package/dist/interfaces/http/http-server.js +6 -113
  22. package/dist/interfaces/http/http-server.js.map +1 -1
  23. package/dist/interfaces/mcp/mcp-server.d.ts +0 -5
  24. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  25. package/dist/interfaces/mcp/mcp-server.js +4 -120
  26. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  27. package/dist/shared/types.d.ts +0 -37
  28. package/dist/shared/types.d.ts.map +1 -1
  29. package/examples/example-usage.md +43 -38
  30. package/examples/llm-analysis-patterns.md +553 -0
  31. package/package.json +2 -3
  32. package/scripts/validate-documentation.sh +4 -4
  33. package/src/core/safeguard-manager.ts +729 -1173
  34. package/src/index.ts +1 -2
  35. package/src/interfaces/http/http-server.ts +6 -139
  36. package/src/interfaces/mcp/mcp-server.ts +4 -145
  37. package/src/shared/types.ts +0 -40
  38. package/swagger.json +64 -313
  39. package/dist/core/capability-analyzer.d.ts +0 -29
  40. package/dist/core/capability-analyzer.d.ts.map +0 -1
  41. package/dist/core/capability-analyzer.js +0 -568
  42. package/dist/core/capability-analyzer.js.map +0 -1
  43. package/src/core/capability-analyzer.ts +0 -708
@@ -165,42 +165,40 @@ export class SafeguardManager {
165
165
  assetType: ["end-user devices", "network devices", "IoT devices", "servers"],
166
166
  securityFunction: ["Identify"],
167
167
  governanceElements: [
168
- "establish inventory process",
169
- "maintain inventory process",
170
- "documented process",
171
- "review and update bi-annually",
172
- "enterprise asset management policy"
173
- ],
174
- coreRequirements: [
175
- "accurate inventory",
176
- "detailed inventory",
177
- "up-to-date inventory",
178
- "all enterprise assets",
179
- "potential to store or process data"
180
- ],
181
- subTaxonomicalElements: [
182
- "network address (if static)",
183
- "hardware address",
184
- "machine name",
185
- "enterprise asset owner",
186
- "department for each asset",
187
- "approved to connect to network",
188
- "end-user devices (portable and mobile)",
189
- "network devices",
190
- "non-computing/IoT devices",
191
- "servers",
192
- "physical connection",
193
- "virtual connection",
194
- "remote connection",
195
- "cloud environments",
196
- "regularly connected devices not under enterprise control"
197
- ],
198
- implementationSuggestions: [
199
- "MDM type tools for mobile devices",
200
- "enterprise and software asset management tool",
201
- "asset discovery tools",
202
- "DHCP logging",
203
- "passive discovery tools"
168
+ "Establish",
169
+ "Maintain",
170
+ "Enterprise Asset Management Policy / Process",
171
+ "Review and update the inventory of all enterprise assets bi-annually, or more frequently"
172
+ ],
173
+ coreRequirements: [
174
+ "accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data"
175
+ ],
176
+ subTaxonomicalElements: [
177
+ "Network Address (IF STATIC)",
178
+ "Hardware Address",
179
+ "Machine Name",
180
+ "Enterprise asset owner",
181
+ "Department for each asset",
182
+ "Asset has been approved to connect to the network",
183
+ "End-User Devices",
184
+ "Mobile",
185
+ "Portable",
186
+ "Network Devices",
187
+ "IOT Devices",
188
+ "Servers",
189
+ "Connected to Infrastructure",
190
+ "Physically",
191
+ "Virtually",
192
+ "Remotely",
193
+ "Those within cloud environments",
194
+ "Regularly Connected Devices - NOT Under Control of Enterprise",
195
+ "Detailed",
196
+ "Accurate",
197
+ "Up-to-date",
198
+ "Potential to store or process data"
199
+ ],
200
+ implementationSuggestions: [
201
+ "For mobile end-user devices, MDM type tools can support this process, where appropriate"
204
202
  ],
205
203
  relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"],
206
204
  keywords: ["asset", "inventory", "device", "network", "mobile", "IoT", "server", "detailed", "accurate", "up-to-date"]
@@ -208,81 +206,72 @@ export class SafeguardManager {
208
206
  "5.1": {
209
207
  id: "5.1",
210
208
  title: "Establish and Maintain an Inventory of Accounts",
211
- description: "Establish and maintain an inventory of all accounts managed in the enterprise",
209
+ description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
212
210
  implementationGroup: "IG1",
213
211
  assetType: ["users"],
214
212
  securityFunction: ["Identify"],
215
213
  governanceElements: [
216
- "establish inventory process",
217
- "maintain inventory process",
218
- "validate all active accounts are authorized",
219
- "recurring schedule minimum quarterly",
220
- "account management policy"
214
+ "Establish and maintain an inventory of all accounts managed in the enterprise",
215
+ "The inventory must include both user and administrator accounts",
216
+ "At a minimum, should contain the person's name, username, start/stop dates, and department",
217
+ "Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
221
218
  ],
222
219
  coreRequirements: [
223
- "inventory of all accounts",
224
- "user accounts",
225
- "administrator accounts",
226
- "managed in the enterprise"
220
+ "Inventory of Accounts"
227
221
  ],
228
222
  subTaxonomicalElements: [
229
- "person's name",
230
- "username",
231
- "start/stop dates",
232
- "department",
233
- "account status",
234
- "account type",
235
- "access rights",
236
- "last login date"
223
+ "Establish",
224
+ "Maintain",
225
+ "Validate that all active accounts are authorized",
226
+ "Recurring schedule",
227
+ "Must Include",
228
+ "At a minimum",
229
+ "Minimum Quarterly",
230
+ "More Frequently",
231
+ "User Accounts",
232
+ "Administrator Accounts",
233
+ "Name",
234
+ "Username",
235
+ "Start Stop Dates",
236
+ "Department"
237
237
  ],
238
238
  implementationSuggestions: [
239
- "identity and access management tool",
240
- "directory services",
241
- "automated account provisioning",
242
- "account lifecycle management",
243
- "role-based access control system"
239
+ "Account and Access Control Management",
240
+ "Identity and Access Management Tool"
244
241
  ],
245
- relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2"],
246
- keywords: ["accounts", "inventory", "user", "administrator", "name", "username", "dates", "department", "quarterly"]
242
+ relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
243
+ keywords: ["establish", "maintain", "inventory", "accounts", "user", "administrator", "name", "username", "dates", "department", "quarterly", "validate", "authorized", "recurring"]
247
244
  },
248
245
  "6.3": {
249
246
  id: "6.3",
250
247
  title: "Require MFA for Externally-Exposed Applications",
251
- description: "Require all externally-exposed enterprise or third-party applications to enforce MFA",
248
+ description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
252
249
  implementationGroup: "IG1",
253
250
  assetType: ["users"],
254
251
  securityFunction: ["Protect"],
255
252
  governanceElements: [
256
- "require MFA enforcement",
257
- "policy for externally-exposed applications",
258
- "MFA compliance verification"
253
+ "Require",
254
+ "Account and Access Control Management",
255
+ "Multi-Factor Authentication Tool"
259
256
  ],
260
257
  coreRequirements: [
261
- "multi-factor authentication",
262
- "all externally-exposed applications",
263
- "enterprise applications",
264
- "third-party applications",
265
- "enforce MFA where supported"
258
+ "all externally-exposed enterprise or third-party applications to enforce MFA",
259
+ "where supported"
266
260
  ],
267
261
  subTaxonomicalElements: [
268
- "authentication factors",
269
- "something you know (password)",
270
- "something you have (token)",
271
- "something you are (biometric)",
272
- "external access points",
273
- "application inventory",
274
- "exposure assessment"
262
+ "ALL Externally Exposed Applications",
263
+ "Enforce",
264
+ "Where supported"
275
265
  ],
276
266
  implementationSuggestions: [
277
- "directory service enforcement",
278
- "SSO provider enforcement",
279
- "multi-factor authentication tools",
280
- "SAML integration",
281
- "OAuth implementation",
282
- "conditional access policies"
267
+ "Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard",
268
+ "Directory service",
269
+ "SSO Provider",
270
+ "Account and Access Control Management",
271
+ "Multi-Factor Authentication Tool"
283
272
  ],
284
- relatedSafeguards: ["2.1", "4.1", "5.1", "6.1", "6.2"],
285
- keywords: ["MFA", "multi-factor", "authentication", "externally-exposed", "applications", "third-party", "SSO", "directory"]
273
+ relatedSafeguards: ["2.1", "4.1"],
274
+ keywords: ["require", "externally-exposed", "enterprise", "third-party", "applications", "enforce", "MFA", "supported", "directory", "service", "SSO", "provider"]
286
275
  },
287
276
  "7.1": {
288
277
  id: "7.1",
@@ -334,27 +323,17 @@ export class SafeguardManager {
334
323
  assetType: ["devices"],
335
324
  securityFunction: ["Respond"],
336
325
  governanceElements: [
337
- "ensure process exists",
338
- "weekly basis requirement",
339
- "unauthorized asset handling policy"
326
+ "Ensure that a process exists to address unauthorized assets on a weekly basis"
340
327
  ],
341
328
  coreRequirements: [
342
- "address unauthorized assets",
343
- "process to handle unauthorized devices",
344
- "weekly execution"
329
+ "Address Unauthorized Assets"
345
330
  ],
346
331
  subTaxonomicalElements: [
347
- "unauthorized asset detection",
348
- "asset classification",
349
- "response timeline",
350
- "documentation requirements"
332
+ "On a weekly basis",
333
+ "Ensure"
351
334
  ],
352
335
  implementationSuggestions: [
353
- "remove asset from network",
354
- "deny asset from connecting remotely",
355
- "quarantine asset",
356
- "automated response systems",
357
- "network access control"
336
+ "The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset"
358
337
  ],
359
338
  relatedSafeguards: ["1.1", "1.3"],
360
339
  keywords: ["unauthorized", "assets", "weekly", "remove", "deny", "quarantine", "process"]
@@ -362,79 +341,51 @@ export class SafeguardManager {
362
341
  "1.3": {
363
342
  id: "1.3",
364
343
  title: "Utilize an Active Discovery Tool",
365
- description: "Use an active discovery tool to identify assets connected to the enterprise's network",
344
+ description: "Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.",
366
345
  implementationGroup: "IG2",
367
346
  assetType: ["network"],
368
- securityFunction: ["Identify"],
347
+ securityFunction: ["Detect"],
369
348
  governanceElements: [
370
- "use active discovery tool",
371
- "identify assets requirement",
372
- "network discovery policy",
373
- "discovery tool management"
349
+ "Utilize an active discovery tool to identify assets connected to the enterprise's network",
350
+ "Configure the active discovery tool to execute daily, or more frequently"
374
351
  ],
375
352
  coreRequirements: [
376
- "active discovery tool",
377
- "identify assets connected to network",
378
- "enterprise network coverage",
379
- "asset discovery capability"
353
+ "Active discovery tool"
380
354
  ],
381
355
  subTaxonomicalElements: [
382
- "network scanning",
383
- "asset identification",
384
- "network mapping",
385
- "device fingerprinting",
386
- "service discovery",
387
- "port scanning",
388
- "protocol analysis",
389
- "network topology discovery"
356
+ "Utilize",
357
+ "Configure",
358
+ "Execute daily",
359
+ "Execute daily, or more frequently"
390
360
  ],
391
- implementationSuggestions: [
392
- "network discovery scanners",
393
- "SNMP-based discovery",
394
- "ping sweeps",
395
- "ARP table analysis",
396
- "network monitoring tools",
397
- "automated discovery systems"
361
+ implementationSuggestions: [ // Gray - Implementation suggestions
398
362
  ],
399
363
  relatedSafeguards: ["1.1", "1.2", "1.4", "1.5"],
400
364
  keywords: ["active", "discovery", "tool", "identify", "assets", "network", "scanning", "mapping"]
401
365
  },
402
366
  "1.4": {
403
367
  id: "1.4",
404
- title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Asset Inventory",
405
- description: "Use DHCP logging functionality to update the enterprise asset inventory",
368
+ title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory",
369
+ description: "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.",
406
370
  implementationGroup: "IG2",
407
371
  assetType: ["network"],
408
372
  securityFunction: ["Identify"],
409
373
  governanceElements: [
410
- "use DHCP logging",
411
- "update asset inventory requirement",
412
- "DHCP log management policy",
413
- "inventory integration process"
374
+ "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory",
375
+ "Review and use logs to update the enterprise's asset inventory weekly, or more frequently"
414
376
  ],
415
377
  coreRequirements: [
416
- "DHCP logging functionality",
417
- "update enterprise asset inventory",
418
- "network device tracking",
419
- "IP address assignment logging"
378
+ "DHCP Logging on all DHCP servers",
379
+ "IPAM"
420
380
  ],
421
381
  subTaxonomicalElements: [
422
- "DHCP lease information",
423
- "IP address assignments",
424
- "MAC address mapping",
425
- "device hostnames",
426
- "lease duration tracking",
427
- "DHCP server logs",
428
- "network join events",
429
- "device identification data"
382
+ "Use",
383
+ "Review and Use Logs",
384
+ "Update asset inventory",
385
+ "Weekly",
386
+ "More Frequently"
430
387
  ],
431
- implementationSuggestions: [
432
- "DHCP server log analysis",
433
- "automated parsing tools",
434
- "inventory integration scripts",
435
- "SIEM integration",
436
- "log aggregation systems",
437
- "real-time monitoring"
388
+ implementationSuggestions: [ // Gray - Implementation suggestions
438
389
  ],
439
390
  relatedSafeguards: ["1.1", "1.2", "1.3", "1.5"],
440
391
  keywords: ["DHCP", "logging", "update", "asset", "inventory", "IP", "address", "network", "tracking"]
@@ -442,39 +393,25 @@ export class SafeguardManager {
442
393
  "1.5": {
443
394
  id: "1.5",
444
395
  title: "Use a Passive Asset Discovery Tool",
445
- description: "Use a passive discovery tool to identify assets connected to the enterprise's network",
396
+ description: "Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.",
446
397
  implementationGroup: "IG3",
447
398
  assetType: ["network"],
448
- securityFunction: ["Identify"],
399
+ securityFunction: ["Detect"],
449
400
  governanceElements: [
450
- "use passive discovery tool",
451
- "identify assets requirement",
452
- "passive monitoring policy",
453
- "discovery tool governance"
401
+ "Use a passive discovery tool to identify assets connected to the enterprise's network",
402
+ "Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently"
454
403
  ],
455
404
  coreRequirements: [
456
- "passive discovery tool",
457
- "identify assets connected to network",
458
- "non-intrusive asset identification",
459
- "network traffic analysis"
405
+ "Passive Discovery Tool"
460
406
  ],
461
407
  subTaxonomicalElements: [
462
- "network traffic monitoring",
463
- "passive packet analysis",
464
- "protocol identification",
465
- "device behavior analysis",
466
- "communication pattern analysis",
467
- "network flow analysis",
468
- "asset fingerprinting",
469
- "service identification"
470
- ],
471
- implementationSuggestions: [
472
- "network tap monitoring",
473
- "span port analysis",
474
- "flow analysis tools",
475
- "packet capture systems",
476
- "network behavior analysis",
477
- "passive scanning tools"
408
+ "Use",
409
+ "Review and Use scans",
410
+ "Update asset inventory",
411
+ "Weekly",
412
+ "More Frequently"
413
+ ],
414
+ implementationSuggestions: [ // Gray - Implementation suggestions
478
415
  ],
479
416
  relatedSafeguards: ["1.1", "1.2", "1.3", "1.4"],
480
417
  keywords: ["passive", "discovery", "tool", "identify", "assets", "network", "traffic", "monitoring", "non-intrusive"]
@@ -487,36 +424,32 @@ export class SafeguardManager {
487
424
  assetType: ["applications"],
488
425
  securityFunction: ["Identify"],
489
426
  governanceElements: [
490
- "establish inventory process",
491
- "maintain inventory process",
492
- "detailed software inventory requirement",
493
- "licensed software tracking",
494
- "enterprise asset coverage"
427
+ "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
428
+ "The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date",
429
+ "Review and update the software inventory bi-annually, or more frequently"
495
430
  ],
496
431
  coreRequirements: [
497
- "detailed inventory",
498
- "all licensed software",
499
- "installed on enterprise assets",
500
- "software asset management",
501
- "comprehensive coverage"
432
+ "Detailed inventory of all licensed software",
433
+ "Installed on enterprise Assets"
502
434
  ],
503
435
  subTaxonomicalElements: [
504
- "software name",
505
- "version",
506
- "publisher",
507
- "install date",
508
- "business purpose",
509
- "supported vs. unsupported software",
510
- "authorized vs. unauthorized software",
511
- "licensing information",
512
- "installation location"
436
+ "Establish",
437
+ "Maintain",
438
+ "Must Document",
439
+ "Title",
440
+ "Publisher",
441
+ "Initial Install / Use Date",
442
+ "Business Purpose",
443
+ "URL",
444
+ "App Store(s)",
445
+ "App Version(s)",
446
+ "Deployment mechanism",
447
+ "Decomm. Date",
448
+ "Where appropriate",
449
+ "bi-annually",
450
+ "More Frequently"
513
451
  ],
514
- implementationSuggestions: [
515
- "software asset management tools",
516
- "automated discovery agents",
517
- "network-based scanning",
518
- "endpoint detection tools",
519
- "software metering solutions"
452
+ implementationSuggestions: [ // Gray - Implementation suggestions
520
453
  ],
521
454
  relatedSafeguards: ["1.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7"],
522
455
  keywords: ["software", "inventory", "licensed", "detailed", "enterprise", "assets", "applications"]
@@ -529,32 +462,24 @@ export class SafeguardManager {
529
462
  assetType: ["applications"],
530
463
  securityFunction: ["Identify"],
531
464
  governanceElements: [
532
- "ensure only supported software authorized",
533
- "authorization designation process",
534
- "supported software verification",
535
- "software lifecycle management"
465
+ "Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
536
466
  ],
537
467
  coreRequirements: [
538
- "currently supported software only",
539
- "designated as authorized",
540
- "software inventory integration",
541
- "support status verification"
468
+ "Currently supported software",
469
+ "Authorized in the software inventory"
542
470
  ],
543
471
  subTaxonomicalElements: [
544
- "software support status",
545
- "end-of-life identification",
546
- "vendor support agreements",
547
- "patch availability",
548
- "security update availability",
549
- "authorization workflows",
550
- "approval processes"
472
+ "Ensure",
473
+ "Determine if Authorized Software Is Currently Supported",
474
+ "If Unsupported",
475
+ "Determine Necessity for Business",
476
+ "Document Exception detailing mitigating controls",
477
+ "Document Residual risk acceptance",
478
+ "Review the software list",
479
+ "Monthly",
480
+ "More frequently"
551
481
  ],
552
- implementationSuggestions: [
553
- "vendor support databases",
554
- "automated support checking",
555
- "software lifecycle tracking",
556
- "end-of-life notifications",
557
- "authorization workflow tools"
482
+ implementationSuggestions: [ // Gray - Implementation suggestions
558
483
  ],
559
484
  relatedSafeguards: ["2.1", "2.3", "2.4", "2.5", "2.6", "2.7"],
560
485
  keywords: ["supported", "software", "authorized", "designated", "inventory", "lifecycle", "end-of-life"]
@@ -562,36 +487,25 @@ export class SafeguardManager {
562
487
  "2.3": {
563
488
  id: "2.3",
564
489
  title: "Address Unauthorized Software",
565
- description: "Ensure that unauthorized software is either removed from use on enterprise assets or approved for use",
490
+ description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
566
491
  implementationGroup: "IG1",
567
492
  assetType: ["applications"],
568
493
  securityFunction: ["Respond"],
569
494
  governanceElements: [
570
- "ensure unauthorized software addressed",
571
- "removal or approval requirement",
572
- "unauthorized software handling policy"
495
+ "Ensure",
496
+ "Review monthly, or more frequently"
573
497
  ],
574
498
  coreRequirements: [
575
- "unauthorized software identification",
576
- "removed from use",
577
- "approved for use",
578
- "enterprise assets coverage"
499
+ "unauthorized software is either removed from use on enterprise assets or receives a documented exception"
579
500
  ],
580
501
  subTaxonomicalElements: [
581
- "unauthorized software detection",
582
- "software classification",
583
- "approval workflows",
584
- "removal procedures",
585
- "business justification",
586
- "exception processes",
587
- "documentation requirements"
502
+ "Address Unauthorized Software",
503
+ "Remove from use",
504
+ "Document Exception",
505
+ "Monthly",
506
+ "More Frequently"
588
507
  ],
589
- implementationSuggestions: [
590
- "automated removal tools",
591
- "application control systems",
592
- "software whitelisting",
593
- "policy enforcement tools",
594
- "approval workflow systems"
508
+ implementationSuggestions: [ // Gray - Implementation suggestions
595
509
  ],
596
510
  relatedSafeguards: ["2.1", "2.2", "2.4", "2.5", "2.6", "2.7"],
597
511
  keywords: ["unauthorized", "software", "removed", "approved", "enterprise", "assets", "address"]
@@ -599,37 +513,25 @@ export class SafeguardManager {
599
513
  "2.4": {
600
514
  id: "2.4",
601
515
  title: "Utilize Automated Software Inventory Tools",
602
- description: "Utilize automated software inventory tools, where possible, throughout the enterprise",
516
+ description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
603
517
  implementationGroup: "IG2",
604
518
  assetType: ["applications"],
605
- securityFunction: ["Identify"],
519
+ securityFunction: ["Detect"],
606
520
  governanceElements: [
607
- "utilize automated tools",
608
- "where possible requirement",
609
- "throughout enterprise coverage",
610
- "automated inventory management"
521
+ "Utilize",
522
+ "when possible"
611
523
  ],
612
524
  coreRequirements: [
613
- "automated software inventory tools",
614
- "enterprise-wide deployment",
615
- "comprehensive coverage",
616
- "automated discovery capability"
525
+ "software inventory tools",
526
+ "automate the discovery and documentation of installed software"
617
527
  ],
618
528
  subTaxonomicalElements: [
619
- "automated discovery agents",
620
- "network-based scanning",
621
- "agent-based collection",
622
- "real-time inventory updates",
623
- "centralized reporting",
624
- "integration capabilities",
625
- "deployment strategies"
529
+ "Automate Discovery",
530
+ "Automate Documentation",
531
+ "Installed Software",
532
+ "When possible"
626
533
  ],
627
- implementationSuggestions: [
628
- "endpoint agents",
629
- "network scanners",
630
- "SCCM integration",
631
- "vulnerability scanners",
632
- "asset management platforms"
534
+ implementationSuggestions: [ // Gray - Implementation suggestions
633
535
  ],
634
536
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.5", "2.6", "2.7"],
635
537
  keywords: ["automated", "software", "inventory", "tools", "enterprise", "deployment", "discovery"]
@@ -637,36 +539,30 @@ export class SafeguardManager {
637
539
  "2.5": {
638
540
  id: "2.5",
639
541
  title: "Allowlist Authorized Software",
640
- description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute",
542
+ description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
641
543
  implementationGroup: "IG2",
642
544
  assetType: ["applications"],
643
545
  securityFunction: ["Protect"],
644
546
  governanceElements: [
645
- "use technical controls",
646
- "ensure only authorized execution",
647
- "allowlisting implementation requirement"
547
+ "Use",
548
+ "Ensure",
549
+ "Reassess bi-annually, or more frequently"
648
550
  ],
649
551
  coreRequirements: [
650
552
  "technical controls",
651
- "application allowlisting",
652
- "only authorized software execution",
653
- "execution prevention"
553
+ "only authorized software can execute or be accessed"
654
554
  ],
655
555
  subTaxonomicalElements: [
656
- "allowlist management",
657
- "signature-based controls",
658
- "hash-based controls",
659
- "path-based controls",
660
- "certificate-based controls",
661
- "execution monitoring",
662
- "policy enforcement"
556
+ "Allowlist Authorized Software",
557
+ "Technical Controls",
558
+ "Execute",
559
+ "Accessed",
560
+ "Reassess",
561
+ "Bi-Annually",
562
+ "More Frequently"
663
563
  ],
664
564
  implementationSuggestions: [
665
- "application control software",
666
- "Windows AppLocker",
667
- "endpoint protection platforms",
668
- "code signing enforcement",
669
- "execution prevention tools"
565
+ "Application Allowlisting"
670
566
  ],
671
567
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.6", "2.7"],
672
568
  keywords: ["allowlist", "authorized", "software", "technical", "controls", "application", "execution"]
@@ -674,36 +570,34 @@ export class SafeguardManager {
674
570
  "2.6": {
675
571
  id: "2.6",
676
572
  title: "Allowlist Authorized Libraries",
677
- description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so files, can load into a system process",
573
+ description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
678
574
  implementationGroup: "IG2",
679
575
  assetType: ["applications"],
680
576
  securityFunction: ["Protect"],
681
577
  governanceElements: [
682
- "use technical controls",
683
- "ensure only authorized libraries",
684
- "system process protection requirement"
578
+ "Use",
579
+ "Ensure",
580
+ "Block unauthorized libraries from loading into a system process",
581
+ "Reassess bi-annually, or more frequently"
685
582
  ],
686
583
  coreRequirements: [
687
584
  "technical controls",
688
585
  "only authorized software libraries",
689
- "dll ocx so files",
690
- "system process loading"
586
+ "are allowed to load into a system process"
691
587
  ],
692
588
  subTaxonomicalElements: [
693
- "library allowlisting",
694
- "dynamic link library control",
695
- "shared object control",
696
- "process injection prevention",
697
- "library loading monitoring",
698
- "signature verification",
699
- "integrity checking"
589
+ "Only authorized software libraries",
590
+ "Are allowed to load into a system process",
591
+ "Technical Controls",
592
+ "Block unauthorized libraries from loading into a system process",
593
+ "Reassess",
594
+ "Bi-Annually",
595
+ "More Frequently"
700
596
  ],
701
597
  implementationSuggestions: [
702
- "library control tools",
703
- "process monitoring solutions",
704
- "endpoint detection platforms",
705
- "kernel-level controls",
706
- "signature enforcement"
598
+ "Specific .dll files",
599
+ "Specific .ocx files",
600
+ "Specific .so files"
707
601
  ],
708
602
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.7"],
709
603
  keywords: ["allowlist", "authorized", "libraries", "dll", "ocx", "so", "system", "process", "technical"]
@@ -711,36 +605,33 @@ export class SafeguardManager {
711
605
  "2.7": {
712
606
  id: "2.7",
713
607
  title: "Allowlist Authorized Scripts",
714
- description: "Use technical controls, such as digital signatures and version control systems, to ensure that only authorized scripts can execute",
608
+ description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
715
609
  implementationGroup: "IG3",
716
610
  assetType: ["applications"],
717
611
  securityFunction: ["Protect"],
718
612
  governanceElements: [
719
- "use technical controls",
720
- "ensure only authorized script execution",
721
- "script authorization requirement"
613
+ "Use",
614
+ "Ensure",
615
+ "Block unauthorized scripts from executing",
616
+ "Reassess bi-annually, or more frequently"
722
617
  ],
723
618
  coreRequirements: [
724
619
  "technical controls",
725
- "digital signatures",
726
- "version control systems",
727
- "only authorized scripts execution"
620
+ "only authorized files are allowed to execute"
728
621
  ],
729
622
  subTaxonomicalElements: [
730
- "script allowlisting",
731
- "digital signature verification",
732
- "version control integration",
733
- "script integrity checking",
734
- "execution policy enforcement",
735
- "script source validation",
736
- "runtime monitoring"
623
+ "Only authorized files are allowed to execute",
624
+ "Technical Controls",
625
+ "Block unauthorized scripts from executing",
626
+ "Reassess",
627
+ "Bi-Annually",
628
+ "More Frequently"
737
629
  ],
738
630
  implementationSuggestions: [
739
- "PowerShell execution policies",
740
- "script signing infrastructure",
741
- "version control systems",
742
- "script execution monitors",
743
- "code signing certificates"
631
+ "Digital signatures",
632
+ "Version control",
633
+ "Specific .ps1 files",
634
+ "Specific .py files"
744
635
  ],
745
636
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6"],
746
637
  keywords: ["allowlist", "authorized", "scripts", "digital", "signatures", "version", "control", "execution"]
@@ -748,37 +639,32 @@ export class SafeguardManager {
748
639
  "3.1": {
749
640
  id: "3.1",
750
641
  title: "Establish and Maintain a Data Management Process",
751
- description: "Establish and maintain a data management process",
642
+ description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
752
643
  implementationGroup: "IG1",
753
644
  assetType: ["data"],
754
645
  securityFunction: ["Govern"],
755
646
  governanceElements: [
756
- "establish data management process",
757
- "maintain data management process",
758
- "documented data governance",
759
- "data management policy"
647
+ "Establish",
648
+ "Maintain",
649
+ "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
760
650
  ],
761
651
  coreRequirements: [
762
- "data management process",
763
- "data governance framework",
764
- "data handling procedures",
765
- "data lifecycle management"
652
+ "documented data management process",
653
+ "address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
766
654
  ],
767
655
  subTaxonomicalElements: [
768
- "data classification scheme",
769
- "data inventory procedures",
770
- "data retention policies",
771
- "data disposal procedures",
772
- "data handling standards",
773
- "data access controls",
774
- "data sharing agreements"
656
+ "Documented Data management process",
657
+ "Data Sensitivity",
658
+ "Data Owner",
659
+ "Data Handling",
660
+ "Data Retention Limits",
661
+ "Disposal Requirements",
662
+ "Retention Standards",
663
+ "Review and update documentation",
664
+ "Annually",
665
+ "When significant enterprise changes occur that could impact this Safeguard"
775
666
  ],
776
- implementationSuggestions: [
777
- "data governance platforms",
778
- "data discovery tools",
779
- "data classification tools",
780
- "policy management systems",
781
- "data lineage tracking"
667
+ implementationSuggestions: [ // Gray - Implementation suggestions
782
668
  ],
783
669
  relatedSafeguards: ["3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
784
670
  keywords: ["data", "management", "process", "establish", "maintain", "governance", "lifecycle"]
@@ -786,38 +672,28 @@ export class SafeguardManager {
786
672
  "3.2": {
787
673
  id: "3.2",
788
674
  title: "Establish and Maintain a Data Inventory",
789
- description: "Establish and maintain a data inventory, based on the enterprise's data management process",
675
+ description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
790
676
  implementationGroup: "IG1",
791
677
  assetType: ["data"],
792
678
  securityFunction: ["Identify"],
793
679
  governanceElements: [
794
- "establish data inventory",
795
- "maintain data inventory",
796
- "based on data management process",
797
- "inventory management requirements"
680
+ "Establish",
681
+ "Maintain",
682
+ "Review and update inventory annually, at a minimum, with a priority on sensitive data"
798
683
  ],
799
684
  coreRequirements: [
800
- "data inventory",
801
- "enterprise data coverage",
802
- "data asset identification",
803
- "data location tracking"
685
+ "data inventory based on the enterprise's data management process",
686
+ "inventory sensitive data, at a minimum"
804
687
  ],
805
688
  subTaxonomicalElements: [
806
- "data types",
807
- "data locations",
808
- "data owners",
809
- "data classifications",
810
- "data sensitivity levels",
811
- "data volumes",
812
- "data formats",
813
- "data repositories"
689
+ "Data Inventory",
690
+ "Based on Data Management process",
691
+ "Sensitive Data at a Minimum",
692
+ "Review and update inventory",
693
+ "Annually, at a minimum",
694
+ "Priority on sensitive data"
814
695
  ],
815
- implementationSuggestions: [
816
- "data discovery scanners",
817
- "database inventory tools",
818
- "file system crawlers",
819
- "cloud data discovery",
820
- "automated data cataloging"
696
+ implementationSuggestions: [ // Gray - Implementation suggestions
821
697
  ],
822
698
  relatedSafeguards: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
823
699
  keywords: ["data", "inventory", "enterprise", "management", "process", "identification", "tracking"]
@@ -825,37 +701,27 @@ export class SafeguardManager {
825
701
  "3.3": {
826
702
  id: "3.3",
827
703
  title: "Configure Data Access Control Lists",
828
- description: "Configure data access control lists based on a user's need to know",
704
+ description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
829
705
  implementationGroup: "IG1",
830
706
  assetType: ["data"],
831
707
  securityFunction: ["Protect"],
832
708
  governanceElements: [
833
- "configure access control lists",
834
- "based on need to know",
835
- "data access governance",
836
- "access control policy"
709
+ "Configure",
710
+ "Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
837
711
  ],
838
712
  coreRequirements: [
839
- "data access control lists",
840
- "user need to know basis",
841
- "access restriction enforcement",
842
- "granular access controls"
713
+ "data access control lists based on a user's need to know"
843
714
  ],
844
715
  subTaxonomicalElements: [
845
- "user access requirements",
846
- "role-based permissions",
847
- "data sensitivity matching",
848
- "access review processes",
849
- "permission inheritance",
850
- "group-based access",
851
- "individual permissions"
716
+ "Data Access control lists",
717
+ "Based on \"Need to Know\"",
718
+ "ACLS - \"aka\" Access Permissions",
719
+ "Local",
720
+ "Remote File Systems",
721
+ "Applications",
722
+ "Databases"
852
723
  ],
853
- implementationSuggestions: [
854
- "file system ACLs",
855
- "database permissions",
856
- "application-level controls",
857
- "identity management systems",
858
- "access governance tools"
724
+ implementationSuggestions: [ // Gray - Implementation suggestions
859
725
  ],
860
726
  relatedSafeguards: ["3.1", "3.2", "3.4", "3.5", "3.6", "5.1", "6.1", "6.2"],
861
727
  keywords: ["data", "access", "control", "lists", "need", "know", "user", "permissions"]
@@ -863,37 +729,26 @@ export class SafeguardManager {
863
729
  "3.4": {
864
730
  id: "3.4",
865
731
  title: "Enforce Data Retention",
866
- description: "Retain data according to the enterprise's data management process",
732
+ description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
867
733
  implementationGroup: "IG1",
868
734
  assetType: ["data"],
869
735
  securityFunction: ["Protect"],
870
736
  governanceElements: [
871
- "retain data according to process",
872
- "enterprise data management process",
873
- "data retention governance",
874
- "retention policy enforcement"
737
+ "Retain",
738
+ "Enforce",
739
+ "must include both minimum and maximum timelines"
875
740
  ],
876
741
  coreRequirements: [
877
- "data retention enforcement",
878
- "retention schedule compliance",
879
- "data lifecycle management",
880
- "retention period adherence"
742
+ "data according to the enterprise's documented data management process",
743
+ "Data retention"
881
744
  ],
882
745
  subTaxonomicalElements: [
883
- "retention schedules",
884
- "legal requirements",
885
- "business requirements",
886
- "retention categories",
887
- "disposal timelines",
888
- "archive procedures",
889
- "retention monitoring"
746
+ "Data Retention",
747
+ "Must Include",
748
+ "Minimum Timelines",
749
+ "Maximum timelines"
890
750
  ],
891
- implementationSuggestions: [
892
- "automated retention tools",
893
- "data lifecycle management",
894
- "archival systems",
895
- "retention scheduling tools",
896
- "compliance monitoring"
751
+ implementationSuggestions: [ // Gray - Implementation suggestions
897
752
  ],
898
753
  relatedSafeguards: ["3.1", "3.2", "3.5", "3.6", "3.10"],
899
754
  keywords: ["data", "retention", "enterprise", "management", "process", "lifecycle", "schedule"]
@@ -901,37 +756,23 @@ export class SafeguardManager {
901
756
  "3.5": {
902
757
  id: "3.5",
903
758
  title: "Securely Dispose of Data",
904
- description: "Securely dispose of data as outlined in the enterprise's data management process",
759
+ description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
905
760
  implementationGroup: "IG1",
906
761
  assetType: ["data"],
907
762
  securityFunction: ["Protect"],
908
763
  governanceElements: [
909
- "securely dispose data",
910
- "outlined in management process",
911
- "data disposal governance",
912
- "secure disposal policy"
764
+ "Securely dispose of data",
765
+ "Ensure"
913
766
  ],
914
767
  coreRequirements: [
915
- "secure data disposal",
916
- "data management process alignment",
917
- "disposal method security",
918
- "data destruction assurance"
768
+ "as outlined in the enterprise's data management process",
769
+ "the disposal process and method are commensurate with the data sensitivity"
919
770
  ],
920
771
  subTaxonomicalElements: [
921
- "disposal methods",
922
- "data sanitization",
923
- "media destruction",
924
- "digital shredding",
925
- "disposal verification",
926
- "disposal documentation",
927
- "certificate of destruction"
772
+ "Securely dispose of data",
773
+ "Disposal process and method are commensurate with the data sensitivity"
928
774
  ],
929
- implementationSuggestions: [
930
- "data wiping tools",
931
- "media destruction services",
932
- "cryptographic erasure",
933
- "physical destruction",
934
- "disposal tracking systems"
775
+ implementationSuggestions: [ // Gray - Implementation suggestions
935
776
  ],
936
777
  relatedSafeguards: ["3.1", "3.2", "3.4", "3.6", "3.10"],
937
778
  keywords: ["securely", "dispose", "data", "enterprise", "management", "process", "destruction"]
@@ -939,37 +780,24 @@ export class SafeguardManager {
939
780
  "3.6": {
940
781
  id: "3.6",
941
782
  title: "Encrypt Data on End-User Devices",
942
- description: "Encrypt data on end-user devices containing sensitive data",
783
+ description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
943
784
  implementationGroup: "IG1",
944
785
  assetType: ["data"],
945
786
  securityFunction: ["Protect"],
946
787
  governanceElements: [
947
- "encrypt data requirement",
948
- "end-user devices coverage",
949
- "sensitive data identification",
950
- "encryption policy enforcement"
788
+ "Encrypt"
951
789
  ],
952
790
  coreRequirements: [
953
- "data encryption",
954
- "end-user devices",
955
- "sensitive data protection",
956
- "encryption implementation"
791
+ "data on end-user devices containing sensitive data"
957
792
  ],
958
793
  subTaxonomicalElements: [
959
- "full disk encryption",
960
- "file-level encryption",
961
- "encryption algorithms",
962
- "key management",
963
- "device types coverage",
964
- "mobile device encryption",
965
- "laptop encryption"
794
+ "Data on end-user devices",
795
+ "Sensitive data"
966
796
  ],
967
797
  implementationSuggestions: [
968
- "BitLocker encryption",
969
- "FileVault encryption",
970
- "third-party encryption tools",
971
- "mobile device management",
972
- "encryption key management"
798
+ "Windows Bitlocker",
799
+ "Apple FileVault",
800
+ "Linux dm-crypt"
973
801
  ],
974
802
  relatedSafeguards: ["1.1", "3.1", "3.2", "3.7", "3.8", "3.9", "3.11"],
975
803
  keywords: ["encrypt", "data", "end-user", "devices", "sensitive", "protection", "encryption"]
@@ -977,37 +805,30 @@ export class SafeguardManager {
977
805
  "3.7": {
978
806
  id: "3.7",
979
807
  title: "Establish and Maintain a Data Classification Scheme",
980
- description: "Establish and maintain a data classification scheme based on the sensitivity of data",
808
+ description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
981
809
  implementationGroup: "IG2",
982
810
  assetType: ["data"],
983
811
  securityFunction: ["Identify"],
984
812
  governanceElements: [
985
- "establish classification scheme",
986
- "maintain classification scheme",
987
- "based on data sensitivity",
988
- "classification governance"
813
+ "Establish",
814
+ "Maintain",
815
+ "Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
989
816
  ],
990
817
  coreRequirements: [
991
- "data classification scheme",
992
- "sensitivity-based classification",
993
- "classification standards",
994
- "data labeling system"
818
+ "overall data classification scheme for the enterprise",
819
+ "classify their data according to those labels"
995
820
  ],
996
821
  subTaxonomicalElements: [
997
- "classification levels",
998
- "sensitivity criteria",
999
- "classification labels",
1000
- "handling requirements",
1001
- "protection levels",
1002
- "access requirements",
1003
- "classification workflows"
822
+ "Data classification scheme",
823
+ "Classify their data according to labels",
824
+ "Review and update classification scheme",
825
+ "Annually",
826
+ "When significant enterprise changes occur that could impact this Safeguard"
1004
827
  ],
1005
828
  implementationSuggestions: [
1006
- "data classification tools",
1007
- "automated labeling",
1008
- "classification policies",
1009
- "sensitivity scanners",
1010
- "classification workflows"
829
+ "Sensitive",
830
+ "Confidential",
831
+ "Public"
1011
832
  ],
1012
833
  relatedSafeguards: ["3.1", "3.2", "3.3", "3.8", "3.9", "3.10", "3.11", "3.12"],
1013
834
  keywords: ["establish", "maintain", "data", "classification", "scheme", "sensitivity", "labeling"]
@@ -1015,37 +836,29 @@ export class SafeguardManager {
1015
836
  "3.8": {
1016
837
  id: "3.8",
1017
838
  title: "Document Data Flows",
1018
- description: "Document data flows for sensitive data",
839
+ description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1019
840
  implementationGroup: "IG2",
1020
841
  assetType: ["data"],
1021
842
  securityFunction: ["Identify"],
1022
843
  governanceElements: [
1023
- "document data flows",
1024
- "sensitive data coverage",
1025
- "data flow documentation requirement",
1026
- "flow mapping governance"
844
+ "Document data flows",
845
+ "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
1027
846
  ],
1028
847
  coreRequirements: [
1029
- "data flow documentation",
1030
- "sensitive data flows",
1031
- "data movement tracking",
1032
- "flow visualization"
848
+ "Data flow documentation includes service provider data flows and should be based on the enterprise's data management process"
1033
849
  ],
1034
850
  subTaxonomicalElements: [
1035
- "data sources",
1036
- "data destinations",
1037
- "processing locations",
1038
- "data transformations",
1039
- "data transit paths",
1040
- "integration points",
1041
- "data boundaries"
851
+ "Document data flows",
852
+ "Enterprise Data Flows",
853
+ "Service Provider Data Flows",
854
+ "Review and update documentation",
855
+ "Annually",
856
+ "When significant enterprise changes occur that could impact this Safeguard"
1042
857
  ],
1043
858
  implementationSuggestions: [
1044
- "data lineage tools",
1045
- "flow mapping software",
1046
- "data discovery tools",
1047
- "process documentation",
1048
- "network flow analysis"
859
+ "Data management systems",
860
+ "Data flow mapping tools",
861
+ "Service provider documentation"
1049
862
  ],
1050
863
  relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
1051
864
  keywords: ["document", "data", "flows", "sensitive", "mapping", "tracking", "lineage"]
@@ -1053,37 +866,20 @@ export class SafeguardManager {
1053
866
  "3.9": {
1054
867
  id: "3.9",
1055
868
  title: "Encrypt Data on Removable Media",
1056
- description: "Encrypt data on removable media",
869
+ description: "Encrypt Data on Removable Media",
1057
870
  implementationGroup: "IG2",
1058
871
  assetType: ["data"],
1059
872
  securityFunction: ["Protect"],
1060
873
  governanceElements: [
1061
- "encrypt data requirement",
1062
- "removable media coverage",
1063
- "encryption policy enforcement",
1064
- "removable media governance"
874
+ "Encrypt Data on Removable Media"
1065
875
  ],
1066
- coreRequirements: [
1067
- "data encryption",
1068
- "removable media",
1069
- "portable storage protection",
1070
- "encryption implementation"
876
+ coreRequirements: [ // Green - The "what"
1071
877
  ],
1072
878
  subTaxonomicalElements: [
1073
- "USB drives",
1074
- "external hard drives",
1075
- "optical media",
1076
- "memory cards",
1077
- "encryption methods",
1078
- "key management",
1079
- "access controls"
879
+ "Data on Removable Media",
880
+ "Maintain"
1080
881
  ],
1081
- implementationSuggestions: [
1082
- "encrypted USB drives",
1083
- "device encryption tools",
1084
- "removable media controls",
1085
- "encryption management",
1086
- "key escrow systems"
882
+ implementationSuggestions: [ // Gray - Implementation suggestions
1087
883
  ],
1088
884
  relatedSafeguards: ["3.1", "3.6", "3.7", "3.10", "3.11"],
1089
885
  keywords: ["encrypt", "data", "removable", "media", "portable", "storage", "USB"]
@@ -1091,37 +887,22 @@ export class SafeguardManager {
1091
887
  "3.10": {
1092
888
  id: "3.10",
1093
889
  title: "Encrypt Sensitive Data in Transit",
1094
- description: "Encrypt sensitive data in transit",
890
+ description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
1095
891
  implementationGroup: "IG2",
1096
892
  assetType: ["data"],
1097
893
  securityFunction: ["Protect"],
1098
894
  governanceElements: [
1099
- "encrypt sensitive data",
1100
- "in transit requirement",
1101
- "transmission encryption policy",
1102
- "transit encryption governance"
895
+ "Encrypt"
1103
896
  ],
1104
897
  coreRequirements: [
1105
- "sensitive data encryption",
1106
- "data in transit",
1107
- "transmission protection",
1108
- "communication security"
898
+ "sensitive data in transit"
1109
899
  ],
1110
900
  subTaxonomicalElements: [
1111
- "network protocols",
1112
- "encryption protocols",
1113
- "TLS/SSL implementation",
1114
- "VPN tunneling",
1115
- "secure communication channels",
1116
- "certificate management",
1117
- "key exchange"
901
+ "Sensitive data in transit"
1118
902
  ],
1119
903
  implementationSuggestions: [
1120
- "TLS encryption",
1121
- "VPN solutions",
1122
- "secure email gateways",
1123
- "encrypted file transfer",
1124
- "secure messaging systems"
904
+ "TLS",
905
+ "OpenSSH"
1125
906
  ],
1126
907
  relatedSafeguards: ["3.1", "3.7", "3.8", "3.11", "13.1", "13.2"],
1127
908
  keywords: ["encrypt", "sensitive", "data", "transit", "transmission", "TLS", "communication"]
@@ -1129,75 +910,53 @@ export class SafeguardManager {
1129
910
  "3.11": {
1130
911
  id: "3.11",
1131
912
  title: "Encrypt Sensitive Data at Rest",
1132
- description: "Encrypt sensitive data at rest",
913
+ description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
1133
914
  implementationGroup: "IG2",
1134
915
  assetType: ["data"],
1135
916
  securityFunction: ["Protect"],
1136
917
  governanceElements: [
1137
- "encrypt sensitive data",
1138
- "at rest requirement",
1139
- "storage encryption policy",
1140
- "rest encryption governance"
918
+ "Encrypt",
919
+ "meets the minimum requirement of this Safeguard"
1141
920
  ],
1142
921
  coreRequirements: [
1143
- "sensitive data encryption",
1144
- "data at rest",
1145
- "storage protection",
1146
- "persistent data security"
922
+ "sensitive data at rest on servers, applications, and databases",
923
+ "Storage-layer encryption, also known as server-side encryption"
1147
924
  ],
1148
925
  subTaxonomicalElements: [
1149
- "database encryption",
1150
- "file system encryption",
1151
- "application-level encryption",
1152
- "cloud storage encryption",
1153
- "backup encryption",
1154
- "key management systems",
1155
- "encryption algorithms"
926
+ "Encrypt Sensitive Data At Rest",
927
+ "Servers",
928
+ "Applications",
929
+ "Databases",
930
+ "Storage Layer (server side) encryption",
931
+ "Minimum Requirement"
1156
932
  ],
1157
933
  implementationSuggestions: [
1158
- "transparent data encryption",
1159
- "column-level encryption",
1160
- "file-level encryption",
1161
- "key management services",
1162
- "hardware security modules"
934
+ "Application layer (client-side) encryption",
935
+ "Where access to the data storage device(s) does not permit access to the plain-text data"
1163
936
  ],
1164
937
  relatedSafeguards: ["3.1", "3.6", "3.7", "3.9", "3.10", "11.1"],
1165
938
  keywords: ["encrypt", "sensitive", "data", "rest", "storage", "database", "persistent"]
1166
939
  },
1167
940
  "3.12": {
1168
941
  id: "3.12",
1169
- title: "Segment Data Processing and Storage Based on Classification",
1170
- description: "Segment data processing and storage based on the classification of the data",
1171
- implementationGroup: "IG3",
942
+ title: "Segment Data Processing and Storage Based on Sensitivity",
943
+ description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
944
+ implementationGroup: "IG2",
1172
945
  assetType: ["data"],
1173
946
  securityFunction: ["Protect"],
1174
947
  governanceElements: [
1175
- "segment data processing",
1176
- "segment data storage",
1177
- "based on classification",
1178
- "segmentation governance"
948
+ "Segment data processing and storage based on the sensitivity of the data",
949
+ "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
1179
950
  ],
1180
- coreRequirements: [
1181
- "data segmentation",
1182
- "processing segregation",
1183
- "storage segregation",
1184
- "classification-based separation"
951
+ coreRequirements: [ // Green - The "what"
1185
952
  ],
1186
953
  subTaxonomicalElements: [
1187
- "network segmentation",
1188
- "logical separation",
1189
- "physical separation",
1190
- "processing environments",
1191
- "storage zones",
1192
- "access boundaries",
1193
- "isolation controls"
954
+ "Based on the sensitivity of data",
955
+ "Segment data processing (compute)",
956
+ "Segment Storage",
957
+ "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
1194
958
  ],
1195
- implementationSuggestions: [
1196
- "network segmentation tools",
1197
- "virtualization platforms",
1198
- "container isolation",
1199
- "zone-based architecture",
1200
- "micro-segmentation"
959
+ implementationSuggestions: [ // Gray - Implementation suggestions
1201
960
  ],
1202
961
  relatedSafeguards: ["3.1", "3.7", "12.1", "12.2", "12.3"],
1203
962
  keywords: ["segment", "data", "processing", "storage", "classification", "separation", "isolation"]
@@ -1205,37 +964,29 @@ export class SafeguardManager {
1205
964
  "3.13": {
1206
965
  id: "3.13",
1207
966
  title: "Deploy a Data Loss Prevention Solution",
1208
- description: "Deploy a data loss prevention solution on assets containing sensitive data",
967
+ description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
1209
968
  implementationGroup: "IG3",
1210
969
  assetType: ["data"],
1211
970
  securityFunction: ["Protect"],
1212
971
  governanceElements: [
1213
- "deploy DLP solution",
1214
- "assets containing sensitive data",
1215
- "data loss prevention requirement",
1216
- "DLP governance"
972
+ "Implement",
973
+ "Update Data Inventory"
1217
974
  ],
1218
975
  coreRequirements: [
1219
- "data loss prevention solution",
1220
- "sensitive data assets",
1221
- "data leakage prevention",
1222
- "data exfiltration controls"
976
+ "automated tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider"
1223
977
  ],
1224
978
  subTaxonomicalElements: [
1225
- "endpoint DLP",
1226
- "network DLP",
1227
- "email DLP",
1228
- "web DLP",
1229
- "cloud DLP",
1230
- "content inspection",
1231
- "policy enforcement"
979
+ "Automated DLP Tool",
980
+ "Identify all sensitive Data",
981
+ "Stored",
982
+ "Processed",
983
+ "Transmitted",
984
+ "Onsite Data",
985
+ "Remote Service Provider",
986
+ "Update Data Inventory"
1232
987
  ],
1233
988
  implementationSuggestions: [
1234
- "DLP platforms",
1235
- "content analysis engines",
1236
- "policy management systems",
1237
- "incident response integration",
1238
- "monitoring and alerting"
989
+ "Host-based Data loss Prevention (DLP) tool"
1239
990
  ],
1240
991
  relatedSafeguards: ["3.1", "3.7", "3.8", "3.10", "3.11"],
1241
992
  keywords: ["deploy", "data", "loss", "prevention", "solution", "sensitive", "DLP"]
@@ -1243,37 +994,23 @@ export class SafeguardManager {
1243
994
  "3.14": {
1244
995
  id: "3.14",
1245
996
  title: "Log Sensitive Data Access",
1246
- description: "Log sensitive data access, including modification and disposal",
997
+ description: "Log sensitive data access, including modification and disposal.",
1247
998
  implementationGroup: "IG3",
1248
999
  assetType: ["data"],
1249
1000
  securityFunction: ["Detect"],
1250
1001
  governanceElements: [
1251
- "log sensitive data access",
1252
- "including modification disposal",
1253
- "data access logging requirement",
1254
- "access monitoring governance"
1002
+ "Log"
1255
1003
  ],
1256
1004
  coreRequirements: [
1257
- "sensitive data access logging",
1258
- "modification logging",
1259
- "disposal logging",
1260
- "comprehensive access tracking"
1005
+ "sensitive data access, including modification and disposal"
1261
1006
  ],
1262
1007
  subTaxonomicalElements: [
1263
- "access events",
1264
- "user identification",
1265
- "timestamp recording",
1266
- "operation type logging",
1267
- "data identification",
1268
- "source system logging",
1269
- "audit trail maintenance"
1008
+ "Sensitive Data access",
1009
+ "Access",
1010
+ "Modification",
1011
+ "Disposal"
1270
1012
  ],
1271
- implementationSuggestions: [
1272
- "database audit logs",
1273
- "file access monitoring",
1274
- "SIEM integration",
1275
- "log management platforms",
1276
- "activity monitoring tools"
1013
+ implementationSuggestions: [ // Gray - Implementation suggestions
1277
1014
  ],
1278
1015
  relatedSafeguards: ["3.1", "3.7", "3.8", "8.1", "8.2"],
1279
1016
  keywords: ["log", "sensitive", "data", "access", "modification", "disposal", "audit"]
@@ -1281,914 +1018,733 @@ export class SafeguardManager {
1281
1018
  "4.1": {
1282
1019
  id: "4.1",
1283
1020
  title: "Establish and Maintain a Secure Configuration Process",
1284
- description: "Establish and maintain a secure configuration process for enterprise assets and software",
1021
+ description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1285
1022
  implementationGroup: "IG1",
1286
- assetType: ["devices", "applications"],
1023
+ assetType: ["end-user devices", "network devices", "IoT devices", "servers", "applications"],
1287
1024
  securityFunction: ["Govern"],
1288
1025
  governanceElements: [
1289
- "establish secure configuration process",
1290
- "maintain secure configuration process",
1291
- "enterprise assets and software coverage",
1292
- "configuration management governance"
1026
+ "Establish",
1027
+ "Maintain",
1028
+ "Documented Secure Configuration Process",
1029
+ "Review and update documentation",
1030
+ "Annually",
1031
+ "When significant enterprise changes occur that could impact this Safeguard"
1293
1032
  ],
1294
1033
  coreRequirements: [
1295
- "secure configuration process",
1296
- "configuration management framework",
1297
- "standardized configuration procedures",
1298
- "configuration lifecycle management"
1034
+ "documented secure configuration process for enterprise assets",
1035
+ "documented secure configuration process for software"
1299
1036
  ],
1300
1037
  subTaxonomicalElements: [
1301
- "configuration standards",
1302
- "baseline configurations",
1303
- "configuration templates",
1304
- "hardening procedures",
1305
- "configuration validation",
1306
- "change management integration",
1307
- "compliance checking"
1038
+ "Enterprise assets",
1039
+ "Software",
1040
+ "End-user devices",
1041
+ "Mobile",
1042
+ "Portable",
1043
+ "Non-computing/IoT devices",
1044
+ "Servers",
1045
+ "OS",
1046
+ "Applications"
1308
1047
  ],
1309
1048
  implementationSuggestions: [
1310
- "configuration management tools",
1311
- "policy management platforms",
1312
- "automated configuration systems",
1313
- "compliance scanning tools",
1314
- "baseline management systems"
1049
+ "Secure Configuration Policy / Process",
1050
+ "Configuration Management Tool"
1315
1051
  ],
1316
1052
  relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
1317
- keywords: ["establish", "maintain", "secure", "configuration", "process", "enterprise", "assets", "software"]
1053
+ keywords: ["establish", "maintain", "documented", "secure", "configuration", "process", "enterprise", "assets", "software", "review", "update"]
1318
1054
  },
1319
1055
  "4.2": {
1320
1056
  id: "4.2",
1321
1057
  title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
1322
- description: "Establish and maintain a secure configuration process for network infrastructure",
1058
+ description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1323
1059
  implementationGroup: "IG1",
1324
- assetType: ["network"],
1060
+ assetType: ["network devices"],
1325
1061
  securityFunction: ["Govern"],
1326
1062
  governanceElements: [
1327
- "establish network configuration process",
1328
- "maintain network configuration process",
1329
- "network infrastructure coverage",
1330
- "network security governance"
1063
+ "Establish",
1064
+ "Maintain",
1065
+ "Documented Secure Network Configuration Process",
1066
+ "Review and update documentation",
1067
+ "Annually",
1068
+ "When significant enterprise changes occur that could impact this Safeguard"
1331
1069
  ],
1332
1070
  coreRequirements: [
1333
- "secure network configuration process",
1334
- "network infrastructure management",
1335
- "network security standards",
1336
- "network configuration lifecycle"
1071
+ "documented secure configuration process for network devices"
1337
1072
  ],
1338
1073
  subTaxonomicalElements: [
1339
- "network device configurations",
1340
- "routing configurations",
1341
- "switching configurations",
1342
- "firewall configurations",
1343
- "wireless configurations",
1344
- "network segmentation",
1345
- "access control configurations"
1074
+ "Network devices"
1346
1075
  ],
1347
1076
  implementationSuggestions: [
1348
- "network configuration tools",
1349
- "network automation platforms",
1350
- "configuration templates",
1351
- "network compliance scanners",
1352
- "infrastructure as code"
1077
+ "Secure Configuration Policy / Process",
1078
+ "Configuration Management Tool"
1353
1079
  ],
1354
- relatedSafeguards: ["1.1", "4.1", "4.3", "4.4", "4.5", "12.1", "12.2"],
1355
- keywords: ["establish", "maintain", "secure", "configuration", "network", "infrastructure", "process"]
1080
+ relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
1081
+ keywords: ["establish", "maintain", "documented", "secure", "configuration", "network", "infrastructure", "process", "devices"]
1356
1082
  },
1357
1083
  "4.3": {
1358
1084
  id: "4.3",
1359
1085
  title: "Configure Automatic Session Locking on Enterprise Assets",
1360
- description: "Configure automatic session locking on enterprise assets after a defined period of inactivity",
1086
+ description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
1361
1087
  implementationGroup: "IG1",
1362
1088
  assetType: ["devices"],
1363
1089
  securityFunction: ["Protect"],
1364
1090
  governanceElements: [
1365
- "configure automatic session locking",
1366
- "enterprise assets coverage",
1367
- "defined period requirement",
1368
- "session security policy"
1091
+ "Configure",
1092
+ "Period must not exceed for 15 Minutes",
1093
+ "Period must not exceed for 2 Minutes"
1369
1094
  ],
1370
1095
  coreRequirements: [
1371
- "automatic session locking",
1372
- "defined inactivity period",
1373
- "session timeout enforcement",
1374
- "unauthorized access prevention"
1096
+ "automatic session locking on enterprise assets after a defined period of inactivity",
1097
+ "general purpose operating systems",
1098
+ "mobile end-user devices"
1375
1099
  ],
1376
1100
  subTaxonomicalElements: [
1377
- "timeout configurations",
1378
- "screen saver activation",
1379
- "workstation locking",
1380
- "mobile device locking",
1381
- "server console locking",
1382
- "application session timeouts",
1383
- "idle session detection"
1101
+ "Automatic Session Locking",
1102
+ "Period of inactivity",
1103
+ "General Purpose OSs",
1104
+ "Mobile end-user devices"
1384
1105
  ],
1385
1106
  implementationSuggestions: [
1386
- "group policy settings",
1387
- "mobile device management",
1388
- "screen saver configurations",
1389
- "application timeout settings",
1390
- "automated locking mechanisms"
1107
+ "Configuration Management Tool"
1391
1108
  ],
1392
- relatedSafeguards: ["1.1", "4.1", "4.2", "5.1", "6.1"],
1393
- keywords: ["configure", "automatic", "session", "locking", "enterprise", "assets", "inactivity", "timeout"]
1109
+ relatedSafeguards: ["4.1"],
1110
+ keywords: ["configure", "automatic", "session", "locking", "enterprise", "assets", "inactivity", "period", "minutes", "mobile", "operating", "systems"]
1394
1111
  },
1395
1112
  "4.4": {
1396
1113
  id: "4.4",
1397
1114
  title: "Implement and Manage a Firewall on Servers",
1398
- description: "Implement and manage a firewall on servers",
1115
+ description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
1399
1116
  implementationGroup: "IG1",
1400
1117
  assetType: ["devices"],
1401
1118
  securityFunction: ["Protect"],
1402
1119
  governanceElements: [
1403
- "implement firewall on servers",
1404
- "manage firewall on servers",
1405
- "server protection requirement",
1406
- "firewall management governance"
1120
+ "Implement",
1121
+ "Manage",
1122
+ "Where Supported"
1407
1123
  ],
1408
1124
  coreRequirements: [
1409
- "firewall implementation",
1410
- "firewall management",
1411
- "server protection",
1412
- "network traffic filtering"
1125
+ "firewall on servers"
1413
1126
  ],
1414
1127
  subTaxonomicalElements: [
1415
- "firewall rules configuration",
1416
- "port access control",
1417
- "protocol filtering",
1418
- "traffic monitoring",
1419
- "rule optimization",
1420
- "logging configuration",
1421
- "exception management"
1128
+ "Server Firewall"
1422
1129
  ],
1423
1130
  implementationSuggestions: [
1424
- "host-based firewalls",
1425
- "operating system firewalls",
1426
- "third-party firewall software",
1427
- "firewall management tools",
1428
- "centralized rule management"
1131
+ "Virtual Firewall",
1132
+ "OS Firewall",
1133
+ "Third Party Firewall",
1134
+ "Firewall",
1135
+ "Configuration Management Tool"
1429
1136
  ],
1430
- relatedSafeguards: ["1.1", "4.1", "4.2", "4.5", "12.1", "13.1"],
1431
- keywords: ["implement", "manage", "firewall", "servers", "protection", "filtering", "rules"]
1137
+ relatedSafeguards: ["4.1"],
1138
+ keywords: ["implement", "manage", "firewall", "servers", "virtual", "operating", "system", "third-party", "agent"]
1432
1139
  },
1433
1140
  "4.5": {
1434
1141
  id: "4.5",
1435
1142
  title: "Implement and Manage a Firewall on End-User Devices",
1436
- description: "Implement and manage a firewall on end-user devices",
1143
+ description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
1437
1144
  implementationGroup: "IG1",
1438
1145
  assetType: ["devices"],
1439
1146
  securityFunction: ["Protect"],
1440
1147
  governanceElements: [
1441
- "implement firewall on end-user devices",
1442
- "manage firewall on end-user devices",
1443
- "end-user device protection",
1444
- "firewall policy enforcement"
1148
+ "Implement",
1149
+ "Manage",
1150
+ "Default deny rule that drops all traffic",
1151
+ "Except Explicitly Allowed"
1445
1152
  ],
1446
1153
  coreRequirements: [
1447
- "firewall implementation",
1448
- "firewall management",
1449
- "end-user device protection",
1450
- "personal firewall deployment"
1154
+ "host-based firewall or port-filtering tool on end-user devices"
1451
1155
  ],
1452
1156
  subTaxonomicalElements: [
1453
- "desktop firewall configuration",
1454
- "laptop firewall configuration",
1455
- "mobile device firewall",
1456
- "application-based rules",
1457
- "network profile management",
1458
- "exception handling",
1459
- "centralized management"
1157
+ "Host-based Firewall",
1158
+ "Port Filtering Tool",
1159
+ "End User Devices",
1160
+ "Services",
1161
+ "Ports"
1460
1162
  ],
1461
1163
  implementationSuggestions: [
1462
- "Windows Defender Firewall",
1463
- "macOS firewall",
1464
- "third-party endpoint firewalls",
1465
- "mobile device management",
1466
- "centralized firewall management"
1164
+ "Firewall",
1165
+ "Configuration Management Tool"
1467
1166
  ],
1468
- relatedSafeguards: ["1.1", "4.1", "4.2", "4.4", "5.1"],
1469
- keywords: ["implement", "manage", "firewall", "end-user", "devices", "personal", "protection"]
1167
+ relatedSafeguards: ["4.1"],
1168
+ keywords: ["implement", "manage", "host-based", "firewall", "port-filtering", "end-user", "devices", "default-deny", "explicitly", "allowed"]
1470
1169
  },
1471
1170
  "4.6": {
1472
1171
  id: "4.6",
1473
1172
  title: "Securely Manage Enterprise Assets and Software",
1474
- description: "Securely manage enterprise assets and software",
1475
- implementationGroup: "IG2",
1173
+ description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
1174
+ implementationGroup: "IG1",
1476
1175
  assetType: ["devices", "applications"],
1477
1176
  securityFunction: ["Protect"],
1478
1177
  governanceElements: [
1479
- "securely manage enterprise assets",
1480
- "securely manage software",
1481
- "secure management practices",
1482
- "asset and software governance"
1178
+ "Do not use insecure management protocols",
1179
+ "Unless operationally essential"
1483
1180
  ],
1484
1181
  coreRequirements: [
1485
- "secure asset management",
1486
- "secure software management",
1487
- "management security controls",
1488
- "administrative access protection"
1182
+ "Securely manage enterprise assets and software"
1489
1183
  ],
1490
1184
  subTaxonomicalElements: [
1491
- "administrative access controls",
1492
- "privileged account management",
1493
- "secure remote management",
1494
- "management interface protection",
1495
- "configuration change controls",
1496
- "management tool security",
1497
- "secure maintenance procedures"
1185
+ "Securely manage enterprise assets and software"
1498
1186
  ],
1499
1187
  implementationSuggestions: [
1500
- "privileged access management",
1501
- "secure remote access tools",
1502
- "configuration management systems",
1503
- "change management platforms",
1504
- "secure administration protocols"
1188
+ "Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
1189
+ "Accessing administrative interfaces over secure network protocols",
1190
+ "SSH",
1191
+ "HTTPS",
1192
+ "Telnet (Teletype Network)",
1193
+ "HTTP",
1194
+ "Configuration Management Tool"
1505
1195
  ],
1506
- relatedSafeguards: ["1.1", "2.1", "4.1", "4.7", "5.1", "5.4"],
1507
- keywords: ["securely", "manage", "enterprise", "assets", "software", "administrative", "privileged"]
1196
+ relatedSafeguards: ["4.1", "12.3"],
1197
+ keywords: ["securely", "manage", "enterprise", "assets", "software", "infrastructure-as-code", "administrative", "interfaces", "SSH", "HTTPS", "protocols"]
1508
1198
  },
1509
1199
  "4.7": {
1510
1200
  id: "4.7",
1511
1201
  title: "Manage Default Accounts on Enterprise Assets and Software",
1512
- description: "Manage default accounts on enterprise assets and software",
1513
- implementationGroup: "IG2",
1514
- assetType: ["devices", "applications"],
1202
+ description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
1203
+ implementationGroup: "IG1",
1204
+ assetType: ["devices", "applications", "users"],
1515
1205
  securityFunction: ["Protect"],
1516
1206
  governanceElements: [
1517
- "manage default accounts",
1518
- "enterprise assets coverage",
1519
- "software coverage",
1520
- "default account governance"
1207
+ "Manage"
1521
1208
  ],
1522
1209
  coreRequirements: [
1523
- "default account management",
1524
- "account security controls",
1525
- "default credential elimination",
1526
- "account hardening"
1210
+ "default accounts on enterprise assets and software"
1527
1211
  ],
1528
1212
  subTaxonomicalElements: [
1529
- "default password changes",
1530
- "default account disabling",
1531
- "vendor default credentials",
1532
- "system account management",
1533
- "service account management",
1534
- "account enumeration prevention",
1535
- "credential strength requirements"
1213
+ "Default accounts",
1214
+ "Enterprise assets",
1215
+ "Software",
1216
+ "Root",
1217
+ "Administrator",
1218
+ "Other pre-configured vendor accounts"
1536
1219
  ],
1537
1220
  implementationSuggestions: [
1538
- "credential management tools",
1539
- "account discovery scanners",
1540
- "password management systems",
1541
- "automated account hardening",
1542
- "vulnerability scanners"
1221
+ "Disabling",
1222
+ "Unusable",
1223
+ "Configuration Management Tool"
1543
1224
  ],
1544
- relatedSafeguards: ["1.1", "2.1", "4.1", "4.6", "5.1", "5.2", "5.3"],
1545
- keywords: ["manage", "default", "accounts", "enterprise", "assets", "software", "credentials", "passwords"]
1225
+ relatedSafeguards: ["4.1"],
1226
+ keywords: ["manage", "default", "accounts", "enterprise", "assets", "software", "root", "administrator", "pre-configured", "vendor", "disabling", "unusable"]
1546
1227
  },
1547
1228
  "4.8": {
1548
1229
  id: "4.8",
1549
1230
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
1550
- description: "Uninstall or disable unnecessary services on enterprise assets and software",
1231
+ description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
1551
1232
  implementationGroup: "IG2",
1552
1233
  assetType: ["devices", "applications"],
1553
1234
  securityFunction: ["Protect"],
1554
1235
  governanceElements: [
1555
- "uninstall unnecessary services",
1556
- "disable unnecessary services",
1557
- "enterprise assets coverage",
1558
- "service minimization governance"
1236
+ "Uninstall",
1237
+ "Disable"
1559
1238
  ],
1560
1239
  coreRequirements: [
1561
- "unnecessary service removal",
1562
- "service disabling",
1563
- "attack surface reduction",
1564
- "minimal service deployment"
1240
+ "unnecessary services on enterprise assets and software"
1565
1241
  ],
1566
1242
  subTaxonomicalElements: [
1567
- "service inventory",
1568
- "service necessity assessment",
1569
- "running services analysis",
1570
- "port closure requirements",
1571
- "daemon management",
1572
- "startup service control",
1573
- "service hardening"
1243
+ "Unnecessary Services",
1244
+ "Enterprise assets",
1245
+ "Software",
1246
+ "Unused file sharing service",
1247
+ "Web application module",
1248
+ "Service function"
1574
1249
  ],
1575
1250
  implementationSuggestions: [
1576
- "service management tools",
1577
- "port scanning tools",
1578
- "configuration baselines",
1579
- "system hardening guides",
1580
- "automated service management"
1251
+ "Configuration Management Tool"
1581
1252
  ],
1582
- relatedSafeguards: ["1.1", "2.1", "4.1", "4.9", "4.10"],
1583
- keywords: ["uninstall", "disable", "unnecessary", "services", "enterprise", "assets", "minimization", "hardening"]
1253
+ relatedSafeguards: ["4.1"],
1254
+ keywords: ["uninstall", "disable", "unnecessary", "services", "enterprise", "assets", "software", "unused", "file", "sharing", "web", "application", "module", "function"]
1584
1255
  },
1585
1256
  "4.9": {
1586
1257
  id: "4.9",
1587
1258
  title: "Configure Trusted DNS Servers on Enterprise Assets",
1588
- description: "Configure trusted DNS servers on enterprise assets",
1259
+ description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
1589
1260
  implementationGroup: "IG2",
1590
1261
  assetType: ["devices"],
1591
1262
  securityFunction: ["Protect"],
1592
1263
  governanceElements: [
1593
- "configure trusted DNS servers",
1594
- "enterprise assets coverage",
1595
- "DNS security requirement",
1596
- "trusted DNS governance"
1264
+ "Configure"
1597
1265
  ],
1598
1266
  coreRequirements: [
1599
- "trusted DNS server configuration",
1600
- "DNS security controls",
1601
- "secure name resolution",
1602
- "DNS poisoning prevention"
1267
+ "trusted DNS servers on enterprise assets"
1603
1268
  ],
1604
1269
  subTaxonomicalElements: [
1605
- "DNS server selection",
1606
- "DNS filtering implementation",
1607
- "malicious domain blocking",
1608
- "DNS over HTTPS configuration",
1609
- "DNS over TLS configuration",
1610
- "internal DNS management",
1611
- "DNS monitoring"
1270
+ "Trusted DNS Servers",
1271
+ "Enterprise assets"
1612
1272
  ],
1613
1273
  implementationSuggestions: [
1614
- "secure DNS services",
1615
- "DNS filtering solutions",
1616
- "internal DNS servers",
1617
- "DNS security tools",
1618
- "network-level DNS controls"
1274
+ "Configuring assets to use enterprise-controlled DNS servers",
1275
+ "Reputable externally accessible DNS servers",
1276
+ "Configuration Management Tool"
1619
1277
  ],
1620
- relatedSafeguards: ["1.1", "4.1", "4.2", "4.8", "13.1"],
1621
- keywords: ["configure", "trusted", "DNS", "servers", "enterprise", "assets", "secure", "resolution"]
1278
+ relatedSafeguards: ["4.1", "8.6", "9.2"],
1279
+ keywords: ["configure", "trusted", "DNS", "servers", "enterprise", "assets", "enterprise-controlled", "reputable", "externally", "accessible"]
1622
1280
  },
1623
1281
  "4.10": {
1624
1282
  id: "4.10",
1625
1283
  title: "Enforce Automatic Device Lockout on Portable End-User Devices",
1626
- description: "Enforce automatic device lockout on portable end-user devices",
1284
+ description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
1627
1285
  implementationGroup: "IG2",
1628
1286
  assetType: ["devices"],
1629
1287
  securityFunction: ["Protect"],
1630
1288
  governanceElements: [
1631
- "enforce automatic device lockout",
1632
- "portable end-user devices",
1633
- "lockout policy enforcement",
1634
- "device security governance"
1289
+ "Enforce",
1290
+ "Where supported",
1291
+ "Do not allow more than 20 Failed Authentication Attempts",
1292
+ "No more than 10 Failed Authentication Attempts"
1635
1293
  ],
1636
1294
  coreRequirements: [
1637
- "automatic device lockout",
1638
- "portable device protection",
1639
- "unauthorized access prevention",
1640
- "device lock enforcement"
1295
+ "automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices"
1641
1296
  ],
1642
1297
  subTaxonomicalElements: [
1643
- "mobile device lockout",
1644
- "laptop lockout policies",
1645
- "tablet lockout configuration",
1646
- "biometric lockout options",
1647
- "PIN/password lockout",
1648
- "failed attempt thresholds",
1649
- "lockout duration settings"
1298
+ "Automatic Device Lockout",
1299
+ "Predetermined threshold of local failed authentication attempts",
1300
+ "Portable end-user devices",
1301
+ "Laptops",
1302
+ "Tablets and smartphones"
1650
1303
  ],
1651
1304
  implementationSuggestions: [
1652
- "mobile device management",
1653
- "device policy enforcement",
1654
- "biometric authentication",
1655
- "automated lockout systems",
1656
- "device compliance tools"
1305
+ "Microsoft® InTune Device Lock",
1306
+ "Apple® Configuration Profile maxFailedAttempts",
1307
+ "Configuration Management Tool"
1657
1308
  ],
1658
- relatedSafeguards: ["1.1", "4.3", "4.5", "5.1", "6.1"],
1659
- keywords: ["enforce", "automatic", "device", "lockout", "portable", "end-user", "devices", "mobile"]
1309
+ relatedSafeguards: ["4.1"],
1310
+ keywords: ["enforce", "automatic", "device", "lockout", "portable", "end-user", "devices", "failed", "authentication", "attempts", "laptops", "tablets", "smartphones", "InTune", "Apple"]
1660
1311
  },
1661
1312
  "4.11": {
1662
1313
  id: "4.11",
1663
1314
  title: "Enforce Remote Wipe Capability on Portable End-User Devices",
1664
- description: "Enforce remote wipe capability on portable end-user devices",
1315
+ description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
1665
1316
  implementationGroup: "IG2",
1666
1317
  assetType: ["devices"],
1667
1318
  securityFunction: ["Protect"],
1668
1319
  governanceElements: [
1669
- "enforce remote wipe capability",
1670
- "portable end-user devices",
1671
- "remote wipe governance",
1672
- "device data protection policy"
1320
+ "When deemed appropriate"
1673
1321
  ],
1674
1322
  coreRequirements: [
1675
- "remote wipe capability",
1676
- "portable device data protection",
1677
- "emergency data removal",
1678
- "lost device security"
1323
+ "Remotely wipe enterprise data from enterprise-owned portable end-user devices"
1679
1324
  ],
1680
1325
  subTaxonomicalElements: [
1681
- "mobile device wipe",
1682
- "laptop remote wipe",
1683
- "tablet data removal",
1684
- "selective wipe capabilities",
1685
- "full device wipe options",
1686
- "wipe trigger mechanisms",
1687
- "wipe verification"
1326
+ "Remotely Wipe enterprise data",
1327
+ "Portable end-user devices",
1328
+ "Lost devices",
1329
+ "Stolen devices",
1330
+ "When an individual no longer supports the enterprise"
1688
1331
  ],
1689
1332
  implementationSuggestions: [
1690
- "mobile device management",
1691
- "remote wipe solutions",
1692
- "cloud-based device management",
1693
- "enterprise mobility management",
1694
- "device tracking systems"
1333
+ "Configuration Management Tool"
1695
1334
  ],
1696
- relatedSafeguards: ["1.1", "3.5", "4.10", "5.1"],
1697
- keywords: ["enforce", "remote", "wipe", "capability", "portable", "end-user", "devices", "data", "removal"]
1335
+ relatedSafeguards: ["4.1"],
1336
+ keywords: ["remotely", "wipe", "enterprise", "data", "enterprise-owned", "portable", "end-user", "devices", "lost", "stolen", "individual", "no", "longer", "supports"]
1698
1337
  },
1699
1338
  "4.12": {
1700
1339
  id: "4.12",
1701
- title: "Separate Enterprise Workloads from Untrusted Networks",
1702
- description: "Separate enterprise workloads from untrusted networks",
1340
+ title: "Separate Enterprise Workspaces on Mobile End-User Devices",
1341
+ description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
1703
1342
  implementationGroup: "IG3",
1704
- assetType: ["network"],
1343
+ assetType: ["devices", "data"],
1705
1344
  securityFunction: ["Protect"],
1706
1345
  governanceElements: [
1707
- "separate enterprise workloads",
1708
- "from untrusted networks",
1709
- "network separation requirement",
1710
- "workload isolation governance"
1346
+ "Ensure",
1347
+ "Where Supported"
1711
1348
  ],
1712
1349
  coreRequirements: [
1713
- "enterprise workload separation",
1714
- "untrusted network isolation",
1715
- "network boundary controls",
1716
- "secure network architecture"
1350
+ "separate enterprise workspaces are used on mobile end-user devices"
1717
1351
  ],
1718
1352
  subTaxonomicalElements: [
1719
- "network segmentation",
1720
- "VLAN separation",
1721
- "subnet isolation",
1722
- "firewall boundaries",
1723
- "DMZ implementation",
1724
- "air gap controls",
1725
- "network access controls"
1353
+ "Separate enterprise workspaces",
1354
+ "On Mobile Devices",
1355
+ "Enterprise Applications",
1356
+ "Enterprise Data",
1357
+ "Personal Applications",
1358
+ "Personal Data"
1726
1359
  ],
1727
1360
  implementationSuggestions: [
1728
- "network segmentation tools",
1729
- "VLAN management systems",
1730
- "next-generation firewalls",
1731
- "network access control systems",
1732
- "micro-segmentation platforms"
1361
+ "Apple® Configuration Profile",
1362
+ "AndroidTM Work Profile",
1363
+ "Configuration Management Tool"
1733
1364
  ],
1734
- relatedSafeguards: ["4.1", "4.2", "4.4", "12.1", "12.2", "12.3"],
1735
- keywords: ["separate", "enterprise", "workloads", "untrusted", "networks", "isolation", "segmentation"]
1365
+ relatedSafeguards: ["4.1"],
1366
+ keywords: ["separate", "enterprise", "workspaces", "mobile", "end-user", "devices", "Apple", "Configuration", "Profile", "Android", "Work", "Profile", "applications", "data", "personal"]
1736
1367
  },
1737
1368
  "5.2": {
1738
1369
  id: "5.2",
1739
1370
  title: "Use Unique Passwords",
1740
- description: "Use unique passwords for all enterprise assets",
1371
+ description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
1741
1372
  implementationGroup: "IG1",
1742
1373
  assetType: ["users"],
1743
1374
  securityFunction: ["Protect"],
1744
1375
  governanceElements: [
1745
- "use unique passwords",
1746
- "all enterprise assets",
1747
- "password uniqueness requirement",
1748
- "password governance policy"
1376
+ "Use unique passwords for all enterprise assets",
1377
+ "Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
1749
1378
  ],
1750
1379
  coreRequirements: [
1751
- "unique passwords",
1752
- "password uniqueness enforcement",
1753
- "no password reuse",
1754
- "distinct credentials"
1380
+ "Unique Passwords"
1755
1381
  ],
1756
1382
  subTaxonomicalElements: [
1757
- "password complexity requirements",
1758
- "password history tracking",
1759
- "password reuse prevention",
1760
- "account-specific passwords",
1761
- "service account passwords",
1762
- "system account passwords",
1763
- "password strength validation"
1383
+ "Use",
1384
+ "At a minimum",
1385
+ "All Enterprise Assets",
1386
+ "8-character password for accounts using MFA",
1387
+ "14-character password for accounts not using MFA"
1764
1388
  ],
1765
1389
  implementationSuggestions: [
1766
- "password management systems",
1767
- "password policy enforcement",
1768
- "active directory policies",
1769
- "password generators",
1770
- "credential vaults"
1390
+ "Account and Access Control Management",
1391
+ "Password Management Tool"
1771
1392
  ],
1772
- relatedSafeguards: ["5.1", "5.3", "5.4", "5.5", "5.6"],
1773
- keywords: ["unique", "passwords", "enterprise", "assets", "password", "reuse", "complexity"]
1393
+ relatedSafeguards: ["5.1"],
1394
+ keywords: ["use", "unique", "passwords", "enterprise", "assets", "8-character", "14-character", "MFA", "minimum"]
1774
1395
  },
1775
1396
  "5.3": {
1776
1397
  id: "5.3",
1777
1398
  title: "Disable Dormant Accounts",
1778
- description: "Delete or disable any dormant accounts after a period of 45 days of inactivity",
1399
+ description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
1779
1400
  implementationGroup: "IG1",
1780
1401
  assetType: ["users"],
1781
1402
  securityFunction: ["Protect"],
1782
1403
  governanceElements: [
1783
- "delete or disable dormant accounts",
1784
- "45 days inactivity period",
1785
- "dormant account management",
1786
- "account lifecycle governance"
1404
+ "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
1787
1405
  ],
1788
1406
  coreRequirements: [
1789
- "dormant account identification",
1790
- "account deletion or disabling",
1791
- "inactivity period monitoring",
1792
- "automated account management"
1407
+ "Dormant Accounts"
1793
1408
  ],
1794
1409
  subTaxonomicalElements: [
1795
- "account activity monitoring",
1796
- "login tracking",
1797
- "last access timestamps",
1798
- "account status management",
1799
- "deactivation procedures",
1800
- "account archival processes",
1801
- "reactivation workflows"
1410
+ "Disable",
1411
+ "Delete",
1412
+ "Period of 45 days of inactivity",
1413
+ "Where Supported"
1802
1414
  ],
1803
1415
  implementationSuggestions: [
1804
- "identity management systems",
1805
- "automated account lifecycle tools",
1806
- "activity monitoring solutions",
1807
- "account governance platforms",
1808
- "directory service automation"
1416
+ "Account and Access Control Management",
1417
+ "Identity and Access Management Tool"
1809
1418
  ],
1810
- relatedSafeguards: ["5.1", "5.2", "5.4", "5.5", "5.6"],
1811
- keywords: ["disable", "dormant", "accounts", "45", "days", "inactivity", "delete", "lifecycle"]
1419
+ relatedSafeguards: ["5.1"],
1420
+ keywords: ["delete", "disable", "dormant", "accounts", "45", "days", "inactivity", "supported"]
1812
1421
  },
1813
1422
  "5.4": {
1814
1423
  id: "5.4",
1815
1424
  title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
1816
- description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
1425
+ description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
1817
1426
  implementationGroup: "IG1",
1818
1427
  assetType: ["users"],
1819
1428
  securityFunction: ["Protect"],
1820
1429
  governanceElements: [
1821
- "restrict administrator privileges",
1822
- "dedicated administrator accounts",
1823
- "enterprise assets coverage",
1824
- "privilege separation governance"
1430
+ "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
1431
+ "Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
1825
1432
  ],
1826
1433
  coreRequirements: [
1827
- "administrator privilege restriction",
1828
- "dedicated admin accounts",
1829
- "privilege separation",
1830
- "role-based access control"
1434
+ "Administrator Privileges",
1435
+ "Dedicated Admin Accounts"
1831
1436
  ],
1832
1437
  subTaxonomicalElements: [
1833
- "privileged account identification",
1834
- "admin account separation",
1835
- "regular user accounts",
1836
- "privilege escalation controls",
1837
- "admin account monitoring",
1838
- "privileged access workflows",
1839
- "least privilege enforcement"
1438
+ "Restrict",
1439
+ "Enterprise assets",
1440
+ "User's primary, non-privileged account",
1441
+ "General Computing Activities"
1840
1442
  ],
1841
1443
  implementationSuggestions: [
1842
- "privileged access management",
1843
- "role-based access control systems",
1844
- "admin account management tools",
1845
- "privilege escalation monitoring",
1846
- "just-in-time access"
1444
+ "Account and Access Control Management",
1445
+ "Identity and Access Management Tool",
1446
+ "Such as",
1447
+ "Internet browsing",
1448
+ "Email",
1449
+ "Productivity suite use"
1847
1450
  ],
1848
- relatedSafeguards: ["4.6", "5.1", "5.2", "5.3", "5.5", "5.6", "6.1", "6.2"],
1849
- keywords: ["restrict", "administrator", "privileges", "dedicated", "accounts", "enterprise", "assets", "privileged"]
1451
+ relatedSafeguards: ["4.1", "5.1"],
1452
+ keywords: ["restrict", "administrator", "privileges", "dedicated", "accounts", "enterprise", "assets", "general", "computing", "browsing", "email", "productivity"]
1850
1453
  },
1851
1454
  "5.5": {
1852
1455
  id: "5.5",
1853
1456
  title: "Establish and Maintain an Inventory of Service Accounts",
1854
- description: "Establish and maintain an inventory of service accounts",
1457
+ description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
1855
1458
  implementationGroup: "IG2",
1856
1459
  assetType: ["users"],
1857
1460
  securityFunction: ["Identify"],
1858
1461
  governanceElements: [
1859
- "establish service account inventory",
1860
- "maintain service account inventory",
1861
- "service account governance",
1862
- "inventory management requirements"
1462
+ "Establish and maintain an inventory of service accounts",
1463
+ "The inventory, at a minimum, must contain department owner, review date, and purpose",
1464
+ "Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
1863
1465
  ],
1864
1466
  coreRequirements: [
1865
- "service account inventory",
1866
- "service account identification",
1867
- "account classification",
1868
- "service account tracking"
1467
+ "Inventory of Service Accounts"
1869
1468
  ],
1870
1469
  subTaxonomicalElements: [
1871
- "service account names",
1872
- "associated services",
1873
- "account purposes",
1874
- "account owners",
1875
- "privilege levels",
1876
- "account dependencies",
1877
- "credential management"
1470
+ "Establish",
1471
+ "Maintain",
1472
+ "At a Minimum Must Contain",
1473
+ "Perform service account reviews to validate that all active accounts are authorized",
1474
+ "On a recurring schedule",
1475
+ "Department Owner",
1476
+ "Review date",
1477
+ "Purpose",
1478
+ "At a minimum quarterly",
1479
+ "More frequently",
1480
+ "Or"
1878
1481
  ],
1879
1482
  implementationSuggestions: [
1880
- "service account discovery tools",
1881
- "identity management platforms",
1882
- "account inventory systems",
1883
- "automated discovery agents",
1884
- "credential scanning tools"
1483
+ "Account and Access Control Management",
1484
+ "Identity and Access Management Tool"
1885
1485
  ],
1886
- relatedSafeguards: ["1.1", "2.1", "5.1", "5.2", "5.3", "5.4", "5.6"],
1887
- keywords: ["establish", "maintain", "inventory", "service", "accounts", "identification", "tracking"]
1486
+ relatedSafeguards: ["5.1"],
1487
+ keywords: ["establish", "maintain", "inventory", "service", "accounts", "department", "owner", "review", "date", "purpose", "quarterly", "validate", "authorized"]
1888
1488
  },
1889
1489
  "5.6": {
1890
1490
  id: "5.6",
1891
1491
  title: "Centralize Account Management",
1892
- description: "Centralize account management through a directory service or identity provider",
1492
+ description: "Centralize account management through a directory or identity service.",
1893
1493
  implementationGroup: "IG2",
1894
1494
  assetType: ["users"],
1895
- securityFunction: ["Protect"],
1495
+ securityFunction: ["Govern"],
1896
1496
  governanceElements: [
1897
- "centralize account management",
1898
- "directory service or identity provider",
1899
- "centralized management requirement",
1900
- "identity governance"
1497
+ "Centralize account management through a directory or identity service"
1901
1498
  ],
1902
1499
  coreRequirements: [
1903
- "centralized account management",
1904
- "directory service integration",
1905
- "identity provider deployment",
1906
- "unified account control"
1500
+ "Account Management"
1907
1501
  ],
1908
1502
  subTaxonomicalElements: [
1909
- "directory service implementation",
1910
- "identity provider integration",
1911
- "single sign-on capabilities",
1912
- "federated identity management",
1913
- "account provisioning automation",
1914
- "centralized authentication",
1915
- "identity synchronization"
1503
+ "Centralize",
1504
+ "Directory Service",
1505
+ "Identity Service",
1506
+ "Or"
1916
1507
  ],
1917
1508
  implementationSuggestions: [
1918
- "Active Directory services",
1919
- "LDAP directories",
1920
- "cloud identity providers",
1921
- "identity management platforms",
1922
- "federation services"
1509
+ "Account and Access Control Management",
1510
+ "Identity and Access Management Tool"
1923
1511
  ],
1924
- relatedSafeguards: ["5.1", "5.2", "5.3", "5.4", "5.5", "6.1", "6.2", "6.3"],
1925
- keywords: ["centralize", "account", "management", "directory", "service", "identity", "provider"]
1512
+ relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
1513
+ keywords: ["centralize", "account", "management", "directory", "service", "identity"]
1926
1514
  },
1927
1515
  "6.1": {
1928
1516
  id: "6.1",
1929
1517
  title: "Establish an Access Granting Process",
1930
- description: "Establish and follow a process for granting access to enterprise assets upon new hire, promotion, or role change",
1518
+ description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
1931
1519
  implementationGroup: "IG1",
1932
1520
  assetType: ["users"],
1933
- securityFunction: ["Protect"],
1521
+ securityFunction: ["Govern"],
1934
1522
  governanceElements: [
1935
- "establish access granting process",
1936
- "follow access granting process",
1937
- "new hire promotion role change coverage",
1938
- "access governance framework"
1523
+ "Establish",
1524
+ "Follow",
1525
+ "Account and Access Control Management",
1526
+ "Account and Credential Management Policy/Process",
1527
+ "Documentation"
1939
1528
  ],
1940
1529
  coreRequirements: [
1941
- "access granting process",
1942
- "new hire access provisioning",
1943
- "promotion access updates",
1944
- "role change access management"
1530
+ "documented process",
1531
+ "granting access to enterprise assets"
1945
1532
  ],
1946
1533
  subTaxonomicalElements: [
1947
- "access request workflows",
1948
- "manager approval processes",
1949
- "role-based access assignment",
1950
- "access provisioning procedures",
1951
- "onboarding access checklists",
1952
- "access documentation requirements",
1953
- "approval audit trails"
1534
+ "preferably automated",
1535
+ "upon new hire",
1536
+ "role change of a user",
1537
+ "New Hire",
1538
+ "Role Change",
1539
+ "Enterprise assets"
1954
1540
  ],
1955
1541
  implementationSuggestions: [
1956
- "identity governance platforms",
1957
- "access request systems",
1958
- "workflow automation tools",
1959
- "role-based provisioning systems",
1960
- "approval workflow tools"
1542
+ "Account and Access Control Management",
1543
+ "Account and Credential Management Policy/Process"
1961
1544
  ],
1962
- relatedSafeguards: ["5.1", "5.4", "5.6", "6.2", "6.3", "6.4", "6.5", "6.6", "6.7", "6.8"],
1963
- keywords: ["establish", "access", "granting", "process", "new", "hire", "promotion", "role", "change"]
1545
+ relatedSafeguards: ["5.1", "6.7", "6.8"],
1546
+ keywords: ["establish", "follow", "documented", "process", "automated", "granting", "access", "enterprise", "assets", "new", "hire", "role", "change"]
1964
1547
  },
1965
1548
  "6.2": {
1966
1549
  id: "6.2",
1967
1550
  title: "Establish an Access Revoking Process",
1968
- description: "Establish and follow a process for revoking access to enterprise assets upon termination, demotion, or role change",
1551
+ description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
1969
1552
  implementationGroup: "IG1",
1970
1553
  assetType: ["users"],
1971
- securityFunction: ["Protect"],
1554
+ securityFunction: ["Govern"],
1972
1555
  governanceElements: [
1973
- "establish access revoking process",
1974
- "follow access revoking process",
1975
- "termination demotion role change coverage",
1976
- "access revocation governance"
1556
+ "Establish",
1557
+ "Follow",
1558
+ "Account and Access Control Management",
1559
+ "Account and Credential Management Policy/Process",
1560
+ "Documentation"
1977
1561
  ],
1978
1562
  coreRequirements: [
1979
- "access revoking process",
1980
- "termination access removal",
1981
- "demotion access reduction",
1982
- "role change access adjustment"
1563
+ "process",
1564
+ "revoking access to enterprise assets",
1565
+ "disabling accounts immediately"
1983
1566
  ],
1984
1567
  subTaxonomicalElements: [
1985
- "termination procedures",
1986
- "access revocation checklists",
1987
- "account deactivation processes",
1988
- "credential recovery procedures",
1989
- "system access removal",
1990
- "physical access revocation",
1991
- "asset return procedures"
1568
+ "preferably automated",
1569
+ "upon termination",
1570
+ "rights revocation",
1571
+ "role change of a user",
1572
+ "Role Change",
1573
+ "Termination",
1574
+ "Rights revocation",
1575
+ "Enterprise assets",
1576
+ "Disabling accounts immediately"
1992
1577
  ],
1993
1578
  implementationSuggestions: [
1994
- "identity governance platforms",
1995
- "automated deprovisioning",
1996
- "HR system integration",
1997
- "access revocation workflows",
1998
- "termination checklist systems"
1579
+ "Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails",
1580
+ "Account and Access Control Management",
1581
+ "Account and Credential Management Policy/Process"
1999
1582
  ],
2000
- relatedSafeguards: ["5.1", "5.3", "5.4", "5.6", "6.1", "6.3", "6.4", "6.5", "6.6", "6.7", "6.8"],
2001
- keywords: ["establish", "access", "revoking", "process", "termination", "demotion", "role", "change"]
1583
+ relatedSafeguards: ["5.1", "6.7"],
1584
+ keywords: ["establish", "follow", "process", "automated", "revoking", "access", "enterprise", "assets", "disabling", "accounts", "termination", "rights", "revocation", "role", "change", "audit", "trails"]
2002
1585
  },
2003
1586
  "6.4": {
2004
1587
  id: "6.4",
2005
1588
  title: "Require MFA for Remote Network Access",
2006
- description: "Require MFA for remote network access",
1589
+ description: "Require MFA for remote network access.",
2007
1590
  implementationGroup: "IG1",
2008
1591
  assetType: ["users"],
2009
1592
  securityFunction: ["Protect"],
2010
1593
  governanceElements: [
2011
- "require MFA for remote access",
2012
- "remote network access coverage",
2013
- "MFA enforcement policy",
2014
- "remote access governance"
1594
+ "Require",
1595
+ "Account and Access Control Management",
1596
+ "Multi-Factor Authentication Tool"
2015
1597
  ],
2016
1598
  coreRequirements: [
2017
- "multi-factor authentication",
2018
- "remote network access",
2019
- "MFA enforcement",
2020
- "remote access security"
1599
+ "MFA",
1600
+ "remote network access"
2021
1601
  ],
2022
1602
  subTaxonomicalElements: [
2023
- "VPN access controls",
2024
- "remote desktop authentication",
2025
- "cloud service access",
2026
- "mobile device access",
2027
- "authentication factors",
2028
- "MFA token management",
2029
- "backup authentication methods"
1603
+ "Remote Network Access"
2030
1604
  ],
2031
1605
  implementationSuggestions: [
2032
- "VPN with MFA integration",
2033
- "remote access gateways",
2034
- "cloud identity providers",
2035
- "MFA token systems",
2036
- "biometric authentication"
1606
+ "Account and Access Control Management",
1607
+ "Multi-Factor Authentication Tool"
2037
1608
  ],
2038
- relatedSafeguards: ["5.6", "6.1", "6.2", "6.3", "6.5", "6.6"],
2039
- keywords: ["require", "MFA", "remote", "network", "access", "multi-factor", "authentication", "VPN"]
1609
+ relatedSafeguards: ["4.2", "12.7"],
1610
+ keywords: ["require", "MFA", "remote", "network", "access", "multi-factor", "authentication"]
2040
1611
  },
2041
1612
  "6.5": {
2042
1613
  id: "6.5",
2043
1614
  title: "Require MFA for Administrative Access",
2044
- description: "Require MFA for administrative access to enterprise assets",
1615
+ description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
2045
1616
  implementationGroup: "IG1",
2046
1617
  assetType: ["users"],
2047
1618
  securityFunction: ["Protect"],
2048
1619
  governanceElements: [
2049
- "require MFA for administrative access",
2050
- "enterprise assets coverage",
2051
- "administrative access governance",
2052
- "MFA policy enforcement"
1620
+ "Require",
1621
+ "Account and Access Control Management",
1622
+ "Multi-Factor Authentication Tool"
2053
1623
  ],
2054
1624
  coreRequirements: [
2055
- "multi-factor authentication",
2056
- "administrative access",
2057
- "privileged account protection",
2058
- "MFA enforcement"
1625
+ "MFA",
1626
+ "all administrative access accounts",
1627
+ "all enterprise assets"
2059
1628
  ],
2060
1629
  subTaxonomicalElements: [
2061
- "administrator account protection",
2062
- "privileged access controls",
2063
- "system administration access",
2064
- "database administration access",
2065
- "network administration access",
2066
- "security administration access",
2067
- "emergency access procedures"
1630
+ "where supported",
1631
+ "All Admin Access Accounts",
1632
+ "All enterprise assets",
1633
+ "Onsite Management",
1634
+ "Service Provider",
1635
+ "Or"
2068
1636
  ],
2069
1637
  implementationSuggestions: [
2070
- "privileged access management",
2071
- "administrative MFA systems",
2072
- "just-in-time access",
2073
- "privileged session management",
2074
- "administrative workstations"
1638
+ "Account and Access Control Management",
1639
+ "Multi-Factor Authentication Tool"
2075
1640
  ],
2076
- relatedSafeguards: ["5.4", "5.6", "6.1", "6.2", "6.3", "6.4", "6.6"],
2077
- keywords: ["require", "MFA", "administrative", "access", "enterprise", "assets", "privileged", "protection"]
1641
+ relatedSafeguards: ["4.1"],
1642
+ keywords: ["require", "MFA", "administrative", "access", "accounts", "supported", "enterprise", "assets", "managed", "onsite", "service", "provider"]
2078
1643
  },
2079
1644
  "6.6": {
2080
1645
  id: "6.6",
2081
1646
  title: "Establish and Maintain an Inventory of Authentication and Authorization Systems",
2082
- description: "Establish and maintain an inventory of authentication and authorization systems",
1647
+ description: "Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.",
2083
1648
  implementationGroup: "IG2",
2084
- assetType: ["applications"],
1649
+ assetType: ["software"],
2085
1650
  securityFunction: ["Identify"],
2086
1651
  governanceElements: [
2087
- "establish auth system inventory",
2088
- "maintain auth system inventory",
2089
- "authentication authorization coverage",
2090
- "auth system governance"
1652
+ "Establish",
1653
+ "maintain",
1654
+ "Review and update",
1655
+ "Account and Access Control Management",
1656
+ "Account and Credential Management Policy/Process"
2091
1657
  ],
2092
1658
  coreRequirements: [
2093
- "authentication system inventory",
2094
- "authorization system inventory",
2095
- "identity system tracking",
2096
- "access control system management"
1659
+ "inventory of the enterprise's authentication and authorization systems"
2097
1660
  ],
2098
1661
  subTaxonomicalElements: [
2099
- "identity providers",
2100
- "authentication servers",
2101
- "authorization systems",
2102
- "single sign-on systems",
2103
- "directory services",
2104
- "access control lists",
2105
- "federation services"
1662
+ "including those hosted on-site or at a remote service provider",
1663
+ "at a minimum, annually, or more frequently",
1664
+ "Hosted on-site",
1665
+ "Remote Service Provider",
1666
+ "Or",
1667
+ "At a minimum Annually",
1668
+ "More frequently"
2106
1669
  ],
2107
1670
  implementationSuggestions: [
2108
- "identity system discovery tools",
2109
- "authentication inventory platforms",
2110
- "system catalog management",
2111
- "integration mapping tools",
2112
- "identity architecture documentation"
1671
+ "Account and Access Control Management",
1672
+ "Account and Credential Management Policy/Process"
2113
1673
  ],
2114
- relatedSafeguards: ["1.1", "2.1", "5.1", "5.6", "6.1", "6.2", "6.3", "6.4", "6.5", "6.7", "6.8"],
2115
- keywords: ["establish", "maintain", "inventory", "authentication", "authorization", "systems", "identity"]
1674
+ relatedSafeguards: ["1.1", "2.1", "3.3", "5.6", "6.7"],
1675
+ keywords: ["establish", "maintain", "inventory", "enterprise", "authentication", "authorization", "systems", "hosted", "onsite", "remote", "service", "provider", "review", "update", "annually"]
2116
1676
  },
2117
1677
  "6.7": {
2118
1678
  id: "6.7",
2119
1679
  title: "Centralize Access Control",
2120
- description: "Centralize access control for all enterprise assets through a directory service or SSO provider",
1680
+ description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
2121
1681
  implementationGroup: "IG2",
2122
1682
  assetType: ["users"],
2123
1683
  securityFunction: ["Protect"],
2124
1684
  governanceElements: [
2125
- "centralize access control",
2126
- "all enterprise assets",
2127
- "directory service or SSO provider",
2128
- "centralized control governance"
1685
+ "Centralize",
1686
+ "Account and Access Control Management",
1687
+ "Account and Credential Management Policy/Process",
1688
+ "Identity and Access Management Tool"
2129
1689
  ],
2130
1690
  coreRequirements: [
2131
- "centralized access control",
2132
- "directory service integration",
2133
- "SSO provider deployment",
2134
- "unified access management"
1691
+ "access control",
1692
+ "all enterprise assets"
2135
1693
  ],
2136
1694
  subTaxonomicalElements: [
2137
- "single sign-on implementation",
2138
- "directory service integration",
2139
- "federated authentication",
2140
- "centralized authorization",
2141
- "access policy management",
2142
- "identity federation",
2143
- "cross-platform integration"
1695
+ "through a directory service or SSO provider",
1696
+ "where supported",
1697
+ "Directory Service",
1698
+ "SSO Provider",
1699
+ "Or",
1700
+ "All enterprise assets",
1701
+ "Where Supported"
2144
1702
  ],
2145
1703
  implementationSuggestions: [
2146
- "Active Directory integration",
2147
- "SAML-based SSO",
2148
- "OAuth implementations",
2149
- "identity federation platforms",
2150
- "centralized access gateways"
1704
+ "Account and Access Control Management",
1705
+ "Account and Credential Management Policy/Process",
1706
+ "Identity and Access Management Tool"
2151
1707
  ],
2152
- relatedSafeguards: ["5.6", "6.1", "6.2", "6.3", "6.4", "6.5", "6.6", "6.8"],
2153
- keywords: ["centralize", "access", "control", "enterprise", "assets", "directory", "service", "SSO"]
1708
+ relatedSafeguards: ["4.1", "5.1", "5.6", "6.1", "6.2", "6.6", "12.5", "12.7"],
1709
+ keywords: ["centralize", "access", "control", "enterprise", "assets", "directory", "service", "SSO", "provider", "supported"]
2154
1710
  },
2155
1711
  "6.8": {
2156
1712
  id: "6.8",
2157
1713
  title: "Define and Maintain Role-Based Access Control",
2158
- description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise",
1714
+ description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
2159
1715
  implementationGroup: "IG3",
2160
1716
  assetType: ["users"],
2161
- securityFunction: ["Protect"],
1717
+ securityFunction: ["Govern"],
2162
1718
  governanceElements: [
2163
- "define role-based access control",
2164
- "maintain role-based access control",
2165
- "determine access rights for each role",
2166
- "document access rights"
1719
+ "Define",
1720
+ "maintain",
1721
+ "Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently",
1722
+ "Account and Access Control Management",
1723
+ "Account and Credential Management Policy/Process",
1724
+ "Identity and Access management Tool"
2167
1725
  ],
2168
1726
  coreRequirements: [
2169
1727
  "role-based access control",
2170
- "access rights determination",
2171
- "role documentation",
2172
- "RBAC implementation"
1728
+ "determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties"
2173
1729
  ],
2174
1730
  subTaxonomicalElements: [
2175
- "role definitions",
2176
- "permission matrices",
2177
- "access entitlements",
2178
- "role hierarchies",
2179
- "job function mapping",
2180
- "segregation of duties",
2181
- "role certification processes"
1731
+ "Access rights",
1732
+ "Each Role",
1733
+ "Necessary",
1734
+ "Successfully carry out its assigned duties",
1735
+ "Determining",
1736
+ "Documenting",
1737
+ "At a minimum Annually",
1738
+ "More frequently",
1739
+ "Or"
2182
1740
  ],
2183
1741
  implementationSuggestions: [
2184
- "RBAC management systems",
2185
- "role mining tools",
2186
- "access certification platforms",
2187
- "permission analysis tools",
2188
- "role governance systems"
1742
+ "Account and Access Control Management",
1743
+ "Account and Credential Management Policy/Process",
1744
+ "Identity and Access management Tool"
2189
1745
  ],
2190
- relatedSafeguards: ["5.1", "5.4", "6.1", "6.2", "6.6", "6.7"],
2191
- keywords: ["define", "maintain", "role-based", "access", "control", "RBAC", "roles", "permissions"]
1746
+ relatedSafeguards: ["3.3", "4.1", "6.1"],
1747
+ keywords: ["define", "maintain", "role-based", "access", "control", "determining", "documenting", "rights", "necessary", "role", "enterprise", "duties", "perform", "reviews", "validate", "privileges", "authorized", "recurring", "annually"]
2192
1748
  },
2193
1749
  "7.2": {
2194
1750
  id: "7.2",