Open
Description
NIST has done a relatively great job (IMHO) of translating/mapping the RMF to NIST-800-53 through the NIST Framework for Improving Critical Infrastructure Cybersecurity.
Considering the high-level controls are already mapped, we should be able to parse out control enhancements (i.e. those additional questions based on whether a system is Low/Moderate/High) to their root control and map that back to the framework as a way to assess how a system is addressing RMF using the mappings provided by NIST.
For reference only on existing control mappings:
https://gist.github.com/JJediny/65438415b5e38ac7560ad5f5597f1877
Updated: 1/13/2017 - Updated with Draft v1.1 https://www.nist.gov/cyberframework/draft-version-11
NIST CSF has three levels: Function -> Category -> Subcategory
###################
# Subcategory #
###################
-
Category: ID.AM
Subcategory: 1
Description: Physical devices and systems within the organization are inventoried
Component:
Control:
- CM-8
-
Category: ID.AM
Subcategory: 2
Description: Software platforms and applications within the organization are inventoried
Component:
Control:
- CM-8
-
Category: ID.AM
Subcategory: 3
Description: Organizational communication and data flows are mapped
Component:
Control:
- AC-4
- CA-3
- CA-9
- PL-8
-
Category: ID.AM
Subcategory: 4
Description: External information systems are cataloged
Component:
Control:
- AC-20
- SA-9
-
Category: ID.AM
Subcategory: 5
Description: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value
Component:
Control:
- CP-2
- RA-2
- SA-14
-
Category: ID.AM
Subcategory: 6
Description: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Component:
Control:
- CP-2
- PS-7
- PM-11
-
Category: ID.BE
Subcategory: 1
Description: The organization’s role in the supply chain is identified and communicated
Component:
Control:
- CP-2
- SA-12
-
Category: ID.BE
Subcategory: 2
Description: The organization’s place in critical infrastructure and its industry sector is identified and communicated
Component:
Control:
- PM-8
-
Category: ID.BE
Subcategory: 3
Description: Priorities for organizational mission, objectives, and activities are established and communicated
Component:
Control:
- PM-11
- SA-14
-
Category: ID.BE
Subcategory: 4
Description: Dependencies and critical functions for delivery of critical services are established
Component:
Control:
- CP-8
- PE-9
- PE-11
- PM-8
- SA-14
-
Category: ID.BE
Subcategory: 5
Description: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Component:
Control:
- CP-2
- CP-11
- SA-14
-
Category: ID.GV
Subcategory: 1
Description: Organizational information security policy is established
Component:
Control:
- All
-
Category: ID.GV
Subcategory: 2
Description: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
Component:
Control:
- PM-1
- PS-7
-
Category: ID.GV
Subcategory: 3
Description: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Component:
Control:
- All
-
Category: ID.GV
Subcategory: 4
Description: Governance and risk management processes address cybersecurity risks
Component:
Control:
- PM-9
- PM-11
-
Category: ID.RA
Subcategory: 1
Description: Asset vulnerabilities are identified and documented
Component:
Control:
- CA-2
- CA-7
- CA-8
- RA-3
- RA-5
- SA-5
- SA-11
- SI-2
- SI-4
- SI-5
-
Category: ID.RA
Subcategory: 2
Description: Cyber threat intelligence is received from information sharing forums and sources
Component:
Control:
- PM-15
- PM-16
- SI-5
-
Category: ID.RA
Subcategory: 3
Description: Threats, both internal and external, are identified and documented
Component:
Control:
- RA-3
- SI-5
- PM-12
- PM-16
-
Category: ID.RA
Subcategory: 4
Description: Potential business impacts and likelihoods are identified
Component:
Control:
- RA-2
- RA-3
- PM-9
- PM-11
- SA-14
-
Category: ID.RA
Subcategory: 5
Description: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Component:
Control:
- RA-2
- RA-3
- PM-16
-
Category: ID.RA
Subcategory: 6
Description: Risk responses are identified and prioritized
Component:
Control:
- PM-4
- PM-9
-
Category: ID.RM
Subcategory: 1
Description: Risk management processes are established, managed, and agreed to by organizational stakeholders
Component:
Control:
- PM-9
-
Category: ID.RM
Subcategory: 2
Description: Organizational risk tolerance is determined and clearly expressed
Component:
Control:
- PM-9
-
Category: ID.RM
Subcategory: 3
Description: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Component:
Control:
- PM-8
- PM-9
- PM-11
- SA-14
-
Category: ID.SC
Subcategory: 1
Description: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
Component:
Control:
- SA-9
- SA-12
- PM-9
-
Category: ID.SC
Subcategory: 2
Description: Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process
Component:
Control:
- RA-2
- RA-3
- SA-12
- SA-14
- SA-15
- PM-9
-
Category: ID.SC
Subcategory: 3
Description: Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan.
Component:
Control:
- SA-9
- SA-11
- SA-12
- PM-9
-
Category: ID.SC
Subcategory: 4
Description: Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted
Component:
Control:
- AU-2
- AU-6
- AU-12
- AU-16
- PS-7
- SA-9
- SA-12
-
Category: ID.SC
Subcategory: 5
Description: Response and recovery planning and testing are conducted with critical suppliers/providers
Component:
Control:
- CP-2
- CP-4
- IR-3
- IR-4
- IR-6
- IR-8
- IR-9
-
Category: PR.AC
Subcategory: 1
Description: Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes
Component:
Control:
- AC-2
- IA
-
Category: PR.AC
Subcategory: 2
Description: Physical access to assets is managed and protected
Component:
Control:
- PE-2
- PE-3
- PE-4
- PE-5
- PE-6
- PE-9
-
Category: PR.AC
Subcategory: 3
Description: Remote access is managed
Component:
Control:
- AC-17
- AC-19
- AC-20
-
Category: PR.AC
Subcategory: 4
Description: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Component:
Control:
- AC-2
- AC-3
- AC-5
- AC-6
- AC-16
-
Category: PR.AC
Subcategory: 5
Description: Network integrity is protected, incorporating network segregation where appropriate
Component:
Control:
- AC-4
- SC-7
-
Category: PR.AC
Subcategory: 6
Description: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
Component:
Control:
- AC-2
- AC-3
- AC-5
- AC-6
- AC-16
- AC-19
- AC-24
- IA-2
- IA-4
- IA-5
- IA-8
- PE-2
- PS-3
-
Category: PR.AT
Subcategory: 1
Description: All users are informed and trained
Component:
Control:
- AT-2
- PM-13
-
Category: PR.AT
Subcategory: 2
Description: Privileged users understand roles & responsibilities
Component:
Control:
- AT-3
- PM-13
-
Category: PR.AT
Subcategory: 3
Description: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Component:
Control:
- PS-7
- SA-9
-
Category: PR.AT
Subcategory: 4
Description: Senior executives understand roles & responsibilities
Component:
Control:
- AT-3
- PM-13
-
Category: PR.AT
Subcategory: 5
Description: Physical and information security personnel understand roles & responsibilities
Component:
Control:
- AT-3
- PM-13
-
Category: PR.DS
Subcategory: 1
Description: Data-at-rest is protected
Component:
Control:
- SC-28
-
Category: PR.DS
Subcategory: 2
Description: Data-in-transit is protected
Component:
Control:
- SC-8
-
Category: PR.DS
Subcategory: 3
Description: Assets are formally managed throughout removal, transfers, and disposition
Component:
Control:
- CM-8
- MP-6
- PE-16
-
Category: PR.DS
Subcategory: 4
Description: Adequate capacity to ensure availability is maintained
Component:
Control:
- AU-4
- CP-2
- SC-5
-
Category: PR.DS
Subcategory: 5
Description: Protections against data leaks are implemented
Component:
Control:
- AC-4
- AC-5
- AC-6
- PE-19
- PS-3
- PS-6
- SC-7
- SC-8
- SC-13
- SC-31
- SI-4
-
Category: PR.DS
Subcategory: 6
Description: Integrity checking mechanisms are used to verify software, firmware, and information integrity
Component:
Control:
- SI-7
-
Category: PR.DS
Subcategory: 7
Description: The development and testing environment(s) are separate from the production environment
Component:
Control:
- CM-2
-
Category: PR.DS
Subcategory: 8
Description: Integrity checking mechanisms are used to verify hardware integrity
Component:
Control:
- SA-10
- SI-7
-
Category: PR.IP
Subcategory: 1
Description: A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)
Component:
Control:
- CM-2
- CM-3
- CM-4
- CM-5
- CM-6
- CM-7
- CM-9
- SA-10
-
Category: PR.IP
Subcategory: 2
Description: A System Development Life Cycle to manage systems is implemented
Component:
Control:
- SA-3
- SA-4
- SA-8
- SA-10
- SA-11
- SA-12
- SA-15
- SA-17
- PL-8
-
Category: PR.IP
Subcategory: 3
Description: Configuration change control processes are in place
Component:
Control:
- CM-3
- CM-4
- SA-10
-
Category: PR.IP
Subcategory: 4
Description: Backups of information are conducted, maintained, and tested periodically
Component:
Control:
- CP-4
- CP-6
- CP-9
-
Category: PR.IP
Subcategory: 5
Description: Policy and regulations regarding the physical operating environment for organizational assets are met
Component:
Control:
- PE-10
- PE-12
- PE-13
- PE-14
- PE-15
- PE-18
-
Category: PR.IP
Subcategory: 6
Description: Data is destroyed according to policy
Component:
Control:
- MP-6
-
Category: PR.IP
Subcategory: 7
Description: Protection processes are continuously improved
Component:
Control:
- CA-7
- CP-2
- IR-8
- PL-2
- PM-6
-
Category: PR.IP
Subcategory: 8
Description: Effectiveness of protection technologies is shared with appropriate parties
Component:
Control:
- AC-21
- CA-7
- SI-4
-
Category: PR.IP
Subcategory: 9
Description: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Component:
Control:
- CP-2
- IR-8
-
Category: PR.IP
Subcategory: 10
Description: Response and recovery plans are tested
Component:
Control:
- IR-3
- PM-14
-
Category: PR.IP
Subcategory: 11
Description: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
Component:
Control:
- PS
-
Category: PR.IP
Subcategory: 12
Description: A vulnerability management plan is developed and implemented
Component:
Control:
- RA-3
- RA-5
- SI-2
-
Category: PR.MA
Subcategory: 1
Description: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
Component:
Control:
- MA-2
- MA-3
- MA-5
-
Category: PR.MA
Subcategory: 2
Description: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Component:
Control:
- MA-4
-
Category: PR.PT
Subcategory: 1
Description: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Component:
Control:
- AU
-
Category: PR.PT
Subcategory: 2
Description: Removable media is protected and its use restricted according to policy
Component:
Control:
- MP-2
- MP-4
- MP-5
- MP-7
-
Category: PR.PT
Subcategory: 3
Description: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
Component:
Control:
- AC-3
- CM-7
-
Category: PR.PT
Subcategory: 4
Description: Communications and control networks are protected
Component:
Control:
- AC-4
- AC-17
- AC-18
- CP-8
- SC-7
-
Category: PR.PT
Subcategory: 5
Description: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations).
Component:
Control:
- CP-7
- CP-8
- CP-11
- CP-13
- PL-8
- SA-14
- SC-6
-
Category: DE.AE
Subcategory: 1
Description: A baseline of network operations and expected data flows for users and systems is established and managed
Component:
Control:
- AC-4
- CA-3
- CM-2
- SI-4
-
Category: DE.AE
Subcategory: 2
Description: Detected events are analyzed to understand attack targets and methods
Component:
Control:
- AU-6
- CA-7
- IR-4
- SI-4
-
Category: DE.AE
Subcategory: 3
Description: Event data are aggregated and correlated from multiple sources and sensors
Component:
Control:
- AU-6
- CA-7
- IR-4
- IR-5
- IR-8
- SI-4
-
Category: DE.AE
Subcategory: 4
Description: Impact of events is determined
Component:
Control:
- CP-2
- IR-4
- RA-3
- SI-4
-
Category: DE.AE
Subcategory: 5
Description: Incident alert thresholds are established
Component:
Control:
- IR-4
- IR-5
- IR-8
-
Category: DE.CM
Subcategory: 1
Description: The network is monitored to detect potential cybersecurity events
Component:
Control:
- AC-2
- AU-12
- CA-7
- CM-3
- SC-5
- SC-7
- SI-4
-
Category: DE.CM
Subcategory: 2
Description: The physical environment is monitored to detect potential cybersecurity events
Component:
Control:
- CA-7
- PE-3
- PE-6
- PE-20
-
Category: DE.CM
Subcategory: 3
Description: Personnel activity is monitored to detect potential cybersecurity events
Component:
Control:
- AC-2
- AU-12
- AU-13
- CA-7
- CM-10
- CM-11
-
Category: DE.CM
Subcategory: 4
Description: Malicious code is detected
Component:
Control:
- SI-3
-
Category: DE.CM
Subcategory: 5
Description: Unauthorized mobile code is detected
Component:
Control:
- SC-18
- SI-4
- SC-44
-
Category: DE.CM
Subcategory: 6
Description: External service provider activity is monitored to detect potential cybersecurity events
Component:
Control:
- CA-7
- PS-7
- SA-4
- SA-9
- SI-4
-
Category: DE.CM
Subcategory: 7
Description: Monitoring for unauthorized personnel, connections, devices, and software is performed
Component:
Control:
- AU-12
- CA-7
- CM-3
- CM-8
- PE-3
- PE-6
- PE-20
- SI-4
-
Category: DE.CM
Subcategory: 8
Description: Vulnerability scans are performed
Component:
Control:
- RA-5
-
Category: DE.DP
Subcategory: 1
Description: Roles and responsibilities for detection are well defined to ensure accountability
Component:
Control:
- CA-2
- CA-7
- PM-14
-
Category: DE.DP
Subcategory: 2
Description: Detection activities comply with all applicable requirements
Component:
Control:
- CA-2
- CA-7
- PM-14
- SI-4
-
Category: DE.DP
Subcategory: 3
Description: Detection processes are tested
Component:
Control:
- CA-2
- CA-7
- PE-3
- PM-14
- SI-3
- SI-4
-
Category: DE.DP
Subcategory: 4
Description: Event detection information is communicated to appropriate parties
Component:
Control:
- AU-6
- CA-2
- CA-7
- RA-5
- SI-4
-
Category: DE.DP
Subcategory: 5
Description: Detection processes are continuously improved
Component:
Control:
- CA-2
- CA-7
- PL-2
- RA-5
- SI-4
- PM-14
-
Category: RS.RP
Subcategory: 1
Description: Response plan is executed during or after an event
Component:
Control:
- CP-2
- CP-10
- IR-4
- IR-8
-
Category: RS.CO
Subcategory: 1
Description: Personnel know their roles and order of operations when a response is needed
Component:
Control:
- CP-2
- CP-3
- IR-3
- IR-8
-
Category: RS.CO
Subcategory: 2
Description: Events are reported consistent with established criteria
Component:
Control:
- AU-6
- IR-6
- IR-8
-
Category: RS.CO
Subcategory: 3
Description: Information is shared consistent with response plans
Component:
Control:
- CA-2
- CA-7
- CP-2
- IR-4
- IR-8
- PE-6
- RA-5
- SI-4
-
Category: RS.CO
Subcategory: 4
Description: Coordination with stakeholders occurs consistent with response plans
Component:
Control:
- CP-2
- IR-4
- IR-8
-
Category: RS.CO
Subcategory: 5
Description: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Component:
Control:
- PM-15
- SI-5
-
Category: RS.AN
Subcategory: 1
Description: Notifications from detection systems are investigated
Component:
Control:
- AU-6
- CA-7
- IR-4
- IR-5
- PE-6
- SI-4
-
Category: RS.AN
Subcategory: 2
Description: The impact of the incident is understood
Component:
Control:
- CP-2
- IR-4
-
Category: RS.AN
Subcategory: 3
Description: Forensics are performed
Component:
Control:
- AU-7
- IR-4
-
Category: RS.AN
Subcategory: 4
Description: Incidents are categorized consistent with response plans
Component:
Control:
- CP-2
- IR-4
- IR-5
- IR-8
-
Category: RS.MI
Subcategory: 1
Description: Incidents are contained
Component:
Control:
- IR-4
-
Category: RS.MI
Subcategory: 2
Description: Incidents are mitigated
Component:
Control:
- IR-4
-
Category: RS.MI
Subcategory: 3
Description: Newly identified vulnerabilities are mitigated or documented as accepted risks
Component:
Control:
- CA-7
- RA-3
- RA-5
-
Category: RS.IM
Subcategory: 1
Description: Response plans incorporate lessons learned
Component:
Control:
- CP-2
- IR-4
- IR-8
-
Category: RS.IM
Subcategory: 2
Description: Response strategies are updated
Component:
Control:
- CP-2
- IR-4
- IR-8
-
Category: RC.RP
Subcategory: 1
Description: Recovery plan is executed during or after an event
Component:
Control:
- CP-10
- IR-4
- IR-8
-
Category: RC.IM
Subcategory: 1
Description: Recovery plans incorporate lessons learned
Component:
Control:
- CP-2
- IR-4
- IR-8
-
Category: RC.IM
Subcategory: 2
Description: Recovery strategies are updated
Component:
Control:
- CP-2
- IR-4
- IR-8
-
Category: RC.CO
Subcategory: 3
Description: Recovery activities are communicated to internal stakeholders and executive and management teams
Component:
Control:
- CP-2
- IR-4
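The proposal at the top of the issue (reduce each control enhancement such as `AC-2(1)` to its root control `AC-2`, then look the root up in the subcategory-to-control mapping above) can be exercised directly against the flattened record format used in this issue. The following is an added example, not code from the issue author or from NIST; it embeds a constructed four-record excerpt of the mapping, and it assumes two matching rules that the page implies but does not spell out: a family-only entry (`IA`, `PS`, `AU`) is satisfied by any implemented control in that family, and `All` is satisfied by any non-empty control list. Control identifiers are normalised for stray spaces and Unicode hyphens, since hand-maintained lists commonly contain both.

```python
"""Added example: map a system's implemented 800-53 controls (enhancements
included) to NIST CSF subcategories using the flattened mapping format above.
Matching rules for family-only entries and "All" are assumptions, not NIST's."""
import re

# Constructed excerpt of the mapping, in the issue's flattened record format.
SAMPLE_MAPPING = """\
-
Category: ID.AM
Subcategory: 1
Description: Physical devices and systems within the organization are inventoried
Component:
Control:
- CM-8
-
Category: PR.AC
Subcategory: 1
Description: Identities and credentials are issued, managed, revoked, and audited
Component:
Control:
- AC-2
- IA
-
Category: PR.AC
Subcategory: 4
Description: Access permissions are managed with least privilege and separation of duties
Component:
Control:
- AC-2
- AC-3
- AC-5
- AC-6
- AC-16
-
Category: ID.GV
Subcategory: 1
Description: Organizational information security policy is established
Component:
Control:
- All
"""

# Family (two letters), optional "-number", optional "(enhancement)".
CONTROL_RE = re.compile(r"^([A-Z]{2})(?:-(\d+))?(?:\((\d+)\))?$")


def parse_control(raw):
    """Return (family, number, enhancement); number/enhancement are None when absent.
    Spaces and Unicode hyphens (U+2010/U+2011) are normalised first."""
    cleaned = raw.strip().replace("\u2011", "-").replace("\u2010", "-").replace(" ", "")
    if cleaned.lower() == "all":
        return ("*", None, None)
    m = CONTROL_RE.match(cleaned)
    if not m:
        raise ValueError(f"unrecognised control id: {raw!r}")
    fam, num, enh = m.groups()
    return (fam, int(num) if num else None, int(enh) if enh else None)


def root_control(raw):
    """'AC-2(1)' -> 'AC-2'; 'IA' -> 'IA'; 'All' -> '*' (enhancement is dropped)."""
    fam, num, _ = parse_control(raw)
    if fam == "*":
        return "*"
    return fam if num is None else f"{fam}-{num}"


def parse_mapping(text):
    """Parse flattened records into dicts: id ('PR.AC-1'), description, controls (roots)."""
    records, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line == "-":                      # record separator
            if current:
                records.append(current)
            current = {"category": None, "subcategory": None, "description": "", "controls": []}
            continue
        if current is None or not line:
            continue
        if line.startswith("- "):            # control list item
            current["controls"].append(root_control(line[2:]))
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key in ("category", "subcategory", "description"):
                current[key] = value
    if current:
        records.append(current)
    for r in records:
        r["id"] = f"{r['category']}-{r['subcategory']}"
    return records


def control_matches(mapped_root, implemented_root):
    """Assumed rule: '*' matches anything, a family-only entry matches its whole family."""
    if mapped_root == "*":
        return True
    if "-" not in mapped_root:
        return implemented_root.split("-")[0] == mapped_root
    return mapped_root == implemented_root


def assess(records, implemented_controls):
    """Return {subcategory id: (satisfied roots, unsatisfied roots)} for a system's controls."""
    impl = {root_control(c) for c in implemented_controls}   # AC-2(1), AC-2(2) -> AC-2
    result = {}
    for r in records:
        hit, miss = [], []
        for mapped in r["controls"]:
            (hit if any(control_matches(mapped, i) for i in impl) else miss).append(mapped)
        result[r["id"]] = (hit, miss)
    return result


def fully_covered(result):
    """Sorted subcategory ids whose every mapped control is satisfied."""
    return sorted(sid for sid, (_, miss) in result.items() if not miss)


if __name__ == "__main__":
    # Constructed list of controls a hypothetical Moderate system claims in its SSP.
    ssp_controls = ["AC-2(1)", "AC-2(2)", "AC-3", "IA-2(1)", "SI -4", "CM-8"]
    for sid, (hit, miss) in assess(parse_mapping(SAMPLE_MAPPING), ssp_controls).items():
        print(f"{sid}: satisfied={hit} gaps={miss}")
```

Running the module prints one line per subcategory with the satisfied and missing root controls, so a gap such as `PR.AC-4` lacking `AC-5`, `AC-6` and `AC-16` is visible even though the system claims several `AC-2` enhancements. Baseline (Low/Moderate/High) selection is left to the caller: feed in only the controls and enhancements that the system's baseline requires and that the assessor has verified.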