NIST - National Institute of Standards and Technology

NIST Cybersecurity Framework (CSF) core, as mapped on this page. Related control catalog: NIST SP 800-53.

Functions and categories:

Identify (ID)
  Asset Management (ID.AM)
  Business Environment (ID.BE)
  Governance (ID.GV)
  Risk Assessment (ID.RA)
  Supply Chain Risk Management (ID.SC)

Protect (PR)
  Identity Management, Authentication and Access Control (PR.AC)
  Awareness and Training (PR.AT)
  Data Security (PR.DS)
  Information Protection Processes and Procedures (PR.IP)
  Maintenance (PR.MA)
  Protective Technology (PR.PT)

Detect (DE)
  Anomalies and Events (DE.AE)
  Security Continuous Monitoring (DE.CM)
  Detection Processes (DE.DP)

Respond (RS)
  Response Planning (RS.RP)
  Communications (RS.CO)
  Analysis (RS.AN)
  Mitigation (RS.MI)
  Improvements / lessons learned (RS.IM)

Recover (RC)
  Recovery Planning (RC.RP)
  Improvements (RC.IM)
  Communications (RC.CO)

Identify subcategories:

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources are prioritized based on their classification, criticality, and business value

ID.BE-1: The organization's role in the supply chain is identified and communicated
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states

ID.GV-1: Organizational cybersecurity policy is established and communicated
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks

ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of the organization's cybersecurity program
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers