GOV — Governance (3 Controls)
GOV-01 — Cybersecurity Program: Establish and maintain a cybersecurity program.
GOV-02 — Publishing Cybersecurity Policies: Develop, document, and disseminate policies.
GOV-04 — Cybersecurity Risk Management: Establish a risk management process.
AST — Asset Management (5 Controls)
AST-01 — Asset Inventories: Maintain inventories of hardware and software assets.
AST-02 — Asset Ownership: Assign ownership and accountability for each asset.
AST-03 — Asset Custodianship: Assign custodial responsibilities.
AST-04 — Asset Classification: Classify assets by sensitivity and criticality.
AST-07 — Secure Disposal: Securely dispose of assets when no longer needed.
BCD — Business Continuity & Disaster Recovery (2 Controls)
BCD-01 — Business Continuity Management: Implement a business continuity program.
BCD-11 — Data Backups: Maintain backups per recovery time and point objectives.
CHG — Change Management (2 Controls)
CHG-01 — Change Management Program: Control changes to systems and infrastructure.
CHG-02 — Configuration & Change Management: Maintain configurations and manage changes.
CLD — Cloud Security (2 Controls)
CLD-01 — Cloud Services: Controls governing use of cloud services.
CLD-02 — Cloud Security Architecture: Apply security architecture to cloud environments.
CPL — Compliance (1 Control)
CPL-01 — Statutory & Regulatory Compliance: Track all applicable obligations.
CFG — Configuration Management (2 Controls)
CFG-01 — Configuration Management Program: Baseline and control system configurations.
CFG-02 — Baseline Configuration: Maintain baseline security configurations.
MON — Monitoring (3 Controls)
MON-01 — Continuous Monitoring: Monitor systems to detect cybersecurity events.
MON-02 — Audit Logging: Capture security-relevant events across systems.
MON-07 — Log Protection: Protect audit logs from unauthorized access.
CRY — Cryptographic Protections (3 Controls)
CRY-01 — Use of Cryptographic Controls: Policies governing cryptographic controls.
CRY-03 — Transmission Confidentiality: Encrypt data transmitted across networks.
CRY-09 — Encryption for Data at Rest: Encrypt sensitive data at rest.
DCH — Data Classification & Handling (5 Controls)
DCH-01 — Data Classification: Classify data by sensitivity levels.
DCH-02 — Data Handling: Implement handling procedures based on classification.
DCH-06 — Sensitive Data Transfer: Controls governing transfer of sensitive data.
DCH-12 — Data Retention & Disposal: Retain and securely dispose of data.
DCH-19 — Data Privacy: Protect privacy of personal information.
END — Endpoint Security (2 Controls)
END-01 — Endpoint Protection: Deploy and maintain endpoint protection solutions.
END-02 — Endpoint Device Management: Device management controls for organizational devices.
HRS — Human Resources Security (2 Controls)
HRS-01 — Human Resources Security Management: HR security controls for employment lifecycle.
HRS-04 — Termination & Transfer: Revoke access and return assets when employment ends.
IAC — Identity & Access Control (10 Controls)
IAC-01 — Identity & Access Management: Govern user identity and access rights.
IAC-02 — Identify & Authenticate Users: Uniquely identify and authenticate all users.
IAC-06 — Multi-Factor Authentication: MFA for sensitive systems and privileged accounts.
IAC-07 — Least Privilege: Grant minimum access necessary for job functions.
IAC-08 — Role-Based Access Control: Manage permissions based on job responsibilities.
IAC-09 — Privileged Account Management: Enhanced controls for privileged accounts.
IAC-10 — Account Management: Manage accounts through their full lifecycle.
IAC-12 — Password Management: Complexity, expiration, and reuse restrictions.
IAC-16 — Remote Access: Secure methods for remote access to systems.
IAC-17 — Separation of Duties: Prevent conflicting authorities.
IRO — Incident Response (2 Controls)
IRO-01 — Incident Response Program: Detect, respond to, and recover from incidents.
IRO-02 — Incident Response Plan: Define roles, responsibilities, and procedures.
NET — Network Security (7 Controls)
NET-01 — Network Security Controls: Protect networks from unauthorized access.
NET-02 — Firewall & Router Configuration: Enforce network security policies.
NET-04 — Network Segmentation: Limit lateral movement and contain breaches.
NET-05 — Network Access Control: Control access based on identity and compliance.
NET-06 — Wireless Access: Secure wireless networks.
NET-13 — DNS Security: Protect against DNS-based attacks.
NET-14 — Network Intrusion Detection: Identify suspicious network activity.
PES — Physical & Environmental Security (3 Controls)
PES-01 — Physical Security Program: Protect facilities and assets.
PES-02 — Physical Access Controls: Restrict access to sensitive areas.
PES-04 — Physical Access Monitoring: Detect unauthorized entry attempts.
RSK — Risk Management (4 Controls)
RSK-01 — Risk Management Program: Identify, assess, and treat cybersecurity risks.
RSK-02 — Risk-Based Security Categorization: Categorize systems and data based on risk.
RSK-03 — Risk Assessments: Conduct periodic risk assessments.
RSK-07 — Risk Register: Track identified risks, owners, treatments, and status.
SAT — Security Awareness & Training (1 Control)
SAT-01 — Security Awareness Program: Educate personnel on cybersecurity risks and responsibilities.
TPM — Third-Party Management (5 Controls)
TPM-01 — Third-Party Management Program: Govern vendor and supplier relationships.
TPM-02 — Third-Party Criticality Assessments: Assess criticality of third-party relationships.
TPM-05 — Supply Chain Risk Management: Address risks from hardware and software suppliers.
TPM-06 — Third-Party Contracts: Include cybersecurity requirements in contracts.
TPM-09 — Third-Party Monitoring: Monitor third-party compliance on an ongoing basis.
VPM — Vulnerability & Patch Management (3 Controls)
VPM-01 — Vulnerability Management Program: Identify, prioritize, and remediate vulnerabilities.
VPM-02 — Vulnerability Scanning: Conduct regular vulnerability scans.
VPM-04 — Patch Management: Apply security patches in a timely and controlled manner.
.png)
%20(white).png)