- Introduction
- About NIST 2.0 Core
- CSF Components
- The CSF Core
- GOVERN (GV)
- IDENTIFY (ID)
- PROTECT (PR)
- DETECT (DE)
- RESPOND (RS)
- RECOVER (RC)
- How the CSF Functions Work Together
- CSF Profiles
- CSF Tiers
- Online Resources That Supplement the CSF
- Improving Cybersecurity Risk Communication and Integration
- Improving Risk Management Communication
- Our Use Case - GreenLeaf Retailers
- The CSF Core
- Major Changes to the Core from CSF 1.1 to 2.0
- GOVERN (GV)
- Organizational Context (GV.OC)
- GV.OC-01: Organizational mission and risk management
- GV.OC-01 Assignment
- GV.OC-02: Understanding internal and external stakeholders
- GV.OC-02 Assignment
- GV.OC-03: Legal, regulatory, and contractual requirements
- GV.OC-04: Ensuring Understanding and Communication of Stakeholder Expectations
- GV.OC-05: Ensuring Understanding and Communication of Organizational Dependencies
- Risk Management Strategy (GV.RM)
- GV.RM-01: Establishing and Agreeing on Organizational Risk Management Objectives
- GV.RM-02: Establishing and Communicating Risk Appetite and Tolerance Statements
- GV.RM-03: Integrating Cybersecurity Risk Management into Enterprise Risk Process
- GV.RM-04: Establishing and Communicating Strategic Risk Response Options
- GV.RM-05: Establishing Communication for Cybersecurity Risks in the Organization
- GV.RM-06: Establishing Standardized Cybersecurity Risk Management Methods
- GV.RM-07: Integrating Strategic Opportunities into Cybersecurity Risk Discussions
- Cybersecurity Supply Chain Risk Management (GV.SC)
- GV.SC-01 - Cybersecurity supply chain risk management program
- GV.SC-02 - Cybersecurity roles and responsibilities for suppliers
- GV.SC-03 - Cybersecurity supply chain risk management is integrated
- GV.SC-04 - Suppliers are known and prioritized by criticality
- GV.SC-05 - Prioritized requirements for cybersecurity risks in the supply chain
- GV.SC-06 - Planning and due diligence are performed to reduce risk
- GV.SC-07 - The risks posed by a supplier
- GV.SC-08 - Relevant suppliers and other third parties
- GV.SC-09 - Supply chain security practices
- GV.SC-10 - Cybersecurity supply chain risk management plans
- Part 2 of the Course
- Roles, Responsibilities, and Authorities (GV.RR)
- GV.RR-01 - Organizational leadership
- GV.RR-02 - Roles, responsibilities, and authorities
- GV.RR-03 - Adequate resources are allocated
- GV.RR-04 - Cybersecurity in human resources practices
- Policy (GV.PO)
- GV.PO-01 - Policy for managing cybersecurity risks
- GV.PO-02 - Policy is reviewed, updated, communicated, and enforced
- Oversight (GV.OV)
- GV.OV-01 - Cybersecurity risk management strategy outcomes
- GV.OV-02 - The cybersecurity risk management strategy is reviewed
- GV.OV-03 - Organizational cybersecurity risk management performance
- IDENTIFY (ID)
- Asset Management (ID.AM)
- ID.AM-01 - Inventories of hardware
- ID.AM-02 - Inventories of software, services, and systems
- ID.AM-03 - Representations of the organization’s authorized network
- ID.AM-04 - Inventories of services provided by suppliers
- ID.AM-05 - Assets are prioritized
- ID.AM-07 - Inventories of data and metadata are maintained
- ID.AM-08 - Systems, hardware, software, services, and data managed in lifecycle
- Risk Assessment (ID.RA)
- ID.RA-01 - Vulnerabilities in assets
- ID.RA-02 - Cyber threat intelligence
- ID.RA-03 - Internal and external threats to the organization
- ID.RA-04 - Potential impacts and likelihoods of threats
- ID.RA-05 - Prioritize by threats, vulnerabilities, likelihoods, and impacts
- ID.RA-06 - Risk responses are chosen, prioritized, planned
- ID.RA-07 - Changes and exceptions
- ID.RA-08 - Vulnerability response processes are established
- ID.RA-09 - The authenticity and integrity of hardware and software assessed
- ID.RA-10 - Critical suppliers are assessed prior to acquisition
- Improvement (ID.IM)
- ID.IM-01 - Improvements are identified from evaluations
- ID.IM-02 - Improvements are identified from security tests