CSF Identifiers: Difference between revisions

From CMMC Toolkit Wiki
No edit summary
m (Wikiadmin moved page Function and Category Identifiers to CSF Identifiers without leaving a redirect)
 
(8 intermediate revisions by the same user not shown)
Previous revision of the table (its rows still listed CMMC Assessment Scope asset categories under the CSF header row; the latest revision is rendered below):

{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Function Unique Identifier
! Function
! Category Unique Identifier
! style="width: 50%"| Category
|-
|'''Controlled Unclassified Information (CUI) Assets'''
|
* Assets that process, store, or transmit CUI
|rowspan="2"|
* Document in the asset inventory
* Document in the System Security Plan (SSP)
* Document in the network diagram of the CMMC Assessment Scope
* Prepare to be assessed against CMMC practices
|rowspan="2"|
* Assess against CMMC practices
|-
|'''Security Protection Assets'''
|
* Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
|-
|'''Contractor Risk Managed Assets'''
|
* Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
* Assets are not required to be physically or logically separated from CUI assets
|rowspan="2"|
* Document in the asset inventory
* Document in the SSP
** Show these assets are managed using the contractor's risk-based security policies, procedures, and practices
* Document in the network diagram of the CMMC Assessment Scope
|
* Review the SSP in accordance with practice CA.L2-3.12.4
** If appropriately documented, do not assess against other CMMC practices
** If the contractor's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
** The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
** The limited spot check(s) will be within the defined assessment scope
|-
|'''Specialized Assets'''
|
* Assets that may or may not process, store, or transmit CUI
* Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
|
* Review the SSP in accordance with practice CA.L2-3.12.4
* Do not assess against other CMMC practices
|-
|colspan="4"|Assets that are not in the CMMC Assessment Scope
|-
|'''Out-of-Scope Assets'''
|
* Assets that cannot process, store, or transmit CUI
|
* Assets are required to be physically or logically separated from CUI assets
|
* None
|}

Latest revision as of 21:08, 9 April 2023

Source of Reference: official Cybersecurity Framework Components (https://www.nist.gov/cyberframework/online-learning/components-framework) from the National Institute of Standards and Technology (NIST).

For inquiries and reporting errors on this wiki, please contact us at support@cmmctoolkit.org. Thank you.

{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Function Unique Identifier
! Function
! Category Unique Identifier
! style="width: 50%"| Category
|-
|rowspan="6" style="text-align:center;"|'''ID'''
|rowspan="6" style="text-align:center;"|Identify
|style="text-align:center;"|ID.AM
|Asset Management
|-
|style="text-align:center;"|ID.BE
|Business Environment
|-
|style="text-align:center;"|ID.GV
|Governance
|-
|style="text-align:center;"|ID.RA
|Risk Assessment
|-
|style="text-align:center;"|ID.RM
|Risk Management Strategy
|-
|style="text-align:center;"|ID.SC
|Business Environment
|-
|rowspan="6" style="text-align:center;"|'''PR'''
|rowspan="6" style="text-align:center;"|Protect
|style="text-align:center;"|PR.AC
|Identity Management and Access Control
|-
|style="text-align:center;"|PR.AT
|Awareness and Training
|-
|style="text-align:center;"|PR.DS
|Data Security
|-
|style="text-align:center;"|PR.IP
|Information Protection Processes and Procedures
|-
|style="text-align:center;"|PR.MA
|Maintenance
|-
|style="text-align:center;"|PR.PT
|Protective Technology
|-
|rowspan="3" style="text-align:center;"|'''DE'''
|rowspan="3" style="text-align:center;"|Detect
|style="text-align:center;"|DE.AE
|Anomalies and Events
|-
|style="text-align:center;"|DE.CM
|Security Continuous Monitoring
|-
|style="text-align:center;"|DE.DP
|Detection Process
|-
|rowspan="5" style="text-align:center;"|'''RS'''
|rowspan="5" style="text-align:center;"|Respond
|style="text-align:center;"|RS.RP
|Response Planning
|-
|style="text-align:center;"|RS.CO
|Communications
|-
|style="text-align:center;"|RS.AN
|Analysis
|-
|style="text-align:center;"|RS.MI
|Mitigation
|-
|style="text-align:center;"|RS.IM
|Improvements
|-
|rowspan="3" style="text-align:center;"|'''RC'''
|rowspan="3" style="text-align:center;"|Recovery
|style="text-align:center;"|RC.RP
|Recovery Planning
|-
|style="text-align:center;"|RC.IM
|Improvements
|-
|style="text-align:center;"|RC.CO
|Communications
|}