
HITRUST CSF to NIST Relationship Matrix v3
Source: hitrustalliance.net/content/uploads/2014/07/CSF-NIST-Matrix-v3.pdf

Scope

This matrix is provided to reflect changes in CSF 2014 (v6.0), which ensures tighter alignment between the CSF and NIST with respect to the mapping of controls in NIST SP 800‐53 R4 to ISO/IEC 27001:2005 clauses. 

Relationships

The matrix provides "many-to-many" mappings of the relationships between the CSF and NIST control frameworks due to differences in the structure of NIST SP 800-53 r4 and ISO/IEC 27001:2005 as well as the very specific nature of NIST controls as compared to the more general ISO clauses. As a result, the matrix indicates two types of mappings: very specific, direct relationships between controls and their more general, supportive relationships.

For questions, visit our forum on HITRUST Central, Ask HITRUST, at: https://www.hitrustcentral.net/forums/112.aspx.

General: This document is protected with a password. If you would like to make corrections or other modifications, please contact HITRUST. NOTE that you assume the risk, responsibility and potential legal liability for any issues that may arise should you attempt to unprotect the document and/or make your own changes.

COPYRIGHT (c) 2012-2014 HITRUST, Frisco, Texas. All Rights Reserved.

This document is the sole and exclusive property of HITRUST and is protected by U.S. and international copyright. No part of this document may be used or reproduced in any manner except pursuant to valid license, or prior express written permission of HITRUST.

This document has been provided AS IS, without warranty. HITRUST and its agents and affiliates are not responsible for content of third parties.

HITRUST and CSF are trademarks of HITRUST LLC. HITRUST CENTRAL is a trademark of HITRUST Service Corporation. All other marks contained herein are the property of their respective owners.


CSF ‐ NIST Cross‐Reference Matrix v3

NIST controls (columns):

AC-1** ACCESS CONTROL POLICY AND PROCEDURES
AC-2** ACCOUNT MANAGEMENT
AC-3** ACCESS ENFORCEMENT
AC-4** INFORMATION FLOW ENFORCEMENT
AC-5** SEPARATION OF DUTIES
AC-6** LEAST PRIVILEGE
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
AC-8 SYSTEM USE NOTIFICATION
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-10 CONCURRENT SESSION CONTROL
AC-11** SESSION LOCK
AC-12** SESSION TERMINATION
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-16** SECURITY ATTRIBUTES
AC-17** REMOTE ACCESS
AC-18 WIRELESS ACCESS
AC-19** ACCESS CONTROL FOR MOBILE DEVICES
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-21 USER-BASED COLLABORATION AND INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE CONTENT
AC-23 PUBLICLY ACCESSIBLE CONTENT
AC-24 PUBLICLY ACCESSIBLE CONTENT
AC-25 REFERENCE MONITOR FUNCTION
AT-1** SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2** SECURITY AWARENESS TRAINING
AT-3** ROLE-BASED SECURITY TRAINING
AT-4** SECURITY TRAINING RECORDS
AU-1** AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-2** AUDIT EVENTS
AU-3** CONTENT OF AUDIT RECORDS

CSF controls (rows), each followed by the X/O mapping marks extracted for that row (column positions not recoverable from the extraction):

0.a InfoSec Mgmt Program*

01.a Access Control Policy* | X
01.b User Registration* | X O
01.c Privilege Management | X O X X
01.d User Password Management*
01.e Review of User Access Rights | X
01.f Password Use*
01.g Unattended User Equipment | X
01.h Clear Desk and Clear Screen Policy* | O X
01.i Policy on Use of Network Services* | X O O O X
01.j User Auth. for Ext. Connections* | X X O
01.k Equip Ident. in Networks | O
01.l Remote Diagnostic & Config Port Protection | O
01.m Segregation in Networks* | X
01.n Network Connection Control* | X O O O
01.o Network Routing Control* | X
01.p Secure Log-on Procedures | X O O X
01.q User Identification and Authentication* | O
01.r Password Mgmt System*
01.s Use of System Utilities | X X O
01.t Session Time-out | O X X
01.u Limitation of Connection Time | O
01.v Information Access Restriction* | O X X X
01.w Sensitive System Isolation*
01.x Mobile Computing and Communications* | O O O X
01.y Teleworking* | O X
02.a Roles and Responsibilities* | O O O
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities*
02.e InfoSec Awareness, Education, and Training* | X X X X
02.f Disciplinary Process*
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights* | X
03.a Risk Management Program Development*
03.b Performing Risk Assessments*
03.c Risk Mitigation*
03.d Risk Evaluation
04.a Information Security Policy Document* | O O O
04.b Review of the InfoSec Policy* | O O O
05.a Management Commitment to InfoSec* | O O O
05.b InfoSec Coordination* | O O O
05.c Allocation of InfoSec Responsibilities | O O O
05.d Authorization Process for Info Assets and Facilities
05.e Confidentiality Agreements
05.f Contact with Authorities
05.g Contact with Special Interest Groups
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties* | O
05.j Addressing Security When Dealing w/ Customers | O O O
05.k Addressing Security in Third Party Agreements*

Page 1 of 24


CSF ‐ NIST Cross‐Reference Matrix v3

CSF controls (rows):

0.a InfoSec Mgmt Program*
01.a Access Control Policy*
01.b User Registration*
01.c Privilege Management
01.d User Password Management*
01.e Review of User Access Rights
01.f Password Use*
01.g Unattended User Equipment
01.h Clear Desk and Clear Screen Policy*
01.i Policy on Use of Network Services*
01.j User Auth. for Ext. Connections*
01.k Equip Ident. in Networks
01.l Remote Diagnostic & Config Port Protection
01.m Segregation in Networks*
01.n Network Connection Control*
01.o Network Routing Control*
01.p Secure Log-on Procedures
01.q User Identification and Authentication*
01.r Password Mgmt System*
01.s Use of System Utilities
01.t Session Time-out
01.u Limitation of Connection Time
01.v Information Access Restriction*
01.w Sensitive System Isolation*
01.x Mobile Computing and Communications*
01.y Teleworking*
02.a Roles and Responsibilities*
02.b Screening
02.c Terms and Conditions of Employment
02.d Management Responsibilities*
02.e InfoSec Awareness, Education, and Training*
02.f Disciplinary Process*
02.g Termination or Change Responsibilities
02.h Return of Assets
02.i Removal of Access Rights*
03.a Risk Management Program Development*
03.b Performing Risk Assessments*
03.c Risk Mitigation*
03.d Risk Evaluation
04.a Information Security Policy Document*
04.b Review of the InfoSec Policy*
05.a Management Commitment to InfoSec*
05.b InfoSec Coordination*
05.c Allocation of InfoSec Responsibilities
05.d Authorization Process for Info Assets and Facilities
05.e Confidentiality Agreements
05.f Contact with Authorities
05.g Contact with Special Interest Groups
05.h Independent Review of Information Security
05.i Identification of Risks Related to External Parties*
05.j Addressing Security When Dealing w/ Customers
05.k Addressing Security in Third Party Agreements*

NIST controls (columns):

AU-4** AUDIT STORAGE CAPACITY
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
AU-6** AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-7** AUDIT REDUCTION AND REPORT GENERATION
AU-8 TIME STAMPS
AU-9 PROTECTION OF AUDIT INFORMATION
AU-10 NON-REPUDIATION
AU-11 AUDIT RECORD RETENTION
AU-12 AUDIT GENERATION
AU-13 MONITORING FOR INFORMATION DISCLOSURE
AU-14 SESSION AUDIT
AU-15 ALTERNATE AUDIT CAPABILITY
AU-16 CROSS-ORGANIZATIONAL AUDITING
CA-1** SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES
CA-2** SECURITY ASSESSMENTS
CA-3** SYSTEM CONNECTIONS
CA-5 PLAN OF ACTION AND MILESTONES
CA-6** SECURITY AUTHORIZATION
CA-7** CONTINUOUS MONITORING
CA-8 PENETRATION TESTING
CA-9 INTERNAL SYSTEM CONNECTIONS
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-2 BASELINE CONFIGURATION
CM-3 CONFIGURATION CHANGE CONTROL
CM-4 SECURITY IMPACT ANALYSIS
CM-5 ACCESS RESTRICTIONS FOR CHANGE
CM-6 CONFIGURATION SETTINGS
CM-7 LEAST FUNCTIONALITY
CM-8** INFORMATION SYSTEM COMPONENT INVENTORY
CM-9 CONFIGURATION MANAGEMENT PLAN

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): X | O | X | O | X | O O | X | X | O | O O | O O | O O | O O | O O O | O X | O O X | X | O O | O O



CSF ‐ NIST Cross‐Reference Matrix v3


NIST controls (columns):

CM-10 SOFTWARE USAGE RESTRICTIONS
CM-11 USER-INSTALLED SOFTWARE
CP-1** CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2** CONTINGENCY PLAN
CP-3** CONTINGENCY TRAINING
CP-4** CONTINGENCY PLAN TESTING AND EXERCISES
CP-6** ALTERNATE STORAGE SITE
CP-7** ALTERNATE PROCESSING SITE
CP-8** TELECOMMUNICATIONS SERVICES
CP-9** INFORMATION SYSTEM BACKUP
CP-10** INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS
CP-12 SAFE MODE
CP-13 ALTERNATE SECURITY MECHANISMS
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2** IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-3** DEVICE-TO-DEVICE IDENTIFICATION AND AUTHENTICATION
IA-4** IDENTIFIER MANAGEMENT
IA-5** AUTHENTICATOR MANAGEMENT
IA-6** AUTHENTICATOR FEEDBACK
IA-7** CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IA-11 RE-AUTHENTICATION
IR-1** INCIDENT RESPONSE POLICY AND PROCEDURES
IR-2** INCIDENT RESPONSE TRAINING
IR-3** INCIDENT RESPONSE TESTING
IR-4** INCIDENT HANDLING
IR-5** INCIDENT MONITORING

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): X X X | X | X | O O X | X | O O X O | X X X O X | O X | O | O O O | X X | O O O | O O O | O O O | O O O O O O | O O O O | O



CSF ‐ NIST Cross‐Reference Matrix v3


NIST controls (columns):

IR-6** INCIDENT REPORTING
IR-7** INCIDENT RESPONSE ASSISTANCE
IR-8 INCIDENT RESPONSE PLAN
IR-9 INFORMATION SPILLAGE RESPONSE
IR-10 INTEGRATED INFORMATION SECURITY CELL
MA-1** SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-2** CONTROLLED MAINTENANCE
MA-3 MAINTENANCE TOOLS
MA-4 NONLOCAL MAINTENANCE
MA-5** MAINTENANCE PERSONNEL
MA-6** TIMELY MAINTENANCE
MP-1** MEDIA PROTECTION POLICY AND PROCEDURES
MP-2** MEDIA ACCESS
MP-3** MEDIA MARKING
MP-4** MEDIA STORAGE
MP-5** MEDIA TRANSPORT
MP-6** MEDIA SANITIZATION
MP-7 MEDIA USE
MP-8 MEDIA DOWNGRADING
PE-1** PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-2** PHYSICAL ACCESS AUTHORIZATIONS
PE-3** PHYSICAL ACCESS CONTROL
PE-4** ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-5** ACCESS CONTROL FOR OUTPUT DEVICES
PE-6** MONITORING PHYSICAL ACCESS
PE-8** VISITOR ACCESS RECORDS
PE-9 POWER EQUIPMENT AND POWER CABLING
PE-10 EMERGENCY SHUTOFF
PE-11 EMERGENCY POWER
PE-12 EMERGENCY LIGHTING

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): O | X | O O O | O X O | O O O | O | O O O | O O O | O O O | O O | O O O | O O



CSF ‐ NIST Cross‐Reference Matrix v3


NIST controls (columns):

PE-13 FIRE PROTECTION
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-15 WATER DAMAGE PROTECTION
PE-16 DELIVERY AND REMOVAL
PE-17** ALTERNATE WORK SITE
PE-18** LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-19 INFORMATION LEAKAGE
PE-20 ASSET MONITORING AND TRACKING
PL-1** SECURITY PLANNING POLICY AND PROCEDURES
PL-2** SYSTEM SECURITY PLAN
PL-4 RULES OF BEHAVIOR
PL-7 SECURITY CONCEPT OF OPERATIONS
PL-8 INFORMATION SECURITY ARCHITECTURE
PL-9 CENTRAL MANAGEMENT
PS-1** PERSONNEL SECURITY POLICY AND PROCEDURES
PS-2** POSITION RISK DESIGNATION
PS-3** PERSONNEL SCREENING
PS-4** PERSONNEL TERMINATION
PS-5** PERSONNEL TRANSFER
PS-6** ACCESS AGREEMENTS
PS-7** THIRD-PARTY PERSONNEL SECURITY
PS-8** PERSONNEL SANCTIONS
RA-1** RISK ASSESSMENT POLICY AND PROCEDURES
RA-2** SECURITY CATEGORIZATION
RA-3** RISK ASSESSMENT
RA-5 VULNERABILITY SCANNING
RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-2 ALLOCATION OF RESOURCES
SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): O | O O | X O O | O O X X O O O O | X | X X | X O X | X | X X | X O | X X | X | X | O O O | X O O | X X O O | O X O O O X | O O O O O O | O O | O | O | X | O O X



CSF ‐ NIST Cross‐Reference Matrix v3


NIST controls (columns):

SA-4** ACQUISITION PROCESS
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-9** EXTERNAL INFORMATION SYSTEM SERVICES
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
SA-12 SUPPLY CHAIN PROTECTION
SA-13 TRUSTWORTHINESS
SA-14 CRITICALITY ANALYSIS
SA-15 DEVELOPMENT PROCESS, STANDARDS AND TOOLS
SA-16 DEVELOPER-PROVIDED TRAINING
SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN
SA-18 TAMPER RESISTANCE AND DETECTION
SA-19 COMPONENT AUTHENTICITY
SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
SA-21 DEVELOPER SCREENING
SA-22 UNSUPPORTED SYSTEM COMPONENTS
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-2 APPLICATION PARTITIONING
SC-3 SECURITY FUNCTION ISOLATION
SC-4 INFORMATION IN SHARED RESOURCES
SC-5 DENIAL OF SERVICE PROTECTION
SC-6 RESOURCE AVAILABILITY
SC-7 BOUNDARY PROTECTION
SC-8** TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-10 NETWORK DISCONNECT
SC-11 TRUSTED PATH
SC-12** CRYPTOGRAPHIC KEY ESTABLISHMENT AND MGMT
SC-13** CRYPTOGRAPHIC PROTECTION
SC-15 COLLABORATIVE COMPUTING DEVICES

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): O | O | O | O O X | X | O | O | X | X | X O | O | O | O | O | O | O | O | O | O | O O | O | O | O O | O | O



CSF ‐ NIST Cross‐Reference Matrix v3


NIST controls (columns):

SC-16 TRANSMISSION OF SECURITY ATTRIBUTES
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-18 MOBILE CODE
SC-19 VOICE OVER INTERNET PROTOCOL
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SC-23 SESSION AUTHENTICITY
SC-24 FAIL IN KNOWN STATE
SC-25 THIN NODES
SC-26 HONEYPOTS
SC-27 PLATFORM-INDEPENDENT APPLICATIONS
SC-28 PROTECTION OF INFORMATION AT REST
SC-29 HETEROGENEITY
SC-30 CONCEALMENT AND MISDIRECTION
SC-31 COVERT CHANNEL ANALYSIS
SC-32 INFORMATION SYSTEM PARTITIONING
SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS
SC-35 HONEYCLIENTS
SC-36 DISTRIBUTED PROCESSING AND STORAGE
SC-37 OUT-OF-BAND CHANNELS
SC-38 OPERATIONS SECURITY
SC-39 PROCESS ISOLATION
SC-40 WIRELESS LINK PROTECTION
SC-41 PORT AND I/O DEVICE ACCESS
SC-42 SENSOR DATA
SC-43 USAGE RESTRICTIONS
SC-44 DETONATION CHAMBERS
SI-1** SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-2** FLAW REMEDIATION

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): O | O | O | X | O | O | O | O



CSF ‐ NIST Cross‐Reference Matrix v3


NIST controls (columns):

SI-3** MALICIOUS CODE PROTECTION
SI-4** INFORMATION SYSTEM MONITORING
SI-5** SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-6 SECURITY FUNCTION VERIFICATION
SI-7** SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY
SI-8** SPAM PROTECTION
SI-10 INFORMATION INPUT VALIDATION
SI-11 ERROR HANDLING
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
SI-13 PREDICTABLE FAILURE PREVENTION
SI-14 NON-PERSISTENCE
SI-15 INFORMATION OUTPUT FILTERING
SI-16 MEMORY PROTECTION
SI-17 FAIL SAFE PROCEDURES
PM-1 INFORMATION SECURITY PROGRAM PLAN
PM-2 SENIOR INFORMATION SECURITY OFFICER
PM-3 INFORMATION SECURITY RESOURCES
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
PM-5 INFORMATION SYSTEM INVENTORY
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-7 ENTERPRISE ARCHITECTURE
PM-8 CRITICAL INFRASTRUCTURE PLAN
PM-9 RISK MANAGEMENT STRATEGY
PM-10 SECURITY AUTHORIZATION PROCESS
PM-11 MISSION/BUSINESS PROCESS DEFINITION
PM-12 INSIDER THREAT PROGRAM
PM-13 INFORMATION SECURITY WORKFORCE
PM-14 TESTING, TRAINING AND MONITORING
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PM-16 THREAT AWARENESS PROGRAM

X/O mapping marks extracted for this page (row and column positions not recoverable from the extraction): X X X X X X X | X | O X | X X | X | X | O | O X X | O O | O X O | X | O O | X X O | O | O



CSF ‐ NIST Cross‐Reference Matrix v3

NIST controls (columns):

AC-1** ACCESS CONTROL POLICY AND PROCEDURES
AC-2** ACCOUNT MANAGEMENT
AC-3** ACCESS ENFORCEMENT
AC-4** INFORMATION FLOW ENFORCEMENT
AC-5** SEPARATION OF DUTIES
AC-6** LEAST PRIVILEGE
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
AC-8 SYSTEM USE NOTIFICATION
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-10 CONCURRENT SESSION CONTROL
AC-11** SESSION LOCK
AC-12** SESSION TERMINATION
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-16** SECURITY ATTRIBUTES
AC-17** REMOTE ACCESS
AC-18 WIRELESS ACCESS
AC-19** ACCESS CONTROL FOR MOBILE DEVICES
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-21 USER-BASED COLLABORATION AND INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE CONTENT
AC-23 PUBLICLY ACCESSIBLE CONTENT
AC-24 PUBLICLY ACCESSIBLE CONTENT
AC-25 REFERENCE MONITOR FUNCTION
AT-1** SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2** SECURITY AWARENESS TRAINING
AT-3** ROLE-BASED SECURITY TRAINING
AT-4** SECURITY TRAINING RECORDS
AU-1** AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-2** AUDIT EVENTS
AU-3** CONTENT OF AUDIT RECORDS

CSF controls (rows), each followed by the X/O mapping marks extracted for that row (column positions not recoverable from the extraction):

06.a Identification of Applicable Legislation | O O O
06.b Intellectual Property Rights

06.c Protection of Organizational Records | O
06.d Data Protection and Privacy of Covered Info*
06.e Prevention of Misuse of Information Assets* | X
06.f Regulation of Cryptographic Controls
06.g Compliance with Security Policies and Stds* | O O O
06.h Technical Compliance Checking
06.i Information Systems Audit Controls | X O
06.j Protection of Info Systems Audit Tools
07.a Inventory of Assets*
07.b Ownership of Assets
07.c Acceptable Use of Assets* | O
07.d Classification Guidelines
07.e Information Labeling and Handling | O O O
08.a Physical Security Perimeter
08.b Physical Entry Controls*
08.c Securing Offices, Rooms, and Facilities
08.d Protecting Against External and Env. Threats*
08.e Working in Secure Areas | O O
08.f Public Access, Delivery, and Loading Areas
08.g Equipment Siting and Protection
08.h Supporting Utilities
08.i Cabling Security
08.j Equipment Maintenance*
08.k Security of Equipment Off-Premises | O O
08.l Secure Disposal or Re-Use of Equipment*
08.m Removal of Property
09.a Documented Operations Procedures | O O O
09.b Change Management
09.c Segregation of Duties* | X
09.d Separation of Development, Test, and Operational Environments
09.e Service Delivery*
09.f Monitoring and Review of Third Party Services*
09.g Managing Changes to Third Party Services*
09.h Capacity Management
09.i System Acceptance
09.j Controls Against Malicious Code* | O O O
09.k Controls Against Mobile Code
09.l Back-up
09.m Network Controls* | O O X O
09.n Security of Network Services
09.o Management of Removable Media*
09.p Disposal of Media*
09.q Information Handling Procedures* | O O O O
09.r Security of System Documentation | O
09.s Information Exchange Policies and Procedures* | O O O X O X
09.t Exchange Agreements
09.u Physical Media in Transit
09.v Electronic Messaging
09.w Interconnected Business Information Systems | O

Page 9 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
AU‐4** AUDIT STORAGE CAPACITY
AU‐5 RESPONSE TO AUDIT PROCESSING FAILURES
AU‐6** AUDIT REVIEW, ANALYSIS, AND REPORTING
AU‐7** AUDIT REDUCTION AND REPORT GENERATION
AU‐8 TIME STAMPS
AU‐9 PROTECTION OF AUDIT INFORMATION
AU‐10 NON‐REPUDIATION
AU‐11 AUDIT RECORD RETENTION
AU‐12 AUDIT GENERATION
AU‐13 MONITORING FOR INFORMATION DISCLOSURE
AU‐14 SESSION AUDIT
AU‐15 Alternate Audit Capability
AU‐16 Cross‐Organizational Auditing
CA‐1** SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES
CA‐2** SECURITY ASSESSMENTS
CA‐3** SYSTEM CONNECTIONS
CA‐5 PLAN OF ACTION AND MILESTONES
CA‐6** SECURITY AUTHORIZATION
CA‐7** CONTINUOUS MONITORING
CA‐8 PENETRATION TESTING
CA‐9 INTERNAL SYSTEM CONNECTIONS
CM‐1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM‐2 BASELINE CONFIGURATION
CM‐3 CONFIGURATION CHANGE CONTROL
CM‐4 SECURITY IMPACT ANALYSIS
CM‐5 ACCESS RESTRICTIONS FOR CHANGE
CM‐6 CONFIGURATION SETTINGS
CM‐7 LEAST FUNCTIONALITY
CM‐8** INFORMATION SYSTEM COMPONENT INVENTORY
CM‐9 CONFIGURATION MANAGEMENT PLAN

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix page.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 10 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
CM‐10 SOFTWARE USAGE RESTRICTIONS
CM‐11 USER‐INSTALLED SOFTWARE
CP‐1** CONTINGENCY PLANNING POLICY AND PROCEDURES
CP‐2** CONTINGENCY PLAN
CP‐3** CONTINGENCY TRAINING
CP‐4** CONTINGENCY PLAN TESTING AND EXERCISES
CP‐6** ALTERNATE STORAGE SITE
CP‐7** ALTERNATE PROCESSING SITE
CP‐8** TELECOMMUNICATIONS SERVICES
CP‐9** INFORMATION SYSTEM BACKUP
CP‐10** INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP‐11 ALTERNATE COMMUNICATIONS PROTOCOLS
CP‐12 SAFE MODE
CP‐13 ALTERNATE SECURITY MECHANISMS
IA‐1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA‐2** IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA‐3** DEVICE‐TO‐DEVICE IDENTIFICATION AND AUTHENTICATION
IA‐4** IDENTIFIER MANAGEMENT
IA‐5** AUTHENTICATOR MANAGEMENT
IA‐6** AUTHENTICATOR FEEDBACK
IA‐7** CRYPTOGRAPHIC MODULE AUTHENTICATION
IA‐8 IDENTIFICATION AND AUTHENTICATION (NON‐ORGANIZATIONAL USERS)
IA‐9 SERVICE IDENTIFICATION AND AUTHENTICATION
IA‐10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IA‐11 RE‐AUTHENTICATION
IR‐1** INCIDENT RESPONSE POLICY AND PROCEDURES
IR‐2** INCIDENT RESPONSE TRAINING
IR‐3** INCIDENT RESPONSE TESTING
IR‐4** INCIDENT HANDLING
IR‐5** INCIDENT MONITORING

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix pages.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 11 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
IR‐6** INCIDENT REPORTING
IR‐7** INCIDENT RESPONSE ASSISTANCE
IR‐8 INCIDENT RESPONSE PLAN
IR‐9 INFORMATION SPILLAGE RESPONSE
IR‐10 INTEGRATED INFORMATION SECURITY CELL
MA‐1** SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA‐2** CONTROLLED MAINTENANCE
MA‐3 MAINTENANCE TOOLS
MA‐4 NONLOCAL MAINTENANCE
MA‐5** MAINTENANCE PERSONNEL
MA‐6** TIMELY MAINTENANCE
MP‐1** MEDIA PROTECTION POLICY AND PROCEDURES
MP‐2** MEDIA ACCESS
MP‐3** MEDIA MARKING
MP‐4** MEDIA STORAGE
MP‐5** MEDIA TRANSPORT
MP‐6** MEDIA SANITIZATION
MP‐7 MEDIA USE
MP‐8 MEDIA DOWNGRADING
PE‐1** PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE‐2** PHYSICAL ACCESS AUTHORIZATIONS
PE‐3** PHYSICAL ACCESS CONTROL
PE‐4** ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE‐5** ACCESS CONTROL FOR OUTPUT DEVICES
PE‐6** MONITORING PHYSICAL ACCESS
PE‐8** VISITOR ACCESS RECORDS
PE‐9 POWER EQUIPMENT AND POWER CABLING
PE‐10 EMERGENCY SHUTOFF
PE‐11 EMERGENCY POWER
PE‐12 EMERGENCY LIGHTING

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix pages.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 12 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
PE‐13 FIRE PROTECTION
PE‐14 TEMPERATURE AND HUMIDITY CONTROLS
PE‐15 WATER DAMAGE PROTECTION
PE‐16 DELIVERY AND REMOVAL
PE‐17** ALTERNATE WORK SITE
PE‐18** LOCATION OF INFORMATION SYSTEM COMPONENTS
PE‐19 INFORMATION LEAKAGE
PE‐20 ASSET MONITORING AND TRACKING
PL‐1** SECURITY PLANNING POLICY AND PROCEDURES
PL‐2** SYSTEM SECURITY PLAN
PL‐4 RULES OF BEHAVIOR
PL‐7 SECURITY CONCEPT OF OPERATIONS
PL‐8 INFORMATION SECURITY ARCHITECTURE
PL‐9 CENTRAL MANAGEMENT
PS‐1** PERSONNEL SECURITY POLICY AND PROCEDURES
PS‐2** POSITION RISK DESIGNATION
PS‐3** PERSONNEL SCREENING
PS‐4** PERSONNEL TERMINATION
PS‐5** PERSONNEL TRANSFER
PS‐6** ACCESS AGREEMENTS
PS‐7** THIRD‐PARTY PERSONNEL SECURITY
PS‐8** PERSONNEL SANCTIONS
RA‐1** RISK ASSESSMENT POLICY AND PROCEDURES
RA‐2** SECURITY CATEGORIZATION
RA‐3** RISK ASSESSMENT
RA‐5 VULNERABILITY SCANNING
RA‐6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
SA‐1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA‐2 ALLOCATION OF RESOURCES
SA‐3 SYSTEM DEVELOPMENT LIFE CYCLE

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix pages.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 13 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
SA‐4** ACQUISITION PROCESS
SA‐5 INFORMATION SYSTEM DOCUMENTATION
SA‐8 SECURITY ENGINEERING PRINCIPLES
SA‐9** EXTERNAL INFORMATION SYSTEM SERVICES
SA‐10 DEVELOPER CONFIGURATION MANAGEMENT
SA‐11 DEVELOPER SECURITY TESTING AND EVALUATION
SA‐12 SUPPLY CHAIN PROTECTION
SA‐13 TRUSTWORTHINESS
SA‐14 CRITICALITY ANALYSIS
SA‐15 DEVELOPMENT PROCESS, STANDARDS AND TOOLS
SA‐16 DEVELOPER‐PROVIDED TRAINING
SA‐17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN
SA‐18 TAMPER RESISTANCE AND DETECTION
SA‐19 COMPONENT AUTHENTICITY
SA‐20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
SA‐21 DEVELOPER SCREENING
SA‐22 UNSUPPORTED SYSTEM COMPONENTS
SC‐1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC‐2 APPLICATION PARTITIONING
SC‐3 SECURITY FUNCTION ISOLATION
SC‐4 INFORMATION IN SHARED RESOURCES
SC‐5 DENIAL OF SERVICE PROTECTION
SC‐6 RESOURCE AVAILABILITY
SC‐7 BOUNDARY PROTECTION
SC‐8** TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC‐10 NETWORK DISCONNECT
SC‐11 TRUSTED PATH
SC‐12** CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC‐13** CRYPTOGRAPHIC PROTECTION
SC‐15 COLLABORATIVE COMPUTING DEVICES

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix pages.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 14 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
SC‐16 TRANSMISSION OF SECURITY ATTRIBUTES
SC‐17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC‐18 MOBILE CODE
SC‐19 VOICE OVER INTERNET PROTOCOL
SC‐20 SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC‐21 SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC‐22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE
SC‐23 SESSION AUTHENTICITY
SC‐24 FAIL IN KNOWN STATE
SC‐25 THIN NODES
SC‐26 HONEYPOTS
SC‐27 PLATFORM‐INDEPENDENT APPLICATIONS
SC‐28 PROTECTION OF INFORMATION AT REST
SC‐29 HETEROGENEITY
SC‐30 CONCEALMENT AND MISDIRECTION
SC‐31 COVERT CHANNEL ANALYSIS
SC‐32 INFORMATION SYSTEM PARTITIONING
SC‐34 NON‐MODIFIABLE EXECUTABLE PROGRAMS
SC‐35 HONEYCLIENTS
SC‐36 DISTRIBUTED PROCESSING AND STORAGE
SC‐37 OUT‐OF‐BAND CHANNELS
SC‐38 OPERATIONS SECURITY
SC‐39 PROCESS ISOLATION
SC‐40 WIRELESS LINK PROTECTION
SC‐41 PORT AND I/O DEVICE ACCESS
SC‐42 SENSOR DATA
SC‐43 USAGE RESTRICTIONS
SC‐44 DETONATION CHAMBERS
SI‐1** SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI‐2** FLAW REMEDIATION

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix pages.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 15 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns):
SI‐3** MALICIOUS CODE PROTECTION
SI‐4** INFORMATION SYSTEM MONITORING
SI‐5** SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI‐6 SECURITY FUNCTION VERIFICATION
SI‐7** SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY
SI‐8** SPAM PROTECTION
SI‐10 INFORMATION INPUT VALIDATION
SI‐11 ERROR HANDLING
SI‐12 INFORMATION OUTPUT HANDLING AND RETENTION
SI‐13 PREDICTABLE FAILURE PREVENTION
SI‐14 NON‐PERSISTENCE
SI‐15 INFORMATION OUTPUT FILTERING
SI‐16 MEMORY PROTECTION
SI‐17 FAIL SAFE PROCEDURES
PM‐1 INFORMATION SECURITY PROGRAM PLAN
PM‐2 SENIOR INFORMATION SECURITY OFFICER
PM‐3 INFORMATION SECURITY RESOURCES
PM‐4 PLAN OF ACTION AND MILESTONES PROCESS
PM‐5 INFORMATION SYSTEM INVENTORY
PM‐6 INFORMATION SECURITY MEASURES OF PERFORMANCE
PM‐7 ENTERPRISE ARCHITECTURE
PM‐8 CRITICAL INFRASTRUCTURE PLAN
PM‐9 RISK MANAGEMENT STRATEGY
PM‐10 SECURITY AUTHORIZATION PROCESS
PM‐11 MISSION/BUSINESS PROCESS DEFINITION
PM‐12 INSIDER THREAT PROGRAM
PM‐13 INFORMATION SECURITY WORKFORCE
PM‐14 TESTING, TRAINING AND MONITORING
PM‐15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PM‐16 THREAT AWARENESS PROGRAM

CSF controls (rows): 06.a Identification of Applicable Legislation through 09.w Interconnected Business Information Systems, the same rows as on the preceding matrix pages.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 16 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns): AC‐1** ACCESS CONTROL POLICY AND PROCEDURES through AU‐3** CONTENT OF AUDIT RECORDS, the same columns as on matrix page 9 of 24 above.

CSF controls (rows), followed by the X/O marks extracted with that row (the NIST column each mark belongs to was lost in extraction):
09.x Electronic Commerce Services   O
09.y On‐line Transactions   O
09.z Publicly Available Information   O X
09.aa Audit Logging*   X X
09.ab Monitoring System Use*   O O O
09.ac Protection of Log Information*
09.ad Administrator and Operator Logs   X O
09.ae Fault Logging   X
09.af Clock Synchronization*
10.a Security Requirements Analysis and Specification
10.b Input Data Validation*
10.c Control of Internal Processing
10.d Message Integrity
10.e Output Data Validation
10.f Policy on the Use of Cryptographic Controls*
10.g Key Management*   O
10.h Control of Operational Software*
10.i Protection of System Test Data
10.j Access Control to Program Source Code   O O
10.k Change Control Procedures   O
10.l Outsourced Software Development*
10.m Control of Technical Vulnerabilities*
11.a Reporting Information Security Events*
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures*
11.d Learning from InfoSec Incidents
11.e Collection of Evidence
12.a Including InfoSec in the BC Mgmt Process
12.b Business Continuity and Risk Assessment
12.c Develop/Implement Continuity Plans incl Information Security*
12.d Business Continuity Planning Framework
12.e Testing, Maintaining & Re‐Assessing Continuity Plans

Legend:
X ‐ Primary, direct relationship
X ‐ Exception to NIST's mapping of SP800‐53 to ISO 27001
O ‐ Secondary, supporting relationship
O ‐ Exception to NIST's mapping of SP800‐53 to ISO 27001
* CSF control is required for 2012 Certification
** NIST control maps to HIPAA Security Rule required or addressable implementation specification
Red Text ‐ NIST control is not part of moderate‐impact baseline
Italicized Text ‐ NIST control does not map to ISO/IEC 27001/2

Page 17 of 24

CSF ‐ NIST Cross‐Reference Matrix v3 (continued)

NIST controls (columns): AU‐4** AUDIT STORAGE CAPACITY through CM‐9 CONFIGURATION MANAGEMENT PLAN, the same columns as on matrix page 10 of 24 above.

CSF controls (rows): 09.x Electronic Commerce Services through 12.e Testing, Maintaining & Re‐Assessing Continuity Plans, the same rows as on the preceding matrix page; the legend is the same as on that page.

[The X/O relationship marks for this matrix page were extracted without their row and column positions and cannot be assigned to specific CSF/NIST control pairs; they are omitted here.]

Page 18 of 24

Page 20: HITRUST CSF to NIST Relationship Matrix v3hitrustalliance.net/content/uploads/2014/07/CSF-NIST-Matrix-v3.pdf · HITRUST CSF to NIST Relationship Matrix v3 Scope This matrix is provided

CSF - NIST Cross-Reference Matrix v3

Columns: NIST SP 800-53 r4 controls (listed after the legend). Rows: CSF controls.

CSF controls (rows):
09.x Electronic Commerce Services
09.y On-line Transactions
09.z Publicly Available Information
09.aa Audit Logging*
09.ab Monitoring System Use*
09.ac Protection of Log Information*
09.ad Administrator and Operator Logs
09.ae Fault Logging
09.af Clock Synchronization*
10.a Security Requirements Analysis and Specification
10.b Input Data Validation*
10.c Control of Internal Processing
10.d Message Integrity
10.e Output Data Validation
10.f Policy on the Use of Cryptographic Controls*
10.g Key Management*
10.h Control of Operational Software*
10.i Protection of System Test Data
10.j Access Control to Program Source Code
10.k Change Control Procedures
10.l Outsourced Software Development*
10.m Control of Technical Vulnerabilities*
11.a Reporting Information Security Events*
11.b Reporting Security Weaknesses
11.c Responsibilities and Procedures*
11.d Learning from InfoSec Incidents
11.e Collection of Evidence
12.a Including InfoSec in the BC Mgmt Process
12.b Business Continuity and Risk Assessment
12.c Develop/Implement Continuity Plans incl. Information Security*
12.d Business Continuity Planning Framework
12.e Testing, Maintaining & Re-Assessing Continuity Plans

Legend:
X - Primary, direct relationship
X - Exception to NIST's mapping of SP 800-53 to ISO 27001 (shown in a different style from the plain X in the original PDF; that distinction is not preserved in this text)
O - Secondary, supporting relationship
O - Exception to NIST's mapping of SP 800-53 to ISO 27001 (shown in a different style from the plain O in the original PDF; that distinction is not preserved in this text)
* CSF control is required for 2012 Certification
** NIST control maps to a HIPAA Security Rule required or addressable implementation specification
Red text - NIST control is not part of the moderate-impact baseline
Italicized text - NIST control does not map to ISO/IEC 27001/2

NIST controls (columns):
CM-10 SOFTWARE USAGE RESTRICTIONS
CM-11 USER-INSTALLED SOFTWARE
CP-1** CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2** CONTINGENCY PLAN
CP-3** CONTINGENCY TRAINING
CP-4** CONTINGENCY PLAN TESTING AND EXERCISES
CP-6** ALTERNATE STORAGE SITE
CP-7** ALTERNATE PROCESSING SITE
CP-8** TELECOMMUNICATIONS SERVICES
CP-9** INFORMATION SYSTEM BACKUP
CP-10** INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS
CP-12 SAFE MODE
CP-13 ALTERNATE SECURITY MECHANISMS
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2** IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-3** DEVICE-TO-DEVICE IDENTIFICATION AND AUTHENTICATION
IA-4** IDENTIFIER MANAGEMENT
IA-5** AUTHENTICATOR MANAGEMENT
IA-6** AUTHENTICATOR FEEDBACK
IA-7** CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IA-11 RE-AUTHENTICATION
IR-1** INCIDENT RESPONSE POLICY AND PROCEDURES
IR-2** INCIDENT RESPONSE TRAINING
IR-3** INCIDENT RESPONSE TESTING
IR-4** INCIDENT HANDLING
IR-5** INCIDENT MONITORING

Relationship marks for the NIST columns above, as extracted (row and column positions lost in text extraction):
O O / O O / O / O O / X / X X O X / X X / X / O X / O / X X X X X X X O O / X O / X X


NIST controls (columns):
IR-6** INCIDENT REPORTING
IR-7** INCIDENT RESPONSE ASSISTANCE
IR-8 INCIDENT RESPONSE PLAN
IR-9 INFORMATION SPILLAGE RESPONSE
IR-10 INTEGRATED INFORMATION SECURITY CELL
MA-1** SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-2** CONTROLLED MAINTENANCE
MA-3 MAINTENANCE TOOLS
MA-4 NONLOCAL MAINTENANCE
MA-5** MAINTENANCE PERSONNEL
MA-6** TIMELY MAINTENANCE
MP-1** MEDIA PROTECTION POLICY AND PROCEDURES
MP-2** MEDIA ACCESS
MP-3** MEDIA MARKING
MP-4** MEDIA STORAGE
MP-5** MEDIA TRANSPORT
MP-6** MEDIA SANITIZATION
MP-7 MEDIA USE
MP-8 MEDIA DOWNGRADING
PE-1** PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-2** PHYSICAL ACCESS AUTHORIZATIONS
PE-3** PHYSICAL ACCESS CONTROL
PE-4** ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-5** ACCESS CONTROL FOR OUTPUT DEVICES
PE-6** MONITORING PHYSICAL ACCESS
PE-8** VISITOR ACCESS RECORDS
PE-9 POWER EQUIPMENT AND POWER CABLING
PE-10 EMERGENCY SHUTOFF
PE-11 EMERGENCY POWER
PE-12 EMERGENCY LIGHTING

Relationship marks for the NIST columns above, as extracted (row and column positions lost in text extraction):
O O / O / O / X / X X / O


NIST controls (columns):
PE-13 FIRE PROTECTION
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-15 WATER DAMAGE PROTECTION
PE-16 DELIVERY AND REMOVAL
PE-17** ALTERNATE WORK SITE
PE-18** LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-19 INFORMATION LEAKAGE
PE-20 ASSET MONITORING AND TRACKING
PL-1** SECURITY PLANNING POLICY AND PROCEDURES
PL-2** SYSTEM SECURITY PLAN
PL-4 RULES OF BEHAVIOR
PL-7 SECURITY CONCEPT OF OPERATIONS
PL-8 INFORMATION SECURITY ARCHITECTURE
PL-9 CENTRAL MANAGEMENT
PS-1** PERSONNEL SECURITY POLICY AND PROCEDURES
PS-2** POSITION RISK DESIGNATION
PS-3** PERSONNEL SCREENING
PS-4** PERSONNEL TERMINATION
PS-5** PERSONNEL TRANSFER
PS-6** ACCESS AGREEMENTS
PS-7** THIRD-PARTY PERSONNEL SECURITY
PS-8** PERSONNEL SANCTIONS
RA-1** RISK ASSESSMENT POLICY AND PROCEDURES
RA-2** SECURITY CATEGORIZATION
RA-3** RISK ASSESSMENT
RA-5 VULNERABILITY SCANNING
RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-2 ALLOCATION OF RESOURCES
SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

Relationship marks for the NIST columns above, as extracted (row and column positions lost in text extraction):
O O O X X / O / O / O X / X / O


NIST controls (columns):
SA-4** ACQUISITION PROCESS
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-9** EXTERNAL INFORMATION SYSTEM SERVICES
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
SA-12 SUPPLY CHAIN PROTECTION
SA-13 TRUSTWORTHINESS
SA-14 CRITICALITY ANALYSIS
SA-15 DEVELOPMENT PROCESS, STANDARDS AND TOOLS
SA-16 DEVELOPER-PROVIDED TRAINING
SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN
SA-18 TAMPER RESISTANCE AND DETECTION
SA-19 COMPONENT AUTHENTICITY
SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
SA-21 DEVELOPER SCREENING
SA-22 UNSUPPORTED SYSTEM COMPONENTS
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-2 APPLICATION PARTITIONING
SC-3 SECURITY FUNCTION ISOLATION
SC-4 INFORMATION IN SHARED RESOURCES
SC-5 DENIAL OF SERVICE PROTECTION
SC-6 RESOURCE AVAILABILITY
SC-7 BOUNDARY PROTECTION
SC-8** TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-10 NETWORK DISCONNECT
SC-11 TRUSTED PATH
SC-12** CRYPTOGRAPHIC KEY ESTABLISHMENT AND MGMT
SC-13** CRYPTOGRAPHIC PROTECTION
SC-15 COLLABORATIVE COMPUTING DEVICES

Relationship marks for the NIST columns above, as extracted (row and column positions lost in text extraction):
O X O / O O O O O / O / X X / X / O X X / X X / O / X / O O O X X O O / O O


NIST controls (columns):
SC-16 TRANSMISSION OF SECURITY ATTRIBUTES
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-18 MOBILE CODE
SC-19 VOICE OVER INTERNET PROTOCOL
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SC-23 SESSION AUTHENTICITY
SC-24 FAIL IN KNOWN STATE
SC-25 THIN NODES
SC-26 HONEYPOTS
SC-27 PLATFORM-INDEPENDENT APPLICATIONS
SC-28 PROTECTION OF INFORMATION AT REST
SC-29 HETEROGENEITY
SC-30 CONCEALMENT AND MISDIRECTION
SC-31 COVERT CHANNEL ANALYSIS
SC-32 INFORMATION SYSTEM PARTITIONING
SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS
SC-35 HONEYCLIENTS
SC-36 DISTRIBUTED PROCESSING AND STORAGE
SC-37 OUT-OF-BAND CHANNELS
SC-38 OPERATIONS SECURITY
SC-39 PROCESS ISOLATION
SC-40 WIRELESS LINK PROTECTION
SC-41 PORT AND I/O DEVICE ACCESS
SC-42 SENSOR DATA
SC-43 USAGE RESTRICTIONS
SC-44 DETONATION CHAMBERS
SI-1** SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-2** FLAW REMEDIATION

Relationship marks for the NIST columns above, as extracted (row and column positions lost in text extraction):
X / X / X / O / O O / X / X


NIST controls (columns):
SI-3** MALICIOUS CODE PROTECTION
SI-4** INFORMATION SYSTEM MONITORING
SI-5** SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-6 SECURITY FUNCTION VERIFICATION
SI-7** SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY
SI-8** SPAM PROTECTION
SI-10 INFORMATION INPUT VALIDATION
SI-11 ERROR HANDLING
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
SI-13 PREDICTABLE FAILURE PREVENTION
SI-14 NON-PERSISTENCE
SI-15 INFORMATION OUTPUT FILTERING
SI-16 MEMORY PROTECTION
SI-17 FAIL SAFE PROCEDURES
PM-1 INFORMATION SECURITY PROGRAM PLAN
PM-2 SENIOR INFORMATION SECURITY OFFICER
PM-3 INFORMATION SECURITY RESOURCES
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
PM-5 INFORMATION SYSTEM INVENTORY
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-7 ENTERPRISE ARCHITECTURE
PM-8 CRITICAL INFRASTRUCTURE PLAN
PM-9 RISK MANAGEMENT STRATEGY
PM-10 SECURITY AUTHORIZATION PROCESS
PM-11 MISSION/BUSINESS PROCESS DEFINITION
PM-12 INSIDER THREAT PROGRAM
PM-13 INFORMATION SECURITY WORKFORCE
PM-14 TESTING, TRAINING AND MONITORING
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PM-16 THREAT AWARENESS PROGRAM

Relationship marks for the NIST columns above, as extracted (row and column positions lost in text extraction; the legend defines only X and O, so the stray digit 0 in the extraction is read as O):
O O O O O / X O O / O / X / O / X / X / O X X / O / O / O / O / X X / X O / O / X
