4.0 Self-Assessing Cybersecurity Risk with the Framework
Appendix A: Framework Core
This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories, and Informative References that describe specific cybersecurity activities that are common across all critical infrastructure sectors. The chosen presentation format for the Framework Core does not suggest a specific implementation order or imply a degree of importance of the Categories, Subcategories, and Informative References. The Framework Core presented in this appendix represents a common set of activities for managing cybersecurity risk. While the Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities to use Subcategories and Informative References that are cost-effective and efficient and that enable them to manage their cybersecurity risk. Activities can be selected from the Framework Core during the Profile creation process and additional Categories, Subcategories, and Informative References may be added to the Profile. An organization’s risk management processes, legal/regulatory requirements, business/mission objectives, and organizational constraints guide the selection of these activities during Profile creation. Personal information is considered a component of data or assets referenced in the Categories when assessing security risks and protections.
While the intended outcomes identified in the Functions, Categories, and Subcategories are the same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS have a direct effect on the physical world, including potential risks to the health and safety of individuals, and impact on the environment. Additionally, ICS have unique performance and reliability requirements compared with IT, and the goals of safety and efficiency must be considered when implementing cybersecurity measures.
For ease of use, each component of the Framework Core is given a unique identifier. Functions and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories within each Category are referenced numerically; the unique identifier for each Subcategory is included in Table 2.
Additional supporting material, including Informative References, relating to the Framework can be found on the NIST website at http://www.nist.gov/cyberframework/.
Table 1: Function and Category Unique Identifiers
| Function Unique Identifier | Function | Category Unique Identifier | Category | ||
| ID | Identify | ID.AM | Asset Management | ||
| ID.BE | Business Environment | ||||
| ID.GV | Governance | ||||
| ID.RA | Risk Assessment | ||||
| ID.RM | Risk Management Strategy | ||||
| ID.SC | Supply Chain Risk Management | ||||
| PR | Protect | PR.AC | Identity Management and Access Control | ||
| PR.AT | Awareness and Training | ||||
| PR.DS | Data Security | ||||
| PR.IP | Information Protection Processes and Procedures | ||||
| PR.MA | Maintenance | ||||
| PR.PT | Protective Technology | ||||
| DE | Detect | DE.AE | Anomalies and Events | ||
| DE.CM | Security Continuous Monitoring | ||||
| DE.DP | Detection Processes | ||||
| RS | Respond | RS.RP | Response Planning | ||
| RS.CO | Communications | ||||
| RS.AN | Analysis | ||||
| RS.MI | Mitigation | ||||
| RS.IM | Improvements | ||||
| RC | Recover | RC.RP | Recovery Planning | ||
| RC.IM | Improvements | ||||
| RC.CO | Communications | ||||
Table 2: Framework Core
| Function | Category | Subcategory | Informative References | ||||
| IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | ID.AM-1: Physical devices and systems within the organization are inventoried | CIS CSC 1 COBIT 5 BAI09.01, BAI09.02 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 NIST SP 800-53 Rev. 4 CM-8, PM-5 | ||||
| ID.AM-2: Software platforms and applications within the organization are inventoried | CIS CSC 2 COBIT 5 BAI09.01, BAI09.02, BAI09.05 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1 NIST SP 800-53 Rev. 4 CM-8, PM-5 | ||||||
| ID.AM-3: Organizational communication and data flows are mapped | CIS CSC 12 COBIT 5 DSS05.02 ISA 62443-2-1:2009 4.2.3.4 ISO/IEC 27001:2013 A.13.2.1, A.13.2.2 NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8 | ||||||
| ID.AM-4: External information systems are catalogued | CIS CSC 12 COBIT 5 APO02.02, APO10.04, DSS01.02 ISO/IEC 27001:2013 A.11.2.6 NIST SP 800-53 Rev. 4 AC-20, SA-9 | ||||||
| ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | CIS CSC 13, 14 COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02 ISA 62443-2-1:2009 4.2.3.6 ISO/IEC 27001:2013 A.8.2.1 NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6 | ||||||
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | CIS CSC 17, 19 COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03 ISA 62443-2-1:2009 4.3.2.3.3 ISO/IEC 27001:2013 A.6.1.1 NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11 | ||||||